Still on Java, Updates and Security

For unclear reasons, the Java saga is continuing, and there has been more news about updates, patching and security in the last few days. Here are a few items I picked up that may be of interest:

  • VMware promises better security and is considering scheduled updates (see VMware blog)
  • Apple updates its own Java version (see here) to the latest version released by Oracle, but too late, since in the meantime the vulnerability has been widely exploited, with victims including Apple's own developers, Facebook, Twitter, etc. (see for example here and here)
  • At the same time it seems that until February 20th nobody (Apple, Facebook, etc.) informed iPhoneDevSDK that its site had been compromised and was distributing the malware responsible for the attack mentioned above (see here for more details).

This last item leaves me quite puzzled: one of the golden rules of managing a security incident is to notify all the people and organizations involved, so why was iPhoneDevSDK not notified of what was going on?

More on Java, Updates and Security

Oracle has announced (see here for the official page) that on February 19th a new Java Critical Patch Update will be released which will fix the February 1st patch. But what worries me most is that the next updates are scheduled for

  • 18 June 2013
  • 15 October 2013
  • 14 January 2014.

In my opinion this indicates that Oracle has not yet managed to get its software development and patching cycle right; otherwise it would have been possible to release scheduled monthly updates. We know that this is not easy to do, but Oracle’s competitors have managed it, so what is going wrong with Oracle’s software development practices?

What’s happening with Java?

The Java situation, as far as security is concerned, and in particular the security of the Java Runtime Environment and of the web plugins, is not clear at all.

Oracle gives very little information about what is going on, but at the same time it has made public a meeting among its top JRE managers, from which it is not clear what to conclude. Some have commented that this public relations move has backfired.

Some technical experts claim that it will take at least 2 years to clean up the Java code, not counting the new vulnerabilities that will be discovered in the meantime.

Apple released an update to XProtect which blocks Java plugins up to a version that Oracle had not yet released at the time. In practice this prevented users from using Java plugins at all until Oracle released the new version. (By the way, it is not difficult to modify the XProtect XML configuration file to relax this condition, if you have root access to the OS.) In this case too, neither Apple nor Oracle gave clear information.
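From an administrator's point of view the more useful question is the opposite one: given the minimum plug-in version that XProtect enforces, is the Java plug-in installed on a given machine currently blocked? The check below is an added example, not code from the post or from Apple. It parses a constructed sample in the layout of XProtect's metadata plist (the key names `PlugInBlacklist` and `MinimumPlugInBundleVersion` are assumed from that file; the version values are made up) and compares versions numerically, because a plain string comparison gets `1.7.13.11` versus `1.7.9.5` wrong (`"1"` sorts before `"9"`).

```python
import plistlib

# Constructed sample in the layout of Apple's XProtect.meta.plist. The key names
# are assumed from that file; the version numbers are made up for this example.
SAMPLE_XPROTECT_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Version</key><integer>2013</integer>
  <key>PlugInBlacklist</key>
  <dict>
    <key>10</key>
    <dict>
      <key>com.oracle.java.JavaAppletPlugin</key>
      <dict>
        <key>MinimumPlugInBundleVersion</key>
        <string>1.7.13.11</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def version_tuple(version):
    """'1.7.13.11' -> (1, 7, 13, 11); a non-numeric component counts as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def compare_versions(a, b):
    """Numeric dotted-version comparison: -1 if a < b, 0 if equal, 1 if a > b.
    Shorter tuples are padded with zeros so '1.7' equals '1.7.0.0'."""
    ta, tb = version_tuple(a), version_tuple(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def minimum_plugin_version(plist_bytes, bundle_id):
    """Return the MinimumPlugInBundleVersion XProtect enforces for bundle_id,
    or None if the plug-in is not listed in the blocklist."""
    meta = plistlib.loads(plist_bytes)
    for _os_major, plugins in meta.get("PlugInBlacklist", {}).items():
        entry = plugins.get(bundle_id)
        if entry and "MinimumPlugInBundleVersion" in entry:
            return entry["MinimumPlugInBundleVersion"]
    return None


def is_blocked(installed_version, plist_bytes,
               bundle_id="com.oracle.java.JavaAppletPlugin"):
    """True when the installed plug-in is older than the enforced minimum."""
    minimum = minimum_plugin_version(plist_bytes, bundle_id)
    if minimum is None:
        return False
    return compare_versions(installed_version, minimum) < 0


if __name__ == "__main__":
    for installed in ("1.7.13.9", "1.7.13.11", "1.7.14.0"):
        state = "blocked" if is_blocked(installed, SAMPLE_XPROTECT_META) else "allowed"
        print(f"Java plug-in {installed}: {state}")
```

On a real machine you would feed the function the bytes of the installed XProtect metadata plist instead of the constructed sample, and the bundle version string read from the Java plug-in's Info.plist; the comparison logic is the same.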

So we as users seem to be wandering in the dark and hoping for the best.

UPDATE: Oracle has released a new Java version in a hurry; see e.g. here for more info.