Isn’t it time Oracle gave us monthly security updates for Java?

Graham Cluley

In some ways, it could be argued that Java is an incredible success.

I’m serious. Stop laughing at the back.

You see, according to Oracle, Java’s developer, the product is used on over 3 billion different devices worldwide. That *is* impressive.

But, for those of us concerned with securing systems and keeping computer data safe, it’s been a nightmare.

In the last couple of years there has been a massive increase in attacks exploiting security holes in Java compared to other “old favourites” such as Adobe’s PDF Reader and Flash. The reality is that Java is probably the most targeted development platform for exploit attacks.

Some reports have even suggested that an astonishing half of all exploits target Java.

Part of the attraction, of course, is that Java is multi-platform. If you can exploit the platform you have an opportunity to infect Windows, Mac OS X, Linux and smartphone platforms. Is it any wonder that Java vulnerabilities get integrated so quickly into malicious web exploit kits?

But the other reason why Java gets attacked so often is that it is viewed as a soft target by malicious hackers – a veritable Swiss cheese of security holes.

And yet, Oracle takes a very different approach to securing Java when compared to the likes of Adobe and Microsoft.

Microsoft and Adobe have adopted a rigorous monthly schedule (dubbed “Patch Tuesday”), which sees security updates rolled out on the second Tuesday of every month. If critical fixes for Adobe or Microsoft products are required out-of-band, the two companies are not afraid of pushing those out between the monthly updates, after (we trust) appropriate testing.

There’s a whole different story for Java, however.

Oracle, in its wisdom, has adopted a quarterly critical patch update schedule for Java which syncs in – every three months – with the “Patch Tuesday” mega-patch day from Microsoft and Adobe.

The window of opportunity for hackers who wish to exploit Java vulnerabilities is clearly wider than the one open to those who wish to take advantage of security holes in Adobe Reader, Flash or Microsoft products.

To give you a feeling for the scale of the problem, last October Oracle patched 51 security vulnerabilities in the Swiss cheese that is Java. In the next update, January 2014, the figure was a still staggering 36.

It’s hard to believe, but the quarterly rate of patch release is actually an improvement on Oracle’s part.

Until last October, Oracle only published security patches for Java every *four* months, so moving to a quarterly release is a step in the right direction – albeit not far enough.

Adobe and Microsoft have clearly shown that a monthly schedule for security updates is possible, and IT administrators responsible for securing company systems are used to the monthly routine of prepping and distributing patches to the computers in their care.

So, why can’t Oracle – whose Java product is attacked and targeted more often than the likes of Adobe Flash and Reader – do the same?

It’s time for Oracle to adopt a monthly “Patch Tuesday” schedule for Java security fixes. Anything less is putting internet users at too much risk.

Do you agree? Would you like to see Oracle adopt a monthly “Patch Tuesday” schedule for Java? Leave a comment below and let us know your thoughts.

This article originally appeared on the Lumension blog.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.