An insecurity expert has blamed Oracle’s inactivity for Java’s problems.
Adam Gowdiak was furious that Oracle had been slow to issue fixes for some important flaws. One, dubbed Issue 50, is not down to be fixed until next February.
Gowdiak said that Oracle was stupidly sticking to a quarterly patch release cycle, which he could not understand.
He wrote in Full Disclosure that Oracle’s response was that its Critical Patch Updates have to go through extensive integration testing with other products such as JRockit, Weblogic Server and E-Business Suite.
If it fixed Issue 50 now, it would delay 139 fixes for applications integrating Java SE. However, Gowdiak said it did not take four months to fix Issue 50; in fact it took him half an hour to write the code that would do it.
He conducted a small vulnerability fix experiment to see how hard it is to fix Issue 50 and what it took.
Apparently only 25 characters of code needed to be changed. The fix does not appear to require any integration testing with other Oracle application software, because the code logic is unchanged and only minor edits are applied to the code.
“We hope our quick experiment sufficiently challenges the company and that it leads to the verification of Oracle’s stance, especially the one relying on a need for four additional months to implement,” he wrote.