Oracle

Over the course of the last two years, Oracle's Java has been exploited time and again as hackers eviscerate the technology, seemingly at will.

As each exploit emerges against Java, Oracle typically responds within a short period of time with a security update, only to have the update exploited within days. While Oracle has pledged with its successive releases that it is improving Java security, the company has not publicly spoken out about the string of exploitation that has crippled confidence in Java in recent months. That is until now.

Oracle Corp. said Monday it has released a fix for the flaw in its Java software that raised an alarm from the U.S. Department of Homeland Security last week. Even after the patch was issued, the federal agency continued to recommend that users disable Java in their Web browsers.

Oracle Corp released an emergency update to its widely used Java software for surfing the Web on Sunday, days after the US government urged PC users to disable the program because of a bug it said made computers vulnerable to attack by hackers.

Java security expert Adam Gowdiak, who has discovered several bugs in the software over the past year, said that the update from Oracle leaves unfixed several critical security flaws. "We don't dare to tell users that it's safe to enable Java again," said Mr Gowdiak, a researcher with Poland's Security Explorations.

 Nokia and Oracle are expected to announce a deal tomorrow that will give Oracle customers access to Nokia's growing stable of data and location services.

The deal, which is due to be announced at OracleWorld conference in San Francisco, is expected to expand the reach of the Finnish handset maker's Navteq mapping services, The Wall Street Journal reported. Financial details of the arrangement were not revealed.

Adam Gowdiak, the CEO of Security Explorations – the company that discovered the recent Java vulnerabilities -, told Softpedia that Oracle confirmed the existence of the second flaw, reported on August 31, 2012.

“Oracle confirmed the security issue reported to them on Aug 31, the one that affects the out-of-band patch released on Aug 30. This is visible at our vendor status page,” Gowdiak wrote in an email.

Oracle's latest patch to close up several vulnerabilities that were being actively exploited in the wild may not have been enough, with researchers now claiming that even the latest patch (Version 7 Update 7) contains yet another vulnerability.

Oracle knew since April about the existence of the two unpatched Java 7 vulnerabilities that are currently being exploited in malware attacks, according to Adam Gowdiak, the founder and CEO of Polish security firm Security Explorations.

Security Explorations reported 19 Java 7 security issues to Oracle on Apr. 2. Those issues included the two zero-day -- unpatched -- vulnerabilities that attackers are exploiting to infect computers with malware, Gowdiak said Wednesday via email.

Oracle announced on Tuesday that it will start offering direct downloads and auto-updates to Java on OS X beginning with the release of Java Standard Edition 7 Update 6. Users can download the Java Runtime Environment (JRE) directly from Oracle's java.com website "soon," according to Oracle, and will receive auto-updates at the same time as Windows, Linux, and Solaris platforms.

Oracle has issued a fix for a security weakness in its database product that was disclosed at the Black Hat security conference in July in Las Vegas.

Oracle has won at least one legal battle this week. SAP is paying the hardware giant $306 million in damages resulting from a copyright infringement suit.

Unlike the fight against Google, it looks like victory over SAP really is a payday. SAP's bill to Oracle continues to get bigger as Oracle's general counsel Dorian Daley said in a statement that SAP will have to pay "a minimum of $426 million, including attorneys’ fees."