The way Sun Microsystems patched serious vulnerabilities in its Java Runtime Environment (JRE) put millions of users at risk, according to security firm eEye.
eEye pointed to a serious flaw in the JRE that the security specialist discovered in January. The flaw, a bug in the Java Network Launching Protocol (JNLP), was patched in late June; however, the fix has yet to be pushed out to the millions of Java users around the globe.
Sun spokeswoman Jacki Decoster told Network World that the delay is so that developers can make sure the update is bug-free. "There's an additional round of testing that happens before we blast it out to consumers," she told the publication.
Marc Maiffret, eEye's chief technologist, disagrees. Maiffret said the problem with such a staggered release schedule is that it gives criminals an opportunity to reverse engineer the fix into exploit code, which could then be used against the millions of users who have not yet received the patch.
Sun is not alone in staggering its security releases: Oracle is also known to habitually ship patches for known security issues up to weeks later on less popular platforms. Microsoft, by contrast, releases security patches for all versions of its products simultaneously.

This is not accurate. Java 6 was never even affected by this flaw. Therefore, consumers who had downloaded Java from java.com were never at risk.
And yes, that is according to the official Sun security advisory. It specifically says that Java 6 is NOT affected.
Basically, the eEye researcher got it completely wrong, and started a panic over a problem that didn't exist.
I'm disappointed in ZDNet and had hoped that they would have taken a little more care in researching what they report.
The following is a link to the official Sun security advisory on the issue the eEye researcher is referring to. Please note that the security advisory says Java 6 is NOT affected.
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102957-1
So no, the version of Java that was on java.com was not affected by this flaw, and did not put anyone at risk.
Please, ZDNet, try to research your sensationalist stories a little more next time before you run around claiming the sky is falling.