One security expert is blaming Oracle's inactivity for Java's problems. Adam Gowdiak, a security researcher, complained that the company has been doing nothing to ship fixes for several important software vulnerabilities. One of the flaws, dubbed Issue 50, is not scheduled to be fixed until next February.
Gowdiak argued that the vendor was making the wrong call by rigidly sticking to a quarterly patch release cycle, a schedule he found hard to justify. In a post to Full Disclosure he reported Oracle's response: its Critical Patch Updates normally go through extensive integration testing with a number of other products, such as WebLogic Server, JRockit and E-Business Suite, and that testing takes time. According to Oracle, rushing out a fix for the bug in question (Issue 50) would delay almost 140 other fixes for applications that integrate Java SE.
Nevertheless, Gowdiak set out to show that the fix would not take four months. He ran a small bug-fix experiment to see how hard it would be to fix Issue 50 and how long it would take him. It turned out that he needed only 30 minutes to write a fix for the vulnerability. The change touched just 25 characters of code and, apparently, would not even require integration testing with other Oracle software, because the logic of the code was left untouched and only a minor change was made to the code itself.
Gowdiak hopes that his quick experiment will challenge Oracle and prompt a review of the company's position, in particular its claim that the fix needs four months to implement.