The patch comes less than a week after Sun told a Google researcher it did not consider the issue serious enough to warrant an out-of-cycle patch and less than a day after researchers spotted live exploits on a booby-trapped song lyrics Web site.
The release notes that accompany the new Java 6 Update 20 make no mention of the public flaw disclosure or subsequent attacks, but I've been able to confirm that the patch does cover the vulnerability released by Google security researcher Tavis Ormandy.
The flaw, which was also discovered independently by Ruben Santamarta, occurs because the Java browser plugin runs "javaws.exe" without validating the command-line parameters passed to it.
Despite the absence of documentation, a researcher was able to figure out that Sun removed the code that launched javaws.exe from the Java plugin.
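The root cause above is a helper process being handed caller-controlled command-line parameters unchecked. As an added illustration of the defensive pattern (this is not Sun's code, and the helper path, the single-URL policy and the `.jnlp` rule are assumptions made for the example), the snippet below shows a launcher that allowlists the one argument it expects, refuses anything option-like, and builds an argv list that would be passed to the child without a shell:

```python
import re
import subprocess
from urllib.parse import urlsplit

# Constructed policy for this example: the only argument the helper may be
# handed is a single absolute http(s) URL whose path ends in ".jnlp".
_ALLOWED_SCHEMES = {"http", "https"}
_JNLP_PATH = re.compile(r"^/[A-Za-z0-9._~/%-]*\.jnlp$")


class ArgumentRejected(ValueError):
    """Raised when an untrusted argument fails validation."""


def validate_launch_args(untrusted_args):
    """Return a vetted argv tail for the helper, or raise ArgumentRejected.

    Rules (hypothetical policy, not the real javaws interface):
      * exactly one argument is accepted;
      * it must not look like an option (no leading '-'), so page content
        can never be interpreted as a switch by the helper;
      * it must be an absolute http(s) URL whose path ends in .jnlp;
      * no whitespace or control characters, so nothing downstream can
        re-tokenise the value into several arguments.
    """
    if len(untrusted_args) != 1:
        raise ArgumentRejected(
            f"expected exactly 1 argument, got {len(untrusted_args)}")
    arg = untrusted_args[0]
    if arg.startswith("-"):
        raise ArgumentRejected("option-like argument refused")
    if any(ch.isspace() or ord(ch) < 0x20 for ch in arg):
        raise ArgumentRejected("whitespace/control character refused")
    parts = urlsplit(arg)
    if parts.scheme not in _ALLOWED_SCHEMES or not parts.netloc:
        raise ArgumentRejected("not an absolute http(s) URL")
    if not _JNLP_PATH.match(parts.path):
        raise ArgumentRejected("path is not a .jnlp resource")
    return [arg]


def is_accepted(untrusted_args):
    """Convenience predicate: True if the arguments pass validation."""
    try:
        validate_launch_args(untrusted_args)
    except ArgumentRejected:
        return False
    return True


def build_command(helper_path, untrusted_args):
    """Assemble the argv list for the child process.

    The helper path is fixed by the caller (never taken from page content),
    and the result is a list, so subprocess.run(argv) executes it without a
    shell and with no further parsing of the arguments.
    """
    return [helper_path] + validate_launch_args(untrusted_args)


def launch(helper_path, untrusted_args):
    """Validate and then run the helper without a shell (shell=False)."""
    argv = build_command(helper_path, untrusted_args)
    return subprocess.run(argv, shell=False, check=False)


if __name__ == "__main__":
    # Constructed sample inputs: one acceptable URL and a few that the
    # policy refuses. Only the command is built here; nothing is executed.
    print(build_command("/opt/helper/javaws",
                        ["https://example.com/app/launch.jnlp"]))
    for bad in (["-verbose"], ["ftp://example.com/a.jnlp"],
                ["https://example.com/a.jnlp", "extra"]):
        print(bad, "accepted" if is_accepted(bad) else "rejected")
```

The point of the allowlist is that the parent decides what shape an argument may have before the child ever sees it; checking for a leading `-` alone is not enough if the value can still be split or reinterpreted, which is why the scheme, path and character checks are applied together.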
Here is a link to download the patch from Sun's Web site.
It's incomprehensible that a software vendor like Sun, now under Oracle's wing, could have misdiagnosed this vulnerability when Ormandy originally reported it. It was clear from the outset that this was a "critical" issue, and one that several different hackers had found. On Twitter, Ormandy said he had no information that the issue was already in the wild before he wielded the full-disclosure stick. However, he maintains "it was just too trivial for that not to be the case."
Speaking of irresponsible, here's what I saw when I applied the new Java update this morning. Yes, checked by default. Sigh.