Slashdot Mirror


Cross-Platform Java Sandbox Exploit

DrWho520 points out this report at silicon.com which begins "A flaw in Sun's plug-in for running Java on a variety of browsers and operating systems could allow a virus to spread through Microsoft Windows and Linux PCs. The vulnerability, found by Finnish security researcher Jouko Pynnonen in June, was patched last month by Sun, but its details were not made public until Tuesday." The hole affects Linux and Windows.

71 of 382 comments

  1. Re:Makes me wonder... by I confirm I'm not a · · Score: 4, Informative

    ...Or better, since Java runs in a (relatively) secure sandbox. It's worth noting, from the article, that there hasn't to date been a single Java virus. This is bad, but it has to get a lot worse before comparison with ActiveX is warranted.

    --
    This is where the serious fun begins.
  2. Another good reason to allow third party review... by johnhennessy · · Score: 4, Insightful


    I think this tries to highlight another reason why allowing a third party to review your code is a good thing.

    Generally, the most cost-effective way can be an open source model (there are others!).

    --
    [ Monday is a terrible way to spend one seventh of your life. ]
  3. Java != Java Sandbox by Cyphus · · Score: 4, Insightful

    It's the browser-based sandbox that's the culprit here, not Java. Saying it's a problem with Java is like saying an IE exploit is a problem with HTML.

  4. Opera not affected by TheJavaGuy · · Score: 3, Informative

    This bug affected IE and Firefox, but not the Opera Browser.

    --
    Opera Watch - An Opera browser blog.
    1. Re:Opera not affected by Anonymous Coward · · Score: 5, Informative

      Actually the Java in Opera is even worse: http://archives.neohapsis.com/archives/bugtraq/2004-11/0250.html

  5. Not that critical.. by fforw · · Score: 4, Insightful
    This only affects the Java plugins in the 1.3 and 1.4 Java releases. The current Java release, 1.5/5.0, is not affected at all.

    And it's a Java plugin vulnerability, so a website running Java on the server side is not affected.

    --
    while (!asleep()) sheep++
    1. Re:Not that critical.. by sporty · · Score: 4, Insightful

      Not that critical? 1.5 was released in the last month. What do you think all the people were using before last month?

      --

      -
      ping -f 255.255.255.255 # if only

    2. Re:Not that critical.. by sporty · · Score: 2, Insightful

      I'm a Java developer too. You'd be surprised about applet use. Lots of games, for instance, are written in Java. There are always two options: applets and Flash. Also, when someone doesn't know Flash, they usually default to Java. It may be a small enough group of people to you, but they are still a significant number.

      --

      -
      ping -f 255.255.255.255 # if only

    3. Re:Not that critical.. by DeadMeat (TM) · · Score: 3, Informative

      > Why doesn't the JRE have an auto-update feature enabled by default on install, easily disabled from the control panel for those who are savvy (and stays disabled, unlike Acrobat Reader)?

      As of one of the 1.4.2_0x releases, it does.
  6. Re:Windows and Linux? by DaEMoN128 · · Score: 4, Informative

    There are already proof-of-concept viruses that work on both Linux and Windows.
    http://antivirus.about.com/library/weekly/aa032801a.htm/
    http://www.itworld.com/AppDev/1312/IWD010328hnvirlin//
    Looks like this has been happening since 2001 according to the itworld article (look at the date in the upper left hand corner).
    The only thing that has changed is the vector of infection. There was also a /. article if I remember right, but I can't seem to get the right search terms to find it.

    --
    Stop signs are only Suggestions
  7. No root privilege escalation by Xpilot · · Score: 3, Insightful

    From the Sun website:

    "...through JavaScript calling into Java code, including reading and writing files with the privileges of the user running the applet."

    A Unix-like OS such as Linux is somewhat safer than Windows, as one compromised user account doesn't trash the stuff that user doesn't have read/write permissions on (such as root or other users). So it's possible to contain on Linux, but on Windows... people usually run as Administrator.

    --
    "Backups are for wimps. Real men upload their data to an FTP site and have everyone else mirror it." -- Linus Torvalds
    1. Re:No root privilege escalation by Meostro · · Score: 2, Insightful
      > A Unix-like OS such as Linux is somewhat safer than Windows, as one compromised user account doesn't trash the stuff that user doesn't have read/write permissions on (such as root or other users). So it's possible to contain on Linux, but on Windows... people usually run as Administrator.

      That is absolute misinformation. How are the two any different?

      I run as root and as Administrator because I'm too lazy to set up actual, proper permissions and accounts. That doesn't mean that I couldn't, just that I don't.

      Both OSes support limiting access to crucial files. Both can keep you from screwing up other people's files / settings / etc. It's possible to contain on Windows too, if you care to.
    2. Re:No root privilege escalation by hackstraw · · Score: 2, Insightful

      > I run as root and as Administrator because I'm too lazy to set up actual, proper permissions and accounts. That doesn't mean that I couldn't, just that I don't.

      This will change when you get a job. I recommend breaking this habit soon.

    3. Re:No root privilege escalation by Tony Hoyle · · Score: 2, Insightful

      I wouldn't employ someone who admitted that on a public forum...

    4. Re:No root privilege escalation by radtea · · Score: 2, Informative


      The difference is that running as a non-admin on Windows is a huge pain, as many programs don't play nicely with non-admin accounts. Windows has a huge legacy of "one user per machine" thinking in its applications development history.

      That means that many apps will not run well under non-admin accounts on Windows. Try it sometime and see. Talk to any tech-support person and ask what fraction of calls they get due to people trying to run under non-admin accounts (there's been a spate of this lately as folks upgrade to SP 2 and decide to get a bit more serious about security.)

      In comparison, I've run Unix of one kind or another since the 80s and have never had to be root to do anything other than install software or do configuration stuff.

      --Tom

      --
      Blasphemy is a human right. Blasphemophobia kills.
  8. Java finally reaches its full potential by scatter_gather · · Score: 5, Funny

    Write once, exploit everywhere!
    :)

  9. Re:Makes me wonder... by fforw · · Score: 4, Interesting
    > ...if Java is really just as bad as ActiveX

    No.

    This is the only cross-platform security issue known, and it's a theoretical one; no exploits are known.

    One failure in a secure sandbox environment is still not as bad as an environment where any code is executed and the security consists of the developer saying:

    "I don't think I built in something harmful, and I sign that belief with this digital signature."

    --
    while (!asleep()) sheep++
  10. Re:At least... by rdc_uk · · Score: 4, Insightful

    The "patch before admitting the problem" thing DOES happen on Windows.

    But when it happens on Windows it is Microsoft "covering up their vulnerabilities".

    Apparently, for you, when someone else does it they are doing something good...

    Security by obscurity, no matter who does it, is still bad. Just because the WHOLE WORLD didn't know about it doesn't mean some virus writer didn't; it just meant everyone continued to use unpatched Java installs in blissful ignorance of the risk.

  11. Re:Makes me wonder... by owlstead · · Score: 4, Insightful

    There are differences. This is a bug in the security implementation of Sun. That's bad, since it goes for every platform. However, this is a single bug. With ActiveX, you are in trouble if there is a bug in *any* ActiveX component that is safe for scripting. So the target is way smaller with Java. Obviously that also makes it possible to vigorously (no spell check available - dang) test that part, so no excuse for Sun for not doing that.

    Note that there are very few security notifications with Java. I can remember a few buffer exploits in the VM (not in the Java applications themselves; that's impossible, unlike ActiveX). Java makes it much easier to write secure code. So the chance of serious bugs occurring is smaller (bugs tend to be in the design, not so much in the implementation). But it is definitely not a holy grail; mistakes can be made, as you can see.

    So is it a serious bug? Answer: YES. Does that make Java (/.NET managed code) a bad idea? NO. Do you need to upgrade? Certainly. Is Java as bad as ActiveX in the browser? Definitely not.

  12. Re:Makes me wonder... by rdc_uk · · Score: 3, Insightful

    " There are differences. This is a bug in the security implementation of Sun. That's bad, since it goes for every platform."

    What you should have really noted was that this is a bug in the security implementation of java. Which is bad.

    ActiveX, on the other hand, doesn't HAVE a security implementation in which to get such a bug, which is terminally bad.

  13. Write once, run everywhere by Lucky Kevin · · Score: 3, Insightful

    A virus writer's dream!

    --
    Kevin
    "It's not the cough that carries you off, it's the coffin they carry you off in" O. Nash
  14. Re:Makes me wonder... by I confirm I'm not a · · Score: 3, Insightful

    > > hasn't to date been a single Java virus.
    > ...that we know about...

    True, and it's worth noting that the quote I offered above came from Jonathon Schwarz, who - just possibly - might be biased. I'm still more inclined to trust a platform with no visible viruses than platforms with very obvious viruses. Put another way, I'm in no hurry to locate a browser that supports ActiveX.

    --
    This is where the serious fun begins.
  15. Windows and Linux, huh? ...what about Mac? by mrchaotica · · Score: 3, Interesting

    Is the Java that comes on Macs exploitable by this too? (Maybe not, since Apple might have changed something, but I don't know)

    Also, what about BSD?

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  16. More detailed info ... by Anonymous Coward · · Score: 3, Informative

    From the horse's mouth right here. The issue is actually with the plug-in, not Java itself. In brief, you can load a Java class in an applet via JavaScript using getClass().forName() and use that reference to make calls outside the confines of the sandbox.

  17. there have been lots of those before by jeif1k · · Score: 5, Insightful

    The "sandbox" that cordons off Java applets from the rest of the system has typically worked well.

    When Java first came out, people found lots of security problems with its sandbox; there were both fundamental flaws in Java's type system and problems in Sun's implementation. That aspect of Java was subject to intense scrutiny back then because Sun had positioned Java as a new way of delivering client applications, which depended critically on sandboxing. The vision was that Java would replace heavy desktop apps.

    These days, it doesn't matter much anymore: Java has failed to achieve its goals on the client; you can browse perfectly fine with applets disabled and never even notice. And for Java's current server side uses, sandboxing isn't really that important. So, people stopped finding flaws in Java's sandbox because they stopped looking--it just doesn't matter to anyone anymore.

    I think Java's original vision of a thin client platform for high-quality applications delivered through the Internet is still relevant, but Java won't be able to fulfill it anymore: it has become too bloated and too complex. More likely, that niche will be filled by an updated version of Flash (yuck), XUL, or, perhaps, something entirely new.

    1. Re:there have been lots of those before by Joe Tie. · · Score: 2, Insightful

      > Look, the truth is that not only is Java irrelevant on the desktop...

      I would have agreed with you a year ago, but it's really made a comeback for desktop use. SWT, SwingWT, and the performance increases in 5 have changed things around enough that I'm considering it a viable development platform again after having discounted it for quite some time. Two of the programs I use most often are in fact written in Java, azureus and dvarchive. The latter even uses swing, and I'm still amazed by the fact that I don't mind that anymore.

      --
      Everything will be taken away from you.
  18. java.com still offering BAD version by prandal · · Score: 3, Informative

    www.java.com is only offering j2re-1.4.2_05, a vulnerable version.

    Version 1.5.0 is available from java.sun.com.

    WAKE UP SUN!

    1. Re:java.com still offering BAD version by lokedhs · · Score: 3, Informative

      That's why you should go to java.sun.com, not www.java.com

    2. Re:java.com still offering BAD version by prandal · · Score: 2

      Home users will go to the former, not the latter!

  19. No patch by roman_mir · · Score: 2, Interesting

    There is no patch, only the next release of the JRE. Why is that? Wouldn't it make more sense to also release an executable patch rather than forcing a 14MB download (not that I care, I download it at 400KB/s)?

  20. let's have a little perspective by bratboy · · Score: 5, Insightful
    I'm sorry, but the comments here are getting a little absurd. The Java sandbox has had how many security exploits discovered in the eight or nine years it's been around? Perhaps there have been a couple, but I can't remember any. And now, a flaw is discovered by an independent researcher, a patch quickly released, and the bug made public only after a significant amount of time has passed for people to upgrade, and before an exploit appears - and you're complaining because ...? Oh right, because Java isn't open source.

    Open source, although a wonderful thing which should be given away at school bake sales, church meetings, and NASCAR rallies, is not a silver bullet. Case in point - the Firefox browser (which I use and love) has already had several security flaws (e.g. the same JPG flaw as IE) for which exploits have been released. The major reason we don't see more is *not* because it's so much more robust - it's because it still doesn't have the visibility and market share of IE, not to mention the raw hatred of ubergeeks around the world. I know, I know - the market share is going up, and as a faithful user I'm honestly torn. I'd love for it to be successful, and for Microsoft to have some kind of competition, but for now, Firefox is pretty safe. Give it the market share, and watch all those 2600-loving eyes start reappraising their goals.

    daniel

    1. Re:let's have a little perspective by prandal · · Score: 4, Insightful

      I don't think the open-sourceness or not of an application is the relevant issue.

      Consider three email clients for home users of Windows:

      Outlook Express - proprietary, bundled, and happily executes malware without a thought (and aids in social engineering attacks by hiding file extensions), insecure by design

      Pegasus Mail - proprietary, free, but not open source. Never executes anything unless explicitly told to; secure by design.

      Thunderbird - open source, secure by design.

      Design's the key, not the platform.

      But things aren't helped by idiotic PC games and applications requiring users to have administrative rights in order to play them (The Sims, The Sims 2, for example - it even says so on the box).

    2. Re:let's have a little perspective by bratboy · · Score: 2
      Having written an HTML parser (and had to deal with the crazy HTML that even major websites use), I'd agree that it would be nice if only stricter HTML existed. On the other hand, crashing doesn't seem like a good way to handle malformed HTML. ("All browsers but Microsoft Internet Explorer kept crashing on a regular basis due to NULL pointer references, memory corruption, buffer overflows [and] sometimes memory exhaustion, taking several minutes on average to encounter a tag they couldn't parse," wrote Zalewski.) And, although not a contributor to Firefox, I wonder just how deliberate the strictness was (am genuinely curious - links, anyone?)

      I remember a /. thread a couple of months ago from a student who was gathering input from the community for possible new features to put into firefox as part of a research project. I remember the comments veering from "neural net laser-guided search functionality would be pretty cool" to "for the love of Stallman, please don't bloat our browser!" I think the thing that's been so significant about Linux is that it's been able to generally avoid this problem through Linus's benevolent-rule-by-reputation. I think that this is also part of what Sun fears about letting go of Java.

      daniel

  21. Java == Java Sandbox by jeif1k · · Score: 4, Insightful

    Browsers aren't responsible for sandboxing plugins--in fact, they couldn't do it if they wanted to. Sandboxing is exclusively a function of the language and its runtime, in this case Java. If Sun's Java plugin allows the execution of dangerous code by untrusted code, it is Sun's fault. Note also that this is not the first time that this has happened.

    Fortunately, the solution is simple: just turn off Java applets in your browser. These days, you won't be missing anything important on the web by doing so.

  22. Java language != Java Sandbox by Cyphus · · Score: 2, Informative

    I agree with you, browsers aren't responsible for the sandboxing, and it is Sun's fault for having a buggy plugin. But sandboxing is not a function of the language - it is solely a function of the runtime. I could use a different runtime with the same compiled Java code and not have the problem. Therefore it's not a problem with the language.

  23. Re:Makes me wonder... by rdc_uk · · Score: 2

    " Lets make a deal: it is a bug in the security implementation of Java by Sun. Sheesh. That's what I said, didn't I?"

    I think you read an implied slur into me simply having chosen to use the word "java" instead of "sun" when paraphrasing instead of actually quoting you. None was intended.

    On to the point; as I recall the 2 main problems with ActiveX security are:

    1. The browser (IE being _the_ ActiveX browser IIRC) pushes "security" options such as "allow signed scripts to run". Johnny Hacker is quite capable of signing his code, thus getting it run without question on most installs.

    2. It is quite plausible to spoof your signature. Then even if you are requiring manual authentication of each signature before you let it run, it may well look to the casual user like a Macromedia or Microsoft signature, and therefore it gets run.

    Contrast with the (intention of the) Java security model, where it is not supposed to be possible to GET the kind of access that allows destruction / subversion in the first place.

    It's the (piss-weak) "security" attitude that "if company X wants access that would let it format your drives, but only after scanning all the files on them, then it's OK, because it's company X, isn't it?" that is the problem with ActiveX.

    No "program" run through your browser has a legitimate need for that level of access to your local machine.

    My personal opinion is that there are 2 fundamental flaws in how some companies view "browsers":

    1 - they think that the web browser and the file manager should become one.

    2 - they think that goal justifies tying the browser tightly to the file system on the local machine, and justifies including low-level local access mechanisms into the browser and the things it can browse.

    Personally I disagree; I think that having any "web format" of data/program able to escalate its rights to that kind of level is suicidal in terms of security, and therefore the risks of the required infrastructure make having your web browser serve to handle your local file system vastly outweigh the minimal benefit of dropping one program from the machine.

    I also think that may have been the longest sentence I've ever written; so I'll preserve it for posterity!

  24. Re:The nice thing is by hawaiian717 · · Score: 2, Insightful
    Looks like you left out the word "not":

    > The nice thing is that if you are using Linux, Java is most likely not running as root, and therefore less likely to mess around with your OS, or files which that user does not have access to. Therefore, it's probably hard to get something into a startup script, and to create a virus that would be around after you rebooted the computer.

    :)

    --
    End of Line.
  25. You have got to be shitting me. by Lethyos · · Score: 4, Insightful
    > Makes me wonder if Java is really just as bad as ActiveX

    Who the hell moderates stuff like this as "insightful". I don't have any exact numbers in front of me (nor will I spend the time to find them), but I can safely tell you that over their respective lifetimes, ActiveX has suffered many orders of magnitude more exploits than Java ever will. The only meaningful caveat I can think of to this statement is the "default" Java runtime environment (that used to be) packaged with Internet Explorer that is written by Microsoft. Of course, you can hardly attribute any problems with that to Java because Microsoft built it on top of ActiveX and took very little interest in security when doing so.

    Also, I should point out that any of these theoretical exploits will do the most damage on Windows, compared to other platforms, because Windows is insecure. It seems that any code running on a Windows box has, one way or another, unbridled access to resources that should be above the user's privileges, but that's an entirely different situation altogether...

    --
    Why bother.
    1. Re:You have got to be shitting me. by ttfkam · · Score: 3, Interesting

      Exactly! And another aspect that people can't seem to wrap their heads around is the lack of confirmation windows in Java client-side. Sure a signed applet that will be accessing the local filesystem or connecting to an arbitrary server on the net will pop up a dialog box as it should, but normally it just starts up and runs.

      ActiveX pops up a dialog box at every new instance on every site. The user ends up thinking, "Oh, another damned popup," and just clicks on it. It's like email and dealing with spam. There are so many junk emails, eventually you make a mistake accepting one you shouldn't have or dumping one that you would have wanted.

      With the Java applet sandbox, only actions that are potentially dangerous require a confirmation dialog, and 99.9% of all applets do not need signing. Sure, today Sun announced a vulnerability. That makes how many in the last ten years? Seriously, compare that number with the number of exploits in basically any network-aware program in any language. Dumping Java over this is like refusing to go out to restaurants anymore because a friend of a friend got food poisoning.

      You want to be absolutely safe, unplug your network or modem cable. There you go. Absolute network safety. Life is a compromise.

      --

      - I don't need to go outside, my CRT tan'll do me just fine.
  26. Java == Platform by bheer · · Score: 3, Insightful

    > But sandboxing is not a function of the language - it is solely a function of the runtime.

    Pedant alert. In this case, ignorant pedant alert. The runtime is the Sun(R) Java(tm) Runtime Environment(tm), and Sun has lawyers who will do bad things to you if you claim the Java moniker does not apply to the JRE (which includes plugins for several popular browsers). Cue "Java is a platform" blather from Sun execs.

    In this case, they are simply being hoisted on their own petard. It is a bug in Java. The Platform (or, if you prefer, the thingamajig they sell/give away). Period.

    1. Re:Java == Platform by tolan-b · · Score: 2, Informative

      Yes, it's a vulnerability in the Sun implementation of the Java platform, but not in Java the language or the Java platform generally.

      There are other Java runtimes, which are allowed to use the name Java because they pass the conformance tests (such as IBM's Java runtime); they would not be vulnerable to this exploit.

  27. Re:Where's the patch? by crazyphilman · · Score: 2, Informative

    I just downloaded 1.4.2_06 from Sun's website. Go to java.sun.com and look for J2SE. You can get both 1.4.2_06 and 1.5 there, on the page. I didn't use the automagic update, myself, so I don't know what's going on there.

    --
    Farewell! It's been a fine buncha years!
  28. Auto-update does not seem to work (yet?) by Guus.der.Kinderen · · Score: 2, Informative

    Sadly, the "Update Now" button in my J2SE 1.4.2_05 RE Plug-in Control Panel still informs me that I already have the latest version installed. You'll probably have to update manually, for now.

    Another thing: the auto-update timer in that same Control Panel is set to go off once a month by default. You might want to turn that up a notch for fixes like these.

  29. Re:Makes me wonder... by fforw · · Score: 2, Insightful
    > It is not exactly a failure of the secure sandbox environment. If you were running a standalone Java application or a Java Web Start application in the sandbox this hole wouldn't apply. This hole applies to the _C_ code that manages the Java plug-in.

    Well... the result of this vulnerability is a circumvention of the sandbox environment (not in C code but via JavaScript). You may argue that the sandbox in itself has not failed, which is formally correct, but a hacker shouldn't be able to circumvent it via JavaScript.
    --
    while (!asleep()) sheep++
  30. Re:Disable Java by hackstraw · · Score: 2, Interesting

    Disable Java in your browser unless you absolutely need it (rare). Period.

    Why is this flamebait?

    My browser has _no_ plugins running by default. Also, my browser (Safari) has a separate Java and plugin preference checkbox, and I rarely load Java. The last time I did was to look at some buggy applet that someone wrote at work.

    Over the years I have come to despise Java. It would be different if it worked, but for me, Java has caused many problems, and I have seen 0 benefits from it.

    So I won't get modded as flamebait as well, I'll elaborate.

    Oracle's "Universal Installer" is written in Java so that it could be cross-platform, etc., etc., to make it easier and universal for people to install Oracle. How convenient that it took me _hours_ to install it on an NT machine because a bug in Java made the installer fail if the display was using more than some arbitrary number of colors (256, 16k, dunno, don't care). Thanks.

    There are many "web installers" or whatever written in Java for Solaris machines. I've had these fail about 40% of the time.

    I've had Netscape crash at least on the order of hundreds of times because of Java.

    Java in a browser applet is very slow loading.

    My brand new Apple Xserve RAID came with a GUI admin program written in Java. It worked for about a week, now it doesn't, and I have to call Apple and bitch when I get the time.

    Java applets _never_ looked anywhere near the same on different OSes, or even on the same OS with different browsers. Besides the silly thing a coworker wrote, I don't remember the last time I had to load the Java plugin for a website.

    I have installed Websphere once, I won't go into details from here.

    One of Java's cool "features" is that it does not have pointers. I can't tell you how many times I've run a Java program and gotten a traceback which mentions a "null pointer exception".

    I've been familiar with Java for years. This is not some blind "this sucks" thing. I've coded in Java to write applications and applets that run natively on a normal OS, in browsers, and on embedded devices like smartcards and iButtons.

    I don't particularly care for Python either, but at least most of the Python applications that I have used work, so I have no real objections to it besides I just don't like the language or the quirky way Python and Python programmers do things. For example, the damn #!/usr/bin/env python thing kills me. Try explaining to (l)users over and over again that there are 2 versions of Python on the system, one in /usr/bin, one in /usr/local/bin. If the (l)user has sufficiently screwed up their PATH statement, or uses a broken shell (like bash, which cannot decide which dotfiles to load under which invocation; don't get me started with (t)csh), then the wrong instance of Python gets loaded, and I have to go through my speech again about how #!/usr/bin/env python is wrong. But since it works most of the time, I don't rant about it like Java.

    I'm just talking from my experiences here, and I have not had a pleasant experience with Java.

  31. Re:Windows and Linux? by jvervloet · · Score: 2, Informative
    > There was also a /. article if I remember right, but I can't seem to get the right search terms to find it.

    I found this one using "cross-platform virus site:slashdot.org".

  32. Unix Viruses ? by anux · · Score: 3, Interesting

    I have always found the idea of viruses on Unix amusing. I mean, any user can cause damage to his/her files, either manually or by running a script or binary. But this is not an "infection" as the system is left completely untouched. What worries me though is the way the news sites report "Linux viruses". Someone unfamiliar with Linux/Unix might think: "Oh! So Unix also has viruses, just like Windows." This I think is giving a completely wrong impression about Unix to such people.

    --
    -- anux
  33. Browsers lack security functionality by freelunch · · Score: 2, Interesting

    Browsers should allow you to configure Java and JavaScript on a per-site basis, much like you can allow pop-ups from certain sites.

    I prefer to have JavaScript off all the time.

    Being able to selectively enable them for certain sites would be nice and would improve security.

  34. Re:At least... by Jokkey · · Score: 2, Insightful

    > Security by obscurity, no matter who does it, is still bad. Just because the WHOLE WORLD didn't know about it doesn't mean some virus writer didn't; it just meant everyone continued to use unpatched Java installs in blissful ignorance of the risk.

    You're saying that vulnerability details should be announced before patches are completed? I'm afraid I disagree. There's a fair bit of evidence (see stories here and here) that black hats are using vulnerability announcements and patches to find exploits rather than finding them themselves. If that's the case, keeping vulnerabilities quiet until the software company's had a chance to patch them is a good idea, even if security through obscurity is in general a bad idea.

  35. Re:Disable Java by Tony Hoyle · · Score: 2, Interesting

    Wow, that's worse than I've seen.

    The worst problem I've had was writing a commercial app that had a Java frontend. Because Sun kept making seemingly random changes to the API and not fixing bugs (or worse, breaking the bugs that they fixed in the last version), we were stuck with 1.3.1-05 almost right until the Java code was abandoned (went to C# - we only supported Windows servers anyway).

    One customer wanted a 1.4.0 release, which we duly did (required a special fork and about a month of developer time) - then rejected it because it wouldn't work through MS Proxy Server (a Java bug which has never been fixed to this day... it first appeared in 1.3.1-02, was fixed in 1.3.1-05, broke again in 1.3.1-06 and has never been fixed since).

  36. Regarding Java by sneezinglion · · Score: 3, Insightful

    You sir are reacting like an idiot. You list applications that do not work and then blame the language. Blame the application writers, not the language. This is like saying "C++ sucks, look how buggy and insecure windows is, C++ must be to blame, not the developers." Thanks then post.

    1. Re:Regarding Java by hackstraw · · Score: 2, Insightful

      You sir are reacting like an idiot.

      Thanks!

      You list applications that do not work and then blame the language. Blame the application writers, not the language.

      I don't have an issue with the language. It's the buggy runtime environment (jre) that I have an issue with. The language has many good features. From what I understand, it's one of the best languages to program in. But since the jre is so finicky and broken, it's not worth it to use the language, no matter how good it is.

      Another issue that I have with Java is the CLASSPATH stuff. It's simply too difficult on a multiuser system to maintain a clean environment for all users. Again, this is from years of experience and pain.

      Yet another 3 bugs I just remembered with the jre is a web installer toy that would not run by typing /path/to/application, but would run by cd'ing to /path/to and then doing ./application. This was due to a CLASSPATH problem. This was for a mature commercial product. Another interesting bug with Java was I have had issues with Matlab randomly not displaying to a remote X server. I've had this too crash yet another web installer that could not correctly display to a remote X server.

      Again, I have no beef with the Java language, it's the Java implementation that simply has never worked that has pissed me off too many times since Java 1st came out. It's been, what, almost 10 years now, and I still cringe every time an application that I have to use is written in Java. I'm firm with this, and again it is just from years of painful experiences.

  37. Re:Windows and Linux? by Cereal+Box · · Score: 4, Insightful

    so in Linux it can "only" trash the user's home directory.

    I think a lot of Linux zealots tend to downplay the importance of the home directory. After all, if you're a smart user and don't run as root, all your important data is going to be in the home directory (and possibly other directories where your user has permissions). I could care less if the OS install gets wiped out -- that can easily be replaced. The data in my home directory can't. In that regard, losing your home directory is just as bad as losing the entire system.

  38. Re:Windows and Linux? by fforw · · Score: 3, Interesting

    I think a lot of Linux zealots tend to downplay the importance of the home directory. After all, if you're a smart user and don't run as root, all your important data is going to be in the home directory (and possibly other directories where your user has permissions). I could care less if the OS install gets wiped out -- that can easily be replaced. The data in my home directory can't. In that regard, losing your home directory is just as bad as losing the entire system.

    The home directory normally only includes data and settings. It's not fun if you lose data ( if it's important data you should have backups ), but it's worse to have a system compromise where the attacker can control your system, install backdoors to use your system for every purpose he can think of and can even fry your hardware in some cases.

    --
    while (!asleep()) sheep++
  39. Re:Windows and Linux? by Finuvir · · Score: 2, Insightful

    All of what you say is true, but you omit the possibility of a multi-user system. If a single user has non-root permissions he can only destroy his own data, not those of others.

    --
    Why is anything anything?
  40. Re:Java *IS* OPEN SOURCE by Zoolander · · Score: 2, Informative

    Actually, now you can download the source to Java 6 and soon you will be able to submit patches. It's opening up bit by bit:
    Patches

    --
    Meep.
  41. "Patch released quickly" by hkb · · Score: 2, Interesting

    4 months is quick? Boy, I'm sure glad there's such a large anti-full disclosure mentality going around lately. Now, vendors don't have to secure their vulnerabilities in a timely manner!

    1. Get notified about a serious security flaw
    2. ....
    3. Release a patch a quarter of a year later
    4. Profit!

    --
    /* Moderating all non-anonymous trolls up since 2004 */
  42. Re:Windows and Linux? by Mysticalfruit · · Score: 3, Interesting

    You're totally right. Here's how you solve the problem.

    1. Create a separate user called "webuser". Thus when some stupid java exploit attempts to delete your home directory, it can't.

    2. Configure your SELinux security so that the JIT can't create/delete stuff except inside of a "java temp" directory. Fine let the virus go wild, too bad it won't get anywhere.

    3. Implement a sensible backup plan. What's really important for you to backup? Software can generally be downloaded again. The only stuff that's not replaceable is code and settings.

    --
    Yes Francis, the world has gone crazy.
  43. Don't Disable Java by ttfkam · · Score: 2, Interesting

    My browser has _no_ plugins running by default. Also, my browser (Safari) has a separate Java and plugin preference checkbox, and I rarely load Java. The last time I did was to look at some buggy applet that someone wrote at work.

    Over the years I have come to despise Java. It would be different if it worked, but for me, Java has caused many problems, and I have seen 0 benefits from it.

    So you have plugins including Java applets turned off but then say you haven't seen any useful applets. So let me get this straight: you hide them and then complain that you can't see any good ones. Self-fulfilling prophecy? By that metric, do you drop all usage of OS X if you come across a badly written program on the Mac? Starting the plugin the first time is slow, granted. But I've been running Safari on a 500MHz iBook and Java applets haven't been a problem for me. The best written ones have been the ones where I almost didn't notice they were applets. Well-written ones are like this. A lot of folks who denigrate Java out of hand have come across good applets but not recognized them as Java.

    I've had Netscape crash at least on the order of hundreds of times because of Java.

    Have you used Java since the old Netscape days? The plugins in IE, Mozilla, Firefox and Safari have not caused me any problems in years. I find it hard to believe that I've just been the only person in the world and/or am extremely lucky.

    Well... except for that one applet that was a site logo rippling like it was underwater. Pure eye candy that sucked up 60% CPU time sustained on a 3GHz processor. Once again, good technology, bad applet writer.

    That said, I prefer DHTML and related technologies to visual Java applets these days. In a better world, I would have the UI handled by the browser's renderer and the logic handled by Java. Javascript is nice and all, but sometimes you want to do some heavier lifting. And I sure as hell am not going to use ActiveX for that even if it was supported on non-IE and non-Windows environments.

    And I too am talking from experience as I have developed on Java on Windows since Win95, OS/2 Warp, Novell NetWare, Solaris, OS X and Linux. Applets, servlets, EJBs and standalone apps. Aside from filesystem path differences, I have had maybe two problems in the last seven years moving my code from one platform to the next. And yes, I can code in C (K&R and ANSI) and C++ (including ISO98) too. Learned them before Java, so it's not because I haven't seen any other platforms.

    By the way, your mention of NullPointerException is funny to me. Take a C app and access a null pointer. Boom! Hope you have core files enabled so you load the image in a handy debugger. Take a Java app and access a null reference (pointer). Not only can the exception be caught so that it doesn't completely take down the app, but you get an easy to read (relative to C and C++) stacktrace telling you exactly where it occurred so that you can fix it.

    It's not the only language in the world and definitely isn't the only language you should have in your toolbelt, but it doesn't deserve the maligning you just gave it.
    --

    - I don't need to go outside, my CRT tan'll do me just fine.
  44. Java == Java Sandbox... ohpps! by Ghoser777 · · Score: 2, Funny

    You were comparing references (memory addresses) instead of actual values. I think you should have used:

    Java.equals(JavaSandbox)

    instead. It's a common mistake, don't sweat it.

    --
    James Tiberius Kirk: "Spock, the women on your planet are logical. No other planet in the galaxy can make that claim."
  45. Re:Windows and Linux? by StormReaver · · Score: 2, Insightful

    "There are already proof of concept viri that work on both linux and windows."

    This has been covered ad infinitum, and is a non-issue. If you can write to an executable file, you can potentially create a virus for the host system. This has always been a big problem for Microsoft based systems because such systems have no file protections. Anything on Microsoft systems can write to any executable file, hence viruses flourished this way.

    Microsoft then must have decided that virus writers had to work too hard to destroy Windows based systems, because Microsoft then coupled automatically-executed scripting languages with all its major products.

    Linux systems have files with both an owner and access rights. By default, all executables found on non-developer machines are owned by the administrator and are unwritable by regular users. Hence the difficulty of Linux viruses propagating.

    Adding to that, no one has been brain damaged enough to create a Linux based email program that includes a scripting language that automatically executes attachments. If Microsoft -really- wanted to harm Linux, it would port all its products over to Linux. Nothing destroys security faster than Microsoft. Further yet, no one has been brain damaged enough to write a Linux based email program that sets the execution bit on a downloaded file.

    All known supposed "proof of concept" viruses for Linux are nothing of the sort, since they don't work. No one has yet figured out how to make a virus propagate on a typical Linux system without the express permission of the administrator.

    The best anyone has been able to do to Linux is to manually exploit buffer overflows in specific server software on specific sites. Linux users will still be safe from viruses for the foreseeable future. It will require ineptitude of Microsoftian proportions to change that.
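    The property the comment above leans on is that installed executables are not writable by ordinary users. The following shell script, added here as an example and not part of this thread or of any project it mentions, audits a directory tree for executables that a non-owner could modify (group- or other-writable files carrying an execute bit). It uses only POSIX find primaries, and the demo function builds a constructed sample tree in a throwaway temp directory (an assumption, so the check can be exercised without touching a real /usr/bin).

```shell
#!/bin/sh
# Added example, not code from the thread. Lists executables that a non-owner
# could replace: files with any execute bit set that are also group- or
# other-writable. Only POSIX find primaries are used so it runs on Linux and BSD.

find_writable_executables() {
    # $1: directory to audit. Prints one matching path per line, sorted.
    find "$1" -type f \
        \( -perm -0100 -o -perm -0010 -o -perm -0001 \) \
        \( -perm -0020 -o -perm -0002 \) | sort
}

# Builds a constructed sample tree (assumption: a throwaway temp dir) and
# prints the number of flagged files, so the check can be tried offline.
demo_audit() {
    dir=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho ok\n' > "$dir/safe_bin"
    chmod 0755 "$dir/safe_bin"      # owner-only write: not flagged
    printf '#!/bin/sh\necho ok\n' > "$dir/sloppy_bin"
    chmod 0777 "$dir/sloppy_bin"    # anyone can replace the code: flagged
    printf 'notes\n' > "$dir/notes.txt"
    chmod 0666 "$dir/notes.txt"     # world-writable but not executable: not flagged
    flagged=$(find_writable_executables "$dir" | wc -l | tr -d ' ')
    rm -rf "$dir"
    echo "$flagged"
}

# Usage: demo_audit prints 1 (only sloppy_bin).
# For a real check: find_writable_executables /usr/local/bin
```

    A clean result on the system directories is the baseline; anything this prints on a machine that is not a developer's scratch box is a file that any local account, or any process running as one, could rewrite before the next time it executes.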

  46. Re:Another good reason to allow third party review by Frankie70 · · Score: 2, Insightful

    I think this tries to highlight another reason why allowing a third party review your code is a good thing

    How?
    Haven't exploits been found in third party reviewed code?

  47. Mac by JavaLord · · Score: 3, Informative

    I tested my PC, which the sample code worked on, but it didn't seem to work on my mac which runs OSX 10.3.6 in safari or firefox. Safari comes back with a "Class undefined" and firefox just seems to ignore the javascript alert at the end.

    Anyone else try this on the mac and have similar results?

  48. Re:Windows and Linux? by syates21 · · Score: 2, Informative

    Time to re-calibrate the dial on ye olde time machine dude.

    For at least a decade there have been "Windows-based systems" with file system access control much more sophisticated than anything offered by Linux (at least in typical configurations using rwxrwxrwx style permissions) even today.

    Not to say the hard shell on most Windows systems doesn't more closely resemble swiss cheese, but you don't need to resort to inaccurate statements to make that case.

  49. "All bugs are shallow" doesn't apply to security by brlewis · · Score: 2, Insightful

    Certainly some people get overly smug about free software being more secure. More users means more people finding normal bugs. Security holes, however, aren't usually found by casual users trying to use the software as intended. Security is achieved not by exposing the source to many eyeballs, but to the right eyeballs.

  50. Re:Disable Java by LarsWestergren · · Score: 2, Interesting

    I don't remember the last time I had to load the Java plugin for a website.

    I actually have several websites with banking etc that use applets. The JVM load time is annoying though, I agree with that.

    One of Java's cool "features" is that it does not have pointers. I can't tell you how many times I've run a Java program and gotten a traceback which mentions a "null pointer exception".

    Yes, that is an unfortunate wording in the JVM. It should say "null reference exception". Everything except primitives are pointers in Java, but unlike C/C++, Java does not allow pointer arithmetic, so they call them references instead.

    If you see "null pointer exceptions" often, you must be unfortunate enough to have to be running some pretty amateurish programs though (no offence). Null pointers are not hard to avoid in normal code, and in situations where they might fail from an external source (for instance loaded from file), the programmer should of course wrap that in checks to see that the instance is properly initialized before proceeding.

    I have not had a pleasant experience with Java.

    So I see.... sorry to hear that. My experiences have been much better. Eclipse and Azureus kicks ass. I couldn't do without Java on my mobile phones these days.

    --

    Being bitter is drinking poison and hoping someone else will die

  51. Found in April not June by BovineOne · · Score: 2, Informative

    "found by Finnish security researcher Jouko Pynnonen in June, was patched last month by Sun, but its details were not made public until Tuesday."

    But according to the Bugtraq posting Sun Microsystems was informed on April 29, 2004.

    --
    Don't waste those cycles! Put them to use! http://www.distributed.net/
  52. Applets are dead by rve · · Score: 2, Interesting

    The parent is right, client-side Java is dead.

    Web developers make sure not to have the functionality of their website depend on applets, as Windows only comes with a mutant of java 1.2 - if any - installed, and of the clients on the interweb, the overwhelming majority will be windows PCs with Internet Explorer. You just can't count on visitors being willing to download a 14 megabyte installer to use your site.

    Also the performance of client side Java is still very poor compared to the alternatives, and in the early years, when Java was still heralded as the future of computing, it was so unreliable, that its image has been tainted forever.

    1. Re:Applets are dead by Evil+Pete · · Score: 2, Insightful

      The parent is right, client-side Java is dead.

      Client side java is not dead. Applets may be, but client side gui applications are still being written. Ask the Eclipse people if they think it is dead.

      --
      Bitter and proud of it.
  53. I was hit last night by this exploit by yoDon · · Score: 3, Informative

    Only on slashdot would a comment that this exploit is "Not that critical" receive a "Score:4, Insightful" rating.

    Last night, while sitting at my machine, I noticed a Java icon appear in my taskbar. "That's weird," I thought, "I'm not doing anything or hitting any pages that should need the JRE." Since I don't use the JRE much anymore (I installed it while testing a java-based web server) I went to "Add/Remove Programs" and uninstalled j2re-1.4.2_05.

    Too late. This morning I browsed to Slashdot and saw the parent article telling me why the Java icon had popped up.

    Whatever payload the thing delivered appears to have punched a hole in Norton AntiVirus (the Norton Firewall console is reporting that Norton AntiVirus requires "Urgent Attention" but the annunciator on the AntiVirus tab appears to have been disabled in an effort to hide whatever was done to the AntiVirus). It may also have installed the bat/mumu-a worm (one spyware scanner is reporting an infection by the worm, but Symantec's bat/mumu-a removal tool reports the machine is clean).

    Once a drive has been compromised by something more complicated than a simple virus, there's no way you can ever trust the machine again because there is no way to know what sort of rootkit the exploit delivered.

    I've already disconnected the machine from my network and picked up a new hard drive. The old hard drives will go into an external drive housing that I'll only connect to the machine (a) after I have antivirus software reinstalled and (b) only if I absolutely have to pull data from the drive.

    "Not that critical" hah! This is by far the most serious attack I've ever been hit with, and I downloaded j2re-1.4.2_05 at most two months ago (elsewhere in the comments someone is reporting that j2re-1.4.2_05 is still available for download from sun.com, I can't confirm that but this is hardly an antiquated version).

    There goes my day...

    -Don

  54. Re:Another good reason to allow third party review by farble1670 · · Score: 2, Insightful

    I think this tries to highlight another reason why allowing a third party review your code is a good thing

    open source does not prevent security bugs. why don't you go google for mozilla or firefox security problems. they existed. they were quickly patched, as was the issue you're ragging on sun about. for a platform that is as widely used as java, there have been amazingly few security issues. huh? i guess that proves that open source is not the way to go right?

    slashdot reminds me of right-wing radio more and more. it's a place where people come to have their beliefs re-affirmed and not for real discourse and facts.

    • linux=good
    • sun=bad
    • apple=okay
    • ipod=good
    • riaa=bad
    • etc.

    now, this thread, like many others, is just a bait to get /. users to complain in their tired and tedious and predictable manner about sun micro. there was a security bug, it was quickly fixed. where's the story?

    the last thread i read about sun had some guy stating that sun was crap because they didn't include enough tools, and he cited the lack of gzip. solaris has bundled gzip for many, many years. you know what also? when i installed linux back in 1994 on my 80386, 66Mhz PC, linux didn't include gzip either. huh! linux sucks!