Slashdot Mirror

← Back to Stories (view on slashdot.org)

Polish Researcher: Oracle Knew For Months About Java Zero-Day

Posted by timothy on from the well-I-mean-oracle-duh dept.

dutchwhizzman writes "Polish security researcher Adam Gowdiak submitted bug reports months ago for the current Java 7 zero-day exploit that's wreaking havoc all over the Internet. It seems that Oracle can't — or won't? — take such reports seriously. Is it really time to ditch Oracle's Java and go for an open source VM?"

3 of 367 comments (clear)

  1. No by ExE122 · · Score: 5, Interesting

    This is not a sign that you need to start ditching Oracle. The reason more security loopholes are discovered in Oracle are because it is the most widely used JVM. Other VMs will still have a ton of issues, they just don't get attacked as much (yet).

    A similar argument used to be debated years ago with Apple v Microsoft... Apple toted it's superior security over MS when in reality, nobody gave a crap about attacking Mac users which only made up 10% of the market. Once they gained popularity, they started getting hit more as well.

    The real scary part is that MS at least takes its security flaws somewhat seriously. Oracle seems to have smugly ignored Mr. Gowdiak. He can now smugly turn around and give them a big "I told you so!"

    --
    Capitalism: When it uses the carrot, it's called democracy. When it uses the stick, it's called fascism.
    1. Re:No by pointyhat · · Score: 5, Interesting

      Dear Blakey Troll,

      Java desktop application guy here

      Last place I worked, I was the lead architect for a real-time patient care system deployed to 120,000 users across 2500 hospital sites around western Europe across Windows, Linux and Solaris platforms.

      It stopped the users' patients from dying, so they are quite happy with it as are their patients. It is incredibly fast (2 orders of magnitude faster than the C++ based MFC native Windows app our competitor was throwing out), it has had no downtime (ever!) by nature of the architecture which must not go down under any circumstance (everything was fully distributed), the UI definitely does not suck and it's certainly not bloated at 52Mb including the JVM (our competitor hit 2Gb including the local SQL server instance installation).

      What do you propose we use instead and how do you propose we start rewriting the 1.9 million lines of code we've already got?

    2. Re:No by pointyhat · · Score: 5, Interesting

      No - you are actually totally clueless here and are just trying to get karma by jumping on the anti-Java bandwagon.

      No our application is not contributing any such risk whatsoever:

      1. We shipped the JVM with the application in its own standalone directory. No applets, no browser plugins. It's launched by a wrapper exe on windows and a script on Linux+Solaris. Basically it runs java[.exe] -jar application.jar. There is no target vector for this exploit.

      2. we ship JVM 1.6 which is not vulnerable.

      3. It uses SWT which looks native on all platforms - look it's not ugly at all: http://www.eclipse.org/swt/