Oracle Corp. (ORCL) issued an emergency fix today for vulnerabilities in its Java software about four months after it was warned about the bugs.
The delay in providing a fix allowed more than 100,000 computers to get hacked, FireEye Inc. estimated, Bloomberg.com reported on its Tech Blog.
“Oracle is one of the big vendors that really takes a long time to react,” Rodrigo Rubira Branco, director of vulnerability and malware research for Qualys Inc. (QLYS), said in an interview yesterday.
Oracle’s legacy of working mostly inside large corporations, and on databases that often are offline and more protected from the Internet’s myriad threats, is colliding with Java’s widespread presence on the Web, Branco said.
“I’m hoping that what’s happening with Java now will force them to finally change,” Branco said.
Deborah Hellinger, a spokeswoman for Oracle, declined to comment.
Oracle is the latest technology company to draw criticism for delays in repairing known security weaknesses in its products. When more than 600,000 Macs were compromised in April, Apple Inc. (AAPL) was criticized for knowing about the underlying bugs but taking two months to issue a fix. The gap allowed the first mass attacks on Apple products to spread. Those issues were also in Java, the ubiquitous software that’s managed by Oracle and is installed on billions of computers and mobile phones worldwide.
Oracle’s emergency “patch” may slow the threat but not stop it entirely. Users’ general inconsistency in updating their machines is a common reason why new attacks often exploit older bugs.
Only the latest version of Java -- Java 7 -- was affected in the latest attacks, according to Adam Gowdiak, chief executive officer of Security Explorations. While only Windows machines were being attacked, the other big operating systems -- Solaris, Linux, even Apple’s Mac OS -- were also vulnerable if users have Java 7 installed, he wrote in an e-mail.
Security Explorations had warned Oracle about the Java vulnerability. The emergency patch is a “good sign for the future” that Oracle is open to faster releases of security fixes, Gowdiak said.
-- Editors: Marcus Chan, Reed Stevenson
To contact the editor responsible for this story: Tom Giles at firstname.lastname@example.org