
Sun's new synchronized security updates policy

Posted by opinali on October 5, 2007 at 10:02 AM PDT

More details are in this article: Sun Advances Security for the Java SE Platform. The news was echoed by some sites, but not always correctly. For example, Computerworld makes no mention of the advances described in Sun's article, and gets a critical fact wrong by stating that "Neither JRE nor Web Start includes an automatic update mechanism; users must manually download and apply the updated versions"... duh!!

My $0.02 here: Sun is realizing that Java SE is a major application platform, so it deserves the same treatment as other platforms. For example, on every "Patch Tuesday", Windows Update pushes the latest security fixes for all supported versions of Windows (including all localizations) at once, and I think most other OS vendors do the same. Patching each version on a different schedule is dangerous because the first patch release hands attackers substantial new information about the fixed bug. For open-source platforms like Java SE this is even more critical: if you patch version 6 today and the other versions only two weeks later, the bad guys have two weeks to diff the v6 changes, identify the exact code that was broken (which makes devising an attack a piece of cake), and "port" that attack to the still-unpatched versions.

Now the new security policy is much better; kudos to Sun! And the timing couldn't be better, right on the heels of the upcoming Java Kernel / Update N / whatever release. Strong security management is much more critical in that consumer-desktop space: most back-end JREs, the ones serving Java EE apps, are professionally maintained and sit behind firewalls, so the risk from any given security defect is lower there than for home users, or even intranet users running Java Web Start (JAWS) rich clients.