On September 25, Adam Gowdiak from the Polish security consulting firm Security Explorations submitted a Java security vulnerability to Oracle and provided a proof-of-concept. The vulnerability exists in Java 5 6,7, once the user accesses hosted malware site, an attacker can remotely control the infected machine.
Gowdiak later got in touch again with Oracle and got the response that the fix has reached the final stage. He can expect the patch in four months later. He eventually unbearable Oracle's tedious development, testing processes, We should know that Oracle has to create 30 more patches for Java and 109 patches for Oracle database, MySQL and other products. , Gowdiak and his team decided to develop the Java patch themselves, which took them only 26 minutes - only additions and deletions to 26 characters, and did not modify any code logic which needs no integration testing.
How can we wait for 4 months to get this high-risk vulnerability fixed where we only need 30 minutes to fix!? Gowdiak hopes that their action can challenge Oracle's position.
Source : http://www.csdn.net/article/2012-10-26/2811207-researcher-developers-fixed-Java-exploit