Two Words: Offshore Contractors
Whatever education is being financed, it seems history is no longer a part of it.
I am a sysadmin on several web apps and I went and got the official security alert. I have to admit I am a bit confused by the message:
Oracle Security Alert for CVE-2013-0422
This Security Alert addresses security issues CVE-2013-0422 (US-CERT Alert TA13-010A - Oracle Java 7 Security Manager Bypass Vulnerability) and another vulnerability affecting Java running in web browsers. These vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications. They also do not affect Oracle server-based software.
The fixes in this Alert include a change to the default Java Security Level setting from "Medium" to "High". With the "High" setting, the user is always prompted before any unsigned Java applet or Java Web Start application is run.
These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user's system. "
Yet Oracle released another notice that talks about a critical patch update for several Oracle products (ie.: db, app servers, etc.)
Does anybody understand why there are cpu's for their products if the zde doesn't affect there products?
Elegance and truth are inversely related. -- Becker's Razor