Polish Researcher: Oracle Knew For Months About Java Zero-Day
dutchwhizzman writes "Polish security researcher Adam Gowdiak submitted bug reports months ago for the current Java 7 zero-day exploit that's wreaking havoc all over the Internet. It seems that Oracle can't — or won't? — take such reports seriously. Is it really time to ditch Oracle's Java and go for an open source VM?"
But people were still using Oracle's Java? O_o
This is not a sign that you need to start ditching Oracle. The reason more security loopholes are discovered in Oracle's JVM is that it is the most widely used JVM. Other VMs will still have a ton of issues, they just don't get attacked as much (yet).
A similar argument used to be debated years ago with Apple v Microsoft... Apple touted its superior security over MS when in reality, nobody gave a crap about attacking Mac users, who only made up 10% of the market. Once they gained popularity, they started getting hit more as well.
The real scary part is that MS at least takes its security flaws somewhat seriously. Oracle seems to have smugly ignored Mr. Gowdiak. He can now smugly turn around and give them a big "I told you so!"
Capitalism: When it uses the carrot, it's called democracy. When it uses the stick, it's called fascism.
Whatever happened to them? Didn't they at one time have a Java implementation?
I'm not ready to give up on Java. It is not because I think it's the best, I still think C# beats it as a language, but at times when a client requires non-microsoft, it is my only choice for a modern language. Yeah, I know C++11, I've looked at it quite a bit, and it is better than it was, but as long as it needs header files, I don't put it into a modern language category.
So, anyhow, Eclipse seems to have really gone in the dumpster as far as quality lately, and IBM is silent as a Java leader too. Is IBM bailing on Java? I see they have a big new push to virtualization to a level that makes sense, by using a mainframe. Maybe they have (bailed). So what, post-Java, other than C#, is available?
slashdot troll = you make a compelling argument I do not like the implications of.
I'm currently doing my internship at the IT dept. of a joint-municipal group responsible for about 15k Windows computers (mostly for schools, vocational schools and a uni of applied sciences) and today the department heads made the decision to uninstall Java from all machines except those in lab networks disconnected from the outside world.
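An added example of how an administrator could carry out the removal the poster describes; this is not the poster's script or anything from the original thread. It reads the Windows Uninstall registry keys to find Oracle/Sun JRE/JDK entries and, only when run with -Remove, uninstalls MSI-based ones via msiexec. The DisplayName pattern and the assumption that Java 6/7 installers register as MSI products with a GUID key name are assumptions; test on one machine with -WhatIf before pushing it fleet-wide.

```powershell
# Added example (not from the original post): inventory and optionally remove
# Oracle/Sun Java installs on a Windows host. Run as administrator.
# Assumptions: Java 6/7-era installers register under the Uninstall keys with
# names like "Java 7 Update 7" or "Java(TM) 6 Update 33" and a GUID product code.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Collect JRE/JDK entries published by Sun or Oracle (name pattern is an assumption).
$java = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.DisplayName -match '^Java(\(TM\))? \d+ Update \d+' -or
         $_.DisplayName -match '^Java SE Development Kit') -and
        $_.Publisher -match 'Oracle|Sun'
    } |
    Select-Object DisplayName, DisplayVersion, Publisher, UninstallString, PSChildName

if (-not $java) {
    Write-Output 'No Oracle/Sun Java installations found.'
    return
}

# Always report what was found, so the inventory can be collected even without -Remove.
$java | Format-Table -AutoSize

if ($Remove) {
    foreach ($entry in $java) {
        # MSI-based entries use the product code GUID as the key name; msiexec /x
        # with /qn gives a silent, scriptable uninstall.
        if ($entry.PSChildName -match '^\{[0-9A-Fa-f-]+\}$') {
            if ($PSCmdlet.ShouldProcess($entry.DisplayName, 'msiexec /x')) {
                Start-Process -FilePath 'msiexec.exe' `
                    -ArgumentList "/x $($entry.PSChildName) /qn /norestart" -Wait
            }
        } else {
            Write-Warning "Non-MSI entry, remove manually: $($entry.DisplayName) -> $($entry.UninstallString)"
        }
    }

    # A partial uninstall can leave the browser plugin DLLs behind; flag leftover install dirs.
    foreach ($dir in @("$env:ProgramFiles\Java", "${env:ProgramFiles(x86)}\Java")) {
        if ($dir -and (Test-Path $dir)) {
            Write-Warning "Leftover Java directory still present: $dir"
        }
    }
}
```

Usage: `.\Remove-Java.ps1` lists what is installed; `.\Remove-Java.ps1 -Remove -WhatIf` shows what would be uninstalled; `.\Remove-Java.ps1 -Remove` does it. For the lab machines the poster wants to keep Java on, simply don't pass -Remove, or exclude them at the deployment layer.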
It's more accurate to say that Java shouldn't be used on the desktop. And ESPECIALLY not in a browser.
On the server, Java's not bad. (I'd still prefer something else, but I wouldn't fault someone for picking Java.)
On the desktop, I've yet to see a single application written in Java that didn't have huge flaws, even if you ignore the huge flaws in the JRE itself.
Comment of the year
Can you elaborate on what is awful about the Java platform? And no, lack of an open source option is NOT one of the drawbacks since Java has those as well (which is not true of C# btw where the open source alternative is not really operational).
Now, before you jump in realize that I'm not asking about JAVA APPLETS, but about the Java platform.
Go.
Write boring code, not shiny code!
You have a far bigger problem with local apps. The problems are your APIs. You have (presumably) a web server somewhere serving data to your local apps. And every time you will release a new version of your app, you will also release a new version of your API. But you also should remember to keep the old one working, because guess what: Some people will upgrade, and then some will not.
All of a sudden, you have your server and a gazillion apps out there, some more or less buggy than the others.
THIS is the biggest benefit of a web based app, not the reach of the 1205 users of FreeBSD. You have a bug? Fix it. Instantly, no one has a bug anymore. THAT is convenient.
Performance. Flash may be pure hell, but at least it runs, and doesn't bring one's Web browser to a lurching halt like Java does.
JVM hell, where something that works on one JVM may not work 100% on another.
Platform differences. Same JVM might run code on Windows, but will break on a Mac.
Apparent neglect of the platform by Oracle.
Have you worked with C# under the .NET 4.x framework now that they've added Entity Framework to it?
It is so much more efficient than any other data access abstraction I've ever seen. It even makes Hibernate/NHibernate look like a lame hack.
I am able to do extremely complex things with 10% of the amount of code I used to have to write.
Microsoft might be making a LOT of mistakes lately, but Entity Framework is not one of them. I don't know if I'll ever have the patience to use another language again - C# with Entity Framework is that much better.
It really depends on what you're doing. If you're developing a database-backed website, I suspect that the Java solution* would be the quickest to deliver, followed by Python with C/C++ coming in dead last.
*That is assuming that the dev team uses appropriate technologies such as Spring and Hibernate, and not straight Servlets/JSPs/JSFs and JDBC.
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
As someone pointed out in the last story, it is the IE 6 that won't go away, or at least the Cobol of the 21st century.
Every banking site requires it so it can wrap win32 COM objects like Excel spreadsheets for line-of-credit reports that can be cut and pasted using security holes from 1.4.1 or some ancient version. So Java is used for ActiveX-like functionality with no security controls and is a requirement for anyone in finance. Some support Java 6 but have to include some security holes so they can access Windows DLLs for the accountants.
Manpower and Kronos for clocking employees in and out also use Java. Java is still the most widely used language in the world if you check any website.
The irritating thing is not that Oracle won't fix Java and should be liable, but rather that apps and banking sites require such ancient versions of it that only work with XP and are filled with 30 or more security holes.
Many of these accountant laptops just get re-imaged on a weekly basis from infections. These same accountants only look at the cost of upgrading and not the productivity loss.
http://saveie6.com/
Amen to that. As any /. Java comment thread demonstrates, the chief functionality of the Java browser plugin these days is tarnishing the reputation of the entire Java platform and ecosystem.
Doubtless there are still websites out there that need the plugin, but I don't remember the last time I saw one. Definitely time to make it opt-in, not opt-out.
Java is worthless in the browser and I doubt that Oracle cares if it's removed. They might even prefer it.
Rather, Java's worth to Oracle is primarily as an internal tool for creating products/services and secondarily a means for providing easy extensibility and connectivity to developers that code to the interfaces those products expose.
The days of Sun evangelizing Java as the Second Coming and pimping it everywhere they can are over. It's just a means to an end at Oracle.