Though the latest “zero-day” Java's vulnerability was patched quickly, the damage has already been done, as several crimeware kits managed to use the situation. Moreover, researchers found out that the patch itself also left quite a lot to be desired. Even after debugging the patch, the U.S. Computer Emergency Readiness System encouraged users to disable Java in their browsers, reminding of “the number and severity of this and prior Java vulnerabilities”.
Founder and CEO of Security Explorations, Adam Gowdiak accused Oracle of sloppy work and claimed that their clumsiness at fixing security issues proved critically harmful to the interests of the Java users. Other companies are also fairly critical, saying that while Oracle should learn secure software development, they essential lack the will to be helpful to their customers.
Oracle was urged to adopt Microsoft-style security procedures. However, while Oracle has something called “Oracle Secure Coding Standards” and though it has published secure coding guidelines for third-party Java developers, it remains unknown whether the company has used its Standards on Java and, even if it has, it's clearly not working.
Java environment is so ubiquitous that this has become its biggest flaw. As it presents “ridiculous amount of functionality” (citing HD Moore, the chief security officer at Rapid7), many of the Java's problems are the results of its overreaching. But the company does not want to step back from many platforms, as their primary customer is the enterprise, so it seems that the situation is stuck in a deadlock.
