
Oracle Fixes 42 Security Vulnerabilities In Java

samzenpus posted 1 year,5 days | from the patching-things-up dept.


wiredmikey writes "Oracle released its quarterly Critical Patch Update (CPU) for April, which addressed a whopping 128 security issues across multiple product families. As part of its update, Oracle released a Java SE Critical Patch Update to plug 42 security holes in Java, 19 with a base CVE score of 10 (the highest you can go) and 39 related to the Java Web Start plugin, which can be remotely exploited without authentication. According to security analyst Wade Williamson, organizations need to realize that Java will continue to pose a significant risk. 'The first step is for an organization to understand precisely where and why Java is needed,' Williamson wrote. 'Based on the rate of newly discovered vulnerabilities, security teams should assume that Java is and will continue to be vulnerable.' Organizations should take a long, hard look at Java and answer for themselves if it's worth it, Williamson added. Due to the threat posed by a successful attack, Oracle is strongly recommending that organizations apply the security fixes as soon as possible."


211 comments

still with the java? (0)

vswee (2040690) | 1 year,5 days | (#43489071)

oracle should start a fresh new platform. java is making me dislike my bank

Re:still with the java? (2)

jtollefson (1675120) | 1 year,5 days | (#43489157)

Why your bank? They're using Java because it isn't going anywhere soon. It's highly integrated all over the place and is leading the way as the language of choice for everything from big-data processing à la MapReduce frameworks in Hadoop to Mom & Pop shops just looking for a new college grad to put together something for their needs.

Dislike your bank because they're not treating you like their most important customer, not because they're using Java. =)

Re:still with the java? (1, Informative)

Anonymous Coward | 1 year,5 days | (#43489211)

It's highly integrated all over the place and is leading the way as the language of choice for everything from big-data processing à la MapReduce frameworks in Hadoop to Mom & Pop shops just looking for a new college grad to put together something for their needs.

Yes! COBOL all the way!

Re:still with the java? (1)

stenvar (2789879) | 1 year,5 days | (#43489857)

Java is "the language of choice" for programming in roughly the same way that the military is "the method of choice" for dealing with diplomatic problems.

Re:still with the java? (2)

siDDis (961791) | 1 year,5 days | (#43490083)

In Scandinavia we have to use a Java applet called BankID for login to our bank account. This has for the past few months become REALLY frustrating for people who really don't know what Java is. Even technicians who have a basic understanding of what a computer is have problems keeping Java up to date (they don't know where to download it, and therefore accidentally download something they shouldn't), and all of them are infected with that Oracle search toolbar malware.

Re:still with the java? (2)

dropadrop (1057046) | 1 year,5 days | (#43490189)

In Scandinavia we have to use a Java applet called BankID for login to our bank account. This has for the past few months become REALLY frustrating for people who really don't know what Java is. Even technicians who have a basic understanding of what a computer is have problems keeping Java up to date (they don't know where to download it, and therefore accidentally download something they shouldn't), and all of them are infected with that Oracle search toolbar malware.

I'm in Scandinavia and don't need to use any java applets...

Have you considered that there are tens of banks in Scandinavia, and only a handful require java support in browsers? I would be surprised if such banks did not exist outside Scandinavia too. Just switch to something else (at least for day to day banking if you can't move loans).

Re:still with the java? (0)

Anonymous Coward | 1 year,5 days | (#43490205)

Oh come on, you Scandies are smarter than Americans. Look at your educational system and universal health care. Even this dumb redneck programmer here (me) can figure out how to update Java. Go to Google and type in "download java". Install it. Ta da! You're done.

Re:still with the java? (1)

Anonymous Coward | 1 year,5 days | (#43490767)

That will remove 42 exploits and add 17 new ones for a balance of 17243.

And no, I am not joking but estimating.

Re:still with the java? (0)

Anonymous Coward | 1 year,5 days | (#43490241)

As far as I can tell, BankID is a native application launched from your browser.

Re:still with the java? (0)

Anonymous Coward | 1 year,5 days | (#43490751)

Your bank is using Java because they can get hoards of cheap, shit-quality programmers for that task.

Re:still with the java? (4, Insightful)

symbolset (646467) | 1 year,5 days | (#43490119)

My teller offered me online banking once. But her monitor was tilted just enough that I could tell she was using IE6. "Um, no. Thanks. I'm good."

Re:still with the java? (2)

allcoolnameswheretak (1102727) | 1 year,5 days | (#43490681)

I'm getting tired of this Java bashing in the media due to security issues. Java isn't inherently more insecure than any other platform. On the contrary, it has a sophisticated, built-in security system that most other platforms lack. But of course there are bugs and holes, just like with any other software. The only reason why Java is being exploited and making headlines so much recently is because Java is so widely adopted now that it makes a big target. It's what hackers have their sights on at the moment, just like they had their sights on Flash or Acrobat Reader a while back. If enough people switched to a different platform because Java is so insecure, the only result would be that in a couple of years hackers would be targeting the new platform, because it's the new prime target. Then all of its security holes will gradually be uncovered and the switchers will be just as exposed or even more so than if they had stuck with Java in the first place.

NOT correct (0)

Anonymous Coward | 1 year,5 days | (#43490781)

With a C++ program it is up to me, the programmer, to make sure there are no exploits. With Java, I am forced to expose myself to all the exploits that come rolled into the enormous platform (JVM, standard library and so on).

With Javascript, I have several alternatives.

With Sappeur (take that with a grain of salt, it's from myself), I have a reasonable chance to fix issues, as the compiler is rather small (12kloc). Unlike Java, which is a massive piece of code.

And yeah, Sappeur delivers the same security assurances as Java at almost the same efficiency and real-timeness as C++:

http://sourceforge.net/p/sappeurcompiler/code-0/HEAD/tree/trunk/doc/SAPPEUR.pdf

http://sourceforge.net/p/sappeurcompiler/code-0/HEAD/tree/trunk/doc

http://sourceforge.net/p/sappeurcompiler/code-0/HEAD/tree/trunk/

Re:still with the java? (0)

Anonymous Coward | 1 year,5 days | (#43490699)

Java is the reason you dislike your bank?

I only drink coffee (0)

MarcAuslander (517215) | 1 year,5 days | (#43489107)

Removed Java a while ago. I haven't found a site I cared about that needed it. We should all pressure any sites that still use it to get off it.

Re:I only drink coffee (1)

0racle (667029) | 1 year,5 days | (#43489121)

Java is used for a lot more than just powering websites.

Re:I only drink coffee (1, Funny)

jhoegl (638955) | 1 year,5 days | (#43489661)

Yeah!
It's also used for terribly engineered front end software and to slow down the most powerful supercomputer to a crawl because the guys that used it were too lazy to learn C++ and proper coding.
Oh... developed for Object Oriented Programming you say? Well hell yeah... it only takes 15 lines of code to say "Hello World!"
WWWWEEEEEEEEEEEEEEE!!!!!

Re:I only drink coffee (3, Informative)

Anonymous Coward | 1 year,5 days | (#43489753)

it only takes 15 lines of code to say "Hello World!"

lolwut?

if you need 15 lines of java to do a 'hello world', then the problem is with the person in the mirror.

for all its faults, the browser plugin being the most obvious, java for apps is freakin awesome. None of the obtuse BS of C and C++ but all the ability...not to mention all the free libs. Frankly, if it weren't for Java, I'd be sleeping on the streets.

Re:I only drink coffee (0)

Anonymous Coward | 1 year,5 days | (#43489815)

too lazy to learn c++ and proper coding.

Hahaha. C++ is the worst of C and Java combined together into one gigantic unreadable, unmaintainable, untestable mess.

Remind me how many different types of pointers C++ has nowadays?

Re:I only drink coffee (1)

wmac1 (2478314) | 1 year,5 days | (#43490405)

Oh boy....

Have you heard about JEE?

Besides could you give us your reasons why C++ would be a better choice?

Oh yeah (1)

symbolset (646467) | 1 year,5 days | (#43490127)

It's also used for Minecraft. And that's why I make my son boot from a fresh network image each day. He's too young to understand why enabling his Minecraft habit is a bad thing, so I do what I must.

Re:I only drink coffee (5, Informative)

binarylarry (1338699) | 1 year,5 days | (#43489169)

Few sites use Java applets (which is what you uninstalled).

Far more sites use Java to power the site on the server side (Google, Amazon, Ebay, etc).

Re:I only drink coffee (5, Interesting)

Freaky Spook (811861) | 1 year,5 days | (#43489189)

I need to use Java interfaces every day. Cisco, EMC, Brocade, HP, IBM, Dell all use Java for their management consoles, and I have to keep at least 6 different installers to be able to use them properly, as periodic updates to Java tend to break access to them if the client hasn't been keeping up with their firmware updates (which is pretty much everyone).

It can be frustrating when you need 3 different versions of java to complete one job.

Re:I only drink coffee (2)

aztracker1 (702135) | 1 year,5 days | (#43489455)

Write once, run anywhere*

* where available, void where prohibited, quantities limited, some restrictions may apply, batteries not included.

Re:I only drink coffee (1)

VeryBest52 (2897689) | 1 year,5 days | (#43489551)

Yep, +1 there, what's annoying is having to work with an old pix firewall from a modern day machine running an up-to-date version of java. Java Web Start and Java Applets are the bane of my existence and I hope they burn in hell real soon. Then we talk about updates...Has anyone ever tried to update java without admin access on a Windows box? As often as they are rolling out updates we find ourselves spending 1/3rd of our weeks just keeping java up to date on everyone's machines.

And this is where Oracle is failing... (0)

Anonymous Coward | 1 year,5 days | (#43489575)

Oracle really needs to stop working on new features for Java. It is a sufficiently advanced language at this point, and pretty much all the new features I see people whining for are to satisfy some pedantic desire to make Java the UberLanguage that does absolutely everything in any way possible.

Instead, Oracle really needs to just say: NO MORE FEATURES. The language is complete (or at least for a decade). All efforts should be placed on fixing the problems in the implementations right now.

Re:And this is where Oracle is failing... (0)

Anonymous Coward | 1 year,5 days | (#43489719)

Nope. Languages need to keep up with the times, or they become an albatross.

Re:And this is where Oracle is failing... (0)

Anonymous Coward | 1 year,5 days | (#43489803)

No, they don't.

C (as a language) has hardly changed over 40+ years.

C++ isn't much different after standardization.

And the list goes on and on. The vast majority of languages very rarely change features after an initial infant lifecycle. Once a decade is probably sufficient.

And, the purpose of a language isn't to be the end-all-be-all for everyone. Languages do best when fulfilling a specific niche (which may be fairly broad). Because, in any language, there are inherent compromises. Trying to be an UberLanguage magnifies these compromises into downright terrors.

Don't confuse libraries with the core language grammar and feature set.

Re:And this is where Oracle is failing... (2)

stenvar (2789879) | 1 year,5 days | (#43489867)

Java language evolution has been cosmetic, not substantive; Sun and Oracle have refused to fix things at the VM level. As a result, Java has fallen behind more and more over the years.

Re:And this is where Oracle is failing... (5, Insightful)

symbolset (646467) | 1 year,5 days | (#43490215)

Languages need to keep up with the times, or they become an albatross.

Unless through being steeped in the art and basic principles and with an eye toward the future the authors built their language in such a way that it could be timeless art that stood for all time, like for example Brian Kernighan and Dennis Ritchie's "C".

Go ahead and learn ALGOL, FORTRAN, BASIC, SNOBOL, APL, ADA, brainfuck, R, LISP and dozens of others like I did if that's your nerd thing. It's fun. After you've done that you'll come to the same conclusion I did: programming languages are syntactic sugar. They are constructs for interpreting your ideas into references to libraries that instantiate the desired result in predictable ways.

C is. It stands like the Oedipus trilogy as a distillation of all prior art and a foundation of all subsequent art. It is beautiful and timeless in the same way. Learn this one thing and all else becomes easy. Unfortunately, like the Tao, it is not possible to really understand C until you don't need to do so any more. When you have learned enough about C to know why it is a fool's game you will have become ready to launch your own inferior language.

Did you C the light? (1)

Viol8 (599362) | 1 year,5 days | (#43490851)

Sorry, bad pun :o)

But I agree, K&R really nailed it with C. Sophisticated enough to do any major task required of it (e.g. the Linux kernel) but simple enough for a beginner to write basic apps in even if he doesn't quite understand, for example, the subtle difference between pointers and arrays yet.

Sure, it's not the best language now for a lot of things, but as a general purpose language that will let you program virtually anything it can't be beaten.

Re:I only drink coffee (1)

eennaarbrak (1089393) | 1 year,5 days | (#43490403)

That is rather curious. Java has always been backwards compatible: using the latest version should always work with older code (unless these libraries use proprietary extensions, in which case this is not a Java issue but a library issue). Care to share what type of problems you run into?

v1.6 is forgotten but most use that (-1)

Anonymous Coward | 1 year,5 days | (#43489111)

Java is the scoundrel MS has made it out to be all those years ago. Write once, infect everywhere! indeed. It's like patching win7/8 but leaving XP to rot.

Re:v1.6 is forgotten but most use that (-1)

Anonymous Coward | 1 year,5 days | (#43489165)

Dumbass idiot. That POS OS you use gets zero days released for it daily.

Re:v1.6 is forgotten but most use that (3, Informative)

viperidaenz (2515578) | 1 year,5 days | (#43489483)

What are you smoking? 1.6 update 45, released a few days ago contains all these fixes.

#1 web error (3, Interesting)

EmperorOfCanada (1332175) | 1 year,5 days | (#43489177)

What I have observed is that many corporate types adopted Java about 8-10 years ago and seem to be largely sticking with it. But what I don't see are any organizations now switching to Java. The very occasional organization also seems to be dropping Java. At this rate the corporate world will still be using Java for a long time but I don't think it is where the cool kids are. Interestingly there seems to be no one thing replacing Java. I see python definitely becoming the language of choice in certain limited areas such as science and hedge-funds. I see some people tossing their java web front ends and replacing it with an array of things even including PHP.

So all in all where Java is it will probably stay and I doubt that these security concerns will damage that audience much. What reports like this will certainly do is to dissuade many potential adopters of Java based technologies.

Re:#1 web error (1)

binarylarry (1338699) | 1 year,5 days | (#43489195)

Java "front ends" never really had much market share this side of the millennium.

Java is an extremely common development technology to use for any medium to large web app though.

Re:#1 web error (2, Interesting)

Anonymous Coward | 1 year,5 days | (#43489381)

What reports like this will certainly do is to dissuade many potential adopters of Java based technologies.

Which is a shame, because these vulnerabilities (which, for the most part, are either in the web plugin itself, or in aspects of the JVM that are only exploitable through the web plugin) have no bearing on Java's suitability for its most popular uses.

The best move Oracle could make to rectify Java's public perception is to un-bundle the goddamn web plugin from the JRE. It's like a festering, oozing sore smack dab on the middle of the face of the platform.

Make it optional, part of a separate download, and bury the link somewhere behind a registration wall on the support pages where only the most determined IT pinheads will ever find it.

Re:#1 web error (1)

aztracker1 (702135) | 1 year,5 days | (#43489465)

As much as I honestly don't care for Java development, I have to agree.. giving me a browser plugin that the vast majority of sites don't legitimately use along with the runtime that's needed to make desktop/background apps run is nutty. At this point I'm avoiding Java apps all together, since I just don't want to deal with the hassle.

.Net and Java are old and busted, over-engineered slow, bulky crap these days... A lot of the dynamic stuff like Python and NodeJS get you where you're going, maybe a tiny bit slower in some cases, but much less development overhead.

Re:#1 web error (4, Insightful)

Anonymous Coward | 1 year,5 days | (#43489457)

Speaking as someone who does Release Engineering professionally, and thus tends to see all the technologies that a company uses in deploying modern systems, Java is still #1 by a long shot, and I continue to see new development done all the time.

It's all middleware, though. And, frankly, for pretty much any reasonably scalable system which has some sort of a front end web-ish part, a middleware "business logic" part, and a DB backend, Java is not only the leader, but it's essentially one of two choices: .Net is the other.

Standalone apps don't much exist in Java anymore (the few that do are mostly legacy). It's also almost completely disappeared as part of the Frontend portion of content delivery (i.e. not in the dynamic content being served to the end user, nor in the "web server" portion of the infrastructure).

But in terms of middleware, well, only .Net is a serious competitor in terms of enterprise requirements. Java's got all the nice library and code support, plus plugins and stuff for all the build/deployment/test infrastructure. C++ doesn't even come close, and python/ruby/perl aren't even in the running. Now, there are architectures where there IS no middleware, and the frontend system actually is a python program which both serves content and has business logic in it, but I see them far less commonly, and they have serious scalability issues.

And, frankly, the middleware tier is also the place which minimizes Java's deficiencies, and maximizes its strengths.

As far as the future goes, I desperately wish Oracle would quit expanding the featureset of Java, and just spend all the time cleaning up the codebase. Java (the language) is more than feature-full at this time, and there's really very little need to keep adding stuff to the language. The codebase, on the other hand, needs at least a couple of years of full-on cleanup. The JVM itself is still pretty solid, but everything else is suffering from neglect pretty badly.

Re:#1 web error (3, Interesting)

ADRA (37398) | 1 year,5 days | (#43490265)

Trust me, as an implementor, there are plenty of new enterprises lining up moving to Java from C/C++/legacy. The alternatives are hodgepodge languages which will most likely not work for supporting a large number of diverse product categories, or you go with C/C++ and pay a crap load more money for developers & more time spent. Or, you can go with .NET which is fine if you're an all MS shop (less and less) or you rely on Mono for your non-Windows systems (tough sell).

Where's the panacea of general programming environments where:
1. You can integrate it with -practically anything- (whatever the customer's currently plugged into -- protocol/socket, old DB's, all those queue systems, email, batch tools, clustering(scale), etc..) with little development overhead
2. Easy access to developers with varying degrees of cost / performance
3. 100% support on mainstream deployment platforms of choice

If you're not answering these three questions, most non-dev centric businesses won't be playing ball.

"but I don't think it is where the cool kids are"
Yes, there's a big difference between what some people want to develop in, and what people actually write useful code in. Joe rock-star could do all his work in Scala/Groovy/Ruby/Python/langoftheweek, but without super unsexy long term support from competent developers, that software will crumble and die with the company forced to move their platform to something more standard just to find people to keep it alive.

Naive question (5, Insightful)

DoofusOfDeath (636671) | 1 year,5 days | (#43489215)

What's the deal with people saying Java is a major source of insecurity?

Does that mean compared to C++? Are they comparing (Java + all its libraries) to (C++ plus one instance of each library which is needed to match Java's standard libraries)? Insecurity of the JVM itself, compared to native object code?

I honestly can't tell.

Re:Naive question (-1)

Anonymous Coward | 1 year,5 days | (#43489277)

Tiny microsoft penises.

Bald ones.

Re:Naive question (0)

Anonymous Coward | 1 year,5 days | (#43489293)

It does sound like an anti-Java marketing blitz, doesn't it.

Re:Naive question (0)

Anonymous Coward | 1 year,5 days | (#43489303)

The problem with Java/JVM/JRE is that _everybody_ uses the exact same broken code, and because Java is still largely proprietary in practice it takes forever to get it fixed, not to mention to be publicly disclosed. That leaves hackers a huge window to break stuff.

Also, heap and buffer overflows aren't that common these days in widely used projects. Most of the idiot programmers don't C anymore. They moved on to Java, or even C++.

And the bugs which allow hackers to steal your social security or bank account number are just as common in Java as everywhere else, sadly.

Re:Naive question (-1)

Anonymous Coward | 1 year,5 days | (#43489349)

Because it is a shitty language and terribly implemented and is outright a major source of malware.

Re:Naive question (1)

aztracker1 (702135) | 1 year,5 days | (#43489471)

I thought it was all the abstracted interfaces and "Enterprise" grade design patterns that make software harder to maintain.

Re:Naive question (-1)

Anonymous Coward | 1 year,5 days | (#43489433)

Bugs introduced by bad programmers using a language are not the same as bugs introduced by the backbone implementation of the language itself. C programs have the former, Java has the latter.

Re:Naive question (0)

Anonymous Coward | 1 year,5 days | (#43489773)

If by "bad programmers" you mean Sun and Oracle, then yes, I agree.

Re:Naive question (4, Informative)

Anonymous Coward | 1 year,5 days | (#43489581)

What's the deal with people saying Java is a major source of insecurity?

Does that mean compared to C++? Are they comparing (Java + all its libraries) to (C++ plus one instance of each library which is needed to match Java's standard libraries)? Insecurity of the JVM itself, compared to native object code?

I honestly can't tell.

Really, none of the above. Of those, "Insecurity of the JVM itself" is closest to the truth.

The big problem with Java is the browser plugin.

For the most part, these vulnerabilities (I'm generalizing) are in the parts of the JVM that are used by the Java browser plugin, or in the plugin itself.

It's actually one of the great ironies of Java. The Java language, and the JVM, were actually pretty well designed with regards to security; things like strong typing and garbage-collected memory management go a long way toward preventing ordinary bugs from becoming security issues. Unfortunately, long ago, Sun figured Java was so safe that there would be no risk with running Java code ("applets") off the Internet, right in your browser. So they built a sandbox into the JVM, and created the Java applet embedding browser plugin that depended on that sandbox to prevent applets from harming your computer.

And in doing that, they overreached, especially as they began adding features* that made the sandboxing of code from the Web harder and harder to enforce.

Get rid of the browser plugin, and Java is no worse than any other language/platform. Probably better than some.

C++ doesn't have this problem, because there is no equivalent browser plugin that allows random bits of C++ code from the web to get onto your computer.

* I have heard that JVM support for dynamic languages in the version 7 JVM is a big reason for the growth in security vulnerabilities. I'm not educated enough to say whether this is true or nonsense, but it seems plausible

Re:Naive question (0)

Anonymous Coward | 1 year,5 days | (#43489791)

What's the deal with people saying Java is a major source of insecurity?

Does that mean compared to C++? Are they comparing (Java + all its libraries) to (C++ plus one instance of each library which is needed to match Java's standard libraries)? Insecurity of the JVM itself, compared to native object code?

I honestly can't tell.

Generally, they're talking about "having a Java plug-in in your web-browser" versus "not having a Java plug-in in your web-browser". Insecurity in the Java web plugin that lets websites deliver Java code to your browser that executes on your computer. (They can break out of the sandbox and run code that does more than it should be able to.)

Re:Naive question (2)

VortexCortex (1117377) | 1 year,5 days | (#43490001)

What's the deal with people saying Java is a major source of insecurity?

Does that mean compared to C++? Are they comparing (Java + all its libraries) to (C++ plus one instance of each library which is needed to match Java's standard libraries)? Insecurity of the JVM itself, compared to native object code?

I honestly can't tell.

Yes. The design of the stack based language traded speed for size. When run as an interpreted language pure Java is very secure. However, now that it has JIT compilation you're basically just taking data, flagging that as code, then running it. That's what's inherently insecure. Not only do you have to worry about defects in the applications and library code, but also the virtual machine itself, which lowers the bar for malicious data to get itself marked as code, and executed. Combine that with the fact that in order to call an implementation "Java" it must have all those bells and whistles, PLUS backwards compatibility for deprecated features, AND a significantly huge section of "all its libraries", anything with the "Java" name attached is synonymous with Exploitable -- Anything with an attack surface that wide is. That Java is deployed on powerful well connected hardware as well as on end user machines through client side browser plugins makes it a perfect environment for anyone getting into malware development, the largely non-patched state of things and the fact that older (unpatched) versions are still sitting on your hard drive after a new update, waiting to be exploited by any malware that specifically targets them (check your installed program list and see), means that Java is considered "a major source of insecurity" by security experts world wide, yours truly included.

You and I know that a language isn't just its implementation; however, with Java, it is. That's a requirement of Oracle's trademark license. Which is why Oracle sued over Android (which uses the language Java, but not the implementation). So, when they say "Java", it's not the syntax we're talking, it's "Java" as defined by its owner.

I loved Java once. Java COULD have been an amazing lightweight sandbox for application development, but it isn't. Java COULD have been the One Runtime to Rule them all if it wasn't so fracking complex, and native cross platform application development frameworks didn't exist (and work better). What is Java really though? Java is a way to make your application cross platform without releasing the source code... If you release the source code then Java's benefit is its unified API -- Which other cross platform toolchains provide. When I tally things up, including the massive source of exploits, extreme slowness (due to emulated floats -- not even using the FPU), Java just doesn't make sense for me. The advice in the submission is sound. Figure out if Java is worth it, look at the other solutions, and see if it's really the best way forward, all things considered, including security.

Also Note: monocultures become extinct IRL when a single vulnerability wipes out the species, it's not just Java that is punished for dragging along unneeded complexity and unused features, it's a dumb design that is punished by the nature of the universe itself time and again throughout history. The efficiency requirements of life (less energy to maintain a less complex system) and competition combat this in life forms... Hell, Sex was invented as a better alternative to doing shit like Java does.
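Two remarks in this thread point at the same defensive chore: viperidaenz notes that 1.6 update 45 carries these fixes, and VortexCortex notes that older, unpatched Java installs tend to stay on disk after an update. The following script is an added example, not code from the thread or from Oracle: it parses `java -version` banners into a (family, update) pair and flags installs below the patched update level. The 1.6.0_45 threshold is taken from the thread; the 1.7.0_21 threshold and every install path and banner in the sample inventory are constructed assumptions for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Minimum update level, per Java family, that carries the April 2013 CPU fixes.
# "1.6": 45 is quoted in the thread; "1.7": 21 is an assumption for this example.
PATCHED_MIN_UPDATE: Dict[str, int] = {"1.6": 45, "1.7": 21}

# First line of `java -version` output, e.g.  java version "1.6.0_45"
# (note that older JREs may omit the _NN update suffix entirely).
VERSION_RE = re.compile(r'java version "(\d+\.\d+)\.\d+(?:_(\d+))?"')


def parse_java_version(banner: str) -> Optional[Tuple[str, int]]:
    """Return (family, update) from a `java -version` banner, or None when the
    text is not a Java banner. A banner with no _NN suffix counts as update 0."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return m.group(1), int(m.group(2) or 0)


def classify(banner: str) -> str:
    """Classify one install as 'patched', 'outdated', 'unknown-family'
    (a family we have no threshold for) or 'unparseable'."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unparseable"
    family, update = parsed
    minimum = PATCHED_MIN_UPDATE.get(family)
    if minimum is None:
        return "unknown-family"
    return "patched" if update >= minimum else "outdated"


def audit(installs: Dict[str, str]) -> Dict[str, List[str]]:
    """Group install paths by classification so the outdated ones stand out.
    `installs` maps an install path to the banner its java binary printed."""
    report: Dict[str, List[str]] = {}
    for path, banner in installs.items():
        report.setdefault(classify(banner), []).append(path)
    return report


# Constructed sample inventory: hypothetical paths and banners, not real hosts.
# In practice each banner would come from running `<path>/bin/java -version`
# and capturing stderr, which is where the JVM prints it.
SAMPLE_INSTALLS: Dict[str, str] = {
    "/opt/jre1.6.0_45": 'java version "1.6.0_45"',
    "/opt/jre1.6.0_43": 'java version "1.6.0_43"',
    "/opt/jdk1.7.0_21": 'java version "1.7.0_21"',
    "/opt/jdk1.7.0_17": 'java version "1.7.0_17"',
    "/opt/jre1.5.0": 'java version "1.5.0"',
    "/usr/local/not-java": "command not found",
}

if __name__ == "__main__":
    for status, paths in sorted(audit(SAMPLE_INSTALLS).items()):
        print(f"{status:15s} {', '.join(sorted(paths))}")
```

The point of separating "unknown-family" from "outdated" is that an end-of-life family such as 1.5 has no patched update at all; treating it as merely outdated would suggest an update fixes it, when the real remediation is removal.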

Re:Naive question (0)

Anonymous Coward | 1 year,5 days | (#43490301)

If you really have to ask...

I recommend you uninstall your C++ browser plugin ASAP, and reinstall the machine from read-only media.

Re:Naive question (0)

Anonymous Coward | 1 year,5 days | (#43490477)

Good answer.

So if C++ is so much better (and can automatically avoid security problems!!!), why do the browsers developed with C++ have so many security problems? Or the operating systems or hundreds of other non-Java software?

Repeat after me (0)

Anonymous Coward | 1 year,5 days | (#43489235)

It's not "Java" it's "Java browser plugin". Nothing to see, move on.

Organizations should take any long or hard looks, since there isn't really any choice when it comes to Java. You're either running Java, or you're running Windows. No Java, no Linux on the server side. Sorry to break it, oops.

Re:Repeat after me (5, Insightful)

viperidaenz (2515578) | 1 year,5 days | (#43489493)

yeah, it should read: 3 Java security vulnerabilities (2 are client only) and 39 Java Web Start vulnerabilities fixed.

Re:Repeat after me (1)

MareLooke (1003332) | 1 year,5 days | (#43490459)

Yeah, but that doesn't make for such an impressive OP... Spreading FUD makes for better headlines you know...

Oh come on... (4)

Zephiris (788562) | 1 year,5 days | (#43489287)

It's been worrying me that the tagline "News for nerds, stuff that matters" has been removed from Slashdot (except in the source code, but gets replaced on any/all page loads), but this story is coming behind both TFA and the actual patches being available for two full days prior.

It's no "Preskill mocks Stephen Hawking" quote from 2012, like the other article, but maybe this could've ended up -slightly- higher priority given that it fixes 1-2 remote unauthenticated exploits in Java, and IIRC 3 in Oracle DB.

Re:Oh come on... (1)

VortexCortex (1117377) | 1 year,5 days | (#43490067)

It's been worrying me that the tagline "News for nerds, stuff that matters" has been removed from Slashdot (except in the source code, but gets replaced on any/all page loads), but this story is coming behind both TFA and the actual patches being available for two full days prior.

It's no "Preskill mocks Stephen Hawking" quote from 2012, like the other article, but maybe this could've ended up -slightly- higher priority given that it fixes 1-2 remote unauthenticated exploits in Java, and IIRC 3 in Oracle DB.

Nerds submit the news here. This is the stuff they think matters. If it's not prioritized the way you like, then promote the things you like and firehose the other submissions down. Perhaps there are just more nerds that don't give a frack about Java vulns than you think. E.g.: None of my 8 home Linux boxes, or the 20 I manage for my day job, have that pox installed -- Then again, the only "Enterprise" things I do are related to science fiction. Guess I'm not nerd enough if I'm using Xen VMs to virtualize right on the metal instead of that slow, non-FPU-supporting, software VM: Java. Love ya, Gramps, but I don't share your beliefs (as should be expected).

Re:Oh come on... (0)

Anonymous Coward | 1 year,5 days | (#43490163)

It's been over a year since I have had any machine run Java. The last one I pulled it off was a server when I decommissioned the last support tool that we were using that required it (and yes, it using Java was one of the main reasons to give that tool the arse).

So 10,000+ to go (0)

Anonymous Coward | 1 year,5 days | (#43489341)

In 15 years Java might be safe. Although still incredibly out of date for anything useful to the browser.

You're using it wrong (4, Insightful)

viperidaenz (2515578) | 1 year,5 days | (#43489439)

Java isn't evil, Browser plugins are.
Leave Java on the server side and be done with it.

Re:You're using it wrong (5, Insightful)

StormReaver (59959) | 1 year,5 days | (#43489651)

Leave Java on the server side and be done with it.

Or learn to use Java properly on the client side, which means stop using it as a browser plugin. Java makes an excellent desktop application development platform, but an absolutely lousy browser plugin.

Re:You're using it wrong (4, Informative)

viperidaenz (2515578) | 1 year,5 days | (#43489693)

Yes. That's exactly what I'm doing at my current job. Java back end, Java thick client.

Re:You're using it wrong (0)

Anonymous Coward | 1 year,5 days | (#43490137)

Double yes to this. IMMHO Java is an awesome language for developing stand-alone apps.

There are many excellent options such as packaging jars as exes etc etc so it gets my vote.

Re:You're using it wrong (2)

stenvar (2789879) | 1 year,5 days | (#43489881)

Java makes an excellent desktop application development platform, but an absolutely lousy browser plugin.

You may like Java as a developer, but Java fails to integrate properly with any of the desktops; Java desktop apps are a nightmare.

Re:You're using it wrong (2)

dropadrop (1057046) | 1 year,5 days | (#43490207)

Java makes an excellent desktop application development platform, but an absolutely lousy browser plugin.

You may like Java as a developer, but Java fails to integrate properly with any of the desktops; Java desktop apps are a nightmare.

I've seen a lot of nice Java desktop apps and a lot of bad ones.

Re:You're using it wrong (2)

Anonymous Coward | 1 year,5 days | (#43490355)

Java makes an excellent* desktop application.

* Excellent is defined here as "slow, ugly and memory hungry."

ORACLE FIXED SOMETHING?! (1)

CheshireDragon (1183095) | 1 year,5 days | (#43489503)

Reminds me of my dad always breaking shit when he tried to fix it. Then he actually fixed something and we flipped our shit!

Re:ORACLE FIXED SOMETHING?! (0)

Anonymous Coward | 1 year,5 days | (#43489557)

How do you know that Oracle actually fixed something, and didn't break 10 other things in the process?

Re:ORACLE FIXED SOMETHING?! (0)

Anonymous Coward | 1 year,5 days | (#43489927)

If they only broke 10 other things this time around then I would say things are looking up.

Fix the model. Chicken wire isn't watertight (2)

raymorris (2726007) | 1 year,5 days | (#43489559)

With the rate of Java exploits exceeding one per day, it seems clear the problem is bigger than the specific exploits they are fixing. The DESIGN that allows for hundreds of vulnerabilities is seriously flawed and THAT is what they should fix.

It really looks like someone trying to use chicken wire fencing to build a dam, and they keep patching each little hole. Instead, they need to ditch the porous chicken wire and use something watertight for the barrier between VM and system.

Re:Fix the model. Chicken wire isn't watertight (1)

Earthquake Retrofit (1372207) | 1 year,5 days | (#43490029)

We don't read about this many security problems with other general purpose languages. If GCC needed patches every month I sure wouldn't be inclined to use it. Why does Java need to be patched so often? What is so different that it makes it so bad? Is it because it's interpreted rather than compiled? Why does that matter? I'm amazed Java has been such a mess for so long.

Re:Fix the model. Chicken wire isn't watertight (1, Informative)

lister king of smeg (2481612) | 1 year,5 days | (#43490165)

GCC may not be patched that often but your OS is. Java is not just a language: it is a VM that the compiled Java code runs in, a JIT compiler that compiles the Java code, a language and a web plug-in, all collectively referred to as Java. Java's big problem is it is used in unsafe ways (via the web plug-in). The main security problem is that the Java web plug-in grabs arbitrary code and runs it in the same VM as Java apps and it can be abused to take control. You would never run just any random binary you found on the Internet but you do anytime a page has Java on it.

Most biased summary, ever. (1)

Anonymous Coward | 1 year,5 days | (#43489611)

Oracle has been releasing scheduled security updates for years now, as has virtually every other software vendor in the world. Java is no less secure than any other software product. If anything, it is far more secure than alternative programming languages and VMs.

When Oracle fails to patch known vulnerabilities, they get nailed for it (rightfully so). But then when they actually *do* patch known vulnerabilities, Slashdot nails them *anyway*. That's just biased!

Douglas Adams proved right again! (0)

Anonymous Coward | 1 year,5 days | (#43489665)

See, Oracle releasing patches for 42 vulnerabilities in one shot just confirms that.... Java has the permanence of a kid's tree house.

What "Java Web Start plugin"? (1)

Grim Leaper (442986) | 1 year,5 days | (#43489689)

I thought Web Start was invoked through file associations for JNLP files, not through the Java plugin. In other words, you could disable the plugin entirely and still be vulnerable to JWS exploits. Is that the case?
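The two replies above make the same defender's point from different angles: the exposure is the browser plug-in and the Web Start (JNLP) file association, not the JVM on a server, and the JNLP handler can be registered even where the plug-in is not. The following host audit is an added example, not code from any poster or from Oracle: it walks a directory tree looking for the JRE's real plug-in library names (libnpjp2.so, npjp2.dll, npDeployJava1.dll, the JavaAppletPlugin.plugin bundle) and for a desktop mimeapps.list that maps the application/x-java-jnlp-file MIME type to a handler. The directory layout it builds for its own demo run is constructed and does not describe any real machine.

```python
"""Host audit for the Java browser plug-in and Java Web Start (JNLP) handler.

Added example, not from the thread: reports the artefacts that make a host
reachable by applet / Web Start content so they can be removed or tracked.
"""
import configparser
import os
import tempfile
from dataclasses import dataclass, field

# File / bundle names shipped with the JRE browser plug-in (real names).
PLUGIN_FILE_NAMES = {
    "libnpjp2.so",              # Linux NPAPI plug-in (often symlinked into ~/.mozilla/plugins)
    "npjp2.dll",                # Windows NPAPI plug-in
    "npDeployJava1.dll",        # Windows deployment-toolkit plug-in
    "JavaAppletPlugin.plugin",  # macOS plug-in bundle (a directory)
}
JNLP_MIME = "application/x-java-jnlp-file"   # MIME type that Web Start registers for


@dataclass
class AuditResult:
    plugin_paths: list = field(default_factory=list)
    jnlp_handlers: dict = field(default_factory=dict)   # mimeapps.list path -> desktop entry

    @property
    def exposed(self) -> bool:
        """True if anything on the host will launch applet or JNLP content."""
        return bool(self.plugin_paths or self.jnlp_handlers)


def jnlp_handler_from_mimeapps(path):
    """Return the desktop entry registered for JNLP files in one mimeapps.list, or None."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str          # MIME types are case-sensitive keys
    try:
        parser.read(path, encoding="utf-8")
    except (configparser.Error, OSError, UnicodeDecodeError):
        return None
    for section in ("Default Applications", "Added Associations"):
        if parser.has_option(section, JNLP_MIME):
            handler = parser.get(section, JNLP_MIME).strip().rstrip(";")
            if handler:
                return handler
    return None


def audit_tree(root):
    """Walk root and collect plug-in libraries and JNLP file associations."""
    result = AuditResult()
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:                     # the macOS plug-in is a bundle directory
            if name in PLUGIN_FILE_NAMES:
                result.plugin_paths.append(os.path.join(dirpath, name))
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name in PLUGIN_FILE_NAMES:
                result.plugin_paths.append(full)
            elif name == "mimeapps.list":
                handler = jnlp_handler_from_mimeapps(full)
                if handler:
                    result.jnlp_handlers[full] = handler
    result.plugin_paths.sort()
    return result


def build_demo_tree(base):
    """Constructed sample layout: one user with plug-in + JNLP handler, one clean user."""
    os.makedirs(os.path.join(base, "home", "alice", ".mozilla", "plugins"))
    os.makedirs(os.path.join(base, "home", "alice", ".config"))
    os.makedirs(os.path.join(base, "home", "bob", ".config"))
    open(os.path.join(base, "home", "alice", ".mozilla", "plugins", "libnpjp2.so"), "w").close()
    with open(os.path.join(base, "home", "alice", ".config", "mimeapps.list"), "w") as fh:
        fh.write("[Default Applications]\ntext/html=firefox.desktop\n"
                 f"{JNLP_MIME}=javaws.desktop;\n")
    with open(os.path.join(base, "home", "bob", ".config", "mimeapps.list"), "w") as fh:
        fh.write("[Default Applications]\ntext/html=firefox.desktop\n")


def run_demo():
    """Audit the constructed tree in a temp dir; return findings relative to it."""
    with tempfile.TemporaryDirectory() as base:
        build_demo_tree(base)
        result = audit_tree(base)
        rel = lambda p: os.path.relpath(p, base).replace(os.sep, "/")
        return {
            "exposed": result.exposed,
            "plugins": [rel(p) for p in result.plugin_paths],
            "jnlp": {rel(p): h for p, h in result.jnlp_handlers.items()},
        }


if __name__ == "__main__":
    findings = run_demo()
    print("exposed:", findings["exposed"])
    for p in findings["plugins"]:
        print("plug-in library:", p)
    for p, h in findings["jnlp"].items():
        print("JNLP handler:", h, "registered in", p)
```

On a real host, call `audit_tree("/")` (or per-user home directories) instead of the demo; the walk is deliberately a pure inventory with no writes, so it can run from an inventory job and feed a ticket to remove the plug-in or the JNLP association where the JVM is only needed for server-side or thick-client code.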

Ask (4, Insightful)

andrewa (18630) | 1 year,5 days | (#43489743)

Yet still they are trying to sneak the "Ask" toolbar in there.....

Re:Ask (3, Informative)

SeaFox (739806) | 1 year,5 days | (#43490441)

I've decided that must be the only reason they haven't created an auto-update system for Java. I mean, my AV software can update its own definitions, my web browser can update itself, yet I still have to click the stupid message every time Oracle farts.

My mom has been complaining about it too. The frequency of these updates is encouraging people to ignore them or turn them off, like the classic boy who cried "Wolf!".

If the Java system could update itself they'd lose the opportunity to trick people into not unchecking the Ask Toolbar, McAfee Security Scan, etc shovel-ware. And as people get frustrated with the constant updates they get sloppier about what they're clicking as they go through them.

Great. Headaches ahead. (3, Funny)

mindwhip (894744) | 1 year,5 days | (#43489793)

Every time they release one of these my company's IT department insists on the new version being mandatory and installs it on every PC without any testing.

This then breaks one (or more) of our externally provided and supported, business critical, small user base, Java client/server systems. After a few days of frantic phone calls and manual un-installs of the new Java version (which have to be done by IT support remoting into PCs, due to security lockdown, after senior signoff, and which we have to keep doing to combat the overnight updates) we end up with an emergency change to install a very alpha version of the client/server system.

The updated client is normally so full of bugs that it gets several further emergency updates over the next 3 months and is just about stable and almost bug free in time for Oracle to release another patch...

Frost p(ist (-1)

Anonymous Coward | 1 year,5 days | (#43489799)

to keep up as Another special

Warning: ask.com toolbar (5, Informative)

icknay (96963) | 1 year,5 days | (#43489843)

Suppose that when you first run the Java installer, it asks you if you want to install the Ask.com toolbar; naturally you select the No Ask.com Malware button, and everything installs nicely. Now later on, for each security update that comes along, there's a nice Install Important Update button .. and what do you suppose that does? It installs the Ask.com toolbar! I know Oracle is supposed to be aggressive with their practices, but I cannot believe they abuse security updates this way to get a few pennies out of Ask.com, which is basically a search-result-spam engine.

The reason you have not heard about this more, is that Macs and Firefox/Chrome (not sure about IE) resist the Ask.com installer, so you just don't see it, but the crappy Oracle behavior is in fact going on each time. The result is that naive users are getting this toxic thing installed and it really messes up their whole internet experience.

Hey Oracle: you're pissing away tons of Java goodwill in exchange for pennies from the Ask.com spammers. Who the heck thought that was a good trade? Like what techie who learns of this behavior is ever going to install Java anywhere? Aren't you trying to make JavaFX into a real client thing?

See http://www.zdnet.com/a-close-look-at-how-oracle-installs-deceptive-software-with-java-updates-7000010038/ [zdnet.com] for lots of details on how the Ask.com installer tries to trick the users and hide itself. It's kind of an interesting arms race between the spamming toolbar and the browser vendors.

Re:Warning: ask.com toolbar (0)

Anonymous Coward | 1 year,5 days | (#43490153)

+ This

As an enterprise Java developer for almost 8 years (shit, time flies) I honestly like the ecosystem and the language is good enough, I suppose.
But Oracle's antics with the ask.com toolbar almost make me ashamed I use Java. I recently needed to uninstall the ask.com toolbar for the 3rd time from my dad's PC because he kept missing the ask.com option in the update installer (which of course defaults to yes) and the only reason he had Java in the first place was because of a tool I installed for him...
I know that right after the Sun takeover Oracle said they were looking into how to "Monetize" Java, but they must've picked the sleaziest way to do this (honestly, I didn't think there was a way to monetize it).

Anyways, there's a petition out there to put pressure on Oracle for removing the Ask.com cancer from Java, supported by Joshua Bloch, but the response has been pretty underwhelming imo.
If you care about this, please take a minute to sign it:
http://www.change.org/petitions/oracle-corporation-stop-bundling-ask-toolbar-with-the-java-installer

Re:Warning: ask.com toolbar (0)

Anonymous Coward | 1 year,5 days | (#43490275)

The ask.com deal was penned by the cash-strapped Sun back in the day, not Oracle. Oracle acquired this contract with the rest of Sun, and I trust they'll eventually get rid of it; ask.com is paying 'em, but while it must've been significant coin for Sun, I'm sure it's peanuts for Oracle.

Can say the same for (0)

Anonymous Coward | 1 year,5 days | (#43489963)

According to security analyst Wade Williamson, organizations need to realize that the web browser will continue to pose a significant risk. 'The first step is for an organization to understand precisely where and why a web browser is needed,' Williamson wrote. 'Based on the rate of newly discovered vulnerabilities, security teams should assume that the web browser is and will continue to be vulnerable.' Organizations should take a long, hard look at web browsers and answer for themselves if it's worth it, Williamson added.

Jackie Robinson and the answer to the question. (0)

Anonymous Coward | 1 year,5 days | (#43490017)

It's all coming together. You'll see. What I don't know; but it's all coming together.

These are NOT JAVA vulnerabilities (5, Informative)

coder111 (912060) | 1 year,5 days | (#43490121)

These are java APPLET or BROWSER PLUGIN vulnerabilities. Completely different thing.

Slashdot should stop with this misinformation. Java the LANGUAGE is OK. Java Virtual Machine is OK. Servers using Java as server-side language are OK. Java desktop applications are OK.

Java the BROWSER PLUGIN is vulnerable. But Java Browser plugin should never have happened in the first place and should be killed with fire.

So stop with the whole bashing of Java in general. Java is a very good and mature language, with the fastest JVM on planet today, lots of open source 3rd party libraries, servers, frameworks and tools. It's very very good for server-side development.

--Coder

Re:These are NOT JAVA vulnerabilities (-1)

Anonymous Coward | 1 year,5 days | (#43490373)

>Java desktop applications are OK.

Cool story, bro.

Re:These are NOT JAVA vulnerabilities (0)

Anonymous Coward | 1 year,5 days | (#43490707)

with the fastest JVM on planet today

Of course they have the fastest JVM - that's like saying Ferrari makes the fastest Enzo. What you mean is just "VM" or even "byte-code interpreter".

I wouldn't 'Ask' (1)

GerryHattrick (1037764) | 1 year,5 days | (#43490131)

I really would tell all my country-cousins to update their Java, but I couldn't rely on them to untick the 'Make Ask my default homepage, and add the toolbar' box. That sort of inertia-sell to the ignorant inspires no confidence at all.

Balanced? (4, Insightful)

Racerdude (1006357) | 1 year,5 days | (#43490191)

"Organizations should to take a long, hard look at Java and answer for themselves if it's worth it, Williamson added." This doesn't sound very balanced. It sounds like he has some sort of ulterior motive.

Infinity minus 42 (0)

Anonymous Coward | 1 year,5 days | (#43490281)

Infinity minus 42...

is still infinite.
