Sun's staggered update for Java flaw exposes users

Java flawSecurity vendor eEye Digital Security is accusing Sun of putting millions of Java users at risk by staggering the releases of security patches for the software.

As an illustration, eEye points to a recent flaw in the Java Runtime Environment (JRE), in which a serious bug in the Java Network Launching Protocol was discovered by eEye in January. This flaw has since been patched in late June. Unfortunately, however, this fix has yet to be pushed out to the millions of Java users located around the globe.

The reason according to Network World:

[is] that developers can make sure that the update itself is bug-free. "There's an additional round of testing that happens before we blast it out to consumers," said Sun Spokeswoman Jacki Decoster.

Marc Maiffret, chief technology officer with eEye disagrees, however, saying that the problem with such a staggered release schedule gives criminals an opportunity to reverse engineer the bug into exploit code that has the potential to affect millions of as yet unpatched users.

Microsoft releases security patches for all versions of its products simultaneously, though Sun is not alone in staggering its product releases. Oracle is also known to habitually release patches for known security issues up to weeks later for less-popular platforms.

To me, the reason for the staggering of any security updates is apparently -- sheer economics. It would cost proportionately more to allocate the manpower to simultaneously fix a problem across a swath of versions and operating systems. It is also not hard to understand that Sun wants to be absolutely sure that the fix doesn't inadvertently break other things in the process. See Symantec offers compensation for update fiasco.

What is your stance towards the urgency that companies should adopt towards security patches?


Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

Deadly Ernest
Deadly Ernest

Personally, this doesn't worry me, as I think anyone who builds critical aspects of a web site around a proprietary application is just asking for trouble anyway. At any point, the owner of the software can start demanding payment to have it work right on your system. But the biggest problem I've always had with Java has been security. Not sure how it is now, but in the past, Sun has asked big bucks for companies to get access to the code for Java so they can write anti-virus checking routines to check inside all Java code and make sure it's OK. Thus, few AV software makers wrote strong AV software capable of giving all Java code a thorough check for malicious code - often resulting in heaps of Java code being tagged as suspect, and thus not allowed through high security gateways. Often resulting in web sites that were all blank or had huge section of blank space on them. These faults in Java should be no worry at all for high security places as they don't allow Java at all anyway.


What is your stance towards the urgency that companies should adopt towards security patches?

Editor's Picks