Security vendor eEye Digital Security is accusing Sun of putting millions of Java users at risk by staggering the releases of security patches for the software.
As an illustration, eEye points to a recent flaw in the Java Runtime Environment (JRE), in which a serious bug in the Java Network Launching Protocol was discovered by eEye in January. This flaw has since been patched in late June. Unfortunately, however, this fix has yet to be pushed out to the millions of Java users located around the globe.
The reason according to Network World:
[is] …so that developers can make sure that the update itself is bug-free. “There’s an additional round of testing that happens before we blast it out to consumers,” said Sun Spokeswoman Jacki Decoster.
Marc Maiffret, chief technology officer with eEye disagrees, however, saying that the problem with such a staggered release schedule gives criminals an opportunity to reverse engineer the bug into exploit code that has the potential to affect millions of as yet unpatched users.
Microsoft releases security patches for all versions of its products simultaneously, though Sun is not alone in staggering its product releases. Oracle is also known to habitually release patches for known security issues up to weeks later for less-popular platforms.
To me, the reason for the staggering of any security updates is apparently — sheer economics. It would cost proportionately more to allocate the manpower to simultaneously fix a problem across a swath of versions and operating systems. It is also not hard to understand that Sun wants to be absolutely sure that the fix doesn’t inadvertently break other things in the process. See Symantec offers compensation for update fiasco.
What is your stance towards the urgency that companies should adopt towards security patches?