Saturday, January 12, 2013

Are some things best left outside the stack? (Oracle's off-site response to Java vulnerabilities)

In the past, I've talked about Oracle's long-standing strategy (and this is truly a strategy, not a tactic) to provide the entire "stack" of services for its enterprise users, ranging from hardware to vertical applications to everything in between. With such a strategy, one would think that Oracle would do the same internally. It's interesting to note that in at least one recent instance, Oracle chose non-Oracle avenues to release critical Oracle information.

Much digital ink has been spilled over security vulnerabilities in Java, which received renewed focus when the U.S. Department of Homeland Security began discussing them.


Disable Java in web browsers

This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available.
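The US-CERT guidance quoted above tells users to disable Java in the browser but gives no way to verify that the mitigation actually took hold on a machine. The following script is an added example, not part of the original post or of the US-CERT alert. It assumes the setting that Java 7 Update 10 and later write when the "Enable Java content in the browser" box is unticked, the key `deployment.webjava.enabled` in the per-user `deployment.properties` file (the file locations in `default_properties_path` are typical defaults and are an assumption about a standard install), and it runs against constructed sample files so it works offline. The parser is a minimal reader for the Java `.properties` format; it also flags the `.locked` suffix that marks a setting an administrator has pinned.

```python
"""Verify the 'disable Java in web browsers' mitigation from deployment.properties.

Assumption: Java 7u10+ stores the Control Panel checkbox as
deployment.webjava.enabled=false in the user's deployment.properties.
A key suffixed '.locked' means an administrator has locked that setting.
"""
import os
import re
import sys
from pathlib import Path
from typing import Dict, Optional

WEBJAVA_KEY = "deployment.webjava.enabled"

# Constructed sample files (not taken from any real system).
SAMPLE_DISABLED = """\
#deployment.properties
#Sat Jan 12 10:00:00 PST 2013
deployment.version=7.21
deployment.webjava.enabled=false
deployment.security.level=HIGH
"""

SAMPLE_ENABLED_LOCKED = """\
deployment.version=7.21
deployment.webjava.enabled = true
deployment.webjava.enabled.locked
"""

SAMPLE_MISSING = """\
# fresh install: the web-plugin key has never been written, so the default applies
deployment.version=7.21
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal parser for the Java .properties format.

    Handles '#'/'!' comment lines, '=' ':' or whitespace as key/value
    separator, backslash line continuation and bare keys (value '').
    Unicode escapes are not expanded; the boolean settings checked here
    never contain them.
    """
    logical_lines = []
    buf = ""
    for raw in text.splitlines():
        buf += raw.lstrip()  # leading whitespace on continuation lines is dropped
        if buf.endswith("\\") and not buf.endswith("\\\\"):
            buf = buf[:-1]  # trailing backslash joins the next physical line
            continue
        logical_lines.append(buf)
        buf = ""
    if buf:
        logical_lines.append(buf)

    props: Dict[str, str] = {}
    for line in logical_lines:
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^((?:\\.|[^\s=:])+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def webjava_status(props: Dict[str, str]) -> dict:
    """Classify the browser-plugin setting.

    enabled: False (mitigation applied), True (plugin on), or None when the
    key is absent, which means the default (enabled) applies.
    """
    value: Optional[str] = props.get(WEBJAVA_KEY)
    locked = (WEBJAVA_KEY + ".locked") in props
    if value is None:
        enabled = None
        finding = "key absent: web Java defaults to ENABLED, mitigation not applied"
    elif value.lower() == "false":
        enabled = False
        finding = "web Java disabled" + (" (locked by admin)" if locked else "")
    else:
        enabled = True
        finding = "web Java ENABLED" + (" and locked by admin" if locked else "")
    return {"enabled": enabled, "locked": locked, "finding": finding}


def check_properties_text(text: str) -> dict:
    return webjava_status(parse_properties(text))


def default_properties_path() -> Path:
    """Typical per-user location of deployment.properties (assumed standard install)."""
    if sys.platform.startswith("win"):
        return Path(os.environ.get("USERPROFILE", "")) / "AppData" / "LocalLow" / \
            "Sun" / "Java" / "Deployment" / "deployment.properties"
    if sys.platform == "darwin":
        return Path.home() / "Library" / "Application Support" / "Oracle" / \
            "Java" / "Deployment" / "deployment.properties"
    return Path.home() / ".java" / "deployment" / "deployment.properties"


def check_file(path: Path) -> dict:
    """Missing file means no user override, so the default (enabled) applies."""
    if not path.is_file():
        return {"enabled": None, "locked": False,
                "finding": f"{path}: not found, web Java defaults to ENABLED"}
    return check_properties_text(path.read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    for name, sample in (("disabled", SAMPLE_DISABLED),
                         ("enabled_locked", SAMPLE_ENABLED_LOCKED),
                         ("missing", SAMPLE_MISSING)):
        print(f"{name:15} -> {check_properties_text(sample)['finding']}")
    print(f"{'this host':15} -> {check_file(default_properties_path())['finding']}")
```

Only a `false` value counts as the mitigation being applied; an absent key is reported as enabled because that is the Java default, which is the case a quick visual check of the file tends to miss.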

Obviously, when a national government agency tells people to quit using your product, it's not a good thing.

Oracle acquired the rights to Java as part of the Sun acquisition, so many in the industry were wondering when or how Oracle would respond. Would the response come on Oracle's Java page? If it's there, it's deeply buried; I couldn't find it.

I did, however, find a response from Oracle on Twitter.

Oracle aware of flaw in #Java SW integrated w/ web browsers. Flaw limited to JDK7. Fix available shortly. Read more:

As you can probably guess from the "fb" in the URL, the "read more" link does not go back to Oracle's own website. Instead, it goes to an item on Oracle's Facebook page.

Oracle is aware of a flaw in Java software integrated with web browsers. The flaw is limited to JDK7. It does not exist in other releases of Java, and does not affect Java applications directly installed and running on servers, desktops, laptops, and other devices. A fix will be available shortly

It's odd to think that an important Oracle announcement was made not on Oracle's own website, but on Twitter and Facebook. There are two possible explanations for this.

One explanation is that you don't want to put negative news on your own website. Perhaps this is anecdotal, but in many cases when a company has negative news to report, the news is not placed in the "press" section of its own website, but is instead released directly to various publications. Thus, the negative mention of a flaw in Java is shuttled off of Oracle's own website and is instead placed in other locations.

The second explanation - the one that doesn't make Oracle look as bad - is that people often don't pay attention to company websites any more. Perhaps it's my Reed education, but if I want to find out about CAIR, I go to CAIR's website, and if I want to find out about Oracle, I go to Oracle's website. But many people, including some companies, have a dramatically different view. Some companies almost beg you to go to other websites - "See our Facebook page for more details!" Facebook and Twitter and Pinterest are supposedly where the action is, so people flock there rather than going to the boring web address.

Either way, the message that is being sent is that if you want to find out important information about Oracle, don't go to Oracle's own website. Go to a third party...