Sun Microsystems is putting millions of Java users at risk of attack by staggering the release of security patches, according to security researchers at eEye.

To illustrate the problem, eEye points to a recent flaw in the Java Runtime Environment, used to run programs that are written in Java.

In January, eEye discovered a serious bug in the Java Network Launching Protocol, which is used to run Java programs over the web. Hackers could exploit this flaw by setting up a malicious website that could install unauthorised software on any Java-enabled PC that visited it, according to eEye.

The flaw was patched in late June, but Sun has yet to push out the fix to its millions of Java users worldwide.

Instead, Sun has made a developer release available on its download page and is holding off on a more widespread release of the fix.

The reason? So that developers can make sure that the update itself is bug-free. "There's an additional round of testing that happens before we blast it out to consumers," said Sun spokeswoman Jacki Decoster.

The problem is that a staggered release schedule gives criminals a window to reverse-engineer the bugs and create code to attack the millions of unpatched users, said Marc Maiffret, chief technology officer with eEye.

"Sun has such a horrible update process that they released patches for this flaw a couple weeks ago, and more patches for different versions [after that]," he said via instant message. "If people were reverse-engineering the patch a few weeks ago, they have a head start on the good guys."

Microsoft releases security patches for all versions of its products simultaneously, but Sun is not the only company to stagger updates. Oracle, for example, habitually releases database patches for some of the less-popular operating system platforms weeks after its initial security updates.

Leaving Java users unprotected like this not a good idea, said Cesar Cerrudo, CEO of Argeniss Information Security. But with Sun expecting to push out a fix for the problem later this week, hackers are not getting a lot of time to develop attack code, he said.