"Much like Microsoft's "Patch Tuesday," Java's slow-but-steady patch schedule is designed to give enterprise customers time to properly test the fixes before deploying them."

Microsoft does not wait for Patch Tuesday when there is a zero day exploit. Or at least not always, as the article implies.

After the release of Java 7 and having to deal with those issues, I decided to never get another job that involved the JVM.

http://searchhub.org/dev/2011/07/28/dont-use-java-7-for-anyt...

I can handle breaking changes if they are community driven; I will not accept excuses for something that is maintained by a large corporation that has the resources and staff to prevent such issues. Oracle is rotting the fish from the head.


C'mon. The JVM's problems have such wide effects because so many people use it; probably more than all other non-native platforms combined. The JVM is still the most performant, best tested and most stable application platform out there. For real heavy duty applications, there is still no true alternative for the JVM. Certainly not a better one.


Pardon, but why isn't "no JVM" a "true alternative for the JVM"? The vast majority of the world's software still runs on raw hardware.


Because pointers are scary!


Um, not using a virtual machine doesn't mean using unmanaged code. Even Java can be compiled to native x86 machine code using GCJ.

Golang, for example, does not use a VM, but it is a managed language.


Good point. Do you happen to know of a list of managed native languages? All that really comes to mind is C# (the CLI really) and Go. Tried googling for a list of such languages but couldn't find any using terms "list of native managed languages" (without quotes).


When Oracle were originally informed about it in April it wasn't a zero day. They could have rolled out a fix on their next scheduled update and it would have been patched for everyone before it became public.


Hearing "Oracle ignored a critical security flaw" is so extremely ordinary that I almost just skipped this post. The only new thing is that they have found a new product for which they can neglect to provide security updates.

They have one of the worst records on this. (Is SGI still in business?)


> (Is SGI still in business?)

It's merged with Rackable (and called SGI), but I don't think they still support IRIX.


Old-SGI (Silicon Graphics, Inc.) went bankrupt. The assets were sold to Rackable, which then renamed itself "Silicon Graphics International", or new-SGI.

Despite sale of assets and similar names, they're separate companies.


Yes, SGI is still in business. I use two of their large storage clusters. One CXFS, the other DMF.


No, but it could have been without them knowing it. Just because an exploit hasn't been found and publicized by a security firm, doesn't mean black hats couldn't have found the bug and been using it without it being widely known.


So should we expect vendors to immediately fix all vulnerabilities and release the fixes immediately?

That creates a near-constant stream of updates which is difficult for users & sysadmins to manage, and is why Microsoft and others have a "Patch Tuesday".

(I know that Oracle didn't do that here, but that's what the GP post was talking about)


I don't think immediate fixes are reasonable, but expecting a <3mo rollout for critical vulnerabilities (such as this one) isn't unreasonable at all. If they plan to fix this in October, that's 6 months; regardless of a 0-day being out or not, that's pretty abysmal. Of course, Oracle is not the only company that does this, but that doesn't make it okay.


Why can't the sysadmin wait for a week and let the patches accumulate?


Usually (and hopefully) the exploit isn't public yet. But as soon as the patch is released the bad guys can figure out what the exploit is and start attacking unpatched machines.

If the sysadmins know when the patches are coming out then they can schedule downtime in advance and get things patched very soon after they're released.


Interesting, I was under the impression that most of the time the exploit was known before the patch release. But of course the patch gives away everything. Live an' learn.


Neither does Oracle apparently, when the heat is on: http://news.ycombinator.com/item?id=4456078