
Sandbox schmandbox. Java springs a critical security leak.

Written by David Berlind, Inactive

If I ever get asked what it is that I'll most remember 2005 for, perhaps it will be the fact that two of the most widely-promoted-as-impregnable technologies weren't so impregnable after all. The first of these is Oracle's database technology which the company's CEO Larry Ellison has routinely hawked as being unbreakable. More recently, as my fellow blogger George Ou reports, "unbreakable" has given way to "never breaks" in Oracle's parlance. In another blog, Ou eventually got around to busting Oracle's hype after my partner Dan Farber said that Oracle was unbreakable no more. Perhaps the new tagline should be "Breakable. Patchable."

And now, just when you thought the year was over, another so-called fortress of technology -- Sun's Java Runtime Environment (JRE) -- has apparently had its much-ballyhooed security sandbox stripped down to size. The flaws are apparently colorblind to operating system, equally exposing users of Windows, Linux and the company's own Unix-based Solaris. A download that corrects the problem is apparently available on this page on Sun's Web site. But demonstrating that Sun will probably need to establish the equivalent of Microsoft's security response team (along with requisite procedures), as of the publishing of this blog, neither that page, nor the home page for Java, nor the home page for Sun itself has the sort of road signs they should have to address the news and route users to the solution(s). You know, the big blinking red warning sign that says "Click here to see if your JRE is secure or if it needs an update to address the most recent security advisory." But the download page does have a pretty blue button (pictured above left) for viewing the page in Japanese.