Sun denies Java patch release put billions at risk

Sun has denied its staggered patching schedule for a recent Java flaw put billions of devices at risk.
Written by Liam Tung, Contributing Writer

The Java Network Launching Protocol flaw -- which potentially affected three billion devices -- allowed hackers to install unauthorised software on Java-enabled PCs if users visited a malicious Web site.

US security firm eEye blasted Sun's decision to make the patch available on its Java developer site in June, but not push the patch out to the millions of customers who had not visited the site.

eEye criticised the approach for giving criminals the opportunity to reverse-engineer the bug into exploit code, which could then be deployed against unpatched users.

Local Sun business software manager Laurie Wong told ZDNet Australia: "I haven't seen anything on the Web that the weakness has caused anything in anyone's system ... It's just unfounded speculation that it gave criminals a chance to take advantage of the bug."

Sun didn't push the patch out to all its three billion users with Java-enabled devices because at the time it had not tested the patch properly, according to Wong. Sun was waiting for feedback from developers.

He said: "History has proved that we made the right judgment call."

Paul Ducklin, Sophos' Australian head of technology, supported Wong's rationale.

"The advantage of doing staggered patching is it gives you a chance to remediate or improve [the patch] if it turns out in the real world it didn't work."

"The problem with patches is if you stagger a release and it all goes well -- just like vaccinations -- people who receive the patch last want to be at the front of the queue. On the other hand, if you injected eight people and six get sick from the vaccine itself ... Well, it's one of those games that as an operating system vendor you can never really win," Ducklin said.

John Cheney, CEO of BlackSpider Technologies and executive vice president of SurfControl, however, distinguished between security and operational patches.

"If it's a security-centric patch it's very important to make it available to everyone as quickly as possible. If it's just an operational update we'll make it available but won't publicise it," he said.

However, security consultant James Turner of IBRS Research claims that releasing patches in this fashion puts consumers who operate under contractual obligations, such as New Zealand's recently amended banking code of conduct, in another quandary.

Turner said: "It is scenarios like this that will lead to the New Zealand Bankers Association having a head-on collision with the bank customers; because the New Zealand banks have changed their code of conduct to place the onus of responsibility firmly on the shoulders of the home user. So how is the security industry helping the home users when left-field stuff like this Java issue hits the Internet?"

"The AV vendors will be working on signatures to help deal with any exploits, but the bottom line is that end users really shouldn't have to be security professionals. We shouldn't expect home users to be auditing their home computers for every application, checking the latest data on known vulnerabilities for each application, and taking the appropriate remedial action," Turner added.