To the surprise of System Administrators everywhere, Sun released a Java update today. Arriving only a week after Java 6 Update 19 was released, the update comes as a surprise to address an exploit found in Java by Tavis Ormandy, a researcher at Google. Apparently Ormandy managed to force Sun’s hand as they had replied to his responsible disclosure of the exploit saying that the exploit was not critical enough to force breaking the update cycle, which would have meant it would be addressed in the next scheduled update of July. Tavis Ormandy to the Full Disclosure mailing list:
Sun has been informed about this vulnerability, however, they informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle.
For various reasons, I explained that I did did not agree, and intended to publish advice to temporarily disable the affected control until a solution is available.
Within a few days of Tormandy’s public disclosure via the Full Disclosure mailing list, the exploit was seen in the wild as reported by Krebs on Security. With the exploit in the wild, doom-and-gloom came from multiple security-related sources from around the Internet. Apparently this was enough to convince Sun to address the problem with an emergency patch which came out today.
Java 6 Update 20 does not explicity state anything about patching the vulnerability in its Release Notes but it has been confirmed that the exploit’s proof of concept no longer works once you have installed the fix. Apparently the code to access javaws.exe (the source of the exploit) has been removed altogether, according to a researcher over Twitter.
After reviewing my previous article on how to deploy Java with Group Policy, I’ve pushed the update out to my users and all will be running the latest version upon the next restart.