Sun security team receives criticism for poor handling of Java security update
Filed in archive Security on July 10, 2007
Sun is drawing criticism from security researchers for its slow response. In the next few days Sun plans to issue an update that plugs a serious security hole in the latest version of the Java Runtime Environment, more than a week after it offered a fix for the same vulnerability in an earlier version of the program. The episode has led security researchers to question the effectiveness and attitude of Sun's security team.
Marc Maiffret, Chief Hacking Officer at eEye Digital Security, stated in an advisory warning:
Sun is one of the few companies that is still unable to coordinate the simultaneous release of security patches. This organizational failure puts customers at undue risk. Hopefully in the future Sun will be able to bring their security and development process out of the dark ages. The flaw, which affects Windows-based machines, is a stack buffer overflow in WebStart, a utility that manages downloaded Java applications. The vulnerability can be exploited simply by luring a victim to a booby-trapped web site, allowing an attacker to silently execute code that will hijack the machine.
It is the eleven-day gap that has put Sun's security team under scrutiny. Hackers are adept at reverse engineering a patch to learn how the vulnerability being fixed behaved, and they can use that knowledge to design exploits. The vulnerability should have been fixed on all platforms at the same time, and this mistake may give hackers another opening to cause trouble.

