A flaw in Sun Microsystems' Java software has highlighted the difficulty the company faces as flocks of tech novices start to turn to it for support.
Sun disclosed a serious security flaw in its Java virtual machine (JVM) software last month. The vulnerability, which affects Sun's plug-in for running Java applets in a variety of Web browsers and operating systems, could allow malicious code to spread to PCs running either Microsoft Windows or Linux.
A flaw-free version of the JVM software is available on Sun's Web site, and the company is encouraging people to swap it out. But some users of the Firefox Web browser who attempted to download the new software received a version that contained the vulnerability, Sun representatives told CNET News.com.
On Tuesday, Sun was in the process of updating the download pages on Java.com and its download site to fix that problem, having previously said it would make the change on Dec. 13.
Sun said the mix-up in support arose because it had not had a chance to update the download features for Firefox. It also said that it first concentrated on developing a patch for the more pervasive browsers—Microsoft's Internet Explorer, Netscape and Mozilla.
Even people with those browsers might not have had an easy ride. Some said they have had difficulty working out from Sun's Web site how to get and use the patch. "Sun has a page that documents the bug, but then just sends someone off to a download of the latest release, with no clear guidance as to whether it is OK to just install that on top of whatever someone has on their system already," one user, who described himself as "fairly computer-savvy," wrote in an e-mail to News.com.
Plugging the Java leak
How to make sure the hole in Sun's Java browser plug-in can't be used against your system.
Does this affect my PC?
If you are running Windows or Linux and have Sun's Java plug-in installed, you may be vulnerable to this flaw.
How do I check whether the plug-in is on my PC?
Check the Control Panel in Windows. If Java is installed, a Java icon will be there, and opening it gives more information, including the version. Linux users will have to search their computer for the terms "j2re" and "plugin."
What are the risks?
A malicious Web site could install a program to take control of your PC without your knowledge. A link to the site could be disguised as a link to some other site and sent via e-mail or instant message.
What should I do?
Patch your computer by going to Sun's Java page. Click on the button in the top-left green box, which leads to a free Java download. The software will start downloading automatically onto Windows PCs.
Source: Sun Microsystems and CNET News.com.
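The sidebar's "How do I check" and "What should I do?" steps boil down to one question: is the Java runtime on the machine older than the fixed 1.4.2_06 release? The script below is an added example, not Sun's or CNET's code. It assumes, as the article states, that 1.4.2_06 is the first patched release, so any older Sun JRE (1.3.x, 1.4.1, 1.4.2 through 1.4.2_05) is treated as unpatched; the sample `java -version` outputs are constructed to match the format Sun's JRE printed at the time.

```python
# Added example (not Sun's or CNET's code): decide whether a Sun JRE / plug-in
# predates the patched 1.4.2_06 release named in the article.
# Assumption taken from the article: 1.4.2_06 is the first fixed release, so any
# older Sun JRE is treated as unpatched.
import re
import subprocess
from typing import Dict, Optional, Tuple

PATCHED_VERSION = (1, 4, 2, 6)  # major, minor, micro, update  ("1.4.2_06")

# First line of `java -version` as Sun's JRE printed it, e.g. java version "1.4.2_05"
_VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?')


def parse_java_version(version_output: str) -> Tuple[int, int, int, int]:
    """Turn `java -version` output into a comparable (major, minor, micro, update) tuple.

    Missing micro/update fields count as 0, so "1.4.2" sorts before "1.4.2_06".
    Plain string comparison gets this wrong ("1.4.2_06" < "1.4.2_5" lexically).
    """
    match = _VERSION_RE.search(version_output)
    if match is None:
        raise ValueError("no Sun-style java version string found")
    major, minor, micro, update = match.groups()
    return (int(major), int(minor), int(micro or 0), int(update or 0))


def is_unpatched(version_output: str) -> bool:
    """True if the reported JRE is older than the patched 1.4.2_06 release."""
    return parse_java_version(version_output) < PATCHED_VERSION


def installed_java_version_output() -> Optional[str]:
    """Run `java -version` for the JRE on PATH (it prints to stderr).

    Returns None when no java binary is found. The JRE on PATH is not
    necessarily the one the browser plug-in loads; see the note below.
    """
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return proc.stderr or proc.stdout


# Constructed sample outputs (not captured from real machines), in the format
# Sun's JRE used at the time.
SAMPLE_OUTPUTS = {
    "old 1.4.2": 'java version "1.4.2_05"\n'
                 'Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_05-b04)\n'
                 'Java HotSpot(TM) Client VM (build 1.4.2_05-b04, mixed mode)\n',
    "patched": 'java version "1.4.2_06"\n'
               'Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_06-b03)\n',
    "old 1.3": 'java version "1.3.1_12"\n',
    "no update field": 'java version "1.4.2"\n',
}


def classify_samples() -> Dict[str, bool]:
    """Map each constructed sample to whether it is treated as unpatched."""
    return {label: is_unpatched(out) for label, out in SAMPLE_OUTPUTS.items()}


if __name__ == "__main__":
    for label, unpatched in classify_samples().items():
        print(f"{label:16} -> {'UNPATCHED' if unpatched else 'ok'}")
    live = installed_java_version_output()
    if live is None:
        print("no java on PATH")
    else:
        try:
            print("JRE on PATH:", "UNPATCHED" if is_unpatched(live) else "ok")
        except ValueError:
            print("JRE on PATH reports a version string this check does not recognise")
```

The check looks only at the JRE on PATH. Sun's JRE releases install side by side, so a machine can have the new 1.4.2_06 on PATH while the browser plug-in is still registered to an older copy; this is exactly the "install on top of what I already have?" question the user quoted above raises. Confirm which runtime the browser actually loads (for example via about:plugins in Mozilla or Firefox) before treating the machine as fixed.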
The problems underscore an emerging issue for Sun. A growing number of Web users, many of them new to computers, are turning to the server specialist for its Java virtual machine (JVM) software. Web developers use the technology to create small programs, or applets, that can run on any operating system.
The impact of the influx will be heightened by a 2001 legal settlement between Sun and Microsoft. As a result of the settlement, Microsoft stopped shipping its own Java plug-in in all its new products last year, and it plans to end support for it by Dec. 31, 2007.
A Sun representative said the Santa Clara, Calif.-based company recognizes that more people will be relying on it for Java updates and that it is planning a revamp of its Web site. "What started as a utilitarian site for Sun Java users has turned into a consumer site today. We are continuing to invest in it," said Craig Miller, Java.com program director at Sun.
To date, an estimated 40 percent of people with the Java plug-in have replaced their flawed version with the patched 1.4.2_06 release, which has racked up 2.2 million downloads since its Oct. 11 release.
People can get the download at the Java.com site or at Sun's download site. Searches on Yahoo, Google and other sites for the plug-in are redirected to Sun's sites.
The comfort factor
Industry analysts note that Sun is more comfortable dealing with the big companies and technology-savvy customers that typically buy its servers and software.
"Sun has been an infrastructure company for the most part...so I would say that they still have a lot to do to improve the whole user experience," said Roger Kay, an IDC analyst. "The good news is that Sun has some time before Microsoft has pulled out of the picture entirely."
However, Microsoft is no longer involved in new Java plug-ins. Sun now supplies more than 60 percent of PC makers with the most recent version of Java, Miller said.
In addition, Java.com receives a large amount of traffic from Microsoft, which is in the top 10 list of sites that redirect inquiries for a Java plug-in to Sun, Miller said.
Sun plans to launch a Java.com revamp by the middle of next quarter. And, in the meantime, the company plans to tweak its auto-update feature when it releases a new update feature for Firefox users, said Laura Ramsey, a Sun representative.
But the auto-update feature will not download the latest version of the Java software without some input from the user, Miller said. Sun's updater only checks for new releases at a scheduled time; people who are not logged on to their computer at that moment typically have to fetch the update themselves.
"Sun is adamant about its sensitivity to users' privacy and security. We would rather have users opt in than opt out," Miller said. "So we're loath to have an automatic download, unless a user requests it. It has always been our strategy to err on the side of caution."
Sun noted that while Firefox is gaining in popularity, the browser still represents a small percentage of the total number of machines that use Java plug-ins.
Analysts say consumers appreciate it when some of the thinking is done for them. That's a switch that Sun may need to make.
"Companies—I don't care what area they are in, if they are catering to consumers, they need to reduce the number of choices a consumer has to make," analyst Kay said.
"The issue is the culture of the company," Kay added, noting that it's a leap for Sun to move from dealing with code-aware customers to less knowledgeable consumers. "They have their work cut out for them."