
Security Expert Says Java Vulnerability Could Take Years To Fix, Despite Patch

samzenpus posted about a year ago | from the long-road-coming dept.


An anonymous reader writes "After the Department of Homeland Security's US-CERT warned users to disable Java to stop hackers from taking control of users' machines, Oracle issued an emergency patch on Sunday. However, HD Moore, chief security officer of Rapid7, said it could take two years for Oracle to fix all the security flaws in the version of Java used to surf the web; that timeframe doesn't count any additional Java exploits discovered in the future. 'The safest thing to do at this point is just assume that Java is always going to be vulnerable,' Moore said."


320 comments

So long/The way the future was (0)

Anonymous Coward | about a year ago | (#42583101)

You will be missed in the same way as the flying car. Sigh.

Re:So long/The way the future was (5, Funny)

Anonymous Coward | about a year ago | (#42583277)

Sure, Java will be dead in 5 years.. just like COBOL.

Re:So long/The way the future was (4, Funny)

gabereiser (1662967) | about a year ago | (#42583917)

I think he meant Kobol, the originating planet of the thirteen tribes.... Took a lot longer than 5 years to die but then again, the Galactica found it in ruin and didn't stay for archeological studies...

Java used to be secure and sandboxed (4, Insightful)

buchner.johannes (1139593) | about a year ago | (#42583129)

What happened? Most of these exploits seem to rely on rewriting methods / accessing byte code ... how about disabling that access for applets as a temporary measure?

Re:Java used to be secure and sandboxed (4, Insightful)

bobdehnhardt (18286) | about a year ago | (#42583215)

Nothing is truly secure, it's simply in a state where the vulnerabilities haven't been discovered yet.

Re:Java used to be secure and sandboxed (5, Insightful)

robmv (855035) | about a year ago | (#42583267)

I don't think Java the platform is a security nightmare, but if someone doesn't need it then don't install it; reduce your chances of being attacked with software you don't use.

Every Chrome/Firefox release has security vulnerability fixes, sometimes bugs as critical as this one, and I don't see people screaming "Remove Chrome, Disable Firefox...". All software has bugs; the problem with Java is the slow response of Oracle (and Sun at that time) fixing things. The update cycles are too long and only when a critical bug is very loud in the media do you see them pushing a fix.

Re:Java used to be secure and sandboxed (5, Informative)

zero.kalvin (1231372) | about a year ago | (#42583347)

Yes, but when a bug is found in either of them (Firefox or Chrome) devs race to plug the hole. On the other hand Oracle knew about this since August and did nothing about it..

Re:Java used to be secure and sandboxed (5, Insightful)

Anonymous Coward | about a year ago | (#42583523)

They did not do nothing about it, they did release a patch. (That patch was insufficient and that is a valid point to criticize Oracle.)

Re:Java used to be secure and sandboxed (0, Offtopic)

ewibble (1655195) | about a year ago | (#42583555)

I don't see how this scored 4 when the parent scores 2; it even states that the problem is slow response from Oracle.
Nothing against you zero.kalvin, just the rating system seems a bit screwed.

Re:Java used to be secure and sandboxed (2, Informative)

Billly Gates (198444) | about a year ago | (#42583901)

I don't think Java the platform is a security nightmare, but if someone doesn't need it then don't install it; reduce your chances of being attacked with software you don't use.

Every Chrome/Firefox release has security vulnerability fixes, sometimes bugs as critical as this one, and I don't see people screaming "Remove Chrome, Disable Firefox...". All software has bugs; the problem with Java is the slow response of Oracle (and Sun at that time) fixing things. The update cycles are too long and only when a critical bug is very loud in the media do you see them pushing a fix.

It is a security nightmare. You can point to geek stats and engineering and I will point to examples. At the end of the day what matters is how many exploits keep getting hit by it compared to other products. The only things that come close are IE 6 and Flash. Even PDFs have exploits but not as many as Java, nor at the same frequency.

Other browsers and technologies like Silverlight have good engineering principles and fewer vulnerabilities. ... actually Firefox does have some as well compared to Chrome, but they update. Anyone uninstalling Java yet using Firefox 3.6 out of choice with 40+ exploits is a fool. Chrome and IE 9 are sandboxed and so is Silverlight. Java is sandboxed sort of, but it has RMI, whose sole purpose is to include untrusted unsigned C code. Corporations love it as it means COM object access for Excel, but it also means a cracker can put whatever he wants in it. As Sun/Oracle try to sandbox and limit RMI it then breaks apps, and the corps end up whining and locking down insecure old versions of it so their shitware apps work, just as they do by sticking with IE 6 as well.

Java still has its uses but not as a browser plugin. Java 7 is truly awful and I still use Java 6 on my computer with plugins disabled in my browsers. It also doesn't turn itself back on inside the browser either. Java 7 turned security off and it re-enables itself in the browser according to other slashdotters.

I highly advise anyone reading this to downgrade to Java 6 if they need it and then disable it in their browsers until all their apps no longer require it.

Re:Java used to be secure and sandboxed (4, Insightful)

gandhi_2 (1108023) | about a year ago | (#42583399)

Maybe if they'd spent less time trying to get people to install ask toolbar or somesuch bullshit....

Re:Java used to be secure and sandboxed (5, Informative)

Anonymous Coward | about a year ago | (#42583735)

Yes, we already blacklist Java across the company where I work due to this.

In general they're quite liberal about letting employees manage their own computers (it's a software dev studio), but Java is blacklisted because of the Ask bundling, which is considered spyware at corporate level and difficult to remove cleanly.

Re:Java used to be secure and sandboxed (1)

jones_supa (887896) | about a year ago | (#42583969)

Java used to be secure and sandboxed. What happened?

That struck the odd chord in me too. In my mind Java has also held the status of being a relatively secure system.

Avira claims it's users are protected... (0)

Anonymous Coward | about a year ago | (#42583157)

...how true is that?

Re:Avira claims it's users are protected... (0)

Anonymous Coward | about a year ago | (#42583441)

...how true is that?

Avira claims its users are protected against attacks that are known to try to take advantage of the specific security vulnerabilities Oracle claims to have patched in this one particular update.

WTF is the deal with Java and being so insecure? (0)

Anonymous Coward | about a year ago | (#42583181)

Somebody explain this to me. Please.

Re:WTF is the deal with Java and being so insecure (4, Insightful)

Anonymous Coward | about a year ago | (#42583321)

The idea is that you are at the same time providing a full language and a sandbox. Together. Java is not inherently more or less secure than any other language (well, mostly), but the above premise is extremely hard to pull off correctly. Think of an applet as some piece of code you download and execute. Would you trust doing that in any special language? Think of Flash, how many flash issues have we seen? And Flash is "less complex" than Java.

Re:WTF is the deal with Java and being so insecure (1)

ewibble (1655195) | about a year ago | (#42583765)

But we have JavaScript, which is probably no more secure than Java, especially now that we are adding more features to it: canvas, websockets.

The thing is, I see no need for more attack vectors, so we might as well limit them and not use Java/Flash in the web browser.

I run executables all the time. All apps should run in a VM by default, and only get access to real stuff if I explicitly say so; otherwise all data is faked to the app.

Re:WTF is the deal with Java and being so insecure (1)

Billly Gates (198444) | about a year ago | (#42583947)

JavaScript is sandboxed in most browsers, and in Firefox most of it is neutered in terms of access to local resources.

Java is untrusted and just runs without a user doing anything! That is the difference. Flash is now trusted and signed, and Chrome auto-updates it, as does Windows Update now if you use IE 9. Mozilla turns click-to-play on now to prevent exploits.

Re:WTF is the deal with Java and being so insecure (0)

Anonymous Coward | about a year ago | (#42583349)

The Java browser plugin uses the exact same codebase as any Java program. The good thing about it: applets can use any ordinary Java code/library, there is 100% compatibility. The drawback: security is based on checking for permissions in some places. It is very hard to find all the places where such a check is required, and adding new features to the JVM doesn't help.

Two years? (5, Interesting)

schneidafunk (795759) | about a year ago | (#42583183)

It looks like he randomly pulled a time frame. I cannot find an explanation for the two year estimate.

Re:Two years? (5, Insightful)

Anonymous Coward | about a year ago | (#42583361)

It looks like he randomly pulled a time frame. I cannot find an explanation for the two year estimate.

Ah, but that's the beauty of it! Owing to the blind hatred of Java around these parts, he can pull any alarmist timeframe out of his ass at any time, and we're certainly not going to argue with him!!! If anyone does, we can accuse them of liking Java, and then we excommunicate them and shame them in the entire software engineering world until they can't ever get a job again as a warning to others! It's brilliant!

Re:Two years? (0, Funny)

Anonymous Coward | about a year ago | (#42583553)

Put away the hard-on for Larry Ellison and calm down.

Re:Two years? (5, Interesting)

Zocalo (252965) | about a year ago | (#42583437)

Possibly, but it could also have something to do with Oracle's announcement that Java will be getting regular updates on a two year schedule [computerworld.com] . Maybe he's just assuming it's going to take a major iteration - from the v8.x series due in September to the next release, v9.x to completely fix this class of flaws.

Re:Two years? (0)

Billly Gates (198444) | about a year ago | (#42583975)

I am sticking with Java 6. It is stable and industry supported. I feel like one of these morons saying why he is still going to stay on IE 6. But it does not have this exploit and I know if I disable plugins it will not re-enable them by default. Much software is not compatible with Java 7 and we all know it has lower security settings by default.

Re:Two years? (2)

OverlordQ (264228) | about a year ago | (#42583913)

I cannot find an explanation for the two year estimate.

Hey, Java is going to be vulnerable for a couple years so that means you should hire us to help protect you.

Browser Plugins are Always Vulnerable (5, Insightful)

Anonymous Coward | about a year ago | (#42583195)

The solution is to stop running untrusted code in your browser. If you are using a browser's default configuration, then any time you go to a website, the browser will automatically download and execute software from the website, in the form of Flash, Java applets, javascript, and Silverlight, if you have it installed.

And you think there aren't any vulnerabilities in any of those sandboxes?

the fix (0)

Anonymous Coward | about a year ago | (#42583199)

remove java, solved!

Re:the fix (1)

Anonymous Coward | about a year ago | (#42583497)

remove java, solved!

Nuke it. From space. Sharks, lasers, etc. Only way to be sure.

Applies to all outside software (4, Insightful)

Todd Knarr (15451) | about a year ago | (#42583205)

The safest thing to do at this point is just assume that Java is always going to be vulnerable.

That's not specific to Java, it applies to all software that's downloaded from an outside source and run on your local machine. That means Adobe Reader (PDF is simply a wrapper for a program written in Postscript), Flash (ditto, written in a special programming language) and even Javascript. It even includes downloaded TrueType fonts (the font hinting program they can include is just that, an executable program). Don't dismiss them just because they're sandboxed. Java was sandboxed, that didn't stop this vulnerability. Sandboxes are software and software has bugs in it, always. The only question is the number and severity of the bugs. The simpler the software, the fewer bugs there tend to be because there's fewer places for them to hide. Their favorite hiding place is in unexpected interactions between different parts of a piece of software, or between the software and the system it runs in, and simpler software has fewer and simpler interactions that're easier to get right.

This even applies to software you buy from a vendor. The difference is that with bought software you tend to download it only a few times and always directly from the source. Contrast this with the Web, where you're downloading multiple pieces of software on virtually every Web page you hit with no idea where they're coming from (and, in the case of advertising networks, the place you download them from may not even know who or where they're coming from).

Re:Applies to all outside software (5, Insightful)

TheGratefulNet (143330) | about a year ago | (#42583273)

in short, 'mobile code' (stuff that runs and is sent across from them to you, to be run on YOUR platform) is untrustable by nature.

I never liked the idea of it, not once. I think it's all a security fail.

'here, here's some binary code. run this. no, don't ask questions, just execute this, please'.

why people thought that was a good idea is beyond me.

Re:Applies to all outside software (-1, Troll)

sfm (195458) | about a year ago | (#42583509)

Trying to use 'today's' internet with Java disabled is not a viable option. A realistic estimate is that over 70% of all common websites require Java to function correctly.

It is unfortunate that so many web developers use Java in places where it just isn't required. While I agree that Java Script does provide needed functionality in some situations, that is not the case in many (most) applications.

If this latest SNAFU gets developers to rethink using Java (or any similar tool), it may actually be a benefit to the web.

Re:Applies to all outside software (5, Informative)

Karlt1 (231423) | about a year ago | (#42583561)

"Trying to use 'today's' internet with Java disabled is not a viable option. A realistic estimate is that over 70% of all common websites require Java to function correctly.

It is unfortunate that so many web developers use Java in places where it just isn't required. While I agree that Java Script does provide needed functionality in some situations, that is not the case in many (most) applications."

Really? This day and age someone not knowing the difference between Java and Javascript?

70% of pages do not use Java. Javascript yes but they are completely different.

Server- vs. client-side Java (5, Informative)

DragonWriter (970822) | about a year ago | (#42583661)

"Trying to use 'today's' internet with Java disabled is not a viable option. A realistic estimate is that over 70% of all common websites require Java to function correctly."

The only way that number is within an order of magnitude of being correct is if it is a reference to server-side Java, which isn't the issue. In-browser Java is the issue, and very few common websites require in-browser Java to function correctly (in-browser JavaScript, perhaps, but aside from artifacts of early-90s marketing in the naming, the two have nothing in common.)

Re:Applies to all outside software (1)

Lennie (16154) | about a year ago | (#42583667)

70% of pages do not use Java ? Make that 99.9999999999999% or something like that.

Re:Applies to all outside software (1)

Karlt1 (231423) | about a year ago | (#42583745)

"70% of pages do not use Java ? Make that 99.9999999999999% or something like that."

I agree, I was refuting the original claim that "70% of web pages use Java"

Re:Applies to all outside software (2)

gabereiser (1662967) | about a year ago | (#42583957)

But I still have my Clock Applet from 1993 running on my site counting down to the return of Jesus....

Re:Applies to all outside software (2)

hobarrera (2008506) | about a year ago | (#42583571)

Trying to use 'today's' internet with Java disabled is not a viable option. A realistic estimate is that over 70% of all common websites require Java to function correctly.

It is unfortunate that so many web developers use Java in places where it just isn't required. While I agree that Java Script does provide needed functionality in some situations, that is not the case in many (most) applications.

If this latest SNAFU gets developers to rethink using Java (or any similar tool), it may actually be a benefit to the web.

I haven't come across any website that uses Java in about three years (and even that one was a very specialized website).

Name ONE popular website that requires Java.

Re:Applies to all outside software (0)

Anonymous Coward | about a year ago | (#42583733)

GoToMeeting.com (If you actually want to use the GoToMeeting features)

I wish I didn't have to, but it's how we support our customers when we need to view their desktop remotely.

Posted ANON to not mess up moderation on someone else's post

Re:Applies to all outside software (0)

Anonymous Coward | about a year ago | (#42583773)

Public internet websites are one thing. Private intranet networks are another issue entirely. Unfortunately, I work for a state government that foolishly tries to develop enterprise applications "in-house" and way too often uses Java for these highly customized purposes. This includes not only our web-based online timesheet utility, but also our web-based travel reimbursement site and several others. And it is a nightmare to manage, e.g., remotely updating users' desktops with every Java iteration every time something like this happens. Disabling Java in the web browser isn't really practical, since we'd have to train our users when to enable it and when to disable it, and they're not really computer savvy enough to know the difference.

Re:Applies to all outside software (0)

Anonymous Coward | about a year ago | (#42583731)

in short, 'mobile code' (stuff that runs and is sent across from them to you, to be run on YOUR platform) is untrustable by nature.

That sounds like JavaScript. Even basic HTML code is untrustable by nature, the interpreter can have security flaws in it. Actually, anything that comes from the Internet is untrustable by nature. Why do you dislike runnable, sandboxed bytecode more than the other content?

I sure hope they fix the Java Applet sandbox. Or making applets behave like "click-to-run" by default would be a decent option, too. That way the flaws couldn't be used without user consent.

Re:Applies to all outside software (0)

Anonymous Coward | about a year ago | (#42583287)

That's not specific to software. It applies to all hardware. And life in general.

Always assume you're vulnerable because there is somebody smarter, sneakier and greedier out there.

If you're honest about it, you won't have to worry.

Much hyperbole about nothing (5, Interesting)

Zero__Kelvin (151819) | about a year ago | (#42583403)

That's not specific to Sun/Oracle's JVM Implementation, but goes for all software, at all times.

"it could take two years for Oracle to fix all the security flaws in the version of Java used to surf the web" ... "The safest thing to do at this point is just assume that Java is always going to be vulnerable,""

This guy isn't a security expert. He doesn't even know that Java is a programming language, and that Oracle's JVM is not "a version of Java used to surf the web". No self-respecting expert would misuse terms the way he is, and he should be sued for doing it. It leads to ridiculous situations, where people think Java is inherently bad. I mean, isn't Android based on Java? OMFG ... don't get one of those! Haven't you heard? Java is vulnerable to attack! If the writer got what this guy said correct then this guy is either shilling for Apple or Microsoft against Google/Android, hates Oracle, or is phenomenally incompetent.

Re:Much hyperbole about nothing (1, Insightful)

amicusNYCL (1538833) | about a year ago | (#42583485)

You think the chief security officer of Rapid7 doesn't understand the nature of Java, huh? It's not that he's trying to use language that most people would understand, but that he actually does not know that Java is a programming language and what the JVM actually is. That's some stunning logic you've got there. He sounds like he probably knows his stuff [rapid7.com] .

Re:Much hyperbole about nothing (2)

Zero__Kelvin (151819) | about a year ago | (#42583581)

I certainly left open the possibility that he is intentionally misleading people. You'd find people's logic less stunning if you learned to read and understand what you read. That being said, I didn't know who he was, or I would have gone straight to the latter part of my post and skipped the possibly incompetent part.

Re:Much hyperbole about nothing (1)

PCM2 (4486) | about a year ago | (#42583865)

This guy isn't a security expert. He doesn't even know that Java is a programming language, and that Oracle's JVM is not "a version of Java used to surf the web".

You're assuming quite a lot there. I didn't see any sentence in there that said "Oracle's JVM is the version of Java used to surf the web." But most of the exploits we're talking about certainly do involve the version of Java used to surf the web -- the Java plugin. People who are just running desktop Java apps aren't vulnerable. These are browser exploits, or exploits that attack the interface between the plugin and the browser. If a Reuters reporter wants to simplify the language so that regular people can understand it, where's the harm?

Re:Much hyperbole about nothing (1)

Zero__Kelvin (151819) | about a year ago | (#42584019)

"But most of the exploits we're talking about certainly do involve the version of Java used to surf the web"

It's not a version of Java! Java is a fscking programming language. It is no more correct to say Java is vulnerable than it is to say C is vulnerable or COBOL is vulnerable. Also ...

" If a Reuters reporter wants to simplify the language so that regular people can understand it, where's the harm?"

Oh ... Oh ... I remember this one from elementary school English class! It would be because he used quotation marks!

Re:Much hyperbole about nothing (0)

Anonymous Coward | about a year ago | (#42583885)

No, Android is not based on Java. It's a fork of the Linux kernel, and uses the Dalvik VM (a derivation of Java) to function under reduced memory and CPU requirements. Android, Linux, Java and Dalvik are all open-source projects, but that's about the only thing they have in common.

Please don't question the competence of other computer users when your own understanding of these systems is clearly inadequate (lest someone decides to sue you, as you suggest should be done with HD Moore, who, if you didn't know already, is the creator of Metasploit, a widely used penetration testing tool).

Re:Applies to all outside software (1)

Hatta (162192) | about a year ago | (#42583541)

Sandboxes are software and software has bugs in it, always.

So how does this bode for the cloud? OSs and hypervisors are conceptually similar at least to an OS and a sandboxed app. What prevents a hypervisor from being attacked in the same way that Java's sandbox was?

Re:Applies to all outside software (3, Informative)

Todd Knarr (15451) | about a year ago | (#42583747)

Absolutely nothing. In fact, I think they've already found ways to break out of most of the hypervisors out there and gain access to the host machine from inside a VM. The only exceptions I can think of are the IBM mainframe hypervisors, and those have the dual advantages of a) decades of work finding and removing bugs and b) hardware that was designed to run the hypervisor and has special support for isolating the hypervisor from the virtual machines.

Bear in mind that for cloud applications you actually need to be worried about the reverse: protecting your application from the hypervisor breaking into it. The worst incursions won't be from other applications breaking out of their VMs, it'll be incursions from the cloud provider's own internal network (from conventionally-infected machines) infiltrating the host machines' hypervisor software and from there reaching down to infect hosted applications.

So? (3, Interesting)

Hatta (162192) | about a year ago | (#42583221)

Running programs from untrusted sources has always been unadvisable. I run java every day, and I'm not worried at all about getting compromised. Apps like ImageJ or UGENE, if they weren't written in Java would be written in a native language which would be just as dangerous to install. So don't be an idiot and run programs from random websites and you'll be fine.

Re:So? (1)

Anonymous Coward | about a year ago | (#42583345)

And if their security was compromised, would you trust them to notice? Would you trust them to tell you? Would you trust them to tell you on time?

It's important to know, because with software as vulnerable as that, it's not a matter of if, but when.

Re:So? (1)

Hatta (162192) | about a year ago | (#42583471)

I would trust them about as much as anyone can trust any third-party software. My point is that the software being written in Java is as irrelevant as if it were written in C++.

It's the browser plugin... (5, Insightful)

Anonymous Coward | about a year ago | (#42583567)

Running programs from untrusted sources has always been unadvisable. I run java every day, and I'm not worried at all about getting compromised. Apps like ImageJ or UGENE, if they weren't written in Java would be written in a native language which would be just as dangerous to install. So don't be an idiot and run programs from random websites and you'll be fine.

The problem is, the default Java runtime install includes a browser plugin that allows Java applets embedded in a webpage to run automatically. Code delivered this way is supposed to run inside a strict sandbox, but that sandbox has been repeatedly shown to be full of holes.

(Desktop apps written in Java, including UGENE and ImageJ [and Eclipse, and the mostly-not-Java LibreOffice] do not use the browser plugin and will run fine even if the browser plugin is disabled or deleted completely. Your standard don't-be-an-idiot advice does indeed apply to these kinds of apps. But the JRE you installed to run ImageJ will install the browser plugin you never asked for and don't need.)

Oracle really should consider making the browser plugin a separate, optional, non-default installation.

Re:It's the browser plugin... (1)

RedDeadThumb (1826340) | about a year ago | (#42583785)

Java install has been crap for a while, even before Oracle got it. It should have always remained just a ZIP extraction. They also do their best to confuse between JRE and Java with the compiler (which then includes JRE, but it isn't the same JRE directory locations.)

Fact free claims (2, Insightful)

Anonymous Coward | about a year ago | (#42583239)

HD Moore, chief security officer with Rapid7, a company that helps businesses identify critical security vulnerabilities in their networks, said it could take two years for Oracle to fix all the security bugs that have currently been identified in the version of Java that is used for surfing the Web.

How is Mr. Moore computing this interval? Nothing is offered in these stories about why it would take Oracle "two years" to "fix" the "security bugs".

Re:Fact free claims (0)

Anonymous Coward | about a year ago | (#42583585)

Agreed that the time interval of "2 years" isn't adequately justified, since Oracle was able to release an emergency update quite rapidly; unfortunately, that update only closed 2 of the more than 50 vulnerabilities identified earlier. Perhaps the researcher extrapolated the time estimate from how long it took Oracle to address the 2 problems from the date it was publicized, and multiplied by the additional vulnerabilities already discovered, but not adequately addressed, and added a margin of time for vulnerabilities not yet identified.

Re:Fact free claims (0)

Anonymous Coward | about a year ago | (#42583705)

That's fine, and even plausible, if true. It's also pure speculation. I expect claims to be supported. Sorry.

So a rewrite? (2)

waddgodd (34934) | about a year ago | (#42583245)

It didn't take two years to write JDK in the first place...

Re:So a rewrite? (1)

Anonymous Coward | about a year ago | (#42583317)

And this time we promise it'll work.

Re:So a rewrite? (1)

Zero__Kelvin (151819) | about a year ago | (#42583465)

This has nothing to do with JDK (Java Development Kit.) It is the JRE (Java Runtime Environment, including the JVM (Java Virtual Machine)) as implemented by Oracle. That being said, the JDK has been around for at least a decade. If anyone knows how long it took to write, it's not the guy confusing it with the JRE. Of that much I am certain. See also ... [javabeat.net]

Re:So a rewrite? (1)

H0p313ss (811249) | about a year ago | (#42583703)

the JDK has been around for at least a decade

You're trying to slam someone else for their dubious selection of jargon but the best you could do is "at least a decade"? (For nostalgia purposes I keep the original edition of "Java in a Nutshell" on my desk, copyright 1996, and yes, JDK is in the index.)

Re:So a rewrite? (1)

Zero__Kelvin (151819) | about a year ago | (#42583807)

So you are saying that I was correct, but because I didn't indicate the exact moment of its inception (which I would only know if I was James Gosling anyway) that I was in error somehow? I wasn't "slamming" anyone. I'm tempted to do so now though, but you aren't worth the effort. HANL and hope to never hear from you again ...

Re:So a rewrite? (1)

H0p313ss (811249) | about a year ago | (#42583827)

And for what it's worth, the JDK includes the JRE and JVM, so yes, if the original JDK took a year (it didn't: Oak [wikipedia.org] was under development for three years and it took two more for Java 1.0 to ship) a complete rewrite, including the JVM, should be less than two.

The problem with that statement is not that he said JDK, it's that his understanding of the time frame and effort to produce the original JDK is completely wrong and furthermore the current JVM looks almost nothing like the original from 1995. A complete white room rewrite with similar performance characteristics to the 1.7 VM with enhanced security would be significantly more expensive than the original implementation. (I'm pretty sure that more effort has gone into garbage collection algorithms alone since 1996 than went into the original JDK.)

Re:So a rewrite? (1)

timeOday (582209) | about a year ago | (#42583757)

Writing a JRE is like writing an OS. You can write a toy one in a few months (Minix) or spend lifetimes writing one good enough to be competitive in the real world (Linux).

Or (0)

Anonymous Coward | about a year ago | (#42583247)

ZOMG it could also take Oracle 2 bajillion years to fix all the security flaws. I'll offer the same support for this scientific estimate as the asshat featured in TFA did for his dumbass prediction: <bupkis>

Wow, really? (0)

Anonymous Coward | about a year ago | (#42583289)

And here I figured that since the announcement came from DHS, it could be dismissed as baseless fear-mongering. They should really use more reputable groups for their security announcements.

Applies to all (1)

kimvette (919543) | about a year ago | (#42583297)

This also applies to every desktop OS - ESPECIALLY Windows. How many years has Microsoft been attempting to secure Windows? Obviously if you care about national security, you will unplug your PC today.

OpenJDK (2, Interesting)

Anonymous Coward | about a year ago | (#42583323)

Are those security flaws also affecting OpenJDK 6 and/or 7?

Re:OpenJDK (1)

Beamboom (2692671) | about a year ago | (#42583887)

Bump for this - anyone know? Cause OpenJDK w/IcedTea plugin has really become very good - I myself use OpenJDK instead of Oracle's JDK on all my machines nowadays, both in development and as end user.

Second 'Law of Moore' (1)

futhermocker (2667575) | about a year ago | (#42583333)

"Over the history of programming, the number of exploits in software doubles approximately every two years."

No way out. (0)

Anonymous Coward | about a year ago | (#42583371)

Ah...the joys of closed source.

Applets? (2)

Twillerror (536681) | about a year ago | (#42583419)

Why exactly do we need applets on Joe Schmoe's machine? If you're a corporation, enable it.

It would be great if all browsers had a whitelist of domains that you tag a site for any of this stuff. Yes, youtube can play flash, other sites not. Advertisers will just use animated gif\javascript or whatever.

Sure there is this plugin and that to accomplish this... time for FF, Chrome, and IE to build this stuff in and make it off by default and super simple to address. Of course you've got grandma on IE 6/7/8, but even then MS could put out a patch that just turns off applets. The next time IE starts up it asks the user. Group policy would override.

Re:Applets? (2)

ElmoGonzo (627753) | about a year ago | (#42583603)

Java applets were a good idea in 1996 or so when the web was mostly text documents and static images. Now there isn't very much that an applet does that can't be done with equal facility and somewhat greater security by making a web application using any one of a number of technologies. (Admittedly deploying an application server has its own set of security issues but for the most part, they are limited to the server side of the street.) I can't think of anywhere I've encountered Java applets in the past few years -- the ones I recall have all been replaced with Javascript for server-side calculations.

Re:Applets? (1)

gl4ss (559668) | about a year ago | (#42583749)

both firefox and chrome ask per site if you want to run java.

by the way.. just today I had to fix my java plugins to work, to authenticate via my bank to a 3rd party (the bank uses a java applet for security code input.. there's no real logic why though). the shit wouldn't work in either firefox or chrome before I ran it in IE. such bullshit.

Re:Applets? (0)

Anonymous Coward | about a year ago | (#42583875)

Unfortunately, javascript is equally problematic.

Why isn't there a whitelist-only mode? (5, Interesting)

Anonymous Coward | about a year ago | (#42583431)

I find it strange that I can install a flash blocker that allows me to whitelist certain websites but that similar functionality seems to be missing for Java... the easy answer is to not allow java to run unless the site or even specific URL is in a whitelist.

The java engine should check whether the code it is about to execute is from a whitelisted location before it executes it. If the code is not, it should warn the user, perhaps prompting to add the site.

That way your banking and ecommerce sites would still work easily while the "bad guys" would at least have to successfully social-engineer you into adding their site, a situation much better than what we currently see where all you have to do is inadvertently browse to a web page with compromised java applets embedded.
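One way the per-site check described in this comment (and the domain whitelist the earlier "Applets?" comment asks browsers to build in) could be implemented, as an added example that is not from the original page, from any browser, or from the Java plugin: a small Java class that decides whether an applet's codebase URL is on an allow list. The class and method names are mine, the sample URLs are constructed, and the requirement that the codebase be served over https is an added caveat rather than something the comment asks for.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Set;

// Illustrative allow list for applet codebases (hypothetical names, not
// taken from any browser or plugin).
public final class CodebaseAllowList {
    private final Set<String> hosts = new LinkedHashSet<>();

    public CodebaseAllowList(String... allowedHosts) {
        for (String h : allowedHosts) hosts.add(normalizeHost(h));
    }

    // Lower-case and drop a trailing dot so "MyBank.Example." and
    // "mybank.example" compare equal.
    static String normalizeHost(String host) {
        if (host == null) return "";
        String h = host.toLowerCase(Locale.ROOT).trim();
        return h.endsWith(".") ? h.substring(0, h.length() - 1) : h;
    }

    // Allowed only if the URL's host is a listed host or a subdomain of one.
    // A naive host.contains(listed) or host.endsWith(listed) would accept
    // "mybank.example.attacker.test" or "evilmybank.example"; this does not.
    public boolean isAllowed(String codebase) {
        URL url;
        try {
            url = new URL(codebase);
        } catch (MalformedURLException e) {
            return false;                       // unparsable: deny by default
        }
        // Added caveat: over plain http a man-in-the-middle can swap the jar,
        // so a listed host only counts when the codebase is https.
        if (!"https".equals(url.getProtocol())) return false;
        // URL.getHost() strips userinfo, so
        // "https://mybank.example@attacker.test/" yields attacker.test.
        String host = normalizeHost(url.getHost());
        if (host.isEmpty()) return false;
        for (String listed : hosts) {
            if (host.equals(listed) || host.endsWith("." + listed)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        CodebaseAllowList list = new CodebaseAllowList("mybank.example", "shop.example");
        // Constructed sample codebases with the decision each should get.
        String[][] cases = {
            {"https://mybank.example/applets/login.jar",        "allow"},
            {"https://online.MyBank.example./secure.jar",       "allow (subdomain, case, trailing dot)"},
            {"http://mybank.example/applets/login.jar",         "deny  (not https)"},
            {"https://mybank.example.attacker.test/login.jar",  "deny  (listed name is only a prefix)"},
            {"https://evilmybank.example/login.jar",            "deny  (suffix match without a dot)"},
            {"https://mybank.example@attacker.test/login.jar",  "deny  (userinfo trick)"},
            {"not a url",                                       "deny  (unparsable)"},
        };
        for (String[] c : cases) {
            System.out.printf("%-5s %s   <- expected %s%n",
                list.isAllowed(c[0]) ? "ALLOW" : "DENY", c[0], c[1]);
        }
    }
}
```

The deny-by-default branches are where real whitelists go wrong: an unparsable URL, a host that merely contains the listed name, or credentials smuggled in front of the real host should all fail closed, and a browser-side list of this kind still only narrows the attack to the sites you chose to trust.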

Re:Why isn't there a whitelist-only mode? (0)

Anonymous Coward | about a year ago | (#42583693)

use the noscript plugin for firefox?

Re:Why isn't there a whitelist-only mode? (5, Informative)

David_Hart (1184661) | about a year ago | (#42583761)

If you are using Firefox, Chrome, or Safari, you can install NoScript. I find that it works well. It takes some effort to figure out which scripts you need to run for each page to display properly and which are the advertisement scripts. But it does the job. So far, I have found only one site that doesn't work with NoScript, but it's not a common site.

If you are not using Firefox, Chrome, or Safari, then it may be time to switch. I, personally, have always preferred IE. However, I made the switch to Firefox a couple of years ago and haven't turned back since. The security plugins for Firefox are much better than for IE and most are free (open source).

Let me get this straight... (1)

Anonymous Coward | about a year ago | (#42583507)

Some guy has the source code, examined it long enough and carefully enough to come up with an estimate of the time required to fix it... and didn't fix it? Didn't document the problems? Didn't bother to tell us what is wrong and where it is wrong? Sounds fishy. I don't think I believe it.

Re:Let me get this straight... (2)

mark-t (151149) | about a year ago | (#42583899)

You know, that's the funny thing I've always found about trying to do accurate software estimates. Because programming is so predominantly a thinking-heavy activity, the time that you're spending trying to figure out how long something is going to take can almost as easily be spent actually doing it.

I've always found it frustrating to try to explain this to people who want estimates on how complex certain tasks are, when you don't actually have enough data on those tasks yet to know, and by the time you do, you'll have already basically solved whatever problem the task was supposed to solve.

Could somebody explain.... (2)

mark-t (151149) | about a year ago | (#42583527)

... why, exactly, a java application that starts with the security manager turned on should *EVER* somehow need legitimate permission to turn the security manager off?

That, to me, seems so obvious as a basic security measure, it amazes me that software as old as Java would still have such vulnerabilities.

I can see absolutely no reason to start with an unprivileged app that can somehow give itself privilege it did not start with. In reality, such actions should be up to the user to decide *before* they run the app (although that may still be quite vulnerable to social engineering, it would at least remove the technical aspects of the vulnerability).
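The mechanism behind this question, as an added example that is not from the original page, Oracle, or OpenJDK: on a JDK 8-era runtime a permission check walks every frame on the call stack plus any AccessControlContext bound by doPrivileged, and the least-privileged domain on that path decides. Sandboxed code is never granted RuntimePermission("setSecurityManager"), so a direct System.setSecurityManager(null) from it is refused. Class and method names here are mine, the sandbox domain's single grant is a stand-in for an applet's default permissions, and the example assumes JDK 8 run as `java SandboxDemo` with the stock java.policy (JDK 18 and later need -Djava.security.manager=allow to install a manager at runtime).

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.Permissions;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;

// Illustrative demo of stack-inspection permission checks (hypothetical
// names; assumes JDK 8 and the default policy file).
public class SandboxDemo {

    // A protection domain holding only the kind of grant an unsigned applet
    // gets by default, here one property read. Static permissions: the
    // Policy is not consulted for this domain.
    static final AccessControlContext SANDBOX;
    static {
        Permissions grants = new Permissions();
        grants.add(new PropertyPermission("java.version", "read"));
        SANDBOX = new AccessControlContext(
            new ProtectionDomain[] { new ProtectionDomain(null, grants) });
    }

    // Runs `action` with SANDBOX bound to the stack and reports whether it
    // was allowed. AccessController checks every frame up to this
    // doPrivileged call AND the supplied context; any domain lacking the
    // permission causes the check to fail.
    static boolean sandboxAllows(PrivilegedAction<Void> action) {
        try {
            AccessController.doPrivileged(action, SANDBOX);
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    // Explicit check of a single permission from inside the sandbox.
    static boolean sandboxCanCheck(Permission p) {
        return sandboxAllows(() -> { AccessController.checkPermission(p); return null; });
    }

    // The operation the comment asks about: turning the manager off from
    // sandboxed code. setSecurityManager checks "setSecurityManager" first.
    static boolean sandboxCanDisableSecurityManager() {
        return sandboxAllows(() -> { System.setSecurityManager(null); return null; });
    }

    public static void main(String[] args) {
        System.setSecurityManager(new SecurityManager());   // sandbox now enforced

        // Expected on JDK 8 with the stock java.policy:
        System.out.println("read java.version:   "
            + sandboxCanCheck(new PropertyPermission("java.version", "read")));   // true
        System.out.println("setSecurityManager:  "
            + sandboxCanCheck(new RuntimePermission("setSecurityManager")));      // false
        System.out.println("disable manager:     "
            + sandboxCanDisableSecurityManager());                                // false
        System.out.println("manager still there: "
            + (System.getSecurityManager() != null));                             // true
    }
}
```

The permission has to exist because trusted code (the launcher, an application container) legitimately installs or replaces the manager; the sandbox simply is not granted it. What the stack walk cannot protect against is a trusted frame that calls doPrivileged on the sandbox's behalf: the walk stops at that frame and the sandboxed caller's domain is never consulted, which is how the manager can be switched off without the sandbox ever holding the permission. A sandboxed call site that can reach such a frame with attacker-chosen arguments is exactly the class of bug a permission check alone does not fix.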

Applets are vulnerable, not Java (2)

WOOFYGOOFY (1334993) | about a year ago | (#42583607)

Get real. People running Java based apps on their computers are in no danger of anything. What is being talked about is Applets, where arbitrary code is injected and run in the browser-hosted sandbox. So you surf to some website We-R-Malware and it asks you to let it run their applet (written in Java) in your browser and you say "sure, great idea".

This is like opening an email attachment from the same domain name; don't do that because somehow that PDF file, Excel file, Word document or whatever is harboring some evil code.

But does any of that mean you should remove Excel or PDF readers or Word or Libre Office or anything else from your own machine? Of course not. Java apps are totally safe on your machine and removing Java from your machine makes exactly zero sense.

The only people (mis)representing this situation are people who have an economic stake in "competing" languages and runtimes and language warriors, so that would include M$, consultants who want to be able to bill to rewrite Java apps (for no reason), authors and evangelists from competing languages etc etc etc. You should all be ashamed of yourselves. C# is a great language, Java is a great language, Perl is a great language, C is a great language, Scala is a great language, Lisp is a great language.. so just GTFU.

One could say that about any piece of software (1)

Omnifarious (11933) | about a year ago | (#42583639)

They all have undiscovered holes. What makes Java any riskier than IE? What makes it any riskier than Chrome or Firefox? Is it the lack of any update strategy on Oracle's part?

Nonsense (1)

Anonymous Coward | about a year ago | (#42583669)

Java vulnerability can be fixed in a few seconds:

apt-get remove java

There. Vulnerability fixed.

Do you guys realize... (1)

Synerg1y (2169962) | about a year ago | (#42583775)

These vulnerabilities affect java applets right? How many java applets are "in the wild"? 10? Most java applets are in-house businesses task specific apps from what I've seen. Meaning if you're casually browsing the web and the JVM is on... turn it off you don't need it... wants to come on and you don't trust it, block it... standard web practices here.

Reflection API (3, Interesting)

RedHackTea (2779623) | about a year ago | (#42584033)

So after following the rabbit hole, the article links here [security-e...ations.com] (see PDF) and here [security-e...ations.com] (same site, just "codes" for the issues) while exclaiming about 50 issues in Java! If you cut out the fluff, the only issue is the Reflection API. C# will and does have the same exact vulnerabilities. And after looking through it, it wouldn't take 2 years to apply these "fixes"; however, some "fixes" remove Java functionality, so it will never be "fixed" because why remove functionality. Any language can do bad things. We can only hope that the general public doesn't read this shill crap.

However, I admit that this is also a good thing to hopefully encourage Oracle to provide quicker updates/patches/etc.

I still don't see a mass migration to other languages happening. JAXB (and annotations in general) is one of the best things Java ever invented. I have yet to find a language with features that make XML reading/writing as easy as JAXB. Unicode, i18n, and l10n were well-done from the beginning. Even though people laugh at the notion of byte code and the cross-platformness of Java, I still have yet to see another language do this better. Java will die when either a better solution emerges or enough corporate shill kills it.

And I still don't understand why Linux is being bogged down with C# mono programs such as Banshee, TomBoy, etc. Don't get me wrong, these are great programs, but why not write them in a language that is more open? It would have been just as easy to do these in Java with GTK+.

/endrant