A java vulnerability

Posted Dec 7, 2004 12:23 UTC (Tue) by eru (subscriber, #2753)
Parent article: A java vulnerability

The end result is that most users will need to get the updated JRE from Sun directly.

Assuming they even can... In the past days I have tried to update the JRE package on a Windows 2000 box (yes,a bit offtopic for this forum, but illustrates an OS-independent risk, so bear with me). The default download click on Sun's site rushes me to a page where it congratulates me on having installed Java. Apparently it detects the JRE is installed and ignores my request to "update it, please", an installer bug. There is also a "manual installation" which always seems to hand like the server were too busy (everyone trying to update Java at the same time? Or then I have just been unlucky).

The risk I see here is that by keeping tight control on JDK distribution, Sun has made itself a bottleneck. They can handle normal traffic, but when a lot of users want to get an update within a short timeframe, things break down. Of course Microsoft has basically the same problem, and has had it for a long time, but apparently they have learned to handle it better.

Sun would do itself a big favour if it allowed all browser and OS distributors (even open source ones and including mirrors) to distribute the JRE and provide update services for it. The other alternative for Sun is to buy a lot more servers and bandwidth, which is more expensive...