Lets be real – the category of people and companies that use software applications – well, that is just about everyone, but right now this affects a slightly smaller group. Assuming other framework vendors don’t already do this or don’t do this in the future.
The issue at hand is how Microsoft and Oracle are distributing .Net and Java respectively.
Up until now, if users installed the monthly or quarterly Microsoft and Oracle patches for .Net and Java, you were good.
But these companies are changing the rules.
For users of applications based around Microsoft’s .Net, you used to have to install the .Net Framework separately from your application (sometimes applications bundled the two separate installs so that they sort of looked like one, but they were still actually two). If Microsoft updates the .Net Framework, the monthly Microsoft updates will install the updates to the Framework.
Now there is something called .Net core. That actually becomes a part of the application and if the developer chooses to go that route, each application developer, whether internal or third party, needs to rebuild and re-release each application every time there is an update, which could, potentially, be every month. Application developers are unlikely to do all that work for free, so for users that do not have a maintenance agreement, they will likely just be vulnerable to being hacked.
For Oracle Java, the situation is the same, although they only release patches once a quarter. That doesn’t mean that bugs aren’t found every month, it just means they don’t fix them as quickly.
With Java 11, Oracle eliminated the Java Runtime Environment or JRE. That means that you, as a developer, must get a new Java Development Kit (JDK). Oracle MAY be on the way for charging for this – it seems to kind of depend. In any case, you still need to release a new version of the product and that is not likely to be free.
The bigger problem is that most users do not know whether their software is based on one of these tools or not.
Sooooo, here is what needs to happen.
You know that vendor cyber risk management program that I always talk about? We now have a new line of questions for EACH AND EVERY APPLICATION that you use , whether internally developed, open source or commercially licensed.
That question is does this application or any part of an application set use Java or .Net core. If the answer is yes or worse yet, “HUH?”, then you need to dig in further. Much further. And you are likely to get the deer in the headlight look, at least for a while. You need to find out for sure and then you need to understand what the companies update policies are and what the update frequency is.
If the company says that they are going to release a new version of each of their applications every month, then you need to get that in writing as part of the contract so that once they realize how much that is costing them they can’t change their mind.
If they say they are not going to patch their applications monthly, then you have to ask am I willing to live with the risk.
Remember, the bad guys already have this figured out. As soon as the patch comes out they figure out how to exploit it, if possible. Then they start scanning the internet looking for people and companies that haven’t installed the patch. They are then attacked.
In case you think that won’t be you, let me point to someone else who said that. Equifax, the source of one of history’s largest data breaches ever didn’t patch one server. At last count, and this is FAR from over, they have spent $1.3 BILLION dealing with the after effects of that decision.
Consider yourself warned, Source: Help Net Security.