To illustrate the problem, eEye points to a recent flaw in the Java Runtime Environment, used to run programs that are written in Java.
In January, eEye discovered a serious bug in the Java Network Launching Protocol, which is used to run Java programs over the Web. Hackers could exploit this flaw by setting up a malicious Web site that could install unauthorized software on any Java-enabled PC that visited it, according to eEye.
The flaw was patched in late June, but Sun has yet to push out the fix to its millions of Java users worldwide.
Instead, Sun has made a developer release available on its Java.sun.com download page and is holding off on a more widespread release of the fix.
The reason? So that developers can make sure that the update itself is bug-free. "There's an additional round of testing that happens before we blast it out to consumers," said Sun Spokeswoman Jacki Decoster.
The problem with this approach is that a staggered release schedule gives criminals a window of opportunity to reverse engineer the Java bug and then create attack code that can be targeted at the millions of unpatched users, said Marc Maiffret, chief technology officer with eEye.
"Sun has such a horrible update process that they released patches for this flaw a couple weeks ago, and more patches for different versions [after that]," he said via instant message. "If people were reverse-engineering the patch a few weeks ago, they have a head start on the good guys."
Microsoft Corp. releases security patches for all versions of its products simultaneously, but Sun is not the only company to stagger updates. Oracle Corp., for example, habitually releases database patches for some of the less-popular operating system platforms weeks after its initial security updates.
Leaving Java users unprotected like this not a good idea, said Cesar Cerrudo, CEO of Argeniss Information Security, in an instant message interview. But with Sun expecting to push out a fix for the problem later this week, hackers are not getting a lot of time to develop attack code, he said.