Slashdot: News for Nerds

Oracle Rushes Emergency Java Update To Patch McRAT Vulnerabilities

Unknown Lamer posted about a year ago | from the brought-to-you-by-c-sharp dept.


msm1267 writes "Oracle has once again released an emergency Java update to patch zero-day vulnerabilities in the browser plug-in, the fifth time it has updated the platform this year. Today's update patches CVE-2013-1493 and CVE-2013-0809, the former was discovered last week being exploited in the wild for Java 6 update 41 through Java 7 update 15. The vulnerability allows for arbitrary memory execution in the Java virtual machine process; attackers exploiting the flaw were able to download the McRAT remote access Trojan."


165 comments

Uninstall (5, Funny)

Dan East (318230) | about a year ago | (#43074545)

I uninstalled everything starting with "java" on my computers, and the only thing now missing is the every-other-day notification that Java needs to be updated.

Re:Uninstall (1)

Pino Grigio (2232472) | about a year ago | (#43074579)

Yup. Me too. Can't stand it.

Re:Uninstall (1)

I'm New Around Here (1154723) | about a year ago | (#43075205)

Well, what application did you have before that needed Java to start with?

I know everyone says Open Office, but that can't be the main reason so many people have Java installed.

As for the annoying update, I turned that feature off right away. I'll keep track of what I need to update, thank you very much oracle.

Re:Uninstall (2, Interesting)

Decker-Mage (782424) | about a year ago | (#43075481)

Sadly, more than a few "security" tools here require Java or .NET.

Re:Uninstall (0)

Anonymous Coward | about a year ago | (#43075535)

What does .Net have to do with this?

Re:Uninstall (0)

Anonymous Coward | about a year ago | (#43074821)

Or you could stop ragging on Oracle/Java and just not click Activate/Run on applets from untrusted sites! That way you don't have to uninstall Java. I mean it's no different than me going around, running executables from random websites and then blaming Microsoft for not doing more to secure their OS. There is only so much a company can do to secure its users; the rest is up to the user.

Re:Uninstall (4, Insightful)

DigitAl56K (805623) | about a year ago | (#43074989)

I mean it's no different than me going around, running executables from random websites and then blaming Microsoft for not doing more to secure their OS.

It's entirely different, the plugin is supposed to be sandboxed.

Re:Uninstall (2)

holostarr (2709675) | about a year ago | (#43075021)

Just because it's supposed to doesn't mean you should run untrusted code.

Re:Uninstall (4, Insightful)

Deekin_Scalesinger (755062) | about a year ago | (#43075115)

Look me in the eye and tell me you compile everything from source, after verifying each line of code. Do you trust Mozilla? Canonical? Berkeley? What an asinine statement.

Re:Uninstall (0)

Anonymous Coward | about a year ago | (#43075153)

How can he look you in the eye in a web forum?

Re:Uninstall (4, Funny)

Technomancer (51963) | about a year ago | (#43075755)

That's easy, just click on this little Java app.

Re:Uninstall (5, Insightful)

holostarr (2709675) | about a year ago | (#43075179)

Obviously sometimes you have no choice but to trust someone else's code, but there is a difference between blindly trusting all code versus evaluating the source of the code and deciding whether or not there is enough good faith for the source to be trusted.

Re:Uninstall (1)

Deekin_Scalesinger (755062) | about a year ago | (#43075263)

Indeed and well said Sire. My faith in tech humanity and common sense is somewhat restored (at least for tonight).

Re:Uninstall (0)

Anonymous Coward | about a year ago | (#43076251)

Obviously sometimes you have no choice but to trust someone else's code, but there is a difference between blindly trusting all code versus evaluating the source of the code and deciding whether or not there is enough good faith for the source to be trusted.

The difference being what, an insurmountable level of effort with still no absolute certainty?

Re:Uninstall (0)

Anonymous Coward | about a year ago | (#43075357)

How do you know that you can trust the compiler? How do you know that the compiler can trust the hardware?
http://cm.bell-labs.com/who/ken/trust.html
http://it.slashdot.org/story/08/05/09/164201/fbi-says-military-had-counterfeit-cisco-routers

The lesson:
Don't trust someone or something just because it claims it can be trusted.

Re:Uninstall (1)

Anonymous Coward | about a year ago | (#43075341)

But the whole point of the Java security model is so that one isn't supposed to have to worry about whether they are running trusted or untrusted code. If it's untrusted code it's not supposed to be running at all.

Re:Uninstall (0)

Anonymous Coward | about a year ago | (#43076245)

I mean it's no different than me going around, running executables from random websites and then blaming Microsoft for not doing more to secure their OS.

It's entirely different, the plugin is supposed to be sandboxed.

Oh no no no, the browser plugin on most (many.. all?) systems is NOT, not any more than the browser processes themselves.
The Java code executed by the JVM is sandboxed. THAT's the sandbox being broken out of anyway. Well, not just breaking the sandbox, but executing custom code in the JVM process itself from what I understand.

If the PLUGIN was sandboxed, this wouldn't be such a big deal.

LOL (-1, Troll)

Anonymous Coward | about a year ago | (#43074577)

Stop installing malware like Java and Flash on your systems and you become an infinitely smaller attack target.

Re:LOL (2)

ls671 (1122017) | about a year ago | (#43075571)

Ok, I am sick of this. Java is a fine language and platform and it doesn't deserve all the bad press it got lately just because it is poorly managed at the moment in one specific area: browser plugins. Banks and other corporate customers that feed Oracle couldn't care less about the flaws because they use Java server-side.

Here is my theory, I could be wrong...

Sun and Oracle philosophies were pretty different. Since Sun was acquired by Oracle, Oracle is split in 2 camps and stuck with a problem:

1) Sun's former employees. The ones that haven't left yet but that are kind of resisting still from the inside.
2) Legacy Oracle employees.

Sun's employees are much closer to the real old-school geeky Linux user style than Oracle employees, who are closer to a Microsoft representative in their style. Sun's employees know this; they also have a strong ego.

So making Java look stupid would sure get a stab at those former Sun's employees that think they know everything and possibly make them easier to merge into the company mentality or cause them to resign.

When you bitch about Java, you may just be playing Oracle's game... But then again, could this theory possibly make sense to anybody else?

Only one program I miss (1, Insightful)

AG the other (1169501) | about a year ago | (#43074589)

Open office won't work without Java. Maybe some day I'll be convinced that they have their stuff together again and I'll reinstall it.

Re:Only one program I miss (5, Informative)

mcl630 (1839996) | about a year ago | (#43074621)

Most of the Java vulnerabilities are in the browser plugin. You can always install Java and just disable the browser plugin.

Re:Only one program I miss (-1)

Anonymous Coward | about a year ago | (#43074687)

That reminds me of the old NT4 security rating that was achieved by disconnecting the machine from the network and restricting physical access. You see, once you disable the browser plugin, that's 99% of the raison d'etre of Java gone for most end users who are downloading the thing in the first place. Without any reason to keep it on your system, just uninstall it and be done.

Re:Only one program I miss (1)

dissy (172727) | about a year ago | (#43075247)

I think you're mistaken. Open Office never ever has run in the browser plugin.
Or did you even bother to look at the conversation before spouting off?

And Open Office still runs (0)

Anonymous Coward | about a year ago | (#43075261)

Well no, because the VM is installed by Open Office. So you get Open Office, without all that Java plugin nonsense.

But these days I let Firefox simply leave the plugin switched off, and only activate it if I use a website I trust that uses it (my stock broker).

I think Adobe and Oracle really have lost their way. The last update to Flash made the player crashier than before. I think they have a crap programmer on the team and he seems to be twiddling and breaking stuff. Oracle on the other hand, well, that's about the standard I find all Oracle products.

Re:Only one program I miss (0)

davydagger (2566757) | about a year ago | (#43075803)

"that's 99% of the raison d'etre of Java gone for most end users who are downloading the thing in the first place"

Maybe in 1996. There are almost no legitimate Java web apps anymore. The biggest use for Java today is cross-platform executables like i2p, freenet, and other Windows-Mac-Linux cross-platform executables. Those are pretty rare too.

The only major mainstreamish (read: non-darknet) app I can think of that needs it is LibreOffice. Other than that it's pretty worthless. For most cross-platform dev work, I think Python has taken over.

python is a far far far better language.

Re:Only one program I miss (0)

Anonymous Coward | about a year ago | (#43074737)

a voice of reason! unfortunately here all we really get are: I heard that java was compromised, so i smashed my monitor.

Re:Only one program I miss (1)

etrusco (576870) | about a year ago | (#43075151)

I would agree, if only the installer had the option not to install the plugin and the option was kept when updating.

Re:Only one program I miss (3, Interesting)

TsuruchiBrian (2731979) | about a year ago | (#43074623)

You can have the java virtual machine installed without using the java applet plugin for your browser. The recent security problems are only for the java applet browser plugin, which is now disabled by default by firefox and probably other browsers as well.

Re:Only one program I miss (5, Insightful)

Desler (1608317) | about a year ago | (#43074649)

Open office won't work without Java.

Sure it does. The only parts that really required Java were a couple of wizards and the RDBMS.

Re:Only one program I miss (3, Interesting)

smash (1351) | about a year ago | (#43074859)

.... and Base is pretty damn broken anyhow. I tested it a couple of months back - create new database. create a single table with 2 fields, a primary key and a name. It crashed when I tried to save the table design. Doesn't exactly inspire confidence as far as holding my data goes, which is somewhat crucial for a DATABASE.

Re:Only one program I miss (1)

smash (1351) | about a year ago | (#43076023)

This was on a 15 minute old install of debian stable, by the way. Not some bleeding edge or ricer-cflags distribution.

Re:Only one program I miss (0)

Anonymous Coward | about a year ago | (#43076199)

Uhm... If you can't tell the difference between Java (JVM) and browser plugin, you should not be installing any programs on your computer without tech savvy supervision to begin with.

Re:Only one program I miss (3, Interesting)

Anonymous Coward | about a year ago | (#43074661)

I use Libre Office just fine without Java installed. Maybe some plugins still need it, but I've never had it complain that I was missing it.

Re:Only one program I miss (1)

rwyoder (759998) | about a year ago | (#43075255)

I use Libre Office just fine without Java installed. Maybe some plugins still need it, but I've never had it complain that I was missing it.

+1
I switched to Libre Office long ago, and can't find any reason anyone would still use OpenOffice.

Re:Only one program I miss (1)

antdude (79039) | about a year ago | (#43075119)

OpenOffice doesn't require Java for everything. What do you use for its Java?

Re:Only one program I miss (1)

AG the other (1169501) | about a year ago | (#43075225)

It says you can't install it unless you have Java installed or did the last time I tried to install it.
My wife has a multi PC copy of MS Office and I use that, most of the time anyway, for what little word processing I do that Google Docs won't do.

Re:Only one program I miss (4, Informative)

dissy (172727) | about a year ago | (#43075235)

Just install 64 bit java JRE only. There are no browser plugins in the 64 bit JRE, only the 32 bit JRE, so none of the vulnerabilities released in the past 3 or 4 years will affect you.

As a bonus, since there are no browser addons in 64 bit JRE, you won't ever see that annoying ask toolbar garbage from them again.

Re:Only one program I miss (1)

Numtek (839866) | about a year ago | (#43075837)

It does here.

Re:Only one program I miss (1)

Nivag064 (904744) | about a year ago | (#43075897)

You can use LibreOffice instead of OpenOffice; it does not depend on Java!

http://www.libreoffice.org/ [libreoffice.org]

Re:Only one program I miss (0)

Anonymous Coward | about a year ago | (#43076301)

That's interesting because I've compiled it with Java support disabled. Works fine without Java...

Seems like /. is stuck on repeat... (1)

Anonymous Coward | about a year ago | (#43074599)

I have Java on my computer, but it is warm, tasty, and resides in a mug, but most importantly is exploit proof!

Re:Seems like /. is stuck on repeat... (2)

davydagger (2566757) | about a year ago | (#43075825)

the worst part about this is the statement is inherently untrue.

If an attacker were to gain physical access to your machine, I could easily picture a nice denial of service attack one could perform with a hot cup of java on your computer.

Here is a hint: it's the type that destroys the hardware.

I don't know your setup, but I'd also question the stability of your java platform (and the cup too). If you get a user panic error, you could easily destroy your machine.

even worse than the vulns (5, Insightful)

csumpi (2258986) | about a year ago | (#43074637)

Even worse than the vulnerabilities are the _constant_ nagging for updates. Then on top of it, the way java updates is stupid. With every update a new version is installed, and the old ones are left uninstalled. So it got uninstalled. All of it.

The language is ok, but everything else about java just plain sucks.

Re:even worse than the vulns (1)

GodfatherofSoul (174979) | about a year ago | (#43074679)

Compared to Adobe?

Re:even worse than the vulns (0)

Anonymous Coward | about a year ago | (#43074855)

Flash? No. It's no better. I was comparing to not having either of them installed. It's frustrating at times (some things don't work), but compared to the constant nagging about updates, I prefer it.

Re:even worse than the vulns (1)

Anonymous Coward | about a year ago | (#43074785)

I think java 7 installs updates in place - no more need to uninstall old versions.
It says it does this somewhere on the oracle updater site, & it seems
to be working for me on a number of platforms.

Re:even worse than the vulns (1)

Anonymous Coward | about a year ago | (#43074841)

http://docs.oracle.com/javase/7/docs/webnotes/install/windows/patch-in-place-and-static-jre-installation.html
Haven't the faintest why this isn't documented more clearly
in their other pages related to installation & patching.

Re:even worse than the vulns (2)

Nimey (114278) | about a year ago | (#43074793)

What do you mean "the old ones are left uninstalled"? Are you griping about it getting rid of old vulnerable versions, or do you have really ancient copies of Java prior to 6.0 update 10 still installed? Java 6u10 was the first version to be automatically removable by subsequent versions, so 6u7 and earlier must be manually uninstalled.

The updater still sucks in that it requires manual intervention instead of updating in the background, yes.

Re:even worse than the vulns (0)

Anonymous Coward | about a year ago | (#43075273)

So why have I had to manually uninstall Java 6 Update 31 on about 150 users at my work the past few weeks after Java 7 updates installed but Chrome still detected outdated Java?

I fucking HATE the JRE and wish my employer wouldn't use it for the client apps. The worst part is the 2 client apps we use Java for could easily be just a simple HTML form.

Sigh I can't wait till I die from all the alcohol I drink from dealing with my job.

Sorry about that last sentence I'm drunk and I blame Oracle!

Re:even worse than the vulns (2)

Nimey (114278) | about a year ago | (#43075343)

Because Java 7 ignores previous Java 6 installs. New Java 7 updates will remove previous Java 7 instances.

It probably makes sense in some use cases.

Re:even worse than the vulns (0)

Anonymous Coward | about a year ago | (#43074871)

Wa wa wa. For the 13 current comments on this article, someone is already complaining about OpenOffice, about Java being the worst thing ever, and that its updates suck.

Do you people ever read and understand what you read? Java update articles have been on Slashdot long enough for you to know better.

1) OpenOffice and LibreOffice don't require Java.
2) A buggy browser plugin doesn't mean the entire language and JVM are bad as well. No one ran around spreading fear and trying to get everyone to uninstall everything remotely related to Adobe because of Flash plugin bugs (they wanted Adobe gone for other reasons such as bloat).
3) A full Java installation doesn't break old software. Tons of people complain every time Firefox updates and breaks something. Java doesn't do that because you still have the older version. Whichever update method you pick, someone will always complain. There are pros and cons to both methods. Simply complaining about one way is only whining. It is also possible to have Java auto-update without bugging you or to turn updates off. There's no harm from the current problems if you turn updates off and disable the browser plugin.

Sorry csumpi, I'm not trying to personally attack you even if it sounds that way.

Re:even worse than the vulns (4, Informative)

gstoddart (321705) | about a year ago | (#43074945)

Even worse than the vulnerabilities are the _constant_ nagging for updates.

And proclivity for trying to install the Ask.com toolbar.

Currently that is my biggest beef with Java -- after the fact that it seems to be glaringly insecure, and I can't figure out if they broke it, or it was always broken. :-P

Re:even worse than the vulns (0)

Anonymous Coward | about a year ago | (#43075027)

Not to mention they're (or at least were, the last time I noticed this) terrible at including the version info in the string that is read by the installed programs 'control panel', so you're left with multiple (virtually) identical entries, trying to puzzle out which one is safe to remove. Fortunately MS seems to have realized things like this were an issue, and made more information available to you about each entry in the 'Add/Remove Programs' CP (or whatever it's called in 7+).

Re:even worse than the vulns (1)

smash (1351) | about a year ago | (#43076041)

Even worse - a recent Java update decided to upgrade me from Java 6 to Java 7 (I know this is the case, because I don't install Java 7 myself). It left Java 1.6u38 installed, and no update to Java 6. I have applications that do not run on Java 7. So I'll be running Java 6. Which is still insecure on my machine.

Re:even worse than the vulns (1)

smash (1351) | about a year ago | (#43076349)

Confirmed on a second machine.

Last Java 6 public update (1)

yuhong (1378501) | about a year ago | (#43074677)

http://www.oracle.com/technetwork/java/javase/6u43-relnotes-1915290.html [oracle.com]
After this one you will need to pay for a support contract or upgrade to Java 7.

Re:Last Java 6 public update (1)

viperidaenz (2515578) | about a year ago | (#43074757)

I was checking java 6 builds the other day and I'm almost positive that "This is the last release" message was in the update 41 release notes before 43 was released.

Re:Last Java 6 public update (1)

yuhong (1378501) | about a year ago | (#43074777)

Not this one:
http://www.oracle.com/technetwork/java/javase/6u41-relnotes-1907743.html [oracle.com]
Keep in mind this update is out of band.

Re:Last Java 6 public update (1)

viperidaenz (2515578) | about a year ago | (#43075035)

They changed the release notes for 41.
That's my story and I'm sticking to it. Even though the google cache of that page on the 25th says otherwise. Wikipedia hasn't been updated yet and says 41 is the last.

Re:Last Java 6 public update (1)

Nimey (114278) | about a year ago | (#43074801)

Marvelous. We just bought a package that requires 6 to work and doesn't with 7, /and/ it needs the browser plugin.

Eat a bag of dicks, Ellison.

Re:Last Java 6 public update (1)

yuhong (1378501) | about a year ago | (#43074813)

Just bought? The support lifecycle for Java is public: http://www.oracle.com/technetwork/java/eol-135779.html [oracle.com]

Re:Last Java 6 public update (1)

Nimey (114278) | about a year ago | (#43074885)

I wasn't involved in the purchase, but the program requires JavaFX and does not appear to work with any Java 7 REs I've tried.

Re:Last Java 6 public update (2)

wmac1 (2478314) | about a year ago | (#43075007)

How about expecting the new software's company to support their newly sold software (and update it to support 7) instead of asking Oracle to support its many years old free software?

Re:Last Java 6 public update (2)

Nimey (114278) | about a year ago | (#43075039)

It's a lot easier to bitch about Oracle, especially given how shoddily written their software is.

I mean, fuck. They've managed to take the crappy security award away from Adobe.

Re:Last Java 6 public update (0)

Anonymous Coward | about a year ago | (#43075541)

that would be fine if 7 wasn't a messed up bucket of shit that has caused more problems than it solved. so many things broke with this supposedly write once run anywhere technology.

Re:Last Java 6 public update (1)

Kenshin (43036) | about a year ago | (#43075521)

Brilliant. That's like buying new software that requires Windows XP.

Re:Last Java 6 public update (3, Informative)

Nimey (114278) | about a year ago | (#43075707)

Ever dealt with "enterprise" vendors? With that attitude I bet you haven't.

Re:Last Java 6 public update (1)

willie150 (95414) | about a year ago | (#43074929)

We're lucky to get that one. Oracle have publicly stated that there won't be any updates to Java 6 post February 2012. http://java.com/en/download/faq/java_6.xml [java.com]

Re:Last Java 6 public update (1)

yuhong (1378501) | about a year ago | (#43074961)

Yep, this update is out of band which is probably why.

Warning: Oracle installs ask.com toolbar (5, Informative)

icknay (96963) | about a year ago | (#43074743)

Warning: the Java installer will install the ask.com toolbar if you click the "yes, please just install my security update" button, even if you declined the toolbar during the original install -- really an obnoxious abuse of updates. Here is a very interesting analysis [zdnet.com] of the whole back and forth between the ask.com installer and the browsers trying to keep junk out. Interesting tidbit: apparently the ask.com installer sleeps for 10 minutes, so if you try to "remove" right afterwards, it's not there yet. This is on Windows, not sure across all platforms. Oracle taking this little tiny income stream from ask.com in exchange for screwing over tons of users and admins seems like a big mistake by Oracle, and would just sort of bug me if I were an engineer at Oracle spending all this time trying to make Java better.

Re:Warning: Oracle installs ask.com toolbar (0)

Anonymous Coward | about a year ago | (#43074799)

http://www.java.com/en/download/manual.jsp

Re:Warning: Oracle installs ask.com toolbar (1)

Qwavel (733416) | about a year ago | (#43074833)

But that's just Oracle - and always has been Oracle. Being aggressive and obnoxious hasn't hurt them before (check their stock price).

Re:Warning: Oracle installs ask.com toolbar (1)

Anonymous Coward | about a year ago | (#43075009)

If running Windows use ninite (ninite.com) to install java and other stuff w/o getting any of the toolbars. Added bonus you only have to download the installer once, it will still update everything to latest version. It does install both 32 and 64 bit java if you're running 64 bit windows.

Re:Warning: Oracle installs ask.com toolbar (0)

Anonymous Coward | about a year ago | (#43075493)

Remember, Oracle cares about one thing and one thing only: money.

Re:Warning: Oracle installs ask.com toolbar (2)

smash (1351) | about a year ago | (#43076069)

Also - watch out, it may also re-enable the Java plugin in your browser if you had previously turned it off, on at least one box I've updated on (previous update).

Re:Warning: Oracle installs ask.com toolbar (3, Insightful)

bloodhawk (813939) | about a year ago | (#43076249)

It's a damn slap in the face. You install updates to protect yourself and you get the fucking ask.com malware as your reward.

OpenJDK .. (3, Interesting)

dgharmon (2564621) | about a year ago | (#43074811)

Does this exploit work under the OpenJDK [wikipedia.org] Runtime Environment?

Re:OpenJDK .. (1)

sourcerror (1718066) | about a year ago | (#43074939)

As far as I know, OpenJDK is not really a fork, just a stripped down version of the Oracle JDK.

Re:OpenJDK .. (3, Informative)

ChunderDownunder (709234) | about a year ago | (#43076013)

So yes, probably.

The security flaw isn't necessarily in the browser plugin per se. Rather it's in the class libraries that are 'sandboxed' when running in a security manager.

Were one to substitute, say, the IcedTea browser plugin, one would still be accessing the same underlying libraries and security manager implementations. i.e. following each security patch to Java, a Red Hat employee is quick to roll out a new IcedTea release with those patches.

So, Oracle managed to mess this one up as well... (1)

SpaceCracker (939922) | about a year ago | (#43075003)

All these security holes are losing credibility for Java.
That's good news for .Net.
What about the rest of us?

It seems like the right time for a new alternative to show up. Any takers?

Re:So, Oracle managed to mess this one up as well. (0)

Anonymous Coward | about a year ago | (#43075391)

here's one way of doing things: the right tool for the job. when the fuck did computer science become computer ass-hattery?

web:
server side web: node.js
client side web: javascript

systems:
embedded/kernel/drivers/network/etc: C
scripting: bash, perl, clphp, python

application:
C++

notice: there are 2 real language types here. C and perl. (i am taking the liberty of looping the shells in with the perl family.). Java is in the C family anyway, and going from OOP to non-OOP is easy (other way around not so much). i thought java was bad in the clutches of sun, but i still loved it. now it is useless.

second route:
fuck the java standard and make do with gcj or something like that. it isn't compatible with oracle because it doesn't implement everything, but so what? write more code lamer. why did programming change from algorithms and procedures to prepackaged function calls against standard libraries? why?! WHY?!

for the record C++ is still a piece of shit, just less so than before. new standard should implement orthogonality and make iostream less retarded. that said until we liberate java by ditching Oracle's standard it is ok i guess. /rant

Re:So, Oracle managed to mess this one up as well. (1)

TheSunborn (68004) | about a year ago | (#43075439)

Sorry, but I will keep using java server side. I just hope I don't end up with that "Ask toolbar" on our server :}

And the fact that the Java Security Manager is as safe as an open door does not really matter, because 99% of all server side java code is running without the security manager. (Or at least without relying on the Security manager to provide security).
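The distinction this post and ChunderDownunder's post above draw (sandboxed class-library code under a SecurityManager versus server-side code running with none) is easy to see in code. The following is an added example written for this page, not code from Oracle or from any poster: it checks whether a SecurityManager is installed, attempts a file read, then installs a minimal manager of its own that denies `FilePermission` and repeats the read. The class and method names (`SandboxCheck`, `sandboxState`, `canListHome`) are invented for the example.

```java
import java.io.File;
import java.io.FilePermission;
import java.security.AccessControlException;
import java.security.Permission;

// Added example: what "running without the security manager" means in practice.
public class SandboxCheck {

    // Report whether any SecurityManager is installed in this JVM.
    // Typical server-side deployments return "no security manager" here.
    static String sandboxState() {
        return System.getSecurityManager() == null
                ? "no security manager (code has the full privileges of the process)"
                : "security manager active (checked operations may be denied)";
    }

    // Attempt a checked operation: listing the user's home directory.
    // With no manager installed this succeeds; under a denying manager
    // File.list() triggers checkRead(), which surfaces as AccessControlException.
    static boolean canListHome() {
        try {
            String home = System.getProperty("user.home");
            return new File(home).list() != null;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    // A deliberately minimal manager for the demonstration: it refuses every
    // FilePermission and allows everything else, so only the file read is affected.
    static SecurityManager denyFileAccess() {
        return new SecurityManager() {
            @Override
            public void checkPermission(Permission perm) {
                if (perm instanceof FilePermission) {
                    throw new AccessControlException("denied by demo policy: " + perm);
                }
                // Everything else falls through as permitted.
            }

            @Override
            public void checkPermission(Permission perm, Object context) {
                checkPermission(perm);
            }
        };
    }

    public static void main(String[] args) {
        System.out.println("Before: " + sandboxState());
        System.out.println("  can list home directory: " + canListHome());

        System.setSecurityManager(denyFileAccess());

        System.out.println("After:  " + sandboxState());
        System.out.println("  can list home directory: " + canListHome());
    }
}
```

Run it with `java SandboxCheck`; the first read succeeds and the second is refused. Once a manager is installed, each sensitive library call (file, socket, property, reflection access) is routed through `checkPermission`, which is the mechanism a plugin sandbox bypass defeats; with no manager there is nothing to bypass, because the code already runs with the process's own privileges. Note that `SecurityManager` is deprecated from Java 17 and, from Java 18 onward, `System.setSecurityManager` throws unless the JVM is started with `-Djava.security.manager=allow`.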


Re:So, Oracle managed to mess this one up as well. (0)

Anonymous Coward | about a year ago | (#43075687)

same AC here...

given you want to keep java and this mess is happening around us, that is a good strategy if it is implemented well (and i'm not saying that you don't implement it well).

if you are depending less and less on oracle's java ecosystem in its entirety, you could probably eventually just stick to the commonly implemented features in alternative implementations of JVM/compiler/etc. if you did (carefully i would add), your code would be compatible with Oracle's JVM if you needed that level of portability at some point. (because it would be an overlapping subset of what oracle provides). we have a decent level of compatibility between weblogic, tomcat, jboss, glassfish, etc... if someone were careful they could write code that could run in all environments with little more than minor tweaks for each... we need to do this for JDK.

Re:So, Oracle managed to mess this one up as well. (-1)

Anonymous Coward | about a year ago | (#43076215)

The rest of us (not using Windows) pretty much run everything on Java. In fact, except for browsers, all software that I use daily is written in Java.

Like it or not, .NET is irrelevant due to its single-platform nature, and nobody these days wants to bother developing UI in C/C++.

I would get used to it (Java). And, do disable the plugin.

As far as a system-wide JVM install on Windows goes, I wouldn't worry too much: those apps that need a JVM can and should bring their own.

I'll stick with the Java that I can drink. (1)

Darth Twon (2832799) | about a year ago | (#43075161)

And Barry Allen.

"3 Billion Devices Run Java (0)

RudySolis (1438319) | about a year ago | (#43075515)

Computers, Printers, Routers, Cell Phones, ATMs, Home Security Systems"... and none can be updated because of compatibility issues.

Great isn't it?

Love Java, but dislike Javascript (0)

Cito (1725214) | about a year ago | (#43075517)

I love Java, and about a year ago I started writing little programs in Java, although I usually turn JavaScript off in the browser or run NoScript.

A lot of people tend to think JavaScript == Java, but they are 2 different creatures altogether. http://kb.mozillazine.org/JavaScript_is_not_Java [mozillazine.org]

I've made a few little fun gadgets for personal use, a winamp type clone using the jlayer library to stream shoutcast/icecast stations as well as my own playlists. Spent weeks learning java swing mainly manually before I started playing with Eclipse windowbuilder plugin for swing/awt/etc. the windowbuilder plugin made it so simple for me to make my little winamp clone skinnable. :)

Of course I've spent a year or a little more learning Java and have just now started playing with OpenGL 3D graphics, but I can't make up my mind which OpenGL library I like best yet. So far I've played around with JOGL and LWJGL, which I think are the 2 most popular libraries; Minecraft and most of the indie Steam games use LWJGL.
So I've sorta been sticking with it.

Anyhow you have the option to uninstall Java browser plugin and just keep the SDK installed, but I usually just disable it in browser just in case I ever do come across a need for it I can enable it for a specific site if need be.

Java? (0)

h8sg8s (559966) | about a year ago | (#43075573)

Just say no. I've lived without it on the client side for almost 2 years. On the server side, it's only the JVM that's of any use and using the java language on it is now totally optional. The raft of JVM languages means total portability and architectural freedom without being tied to the language.

It's Upload, Not Download (3, Informative)

StormReaver (59959) | about a year ago | (#43075741)

When someone is transferring something to your computer, they are uploading. They managed to upload the McRAT trojan. They did not manage to download the McRAT trojan; they already had it, and weren't trying to get it from the victims' computers.

Please don't try learning your computer terminology from Hollywood, as they get it wrong 99% of the time. I think in all seven years of STTNG, they got it right only once.

Re:It's Upload, Not Download (1)

ChaseTec (447725) | about a year ago | (#43076035)

Why? You downloaded an applet from a website which then downloaded the McRAT trojan. The article was misleading about who or what was doing the download but not the initiator of the transfer.

Re:It's Upload, Not Download (1)

slimjim8094 (941042) | about a year ago | (#43076257)

It's completely correct. The user's computer downloaded the applet, which then proceeded to download the trojan from some Internet location and install it through this vulnerability. Uploading implies that the attackers were the "active" party; that would generally be a worm.

Troolbar (1)

snsh (968808) | about a year ago | (#43075873)

Will this update install the Google toolbar, Yahoo toolbar, Bing toolbar, or Ask.com toolbar?

Evil Masterminds (1)

bill_mcgonigle (4333) | about a year ago | (#43076079)

I get the impression that a group of hackers is working on a collection of Java vulnerabilities with the goal of releasing a new 0-day for the Java plugin a day after every Oracle update.

I can think of a half-dozen ways Oracle could respond to such a tactic and each is a bit more chuckle-inducing than the last.

Re:Evil Masterminds (0)

Anonymous Coward | about a year ago | (#43076291)

Who would benefit?
Perhaps a certain corporation in Redmond, Washington.

Monthly update check (0)

Anonymous Coward | about a year ago | (#43076115)

Oracle needs to reconfigure Java to automatically check for updates daily, not monthly. Why are they so ignorant of the stupidity of monthly updates for a proven virus magnet?

How to stop applets from running (3, Insightful)

TrueSpeed (576528) | about a year ago | (#43076155)

The Java Control Panel (in the Windows control panel) contains a checkbox under the Security Panel called "Enable Java content in the Browser". Uncheck this if you do not want applets to run. This selection persists each time you update the JRE.

Once again,

Windows Control Panel->Java Control Panel->Security Panel. Make sure the "Enable Java content in the Browser" checkbox is unchecked.
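The checkbox above is stored on disk, which is what an administrator wants to audit across a fleet rather than clicking through the Control Panel on each machine. The script below is an added example, not code from the thread or from Oracle. It assumes (from Oracle's deployment configuration documentation as I recall it, so treat the names as assumptions) that the "Enable Java content in the browser" setting is written to the Java deployment.properties file as the key `deployment.webjava.enabled`, that the per-user file lives at `%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties` on Windows (`~/.java/deployment/deployment.properties` elsewhere), and that adding a `<key>.locked` line in a system-level properties file stops users from flipping the setting back. The sample file contents are constructed for the example.

```python
"""Audit and harden a Java deployment.properties file (added example).

Assumptions (not confirmed by the thread): the Control Panel checkbox maps to
deployment.webjava.enabled, and a bare "<key>.locked" line locks a setting
when placed in a system-level deployment.properties.
"""
import re

WEBJAVA_KEY = "deployment.webjava.enabled"  # assumed key name, see docstring

# Constructed sample of a per-user deployment.properties, including a
# backslash line continuation and escaped characters in a value.
SAMPLE = r"""#deployment.properties
#Tue Mar 05 12:00:00 EST 2013
deployment.version=7.15
deployment.webjava.enabled=true
deployment.security.level=HIGH
deployment.javaws.viewer.bounds=0,0,\
    800,600
deployment.user.security.exception.sites=C\:\\Users\\alice\\exception.sites
"""


def _continues(line: str) -> bool:
    """A line ending in an odd number of backslashes continues on the next line."""
    trailing = len(line) - len(line.rstrip("\\"))
    return trailing % 2 == 1


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: '#'/'!' comments, key=value, key:value,
    key-only lines (used for .locked), line continuations and \\x escapes.
    Unicode (\\uXXXX) and \\n/\\t escapes are not translated; they do not occur
    in the settings this script cares about."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.lstrip()  # leading whitespace is insignificant
        if not buf and line[:1] in ("#", "!"):
            continue  # comment lines never continue, even with trailing '\'
        buf += line
        if _continues(buf):
            buf = buf[:-1]
            continue
        logical.append(buf)
        buf = ""
    if buf:
        logical.append(buf)

    props = {}
    for line in logical:
        if not line:
            continue
        # key runs until the first unescaped '=', ':' or whitespace
        m = re.match(r"((?:\\.|[^=:\s\\])+)\s*[=:]?\s*(.*)$", line)
        if not m:
            continue
        key = re.sub(r"\\(.)", r"\1", m.group(1))
        value = re.sub(r"\\(.)", r"\1", m.group(2).strip())
        props[key] = value
    return props


def web_java_enabled(props: dict) -> bool:
    """Browser Java is on unless the key is explicitly 'false'; absence means on."""
    return props.get(WEBJAVA_KEY, "true").strip().lower() == "true"


def audit(text: str) -> dict:
    """Summarise the two facts an administrator checks: is it off, is it locked."""
    props = parse_properties(text)
    return {
        "web_java_enabled": web_java_enabled(props),
        "locked": (WEBJAVA_KEY + ".locked") in props,
    }


def harden(text: str) -> str:
    """Return the file with browser Java forced off and the setting locked,
    replacing any existing enabled/locked lines and keeping everything else."""
    out, seen = [], False
    for raw in text.splitlines():
        if raw.strip().startswith(WEBJAVA_KEY):
            if not seen:
                out.append(f"{WEBJAVA_KEY}=false")
                out.append(f"{WEBJAVA_KEY}.locked")
                seen = True
            continue
        out.append(raw)
    if not seen:
        out.extend([f"{WEBJAVA_KEY}=false", f"{WEBJAVA_KEY}.locked"])
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", audit(SAMPLE))
    hardened = harden(SAMPLE)
    print("after: ", audit(hardened))
    print(hardened)
```

To use it on a real machine, read the properties file path named in the lead-in instead of `SAMPLE`, and write the hardened text to the system-level properties file that `deployment.config` points at; the per-user checkbox alone is undone by the next user who opens the Control Panel.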

This one is different (1)

Anonymous Coward | about a year ago | (#43076259)

Sounds like they have run out of pure sandbox vulnerabilities. Most of the previous ones were exploiting a properly running client sandbox and hence were pretty straightforward and reliable.

This one is apparently related to JPG image handling. It just tries to corrupt JVM memory and often crashes it.

My guess is, the rate at which vulnerabilities are discovered now is going to be a lot slower. The language sandbox is now probably fairly decent. Exploit writers are going to have to resort to finding bugs in native libraries used by JVM. I would not expect any new ones soon.
