Slashdot Mirror
Why You Can't Dump Java (Even Though You Want To)
snydeq writes "Since so many recent exploits have used Java as their attack vector, you might conclude Java should be shown the exit, but the reality is that Java is not the problem, writes Security Advisor's Roger Grimes. 'Sure, I could opt not to use those Java-enabled services or install Java and uninstall when I'm finished. But the core problem isn't necessarily Java's exploitability; nearly all software is exploitable. It's unpatched Java. Few successful Java-related attacks are related to zero-day exploits. Almost all are related to Java security bugs that have been patched for months (or longer),' Grimes writes. 'The bottom line is that we aren't addressing the real problems. It isn't a security bug here and there in a particular piece of software; that's a problem we'll never get rid of. Instead, we allow almost all cyber criminals to get away with their Internet crime without any penalty. They almost never get caught and punished. Until we solve the problem of accountability, we will never get rid of the underlying problem.'"
Good luck with that, we humans have entire criminal justice systems which are supposed to bring accountability... pretty sure you know where I'm going with this one.
but we can still remove java and have less risk right ?
He may be right, but he's also totally unrealistic. Nothing you ever do will stop the "underlying problem". But we can fix security holes, and pressure companies to release more secure code.
No point hoping for what is "right", or "best". Aim for something realistic instead.
Security is one problem -- the other being that you'll get sued for using it. Just ask Microsoft and Google.
There's no -1 for "I don't get it."
Java isn't insecure, criminals just aren't being punished.
That applies to EVERY piece of software. Why should Java get a free pass?
We should legislate away our technical problems?
No thanks. It's been shown time and time again that not only doesn't it work, but it tends to make the technical problems worse.
If everyone thinks "i can just sue them later" them attention to security will drop even farther.
There are very good security systems out there that very few people and organizations bother to implement or continue.
We punish drug dealers and users... they keep on pushing and using.
We punish robbers and gangsters... stores get robbed and people gangbanged every day.
We punish rapists and other sex offenders...new ones crop up.
We punish murderers and and wife beaters... people still get killed and wives beaten every day.
Punishment it little if any deterrent. In countries with far less harsh criminal penalties than the United States, the crime rate stays about even to all other industrialized countries, even given the lesser punishments.
And somehow Grimes thinks that punishing crackers (not hackers.. I am proudly one of those), is going to make a difference. Even if you did manage to snuff it out in one place (highly unlikely), the internet is worldwide and you will have places with less lax laws or corrupt officials where those of a criminal bent can launch whatever they choose.
Most crime (not all)is cause by real or perceived poverty or other social disparity. Spending billions to incarcerate the underprivileged does nothing but further this disparity and create -more- crime.
Try looking at the world with empathy instead of greed and anger and try to lift people up. You may be surprised what a difference it makes.
Silence is a state of mime.
Title:
Why Elephants Are Large
Story:
An Elephant's trunk is very flexible. Even more amazing are the flexible snakes in the grass. Click this link to learn all about why bird's eggs are shaped the way they are.
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Instead, we allow almost all cyber criminals to get away with their Internet crime without any penalty.
Beloved, this is not being true! I have sure-fire way to stop crimes and makes you not being victims of many internet crimes ever. Alls I needs is your passwords to your accounts, and I makes them very secures. Especially yours banks passwords accounts numbers, I very much promising. I extra interested if you been scammed before. I help most much.
To show I most sincere, I also give you free 500 Viagra pills extra-effective man-stick for your every account you wants me protect! Your woman moan against your amazing he umbrella many time.
They (cyber criminals) almost never get caught and punished. Until we solve the problem of accountability, we will never get rid of the underlying problem.
Hang on... what about the accountability of the software producer? Oh, yeah, the DISCLAIMER in the copyright/license legalese... it passes the responsibility to deal with the effects to the users. So why are the users complaining?
Before you jump on my throat: I reckon the "social cost" of going after hackers would be higher than the cost of the "war on drugs" (even if only because a running software is intangible and the attack vectors are easier to anonymize).
Even more, the "cost of discovering/deterring/preventing the cyber criminals" will be supported from taxes, even if the bug allowing the exploited is caused by the software producer... feels like a great incentive to reduce the cost of quality assurance stages in a software project, by externalizing them to the society... that's what corporations are excellent at, ain't it?
Questions raise, answers kill. Raise questions to stay alive.
... it can't be patched.
I run a Windows 7 computer with auto-updating turned on for both Windows and Java. Every time I boot, I get a message telling me there are Java updates to apply. I click 'Yes' to apply them, and nothing happens. No update, and no error message to give a clue as to why.
Maybe it's an admin privileges thing. But most processes give options to get around that requirement. Java Update doesn't.
So there it is, an unpatched Java installation. I've tried to uninstall it, and that's a similar usability nightmare but long story short, that doesn't work either.
I'm sure Java would be kept a lot more up to date if version 'x' could still run software built when version 'n' was current.
The Java Update notification shows up in the tray (on Windows Vista and XP), you click on it and get an error message to the effect of Java couldn't be downloaded or installed. What I have to do is logout and log back in as the Admin. Now, it would be nice if there were some program in the Programs list were I could click on it and just do an update, or easily bring up the java console - like Windows Update is easy to find and run. With Java, I have to search the web or better yet, bring up a page with a java applet which then brings up the Java console and then I can update - because the auto update sucks.
Now, I understand about the permissions and all that because I have a similar problem with Firefox and other Mozilla programs BUT I can do a "Run As" and run them as an admin and continue with the install - not really a problem. Java, on the other hand, requires an entire new download and then installing - only from the Admin account and digging for the damn Console in the control panel. BTW, the Java icon can only be found in the "Classic" view. And if I, an ex-programmer IT person thinks this is a pain, I wonder how many people get the error and then forget about the update?
tl;dr Updating Java is a pain in the ass if you run your machine under a user account. Java needs an easier way to bring the Java console. And this security problem is Java's fault.
The big security problem with Java software is that you can't differentiate between them since they all run on the jvm. For example, you can't block net access from a Java program in a firewall, because you would have to block the whole jvm.
Few successful Java-related attacks are related to zero-day exploits. Almost all are related to Java security bugs that have been patched for months (or longer),' Grimes writes.
I'd like to see a reliable reference for this.
Would also like to know the impact of "zero month" exploits. Much more relevant, since Java's auto-updater pings once a month.
Personally I only use Java for a handful of local applications, and I always disable the auto-updater attack vector.
Now, it's been a while since I looked into this so don't bite my head off if my information is not current, but last I checked Java had problems with DEP and ASLR and did not opt into them (on Windows). Even if a flaw is not 0-day, it's much easier to attack without DEP and ASLR, so in my opinion that's another reason to heap a high level of scorn upon it. Found this from June 2010: http://secunia.com/gfx/pdf/DEP_ASLR_2010_paper.pdf - not sure if anything has changed with java but I know some of the other apps have switched on DEP and ASLR.
"...I think the Microsoft hatred is a disease." - Linus Torvalds
I haven't had Java installed on my desktop machines in years, and don't seem to be missing out on anything. Some of the less important OpenOffice functions didn't work, but that was about it.
This conclusion doesn't really seem to follow the premise. If the security issue is already-patched exploits being used for attacks, isn't the real issue people not keeping their Java up-to-date with security fixes. We're always quick to jump on Joe Sixpack for not keeping their Windows installation current on hotfixes, or the webserver team for not keeping PHP/Apache/etc behind, how is this any different?
You know what would make this a lot less of a problem? Silent automated updates The Java updater appears often enough to be a nuisance for some (me included), yet Java itself is obscure enough to the end user some don't know what it is, unlike Flash. "What? A new version of Java is available? What's that? Don't click 'install' dear, I've never heard of it, it might be spyware!" I'm sure this happens more often than Oracle thinks.
The problem isn't applying patches. The problems occur when applying the patch causes a mission critical application, or a very critical application to the end user to stop working. The end result is the IT department ends up fielding a ton of phone calls from irate users, and / or getting blamed for the patch, even if they have nothing to do with it.
It is no wonder IT departments are always behind on getting patches rolled out. They need / want to test them.
And if an individual or department have some sort of 3rd party software that is not well defined and IT does not know about, there is no guarantee that they include it in testing.
Basically, patching is strongly needed. But end users get incredibly leery when patching the blasted stuff breaks the application, especially when the patch does not address the end user's prioritization of problems.
I dump java all the time. Try kill -3 `pidof java`
Because we can't do anything. We're helpless (never mind keeping up to date on Java patches). It's all hopeless. We need authority to trace the criminals and possibly take preemptive measures to shut them down and seize their servers.
And then all you do is chase down people sharing Lady Gaga MP3s. Yeah, right.
Have gnu, will travel.
As much as it sucks to have a vendor pushing patches without explicit dialogs/permission, I would argue that the global damage from lack of patches far outweighs the downsides at this point.
This is one area Chrome gets right. Java (along with Firefox, Windows, et al) should automatically download and apply all security patches without prompting or notifying the user in any way unless you go in and manually disable it.
I've seen people see the Windows Update dialog and immediately click cancel. They just see it as another annoying useless dialog box and dismiss it.
Natural != (nontoxic || beneficial)
I have Java installed on my systems, but have the Java plugin disabled in the web browsers I regularly use. I came across exactly one site that required a Java applet to run in the last year or so: a system to book appointments at the local government office. Maybe it's different in the enterprise; the last big company I worked for had some kind of SAP front-end as a Java applet. But for home use Java is no longer necessary on a daily basis.
At least in my web browsers. Can't say I've noticed that anything useful has been affected. Heck, I'm not sure I've seen any affect at all.
Besides, understanding what the real root cause of these Java exploits is has very little bearing on whether I can dump Java. I can choose to dump it regardless of its relative security. On the web, client-side Java tends to make Flash look light and nimble - so I said no thanks to Java some time ago.
#DeleteChrome
But that isn't going to happen as long as we have $600K of Oracle ERP software running in the company.
Swift public punishment of convicted offenders is intended to act as a deterrent for the rest of society. It's not to reform the offender, and it's not to provide justice for the victim or the victims family.
I don't necessarily agree with taking Rousseau's Social Contract to that extreme, but that's the theory in practice in these situations.
-- Terry
there are people who grow up in grinding poverty who would never do anything unethical
then there are assholes like this:
http://en.wikipedia.org/wiki/Leopold_and_Loeb
very intelligent, very rich, and they decided to kill a 14 year old just for the hell of it. why? because evil is real in this world, and it exists independent of poverty, neither as cause nor effect, and independent of stupidity, neither as cause nor effect
class != morality != intelligence
there are poor people who are good
there are dumb people who are rich
there are smart people who are evil
mix and match to your heart's content and please get your simpleminded idiotic way you think about your world out of your head
we punish criminals on PRINCIPLE. it's not about deterrence. it's not about revenge. it's about morality
you'll get it some day, i hope
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
One of the reasons that I can't dump java is because I still use a bunch of software written in java like, say, apps on Android. And don't forget that there are pieces of software like LibreOffice that still have legacy dependencies on java. Sure, LO is working on rewriting those pieces, but it won't happen overnight.
Even if Oracle loses regarding copyright and patents on the Java language, the Java APIs, etc.., they have shown that they regard the Java language as a business bargaining chip and not as an unrestricted computer programming language. Why take the hassle and risk? Just go use someone else's language like Python or Ruby.
With all of the shit that Apache has gotten from Sun/Oracle re: the JCP, Harmony, and the TCK, I'm surprised that they haven't just said that they're going to fork Java. I guess the problem is that (1) Apache doesn't think that they have enough clout to make their fork dominant (or at least viable), and (2) Oracle could just go after the fork with their patents. At this point, I'm not even sure that Apache could get Google onboard for a fork, as that might hurt all of Google's need-for-compatibility claims in the current litigation.
coding is life
...because you need it to run Minecraft. Or am I missing something?
Unfortunately a lot of us have to keep old versions of java around and apps are free to ask for old versions and get them. Java for being "portable" is far far from it every java app only seems to works on a specific range of java versions. You know those fun apps networking kit seems to love. Work with a few different vendors and different version of there firmware and quickly you need a half dozen outdated versions installed.
No sir I dont like it.
I don't think the OP's primary concern was with exploits, but with the general ugliness of java.
Someone had to do it.
Almost all are related to Java security bugs that have been patched for months (or longer),' Grimes writes. 'The bottom line is that we aren't addressing the real problems. It isn't a security bug here and there in a particular piece of software; that's a problem we'll never get rid of.
And so the appropriate thing is to see why in the heck we don't have all software always patched up to date. And the reason for that in Java is that it's bloody stupid updater takes 5 minutes and 10 clicks. Change it to be like Chrome -- background auto-update itself silently* with zero user input (or one click) -- and you'll have 99% of the installs up to date without issue.
To be clear, for the control-freak BOFHs, enterprisey people and hobbyists that actually enjoy computer maintenance, there should be a checkbox in options that says "Disable All Automatic Updating until I uncheck this box". If the user checks it, turn on the webcam and require them to raise their right hand and swear "I AM RESPONSIBLE FOR KEEPING THIS SOFTWARE UPDATED, ANY ILL THAT BEFALLS ME FROM NOT PATCHING IS MY OWN DAMNED FAULT AND I DESERVE IT". Make sure that preference persist between installs.
IOW, I'm not saying everyone has to do automatic silent updating, I'm saying that it should be the default setting unless the user expresses a desire to maintain it updated himself and is appraised of the risk of doing so. Let the user decide, but provide a better default behavior that's appropriate for most users.
One could argue that Java had a place in the horrible 1997 web, with its ridiculous fphover.class FrontPage sites. Everything was awful there, and it fit in nicely. However, it's only a liability these days with respect to browsing.
Java can be quite useful in other forms, like stand-alone applications, but stay the F away from my web browser!
Tools -> Add-ons Manager -> Java Plug-In -> Disable
Sure, that only disables it in the browser, but the interwebs is where this crap is coming from.
Now shut up and let me get back to Minecraft.
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
Add signed 3rd party software repositories to Windows Update and remove the need for all these programs to add their own, often intrusive update processes.
Don't want java? Fine. Don't install and don't add the repos & key.
Want java? No problem add keys and repo and get it updated in a sane manner not an obtrusive installshield app that always seems to fire up when I;m right in the middle of doing something.
This is an area where pretty much every Linux disro wins.
Failing that, an alternative would be an open-source package manager for windows. Bit of a nightmare to make though - as I assume every windows software developer would want you to run their install executable so they can make you accept EULAs etc.
What if I want something more professional than simple PHP?
I am starting a business and was planning on going to Java next year when I need scalability and would host it on Linux. My only other choice is Windows and a IIS/.NET solution and $100,000 in Microsoft licensing fees.
That is a terrible choice if you ask me. Dumping Java? What gives if the alternatives need 3x the amount of hardware and do not work as good? ... and please do not tell me Mono is somehow a serious enterprise solution with no downtime.
Could IBM Java be a way out? Would Oracle go after them or me next?
http://saveie6.com/
Java's main drawback has been it backwards compatibility and the resistance of IT to actually do system updates consistently. It is under the belief that if they update java every java app will break. So they run old outdated version of Java. Patching shouldn't be optional on machines that are exposed to the internet, and yet may IT shops do just that. Java is the problem because it's a single point of failure shared by many systems. If you have 5 java apps they all have the same exploits, and IT fears updating because they don't want things to break. No matter how hard Java works to maintain backwards comparability IT will still be the sniveling update cowards they are.
True... but most exploits are *NOT* zero-day.
File under 'M' for 'Manic ranting'
then, please, do generate this wondrous model which we simpletons cannot... and also please note that whatever your model is, a turing machine will be almost surely be able to simulate it anyway. although i am open to the idea that a different model can emphasize certain aspects which may be useful, i would certainly like to see even a prototype, rather than a lot of hot-air insults of "academics."
"They were pure niggers." – Noam Chomsky
and blackholed the domain even as it loves to reinstall itself. You absolutely don't need it. Maybe 1 thing out of a thousand doesn't work (usually some lame video thing) and nothing is that critical. And the problems you don't have by eliminating it?
Forget the security stuff it's the part where it takes ages to load then hangs is what did it for me. And on a 4-way scsi raid should it really still be slow?
Worthless garbage. Always was, and now it's way way worse.
Need Mercedes parts ?
I prefer C/C++/ObjC/ObjC++ family of programming languages to work with and have in my 3rd party apps. I would really like LibreOffice to dump the need for Java all-together. I don't mind C# with Mono apps but if GNOME switched to Mono and C# for GTK+/GLib I'd dump GNOME all together.
You will never have the accountability dreamt of by the article's author...
Not only are most cases of internet crime so petty that it would be a complete waste of resources to pursue them, but you have a global network with lots of different countries, all with their own set of rules. If someone in a non extradition country is attacking you, what can you do? What if someone is launching their attack from a country where their actions aren't illegal at all? If that's the case then they haven't actually done anything wrong, they are fully complying with the laws that apply in their jurisdiction.
The reason java is a good target is a combination of:
1, it's ubiquitous.. installed everywhere and on 99% of installs its the same code (eg unlike the browser market where there are now 3 major codebases to target)...
2, it's often not updated
the same reasons apply to flash and acrobat..
Issue 1 can be eased by opening up the market to have multiple implementations, much like what happened with web browsers...
Issue 2 is actually microsoft's fault for not providing a decent centralised update system. When i encounter linux or mac users, their java installs are almost always up to date (and if not, theres either an explicit reason or nothing at all is being updated) yet when i encounter windows users that is rarely the case, especially in corporate environments.
Windows encourages kludges like the "java updater", a binary program which runs in the background checking for updates. Such a system is error prone, highly inefficient since you end up with lots of bloated background update checkers for all the different apps you have installed, and utterly useless in an environment where the logged in user doesn't have the necessary privileges to actually apply the update.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Minecraft.
I enjoy large posteriors and I cannot prevaricate.
The big question in the case is who picked a fight with who. The person who called the police and campaigned on behalf of a black homeless person against a white sheriff OR the self proclaimed gangsta nigga (his own nickname). I wouldn't trust the bleeding heart side with this one, they also make much that the HISPANIC guy lived in a gated community, but so did the black guy. Apparently white guy in gated community, racist. Black guy in gated community, victim.
I think it is even odds that Travor wanted to go crazy n* on the dudes as, thinking he could scare him off. In holland a group of youth immigrants formed a gang called the "crazy foreigners" operating on the same method, trying intimidation, knowing any white victim would be wary of standing up to them for fear of racist charges.
We shall see in the court case what both sides claim really happened.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
MS wouldn't be patching 3rd party software (you're right, that'd be crazy). MS would provide a general framework for maintaining installed software which 3rd party vendors could hook into.
Instead of every package implementing its own updater with its own background service and configuration system, they'd be one updater that everyone used which presented updates to the user in a central place. Instead of 10 badly implemented updaters, you'd have one good one.
This is what all linux distributions do and it works pretty well. I expect the win8 app store will do something like this.
The US hosts a fourth of the world's inmates. How are you not there already?
I wish articles like this would clarify what they are talking about, to avoid sensationalist headlines like this. This article, and all recent articles bashing Java, are all talking about java APPLETS and web-browser based Java - which is the INCREDIBLE MINORITY of what the language is used for.
Java is a perfectly fine platform for developing secure, stable, enterprise-grade applications. And really it is one of the only such platforms that is both cross-platform and production ready (no I do not consider .Net + mono to be production ready)
One exception: maybe the Chrome one is decent.
But most of them start updating - making your system/app unusable - exactly when you need the system/app the most (because nobody keeps the computer running at 3am).
So people set it on manual. Additionally, a thousand vendors make a gazillion background auto updater services that run all the time, wasting memory, CPU and IO. Then we find ways to take down those pesky background services too.
And then we forget(or low prioritize) to update. And we are vulnerable.
Lets stop pointing fingers and fix the update system - find ways to make autoupdate smooth, viable and with ZERO disruption to the running system. And make it not optional anymore. Then everyone will be forever up to date.
There should not be a -different- way of updating every different software package I have. There should be one system for doing updates, and each software package hooks into it. I dont care if java has to pay to get distributed by windows update or if we force windows update to cater to java. But these little toolbar popups are crap and everyone knows it. They are a joke, and advertising opportunity that no one believes in. Was that a real update, or did they just want to install their toolbar again? And that goes for Mac update too.
Fix the god damn infrastructure.
That includes offers of new software, or requests for handouts. These are important. And software developers should be apologizing for not getting it right the first time. Not asking for handouts or advertising data. Just fix the damage they did to YOUR computer.
On a scale of 1 to 10(1 least creditable, 10 most) how much does the use of the word "cyber" affect the credibility of the article and/or author with you?
Previously I would stop reading any article that used "cyber", aside from government articles where I was attempting to get a feeling for their train of thought. Now I feel I'm forced to consider that the article may be meaningful and possibly persuasive even with the use of "cyber" which the opera spell check continuously tells me is incorrect.
Add signed 3rd party software repositories to Windows Update
Then what CA would sign the certificates of individual developers of free software for Windows? The only qualification to get Ubuntu to trust the keypair associated with a PPA are that the PPA's operator can 1. receive e-mail at a non-webmail address and 2. operate OpenPGP. Microsoft, on the other hand, has tended to insist on paid certificates from a commercial Authenticode CA, and most major Authenticode CAs that I've investigated issue certificates only to corporations and LLCs, not individual developers.
I assume every windows software developer would want you to run their install executable so they can make you accept EULAs etc.
I thought accepting terms was one of the things that could be done in the debconf step of a dpkg.
every time a website requires flash I launch it on my phone to get a standard HTML version that does not.
From standard HTML and standard JavaScript, how should a web page access the camera and microphone of the machine that the browser is running on (with the user's permission)? For example, how would a JavaScript VoIP app or barcode scanner app work? I've read rumors of a "device API" or "media capture API", but I haven't seen it implemented.
they sometimes feel they need to use non-portable libraries/imports when under pressure by management to "just get it done".
The last time I checked, accessing a USB joystick from a Java program required the use of Jinput, a third-party library containing native code, because Java provides no portable way to access common home PC input devices other than a mouse and keyboard. Libraries to do some form of I/O that Oracle forgot are by their nature non-portable, even if the native back-end is provided for all popular platforms.
Look, Java has issues, just as all software and development tools do. However, when I search for "java exploits" I see *a lot* of microsoft blogs running posts with this them. Is this just astroturfing?
Your pluralses are showing. Are you a Selkie fan?
Back in the day java applets were everywhere.
Today everything is flash or html5. By not having java installed you are not missing out on anything. Hopefully in the not too distant future the same will be true for flash.
Flash and all adobe products are a horrendous failure from a security POV however we still tend to use them because they provide VALUE.
No website in their right mind requires java anymore. By not having it installed I am not missing out on anything. The value to having java installed for me is nill.
Andriod platform is Javas last remaining "killer" app.. Oracle is hard at work doing its level best to kill even that. Nobody wants to use a closed "copyrighted" programming environment. From a technical perspective .NET is superior to java. It has all but erased any inrodes Java had in the enterprise.
This leaves java with what? telecom, academia and niche verticles?
"Instead, we allow almost all cyber criminals to get away with their Internet crime without any penalty."
Why do you never hear about covert CIA flights from China, Russia and Nigeria with a shit load of spammers / scammers / other scum on board?
THAT'S the real problem.
Privacy is terrorism.
but we can still remove java and have less risk right ?
Indeed. I will have to disagree with "security advisor Roger Grimes" and point out that complexity breeds bugs; bugs breed security holes; Java's JIT and supporting libraries are just way too complex for their own good. This problem is made way more severe by Java's closed development model.
Java can be made secure, just not any time soon, not until Oracle gets a clue and opens up the development process.
What exactly is closed about it? You can see the libraries' code, and I'm not sure how the JIT has anything to do with the vulnerabilities being discussed.
Don't get me wrong, I do believe an open development process *can* (not necessarily will) ensure more desirable safety qualities. But what you are doing here is creating an argument for openness with a conclusion that does not follow the premise in a "is/ought" fallacy fashion. Unless you put some tangible "meat" in it, it simply does not follow.
JDownloader is too usefull for me to dump java
The REAL problem, is that there is this culture-of-inertia acceptance of an "update" button, which almost always brings security "fixes".. COMBINED WITH MORE "features", I mean bugs.
Until vendors start offering more options, there's almost no point in updating, from a security standpoint. You're just posponing your hackability.
Your safest means of protection currently, is to only run java from trusted sites.
Vendors need to offer a "just security patches, NO new feature code" auto-update button.
*especially* the java vendor(s)
"so many recent exploits have used Java as their attack vector, "
You guys are sure the increase exploits are not because of the hatred of Oracle in Oracle V. Google? Hmmm... Last year is was /. trolling with Flash since Apple made it's argument. Before that it was AVC (vs Ogg or WebM, cause of Apple, Google, FOSS).
This year it appears to be Java.
Even not considering those politics, most attacks, in Java and all frameworks are due to poor implementation by the appdev.
I pulled Java off of all my systems because of the incessant nagging of updates and the fact is would add 16 versions to the computer rather then updating a single version. I found that anything using Java on a desktop was not useful or missed anyways.
I've also gotten rid of Adobe (service) products for the same reason, ridiculously annoying install nagging and update process and yet another security hole with not much benefit. Silverlight too.
The only reason for a website to use Java technology these days is because "the fossil" a company hired 20 years ago refuses to learn something new.
The only reason for a website to use Flash is because they got a bunch of graphic designers who will crap their pants if they see an actual line of code.
The only reason for a website to use Silverlight is because Microsoft wanted fossils and graphic designers to use their platform instead.
As for updating, FTW would companies please adopt Google's model in Chrome of constant BACKGROUND updating rather then nagging "You have an update!" popup's or explicitly requiring to manually update. I love the fact that the software I am running is known to be current, relevant, stable, and secure without having to do anything but simply use the product.
The best way for a company or technology to become irrelevant is to constantly announce your failures and expect people to invest time and effort to fix them.
I haven't thought of anything clever to put here, but then again most of you haven't either.