Oracle issued an emergency fix today for vulnerabilities in its Java software about four months after Security Explorations, a security firm, warned the company about the bugs.
In the interval before a fix shipped, more than 100,000 computers were compromised, security firm FireEye estimated. So why did it take this long to provide a patch?
“Oracle is one of the big vendors that really takes a long time to react,” said Rodrigo Rubira Branco, director of vulnerability and malware research for Qualys, in an interview.
Its legacy of working mostly inside large corporations, and on databases that often are offline and more protected from the Internet’s myriad threats, is colliding with the reality of Java and its widespread presence on the Web, he said.
“I’m hoping that what’s happening with Java now will force them to finally change,” Branco said.
Deborah Hellinger, a spokeswoman for Oracle, declined to comment.
After the flaws in Java became public this week, more than 100,000 computers were compromised, according to FireEye. Before the fix became available, the security firm expected that number to reach a million within weeks.
Oracle is the latest technology company to draw criticism for delays in repairing known security weaknesses in its products.
When more than 600,000 Macs were compromised in April, Apple took heat for knowing about the underlying bugs but taking two months to issue a fix. The gap allowed the first mass attacks on Apple products to spread. Those issues were also in Java, the ubiquitous software that’s managed by Oracle and is installed on billions of computers and mobile phones worldwide.
Oracle’s emergency patch will likely slow the threat but not stop it entirely: users are inconsistent about updating their machines, which is a common reason why new attacks often exploit older, already-patched bugs.
Only the latest version of Java — Java 7 — was affected in the latest attacks, according to Adam Gowdiak, chief executive officer of Security Explorations. While only Windows machines were being attacked, the other big operating systems — Solaris, Linux, even Apple’s Mac OS — were also vulnerable if users had Java 7 installed, he wrote in an e-mail.
Security Explorations had earlier said that Oracle was going to wait until its regularly scheduled software update in October to provide a fix. The emergency patch is a “good sign for the future” that Oracle is open to faster releases of security fixes for urgent problems, Gowdiak said.