Monday, September 3

Java Flops Again

If you have not been keeping up with the news this past week, I am referring to Oracle's latest flop with Java. On August 28, Oracle released Java version 7; shortly after the launch it was discovered that it had a security flaw that could be exploited on Windows, OS X, and Linux (Horowitz). According to CNet, following the news of this exploit and the potential for it to do harm, concerns arose regarding Oracle's release schedule for Java updates, which are usually released quarterly.

In this case a patch was available within days. On August 30, Horowitz posted on his website Java Tester that Oracle had released a patch for Java 7. He followed this post on September 1, stating that Java 7 is still dangerous. Issues with Java have been known for a while; some months after Oracle acquired Sun Systems in April 2012, they were being criticized for not addressing the security flaws in the program that had been brought to their attention (Heath, 2012).

I understand that software programs cannot be perfect, but Java has a long history of being vulnerable. I think it is irresponsible for companies to launch programs that are open to attacks. I am not saying companies do not bother to test their programs; what I am questioning is to what extent they check for areas of vulnerability. After some research I found the answer, and that is not much; this is not a new problem. In April 2003, following the "Slammer Worm" attack that occurred in January of the same year, PBS interviewed Amit Yoran on this very issue. At the time he was the Vice President of Managed Security Services Operations for Symantec Corporation. During the interview, Yoran was asked why vulnerabilities happen and whether there is such a thing as code review. Yoran responded as follows:

"The code review process and the entire software development process does not have an appropriate level of emphasis on security. The consumers and clients of most software companies are so demanding of new features and capabilities that those features take priority over better software development practices and techniques. So our demand for new features essentially fuels the fire of increased vulnerabilities in software."

Fast forward 9 years and we are still in the same boat. I guess companies that offer anti-virus programs call such errors job security, but if consumers knew that companies are placing their computers in harm's way by what seems to be design, the uproar would be such that software companies would start doing a better job before launching a new product or update.

References:

Cyber War! (2003, April 24). Retrieved September 2, 2012, from PBS.

Heath, D. (2012, September 2). Oracle's recent Java patch is broken. Retrieved September 2, 2012, from ITWire.

Horowitz, M. (n.d.). Java Tester. Retrieved September 1, 2012, from Java Tester.

Kessler, T. (2012, August 30). Oracle patches Java 7 vulnerability. Retrieved September 1, 2012, from CNet.
