
Oracle Responds To Java Security Critics With Massive 50 Flaw Patch Update

timothy posted about a year and a half ago | from the no-more-jeans-all-patches dept.

Java 270

darthcamaro writes "Oracle has been slammed a lot in recent months about its lackluster handling of Java security. Now Oracle is responding as strongly as it can with one of the largest Java security updates in history. 50 flaws in total with the vast majority carrying the highest-possible CVSS score of 10."


OK (1, Insightful)

Anonymous Coward | about a year and a half ago | (#42767065)

Now please start working on an ARM version for my Surface RT.

Re:OK (0, Troll)

waddgodd (34934) | about a year and a half ago | (#42767105)

Now please start working on an ARM version for my Surface RT.

Yeah, like Orrible's (and specifically the Java section) going to lift a finger to help Microsoft after the whole J++ fiasco

Re:OK (4, Informative)

farble1670 (803356) | about a year and a half ago | (#42767457)

Yeah, like Orrible's (and specifically the Java section) going to lift a finger to help Microsoft after the whole J++ fiasco

1. that was not Oracle, it was Sun Microsystems.
2. it was 10 years ago. you think any of the same people are around, and have the same motivations?
2. it wasn't a fiasco, it made sun $700 million. they were pretty happy about it.

Re:OK (5, Funny)

Bongoots (795869) | about a year and a half ago | (#42767691)

3. PROFIT!

Re:OK (-1)

Cammi (1956130) | about a year and a half ago | (#42767801)

Orrible? You really need to mature ...

Re:OK (-1)

Anonymous Coward | about a year and a half ago | (#42767993)

You really need to learn to distinguish between comments and quotes.

Re:OK (0, Troll)

jhoegl (638955) | about a year and a half ago | (#42767931)

Why would ANYONE want java on their device?
I mean, I thought Microsoft was terrible enough with its security holes and patches, but now Oracle with its multiple versions and updates?
"Oh... no, not that version of Java, we only work with Java 6r12."
W....T.....F?
FU Java..... fu....

Re:OK (0)

Anonymous Coward | about a year and a half ago | (#42768347)

That would be the developer's fault not Java's fault.

Re:OK (0)

colinrichardday (768814) | about a year and a half ago | (#42768351)

And what other language(s) are present on Windows, Linux, and Mac OSX?

Re:OK (0, Informative)

Anonymous Coward | about a year and a half ago | (#42768487)

C, C++, Go, Python, Perl. Those are the main ones.

Then there's an insane number of other languages that of course have compilers, and that do compile or have virtual machines on all these platforms.

Of course there are others.. Haskell, PHP, and all the other minor languages...

Re:OK (2)

jameshofo (1454841) | about a year and a half ago | (#42768633)

That's preposterous! You're saying there are other programming languages?! But I want one that's riddled with gaping security holes that I have no control over, which even the maintainers say will take years to actually fix! If we didn't have to disable Java every week, what would the (nearly) useless people in our IT department do with their time!

first post! (-1)

Anonymous Coward | about a year and a half ago | (#42767079)

this is the first post!!

So nice (-1)

Anonymous Coward | about a year and a half ago | (#42767087)

So nice

Frosty Piss (-1)

Anonymous Coward | about a year and a half ago | (#42767107)

First post!

50 flaws when it knows of 150+ (0, Flamebait)

Anonymous Coward | about a year and a half ago | (#42767113)

Fifty whole flaws... Wow... (Dripping sarcasm intended)

Too late (5, Insightful)

Anonymous Coward | about a year and a half ago | (#42767125)

The knee-jerk reaction of getting the patches for Java out now following public criticism is not going to make up for their previous apparent disinterest in supporting the platform. The damage they have done to the reputation of Java is incalculable, and I for one as a C++ programmer thank them for it!

Re:Too late (5, Funny)

Maltheus (248271) | about a year and a half ago | (#42767515)

No doubt, this evens the scales after decades of buffer overrun exploits. Especially given the explosive popularity of applets.

Re:Too late (2)

ilicas (2799301) | about a year and a half ago | (#42767673)

touché, mon frère

Re:Too late (-1)

Anonymous Coward | about a year and a half ago | (#42767909)

I can tell you're an inept "programmer" because of your intelligence level. If you really are doing C++ development then the code you write must be of the simpleton variety. But, I think the drivel you write is probably limited to Hello World programs.

Secondly, associating the security vulnerabilities of Applets to the Java programming language and proclaiming the damage to Java as incalculable is as retarded as thinking you're a C++ developer.

Re:Too late (1)

Anonymous Coward | about a year and a half ago | (#42767997)

Ellison, is that you?

Re:Too late (4, Insightful)

sjames (1099) | about a year and a half ago | (#42768147)

It is good that they released the patches, but since they waited until DHS actually suggested uninstalling it (and all the implications of that) to do so, it doesn't inspire much confidence. If they want to rehabilitate their reputation, they're going to have to be MUCH more proactive about security and it will take a while to convince people.

Re:Too late (0)

Anonymous Coward | about a year and a half ago | (#42768595)

Hear, hear!

Effectiveness of a cop... (5, Funny)

jkrise (535370) | about a year and a half ago | (#42767147)

Supercop Oracle: I caught 50 powerful top grade thieves in my neighbourhood!! I am great!!!!

Ordinary cop: Why did you allow 50 scoundrels in the first place?

Re:Effectiveness of a cop... (-1)

Anonymous Coward | about a year and a half ago | (#42767227)

Supercop Oracle: I caught 50 powerful top grade thieves in my neighbourhood!! I am great!!!!

Ordinary cop: Why did you allow 50 scoundrels in the first place?

AFAICT the problem is really basic and the kind of thing nobody wants to talk about. It's a hot-button issue like abortion that most people can't be rational about and talk about.

Basically the problem is affirmative action. As a large employer this company is required to hire certain numbers of minorities. Diversity is fine and good but not when it results in less qualified people getting jobs because they have the right color skin meanwhile more qualified people don't. It makes lots of sense when you think about it. This is a huge HUGE megacorp that can afford the best expertise available. They don't have it because hiring somebody is no longer about getting the best candidate at a decent wage. It's political now.

Look, reverse racism is still racism and all racism is wrong. This kind of governmental social engineering creates more problems than it solves. It is a total rejection of the free market as well. Affirmative action has made a kind of stigma attached to minorities. You see a white guy working, you know he is qualified. You see a woman or a person of color working and you really have no idea how qualified they are or if they just got in because they had the "right" color or gender. This is a big problem. It explains lots of screwups that are hard to explain without it.

I hope no racist trolls jump in here because it would be nice to have a rational conversation about it.

Re:Effectiveness of a cop... (-1)

Anonymous Coward | about a year and a half ago | (#42767337)

The onus of evidence is, as ever, on the party making the assertion.

So, other than your own sexist, racist morality, is there any actual, SUBSTANTIATED PROOF that you can offer to support your contention that the "non-white, non-male" portion of Oracle's programming team is in some way inferior to the whites?

Unless you're in HR there, or overseeing the Java development teams, I can't see how you could have any basis for your claim beyond latent sexist/racist beliefs. After all, for all you know, it could actually be a bunch of ignorant, lazy, fat, white, mom's-basement-dwelling assholes like you that are dragging the division down...

-AC

Re:Effectiveness of a cop... (-1)

Anonymous Coward | about a year and a half ago | (#42767377)

You just got trolled, man. C'mon. What are the odds that was a real post?

Re:Effectiveness of a cop... (-1)

Anonymous Coward | about a year and a half ago | (#42767385)

Don't feed the trolls.

Especially the obvious cut'n'paste ones.

Re:Effectiveness of a cop... (-1)

Anonymous Coward | about a year and a half ago | (#42767431)

SUBSTANTIATED PROOF that you can offer to support your contention that the "non-white, non-male" portion of Oracle's programming team is in some way inferior

They were hired because they were non-white or non-male, not because they were skilled. Duh!

Re:Effectiveness of a cop... (-1)

Anonymous Coward | about a year and a half ago | (#42767725)

How dumb are you? Look at any one of the job postings on Oracle's site and you'll see exactly what he's talking about.

Re:Effectiveness of a cop... (-1, Troll)

drkstr1 (2072368) | about a year and a half ago | (#42767731)

It sounds to me like you are just trying to blame minorities for your own lack of skills. This whole "companies are forced to hire sub-standard employees because of affirmative action" is pure bullshit. The entire premise of this argument stems from a false notion that minorities are inherently inferior. Without this notion, the "problem" you invented is washed out by statistics. No one needs to have a rational conversation about it, because the problem simply doesn't exist. Sure it might happen every once in a while, but the only people bitching about it are a bunch of old, out of touch, white dudes who need an excuse to tell their wives why they don't have a job. This is the internet age, buddy. The white man's monopoly on knowledge has come to an end, and minorities are indeed coming for "our" jobs. Better adapt, or get left behind.

Re:Effectiveness of a cop... (-1)

Anonymous Coward | about a year and a half ago | (#42768143)

It sounds to me like you are just trying to blame minorities for your own lack of skills. This whole "companies are forced to hire sub-standard employees because of affirmative action" is pure bullshit. The entire premise of this argument stems from a false notion that minorities are inherently inferior. Without this notion, the "problem" you invented is washed out by statistics. No one needs to have a rational conversation about it, because the problem simply doesn't exist. Sure it might happen every once in a while, but the only people bitching about it are a bunch of old, out of touch, white dudes who need an excuse to tell their wives why they don't have a job. This is the internet age, buddy. The white man's monopoly on knowledge has come to an end, and minorities are indeed coming for "our" jobs. Better adapt, or get left behind.

Wow you sound so confident and self-assured, so ready to dismiss what other people might think. Bravo!

So then, you will have no problem answering a simple question, right? If minorities are not inherently inferior, then why would they fear a color-blind hiring process based entirely on the skills and merits of the applicant? Why would they need preferential treatment if they are equal or better?

If you can answer that without the hysterics you will definitely put the whole matter to rest.

Re:Effectiveness of a cop... (1, Insightful)

drkstr1 (2072368) | about a year and a half ago | (#42768169)

Hah, can't believe I got baited into that. No more reading /. at the end of a long day. You win this time, Troll.

Re:Effectiveness of a cop... (-1)

Anonymous Coward | about a year and a half ago | (#42768411)

Hah, can't believe I got baited into that. No more reading /. at the end of a long day. You win this time, Troll.

So you freely admit then, that you are unable to tell me why skillful minorities would ever fear a color-blind hiring process?

Interesting. It's as though you are too cowardly to say it, but sincerely do believe that they are not really so skillful and fear a fair comparison.

Are you sure you are not a "racist" yourself?

Re:Effectiveness of a cop... (0)

Anonymous Coward | about a year and a half ago | (#42768115)

Yeah, it couldn't possibly be the far simpler explanation that maintaining software doesn't maximize profits in the near term.

Protip: When you hear hoof beats, think horses, not zebras.

Re:Effectiveness of a cop... (0)

Anonymous Coward | about a year and a half ago | (#42768277)

Unless you live in Africa?

Re:Effectiveness of a cop... (0)

Anonymous Coward | about a year and a half ago | (#42768061)

I'm not sure a cop analogy is a good idea.

I thought the kind of society where cops are walking around actively trying to stop people from committing crimes before they happen is frowned upon on /.

Re:Effectiveness of a cop... (0)

Anonymous Coward | about a year and a half ago | (#42768391)

Supercop Oracle: Because profiling is illegal.

Confused. (5, Insightful)

Anonymous Coward | about a year and a half ago | (#42767151)

I'm not sure how I feel about this;

1. Good. It's awesome that Oracle are finally taking notice of java security issues and doing something positive.
2. Bad. That's a lot of CVSS2.0 score 10 bugs they've been letting slide.
3. Confused. How many more are there?

Re:Confused. (5, Insightful)

_xeno_ (155264) | about a year and a half ago | (#42767637)

3. Confused. How many more are there?

I'm sure there are enough that I feel fairly confident in my advice to just not install Java unless you really, really need it. Which, unless you're a developer or a Minecraft addict, you really don't.

So I have the JDK installed, but the plugin disabled. (Well, I have the 64-bit JDK installed and use 32-bit Firefox, which works well enough on that front.)

Re:Confused. (2)

sunderland56 (621843) | about a year and a half ago | (#42767715)

4. Pissed. That Oracle waited and collected bug fixes, not releasing any until they'd collected 50 in total, so they'd look like heroes.

Re:Confused. (1)

Anonymous Coward | about a year and a half ago | (#42767809)

You'd prefer an update a day for 50 days?

Re:Confused. (2)

Runaway1956 (1322357) | about a year and a half ago | (#42768287)

Why not? When a fix is fixed, it should be released! Whether I apply the fix is then my decision, and the consequences are mine to deal with.

Re:Confused. (0)

Anonymous Coward | about a year and a half ago | (#42768441)

You've never worked in IT, have you?

April Fools! (1, Informative)

Trubacca (941152) | about a year and a half ago | (#42767223)

Wait.. two months early. This still has to be a joke, right?

Java sucks. (-1)

Anonymous Coward | about a year and a half ago | (#42767233)

Does one of those patches s/GPL/BSD/g and release all the patents?

Does another patch change the fact that Java runs slower than new programming languages like Nimrod [nimrod-code.org] , which let developers accomplish the same tasks in far less code?

If not, I just don't see why anyone would still be using Java...

--libman

Re:Java sucks. (4, Insightful)

Dr. Tom (23206) | about a year and a half ago | (#42767345)

I like the way it took a Federal agency (DHS) to recommend deinstalling Java before Oracle did anything.
I think the Fed recommendation stands. Stop using Java.

Re:Java sucks. (0)

Anonymous Coward | about a year and a half ago | (#42768361)

How do you know Oracle wasn't working on the bugs before? They could simply be really slow. It wouldn't be the first time.

Re:Java sucks. (4, Interesting)

mark-t (151149) | about a year and a half ago | (#42767501)

Ask IBM.

Substantial portions (>80%) of Watson are written in Java.

The remainder is C++ and, of all things, Prolog.

Re:Java sucks. (3, Informative)

Anonymous Coward | about a year and a half ago | (#42767733)

The remainder is C++ and, of all things, Prolog.

Prolog is actually very appropriate.

Re:Java sucks. (2)

mark-t (151149) | about a year and a half ago | (#42767849)

My remark suggesting that I am surprised by their use of Prolog is not because I felt that the language choice was inappropriate... quite the opposite, in fact. My remark was more because I previously hadn't really heard of anything practical that used Prolog for quite a number of years (not since the 20th century, in fact).... and as far as I knew, it had long since seemed to slip into obscurity. I was just a bit surprised to read that parts of Watson had actually been developed with it.

Re:Java sucks. (2)

fahrbot-bot (874524) | about a year and a half ago | (#42767871)

Ask IBM.

Substantial portions (>80%) of Watson are written in Java.

The remainder is C++ and, of all things, Prolog.

I did LISP and Prolog programming as a college research assistant in automatic and fault-tolerant programming techniques, back in the mid '80s. Both languages are awesome. A/C responder is correct, Prolog is appropriate for Watson.

Re:Java sucks. (1)

Anonymous Coward | about a year and a half ago | (#42768009)

And if IBM jumped off a bridge, would you do the same?

A lot of corporate software is written in technologies the company has a stake in, or because of skillset momentum. IBM is a very rigid place, and it's also huge. It can throw a lot of money at some projects, but that doesn't mean they're ideally designed. I'm surprised Watson's coccyx isn't written in COBOL...

--libman

Re:Java sucks. (1)

mark-t (151149) | about a year and a half ago | (#42768189)

Poster said they don't know why anyone would use Java. I wasn't advocating it... I was just pointing out that they do, and if the poster does not know why, perhaps he should ask someone who does.

Re:Java sucks. (3, Insightful)

farble1670 (803356) | about a year and a half ago | (#42767599)

Does another patch change the fact that Java runs slower than new programming languages like Nimrod [nimrod-code.org], which let developers accomplish the same tasks in far less code?

there's a new latest greatest language every 6 months. customers don't like to re-write their platforms every 6 months when language X goes out of favor and they can't hire people to maintain their code or get updates for the runtime / tools.

do you think it's possible that nimrod also has security flaws, but they haven't been exposed ... consider the usage of java vs. nimrod and therefore the interest of hackers in finding the security flaws?

Re:Java sucks. (0)

Anonymous Coward | about a year and a half ago | (#42768265)

I was specifically criticizing Java for things other than security.

First of all, it's not genuinely free software [copyfree.org] . A freer alternative implementation, Apache Harmony [wikipedia.org] , was killed off by patents. Why marry a language when there are limits, both practical and theoretical, to what you can do with it? Some of Java's security problems are directly related to Java's relative closedness and bad will with the hacker community.

Secondly, it fails both as a high-productivity language and as a high-performance / systems language. People could always build better software more productively by using a scripting language like Python or Ruby, and then rewriting performance-critical modules in C. Unfortunately Ousterhout's Dichotomy [wikipedia.org] never caught on in large bureaucracies, the excuse being that they wanted one language for a balance of productivity and performance, which, with enough statistical torture, Java could be shown to be. Until recently.

Many things have changed in the last decade to make real (compiled to machine code) programming languages competitive with bytecode VM's: better platform-independent build tools, faster compilers (plus network distributed compiling), sandboxing / OS-level virtualization, etc. We've had languages like D, Go, and now Rust that would offer better productivity than Java, and should in theory eventually come closer to the performance of C. (Haskell sucks.) And the language that in my opinion currently does the best job, both in terms of syntax [github.com] and performance [bitbucket.org] , is Nimrod.

--libman

Clean up your shit, Oracle. (5, Informative)

Anonymous Coward | about a year and a half ago | (#42767235)

I know Oracle didn't write Java to begin with, but they sure had a hard-on to acquire it, presumably to soak up profits by wedging themselves into yet more enterprise services. I'd like them to take ownership of this issue and really hammer out these nasty problems. I know it's just the client side JVM-plugin-whatever, but Oracle's behavior isn't really making me want to go out and seek other Oracle products.

And fuck, if I can't escape this piece of software at work. I've got client applications, and web applications that we rely on, that absolutely require the full fat Oracle JVM. I'd love to disable the plugin or do away with it altogether, but I can't.

For that matter, deploying this supposedly enterprise piece of software is a massive pain in the ass. If you want to deploy it like usual (published through AD), you've got to open the installer EXE, go to your temp folder to copy out the .msi, then use an .msi editor to create an .msp file to disable the really annoying and awful Java auto-updater. (The auto updater requires admin privs to install.. And it will trigger on its own without user intervention. It's really annoying to end users to have a UAC prompt pop up randomly out of nowhere when they're working.)

Oh yeah, and if you run the exe manually to install? Make sure you uncheck the Yahoo toolbar! And this is supposed to be business software?

Re:Clean up your shit, Oracle. (4, Insightful)

fluffy99 (870997) | about a year and a half ago | (#42767367)

I know Oracle didn't write Java to being with but they sure had a hard-on to acquire it, presumably so soak up profits by wedging themselves in to yet more enterprise services. I'd like them to take ownership of this issue and really hammer out these nasty problems.

Didn't they just do exactly that? Granted there are probably still lots of other unannounced issues, but this is a good step in the right direction.

Re:Clean up your shit, Oracle. (1)

Anonymous Coward | about a year and a half ago | (#42767557)

All of your criticisms are warranted and correct (although how an enterprise can use AD to deploy software is beyond me - perhaps your enterprise is very small). Anyway, scale up to a full-on enterprise (we have 90,000+ machines) and you can't even fucking deploy Java updates. This is because Oracle doesn't understand the meaning of the word "patch". They just do a whole new version each time. And, each time, they deprecate features, break features, and add new features. Every single time we have app after app that is broken by these "updates" that are not patches. Yes, we have our share of badly written Java apps that break every time. We also have just random ones that break sometimes. For example, an app that works fine with a few different versions all of a sudden has the logon screen turn to blue background with blue text so the users can't read it and can't see what they typed. It is terrible software maintained by either idiots or people that hate us.

Re:Clean up your shit, Oracle. (0)

Anonymous Coward | about a year and a half ago | (#42767591)

It is terrible software maintained by either idiots or people that hate us.

Could always be both...

Re:Clean up your shit, Oracle. (5, Insightful)

phantomfive (622387) | about a year and a half ago | (#42767787)

Oracle's behavior isn't really making me want to go out and seek other Oracle products. And fuck, if I can't escape this piece software at work.

Two good points, and the latter is why Oracle doesn't care about the former.

The word is "its" (-1)

Anonymous Coward | about a year and a half ago | (#42767317)

"it's" means "it is"

Re:The word is "its" (2, Funny)

Anonymous Coward | about a year and a half ago | (#42767419)

timothy fail English? That's unpossible!

Re:The word is "its" (-1)

Anonymous Coward | about a year and a half ago | (#42767617)

Maybe he bent his wookie.

I -still- hate programming in Java. -- TRUE (-1, Troll)

eyenot (102141) | about a year and a half ago | (#42767415)

I'm serious! Why did you go on to read the body of this message? Didn't you belieeeve meeeee hmmmmm? Don't you think I should be trusted? Maybe it's YOUR fault.

1.6? (1)

Anonymous Coward | about a year and a half ago | (#42767421)

We're required to maintain the 1.6 line and so have disabled the auto update as it constantly tries to upgrade to 1.7. So, in order to get the patch we turn on update to install the update and turn it off immediately or will it go straight to seven again forcing me to uninstall and reinstall the updated version?

Re:1.6? (-1)

Anonymous Coward | about a year and a half ago | (#42768327)

1.6 is EOL this month. Deal with it.
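The two deployment complaints in this thread (the "Clean up your shit, Oracle" comment about having to pull the .msi out of the EXE and hand-edit it to kill the auto-updater, and the question just above about staying on the 1.6 line while the updater keeps trying to drag machines to 1.7) come down to the same thing: install silently with the updater and, unless an application really needs applets, the browser plugin turned off, and then make sure nothing can turn them back on. The script below is an added example, not code from any commenter, from Oracle or from Slashdot. It assumes an Oracle JRE 7 offline installer (the file name is a placeholder), the installer properties Oracle documents for the 7u10+ Windows installer (`/s`, `JAVAUPDATE`, `AUTOUPDATECHECK`, `JU`, `WEB_JAVA`, `RebootYesNo`), and that the `Java Update\Policy` registry values and the `SunJavaUpdateSched` Run entry are what the updater reads; the registry details are assumptions to verify on a test machine before pushing to a fleet.

```powershell
# Added example, not code from the thread or from Oracle: a scripted JRE 7
# deployment for Windows that never lets the auto-updater or the browser
# plugin come up in the first place.
# Assumptions:
#   - $Installer is a placeholder file name for an Oracle JRE 7 offline installer.
#   - JAVAUPDATE, AUTOUPDATECHECK, JU, WEB_JAVA and RebootYesNo are the
#     installer properties Oracle documents for the 7u10+ Windows installer.
#   - The "Java Update\Policy" values and the SunJavaUpdateSched Run entry
#     are what the updater reads; verify on a test machine first.
param(
    [string]$Installer = '.\jre-7u13-windows-i586.exe',   # placeholder name
    [switch]$KeepBrowserPlugin                             # only if an app truly needs applets
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $Installer)) {
    throw "Installer not found: $Installer"
}

# Silent install with the updater switched off at install time, so no
# scheduled updater and no surprise UAC prompts on the user's desktop later.
$installArgs = @('/s', 'JAVAUPDATE=0', 'AUTOUPDATECHECK=0', 'JU=0', 'RebootYesNo=No')
if (-not $KeepBrowserPlugin) {
    $installArgs += 'WEB_JAVA=0'   # no browser plugin: the piece the DHS advisory was about
}

$proc = Start-Process -FilePath $Installer -ArgumentList $installArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "Installer exited with code $($proc.ExitCode)"
}

# Enforce the no-update choice through the policy key as well, in both the
# native and WOW6432 views, so a later 32-bit JRE cannot re-enable the updater.
$policyKeys = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Update\Policy',
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy'
)
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in 'EnableJavaUpdate', 'EnableAutoUpdateCheck') {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

# Remove the updater's Run entry if an earlier manual install left it behind.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Remove-ItemProperty -Path $key -Name 'SunJavaUpdateSched' -ErrorAction SilentlyContinue
    }
}

# Verify: which JRE answers on PATH, and whether the updater is still running.
$java = Get-Command java -ErrorAction SilentlyContinue
if ($java) {
    & $java.Path -version 2>&1 | ForEach-Object { "java: $_" }
} else {
    Write-Warning 'java.exe is not on PATH; the install may have gone to a non-default INSTALLDIR'
}
Get-Process jusched -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Warning "jusched.exe (pid $($_.Id)) is still running; it goes away at next logon, or stop it now"
}
```

Run it elevated from a software-distribution job rather than as a logon script, since the installer and the HKLM writes both need admin rights; for the 1.6 case, point `$Installer` at the 6-update-whatever offline installer and the same properties keep the updater from ever offering 7. The `WEB_JAVA=0` switch is the scripted equivalent of what the `_xeno_` comment above does by hand (JDK installed, plugin off), and it is the single most useful setting here, because every flaw the story is about is reached through the browser plugin.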

Technically Java should be illegal (1)

Anonymous Coward | about a year and a half ago | (#42767433)

Didn't they sue Microsoft for copying Java, and then sued again because Microsoft were unable to produce security updates because of the first lawsuit?
Well the same thing should apply to them due to THEIR poor security track record.

It doesn't matter how many patches they make, they are completely ineffective because it requires user intervention to update, which most users don't understand. They also force third party products by default with security updates, which makes IT people not want to teach users to update.

Better to uninstall Java and be happy, unless you REALLY need it.

Re:Technically Java should be illegal (0)

Anonymous Coward | about a year and a half ago | (#42768557)

Meh, Java is great.

Craplets have always sucked and always will.

Ooh goody... (0)

Melakh (2670043) | about a year and a half ago | (#42767471)

...150+ new security flaws added

Re:Ooh goody... (4, Funny)

spykemail (983593) | about a year and a half ago | (#42767597)

We apologize for the fault in the software platform. Those responsible have been sacked.
Mynd you, m00se bites Kan be pretty nasti...
We apologize again for the fault in the software platform. Those responsible for sacking the people who have just been sacked have been sacked.

And the update is here. (5, Informative)

mhotchin (791085) | about a year and a half ago | (#42767561)

Would it kill you idiots to post a direct link to the update in a story that is about nothing *but* the update?
http://www.oracle.com/technetwork/java/javase/downloads/index.html [oracle.com]

Re:And the update is here. (0)

Anonymous Coward | about a year and a half ago | (#42767817)

Would it kill you idiots to post a direct link to the update in a story that is about nothing *but* the update?
http://www.oracle.com/technetwork/java/javase/downloads/index.html [oracle.com]

Good point. Link added. [-Ed]

Where there are 50 found... (3, Insightful)

mysidia (191772) | about a year and a half ago | (#42767653)

There are probably 500 unaddressed.. you know...

Oracle's, you know... rearranging the deck chairs on the Titanic. Plugging a few of the small leaks here and there. Doesn't mean the ship is saved :)

Recall Cisco just released this big 2013 annual security report the other day, showing Java exploits as the #1 infection vector for malware.... :)

*sigh*.... Java... (5, Interesting)

wierd_w (1375923) | about a year and a half ago | (#42767655)

I like the *idea* of java.... but I don't like java.

It has been my experience, even way back when the JVM was owned by Sun, and when MS tried their crazy IE-only "not really a real JVM but we say it is!" bull--- that the JVM was a festering turd, that was slow, carried around a lot of baggage, and was a vector through which malicious programs could be executed in secret due to its bugs.

Granted, that is just an anecdote. So, here's some old, tinned bugs from days of yore... clicky. [ait.ac.th]

As far as I can tell, Java has always been a very attractive target for malefactors who want to run malicious executable code on remote systems, because the innate abstraction provided by the JVM makes it an ideal incubator for that malware. As such, malefactors have consistently looked for, found, and exploited holes in Java to accomplish their nefarious tasks, despite the JVM dev team's best efforts.

In short, Java has always been a security risk. The question I have always asked myself is if the benefits of that security risk outweigh the benefits. So far, my answer has always been "no." When it comes to desktop computing. For the originally intended ecosystem that Java was made for, (things like portable computers, set top boxes, and custom computing devices) java is a godsend that makes development time get spent more efficiently. For a mostly monolithic desktop hardware space, java doesn't make nearly as much sense, and carries with it a very large attack surface.

In short, I would rather do without your software, than expose myself to java's attack surface, if you refuse to write your software in a properly portable fashion, and choose to rely exclusively on the JVM.

  If you need cross platform support, use cross platform libraries, and compile platform appropriate executables from your codebase. Maintaining platform agnosticism through writing exclusively portable code will force you to write better code anyway.

Leave Java in the ecosystem it belongs in: one-off hardware implementations, novelty devices, and low power computing platforms. Bringing Java kicking and screaming to the desktop ecosystem makes it too big of a target for malefactors, and only exposes your own unwillingness to practice best practices when writing your software.

Re:*sigh*.... Java... (5, Insightful)

trims (10010) | about a year and a half ago | (#42767913)

You forget the place that Java has had the most success: Enterprise computing.

I'll agree that the sum total of the Java Plugin + JDK Libraries + JVM provides too much opportunity to attack on the desktop / web app space. There's simply too many flaws in the plugin and libraries. The JVM itself, though, is very solid (fewer than 10 major flaws over 15 years).

However, Java as a middleware platform is simply far better than any of the alternatives, and that's where I expect it to remain. Insulated from the types of attacks that render Java dangerous on the desktop, middleware app servers play directly to Java's big strengths: speed, ease of development, and massive library support, plus a framework which helps discourage the types of coding flaws that hurt middleware computing the most. Java will likely remain king of middleware for a long time, and deservedly so.

On the desktop or as a downloadable app, well, yes, Java is simply never going to measure up to the better cross-platform alternatives.

-Erik

Re:*sigh*.... Java... (1)

LWATCDR (28044) | about a year and a half ago | (#42767971)

What better cross-platform alternatives? .Net????

Re:*sigh*.... Java... (1)

wierd_w (1375923) | about a year and a half ago | (#42768035)

Actually implementing best practices, and using portable libraries. (Like, not taking things like byte order for granted, not taking system behaviors for granted, etc.)

Oh, but that means you need to learn C, and not some platform specific language. My bad. /snark

Re:*sigh*.... Java... (0)

Anonymous Coward | about a year and a half ago | (#42768315)

Qt. Nothing else is up to snuff.

Re:*sigh*.... Java... (1)

wierd_w (1375923) | about a year and a half ago | (#42768299)

No question. Java is a very valuable and useful tool.

But it needs to stay away from the high risk environment of the desktop.

Like I said, I like the idea of Java. It really is a good idea, and if Java was just more discreet about where it tried to dangle its little toes, I would have zero problem with it.

But when it serves as a universal attack vector in the desktop space, there is a serious problem, and it needs to be dealt with. I feel the best solution there is to Just Say No.

I refuse to install the JDK and browser plugins on any desktop system that also touches the internet. The risk is just too damned high.

Re:*sigh*.... Java... (2)

jafac (1449) | about a year and a half ago | (#42768023)

Java was Sun's last-ditch effort to preserve an ecosystem of different operating systems and different CPU platforms anyway. That didn't really work-out so well for Sun in the long run. Rather unfortunately.

It's nice that we still have a diverse range of operating systems, but really, it kind of just boils down to Intel now.

Re:*sigh*.... Java... (1)

wierd_w (1375923) | about a year and a half ago | (#42768123)

Java still shines on handheld devices, like tablets and phones, and on set-top devices, like DVRs and cable boxes. An application written for the JVM can theoretically run on any architecture that has a suitable JVM implementation. That's the whole point. A device maker can use whatever chip-du-jour is the cheapest that year, and at least in theory not break all their app support, because all they have to do is make sure the JVM works.

This means a cable company can write a DVR applet for a cable box, and regardless of what horror lies inside as the bare metal, expect their already written package to run without going back and hunting down weird bugs.

But most hackers aren't interested in your cable box, or your DVR. They want something they can use to brute force passwords with, send email to others through, force into a ddos, or just use to plain straight up steal personal data with.

In short, malicious hackers want your desktop. So, if you want to keep Java as a useful tool, KEEP JAVA OFF THE DESKTOP.

It's really just that simple.

Re:*sigh*.... Java... (0)

Anonymous Coward | about a year and a half ago | (#42768587)

I liked Java until everyone started decompiling it then it became not so fun

oracle are fags that fuck customer and leave brown (-1)

Anonymous Coward | about a year and a half ago | (#42767681)

stain

Mod parent up! (-1)

Anonymous Coward | about a year and a half ago | (#42767721)

parent is right.

Things must be bad (0)

Gadget_Guy (627405) | about a year and a half ago | (#42767683)

Wow! It shows how bad things are getting on the Java security front when even Oracle start taking notice of the problem!

Nostalgia (2, Interesting)

mrbester (200927) | about a year and a half ago | (#42767757)

I remember those halcyon days when Java had just emerged, acorn-like if you will, from Oak. It promised a brave new world of write once, run anywhere programming that was to usher in a wonderful alternative to all that dangerous mucking about with C++ and flatten the disparate paradigms of software development from Microsoft, Apple and others. I went to trade shows and conferences with like-minded souls all excited about this Next Big Thing. Hell, I even bought books and marvelled how easy it was to get Duke to cartwheel on any OS with a JVM.

Then it all went to shit with internecine wars and disparate implementations.

But it didn't stop there. It then carved out of the psyches of beleaguered programmers the world over a new level of hell just for itself.

Adieu. At least it was fun in the beginning.

Re:Nostalgia (0)

Anonymous Coward | about a year and a half ago | (#42768103)

Ah, I must be a babe by comparison. I remember downloading the freshly released HotJava so that I could see Duke cartwheeling round the screen in university. At the time I thought "this is going to be big", but of course we were all young and naive once. :)

Re:Nostalgia (2)

jgrahn (181062) | about a year and a half ago | (#42768479)

I remember those halcyon days when Java had just emerged, acorn-like if you will, from Oak. It promised a brave new world of write once, run anywhere programming that was to usher in a wonderful alternative to all that dangerous mucking about with C++ and flatten the disparate paradigms of software development from Microsoft, Apple and others. I went to trade shows and conferences with like-minded souls all excited about this Next Big Thing. Hell, I even bought books and marvelled how easy it was to get Duke to cartwheel on any OS with a JVM.

I was there too in the late 1990s. My company was C/Unix-oriented, and Java looked like a nice upgrade for a few months.

Then I found that I couldn't get a free Java interpreter for my Linux box; that I couldn't write a standard Unix getopt(3) parser; that C++ had better data structures for vectors, linked lists and search trees ... and I passed on Java.

But it didn't stop there. It then carved out of the psyches of beleaguered programmers the world over a new level of hell just for itself.

It turned into a platform. You already had Windows programmers and Unix programmers who didn't talk to each other; now you had Java programmers too.

They managed to leave 50 critical flaws unpatched??? (3, Insightful)

gweihir (88907) | about a year and a half ago | (#42767767)

I wonder how many are still open after this publicity stunt and how many they did patch badly (as before), but now the attackers know what to look at.

Let's face it: Java is a mess. Use in anything but a protected environment where the Java code and runtime cannot be attacked is highly unprofessional and borders on gross negligence.

Re:They managed to leave 50 critical flaws unpatched (-1)

Anonymous Coward | about a year and a half ago | (#42767963)

Your intelligence borders on gross negligence.

Look at your Windows Updates (0)

Anonymous Coward | about a year and a half ago | (#42767921)

You'll find hundreds and hundreds of security patches with more being released every Tuesday. If you really want to see a leaky sieve of an OS look no farther than Windows.

The stupidity hurts my head. (1)

davidoff404 (764733) | about a year and a half ago | (#42768119)

Getting a patch to fix security issues is great, but not if it breaks other fucking software on my system.

As of right now, this patch won't install for me unless I allow it to uninstall Java 6. The blithering fucking idiots.

Do they not understand that we might have business-critical software that works only with Java 6?

Re:The stupidity hurts my head. (1)

Miamicanes (730264) | about a year and a half ago | (#42768349)

Oracle is really doing its best to kill Java. For them to even *THINK* auto-uninstalling 1.6 is a good idea at this point in time is like the Titanic's crew chopping holes in their lifeboats upon seeing the iceberg...

Re:The stupidity hurts my head. (1)

characterZer0 (138196) | about a year and a half ago | (#42768393)

If you are installing Java 7, why would you need to keep 6? Do you have an example of something that works with 6 but not 7?

How is it different from IE8 requiring that you uninstall IE7?

It only takes one (1)

nuckfuts (690967) | about a year and a half ago | (#42768133)

unpatched hole for you to get screwed through.

CPU Fixes (-1, Troll)

sgt scrub (869860) | about a year and a half ago | (#42768139)

I like how they call them CPU fixes. Oracle strongly recommends that customers apply CPU fixes as soon as possible. It is obviously done that way so people will associate the issue with hardware instead of Java. I can see it.

Manager: Oracle says my CPU needs to be fixed. Why do I have a bad CPU?
Support: oO

Java sucks (1)

boddhisatva (774894) | about a year and a half ago | (#42768149)

It's so shot full of security problems that it's virtually a malware writing language. They promised code reuse. Code reuse? 30% of Java programmer time is spent maintaining legacy code because of changes in the language and libraries. Single framework. That's a laugh. It's so shot full of security holes it's virtually a malware writing language. Write once, run everywhere? What a laugh. 99.9% of the stuff on the web is Javascript. Performance? It stinks. Period. C++ is better and Linus Torvalds says "C++ is a horrible language." Java is C++--.

ten bucks says (0)

Anonymous Coward | about a year and a half ago | (#42768339)

50 makes ten more.....

Mom, look! MOM! Look! LOOK! (0)

Anonymous Coward | about a year and a half ago | (#42768481)

Look how many easily patched vulnerabilities I've been sitting on, and I did them all at once now that you're paying attention. Aren't I a big boy?

Still comes with the Ask Toolbar (2)

goochman (303570) | about a year and a half ago | (#42768545)

fix those vulnerabilities before someone installs a toolbar you don't want... oh wait. nevermind.
