According to NetworkWorld, data mined from Qualys’ free BrowserCheck service shows that 8 out of 10 Windows PCs run one or more copies of Java. Of the systems with Java, more than 40% were running an outdated version containing at least one critical vulnerability. That puts Java at the top of the unpatched software list. Malware distributors are always looking for new ways to spread their programs. The operating system itself has become difficult to attack, so exploit writers have shifted their attention to vulnerabilities in third-party applications.
The article recommends that Oracle and other vendors start leaning on Microsoft to distribute their updates. I would say this is a poor strategy, and not one I expect Microsoft to move into quickly without some kind of business case. Imagine the liability MS would take on if it started delivering third-party updates. Would it then set a precedent and be forced in future to provide update delivery for ALL applications and operating systems? If it declined, would it risk ending up in court again for unfair or monopolistic practices? And who do we blame when one or more of these updates goes all pear-shaped?
I would recommend instead that all vendors take a page from Microsoft’s playbook: build a secure and reliable update distribution channel for consumers, and start building relationships with the vendors whose business it is to push patches into enterprise environments.