This story was printed from ZDNet Australia.
Sun Java patch schedule put millions at risk: eEye

By Paul Mah, TechRepublic
July 16, 2007
URL: http://www.zdnet.com.au/news/security/soa/Sun-Java-patch-schedule-put-millions-at-risk-eEye/0,130061744,339280038,00.htm
The way Sun Microsystems patched serious vulnerabilities in its Java Runtime Environment (JRE) put millions of users at risk, according to security firm eEye.

eEye pointed to a serious flaw in the JRE, which the security specialist discovered in January. The flaw, a bug in the Network Launching Protocol, was patched in late June; however, the fix has yet to be pushed out to the millions of Java users located around the globe.

Sun spokeswoman Jacki Decoster told Network World the delay is so that developers can make sure that the update is bug-free. "There's an additional round of testing that happens before we blast it out to consumers," she told the publication.

Marc Maiffret, eEye chief technologist, disagrees. Maiffret said the problem with such a staggered release schedule is that it gives criminals an opportunity to reverse engineer the bug into exploit code that has the potential to affect millions of as yet unpatched users.

Microsoft releases security patches for all versions of its products simultaneously, though Sun is not alone in staggering its product releases. Oracle is also known to habitually release patches for known security issues up to weeks later for less popular platforms.
Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.