Java Flaw Found, Flaw Fixed, Flaw Found in Fix
It's been a tough week and a half for Oracle and its Java crew.
Let's recap Java's last 10 or so days:
- August 27: Security firm FireEye releases info on a zero-day flaw that is being actively exploited to load malware onto targeted victims' systems. With no word from Oracle, experts say disabling the Java plugin is your best defense.
- August 30: Oracle releases an out-of-band fix in the form of Java Version 7 Update 7, which targets the zero-day flaw and two other vulnerabilities.
- September 1-3: Researchers warn that a phishing scam involving the zero-day exploit is sneaking onto systems, masked as an official Microsoft e-mail.
- September 4: News surfaces that a Polish security firm has already notified Oracle that its latest update contains another flaw.
Ouch, what a tough week for the Java scribes. Especially since some of it is out of Oracle's control. As someone with the byline for all of these stories, I've got a couple of observations.
First, let's look at the fake e-mail scam: Seeing as researchers saw these Microsoft posers start showing up after a patch was released, wouldn't it mean the attackers behind it are wasting their time? Nope.
According to a report that I discussed here in April, we really suck at updating our Java. Only 38 percent update to the latest version -- and it takes six months after a release to hit that percentage. So by that standard, I'm estimating only about seven of you upgraded your Java since the latest release. That means there are still a huge number of lazy, unpatched fools for these attackers to target.
Second observation: How does a software firm balance the act of releasing a much-needed fix in a timely manner with maintaining a level of quality assurance that catches issues before they shut the door?
Oracle could have just waited until its quarterly update release (expected sometime in the next month and a half or so) to make sure that the fix doesn't tear any new holes. But then users would be stuck with only one "solution": don't use Java.
So, I'm assuming that the head honchos at Oracle didn't want to leave customers high and dry, so out pops an undercooked patch. But if I were Oracle (and last time I checked, I am not) and I read that same report that I referenced above, it might be worth the extra time to make sure the update is 100 percent before shipping out. Whether it came out last week or next month, it doesn't matter. We won't be updating any time soon anyway...