Still on Java, Updates and Security

For unclear reasons, the Java saga continues, and there has been more news about updates, patching and security in the last few days. Just a few items I picked up that may be of interest:

  • VMware promises better security and is considering scheduled updates (see VMware blog)
  • Apple updates its own Java version (see here) to the latest version released by Oracle, but too late: in the meantime the vulnerability has been widely exploited, with victims including Apple's own developers, Facebook, Twitter etc. (see for example here and here)
  • At the same time, it seems that until February 20th nobody (Apple, Facebook etc.) informed iPhoneDevSDK that its site had been compromised and was distributing the malware responsible for the attack mentioned above (see here for more details).

This last item leaves me quite puzzled: one of the golden rules in managing a security incident is to notify all the people and organizations involved, so why was iPhoneDevSDK not notified of what was going on?