The biggest flaw you never saw
First of all, the JVM vulnerability wasn't limited to Microsoft's JVM; it affected all JVMs, across many operating systems and distributions. The risk was therefore a lot greater than the reports indicated. Second, by the time you heard about the problem, it was already fixed: Microsoft, Sun, and every other vendor distributing JVM code had already received the patches, integrated them, and made them available to their users.
This is the way vulnerability reporting is supposed to work according to the Organization for Internet Security (OIS), but usually doesn't. Though the OIS wasn't involved in the JVM flaw matter, vendors handled the fix in the group's prescribed manner.
A spokesman at Sun says there's no evidence that anyone was affected by this JVM vulnerability. So there's no longer any reason to worry, right?
Well, not exactly. First, you have to actually update every system that has a JVM installed. This isn't an update that applies only to Windows or to any other single operating system (Solaris, Linux, and so on); it applies to every affected JVM version on every platform. If you have a fairly large installation, you'll need an update plan that handles the most exposed computers first. Then you have to make sure your staff actually gets it done.
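One way to build that plan, as an added example that is not part of the original column and not any vendor's tool: take a JVM inventory (here a constructed sample, as a configuration-management or login script would collect from `java -version`), flag every host still below the patched release, and order the work so that internet-facing machines are fixed before internal ones. The patched version number, the host names, and the exposure labels are all assumptions for illustration; the article names none of them.

```python
import re
from typing import Dict, List, Tuple

# Assumed minimum patched JVM version. The article does not name one;
# substitute the release your vendor's advisory specifies.
FIXED_VERSION = "1.4.2_05"

# Matches classic "1.4.2_05" strings as well as "1.3.1" (no update) and
# modern "11.0.2"-style strings, wherever they appear in `java -version` output.
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?")


def parse_java_version(text: str) -> Tuple[int, int, int, int]:
    """Extract (major, minor, micro, update) as integers so versions compare
    numerically: 1.4.2_10 must rank above 1.4.2_9, which string comparison gets wrong."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognized Java version string: {text!r}")
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro or 0), int(update or 0))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed JVM is older than the first fixed release."""
    return parse_java_version(installed) < parse_java_version(fixed)


# Lower rank = patch sooner. Labels are hypothetical; use your own asset data.
EXPOSURE_RANK = {"internet": 0, "dmz": 1, "internal": 2}

# Constructed sample inventory (hypothetical hosts), one record per machine.
INVENTORY: List[Dict[str, str]] = [
    {"host": "web-01", "os": "Solaris", "java": 'java version "1.4.2_03"', "exposure": "internet"},
    {"host": "db-02",  "os": "Linux",   "java": 'java version "1.4.2_05"', "exposure": "internal"},
    {"host": "ws-17",  "os": "Windows", "java": 'java version "1.3.1_09"', "exposure": "internal"},
    {"host": "app-04", "os": "Linux",   "java": 'java version "1.4.1_02"', "exposure": "dmz"},
    {"host": "ws-22",  "os": "Windows", "java": 'java version "1.4.2_05"', "exposure": "internal"},
]


def update_plan(inventory: List[Dict[str, str]], fixed: str = FIXED_VERSION) -> List[str]:
    """Return host names still needing the patch, most exposed first;
    within the same exposure tier, the oldest JVM goes first."""
    pending = [h for h in inventory if is_vulnerable(h["java"], fixed)]
    pending.sort(key=lambda h: (EXPOSURE_RANK.get(h["exposure"], 99),
                                parse_java_version(h["java"])))
    return [h["host"] for h in pending]


if __name__ == "__main__":
    for position, host in enumerate(update_plan(INVENTORY), start=1):
        print(f"{position}. {host}")
```

Feeding the script a real inventory is the easy part; the step the column warns about is the follow-up, so rerun it after the rollout and treat any host still listed as unfinished work rather than assuming the patch landed.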
Second, even though vendors seem to be patching vulnerabilities more efficiently, you can't afford to let your guard down. Some future vulnerabilities may well be exploited before they're fixed.
The good news, however, is that a group of software companies worked together to release patches before there was too much publicity--and serious security breaches.
Tell me what you think about how vendors handled the JVM flaw. E-mail us or talk back below.