Less than a week after the announcement of a new zero-day vulnerability affecting Java 7 (see http://goo.gl/QZrxlp and http://goo.gl/nZZkE), Oracle has released a fix in the form of Java 7 Update 7: http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
Perhaps this is not too surprising, given that Polish security firm Security Expectations claims to have notified Oracle of the vulnerability (which is actually 2 vulnerabilities combined) earlier this year in April (see http://goo.gl/oVZCK). Now the details of who knew what, and when, are very interesting, but that is not what I wish to write about here.
I want to consider if this would have played out much different if Oracle had changed their stance that a quarterly update schedule is sufficient, to adopting a more Microsoftian monthly update schedule. Here are the approximate relevant dates:
- 2012-Apr-02: Security Expectations reports vulnerabilities to Oracle.
- 2012-Apr-17: Scheduled Oracle Update (Java 7 Update 5). See http://goo.gl/KzQHb for schedule details.
- 2012-Jul-17: Most recent scheduled Oracle Update (Java 7 Update 6).
- 2012-Aug-26: Reports emerge of exploits found in the wild of the latest zero day vulnerability CVE-2012-4681.
- 2012-Aug-30: Out of band security patch (Java 7 Update 7).
- 2012-Oct-16: Next scheduled Oracle Update
So, not one, but two scheduled updates went by without these particular vulnerabilities patched. However, by their own accounting, Oracle patched 175 vulnerabilities in these two releases. In such a widely exposed product as Java, which represents a very large number of lines of code, vulnerability reports must come in almost every day.
In fact, Oracle’s number gives about 1 vulnerability being fixed per day. In addition, Oracle, like Microsoft, is under pressure from the marketplace to keep innovating and adding features to their flagship products. Any experienced developer will tell you that new code inevitably brings new bugs, including security vulnerabilities.
Suppose Oracle were releasing monthly patches, and had the opportunity to push out another 30 or so fixes by, say, August 14 (the Tuesday closest to the 17th). Without knowing there were exploits brewing in the wild for this particular pair of vulnerabilities, they have to prioritize based on where they think the software is most vulnerable. There is a non-zero likelihood of being wrong in that assessment.
So, while I have been in agreement with much of the community that a monthly patch cycle would be an improvement for customer security, I can’t argue strongly that it would have helped in this case.