The H – (International) Security researcher experiments with patching Java. With Oracle planning to wait until February 2013, a security researcher decided to take matters into his own hands by developing a patch for a critical security vulnerability he discovered in Java. He posted a report on his efforts to security mailing list Full Disclosure. However, the patch is not intended for publication — as this would reveal details of the vulnerability, which the researcher has kept hidden so far. Instead, - 13 - the researcher hopes his experiment will prompt Oracle to speed up its process for releasing official patches. He informed Oracle of the critical vulnerability in late September. It potentially enables an attacker to use a specially crafted applet to access assets on a system with user privileges. He was, however, too late for the company’s October patch day. Oracle informed him that it was already in the final stages of testing its October patches and that any patch would have to be held over until the next critical patch update, scheduled for February 19, 2013. In order to estimate the amount of work involved, the security researcher then decided to develop a patch himself and found that fixing the vulnerability required changing just 25 characters of code in 30 minutes. According to the researcher, the patch has no discernible effect on the code logic, rendering extensive integration tests to check its effect on other programs superfluous.
Ali Loney, on October 23, 2012