Polish Researcher: Oracle Knew For Months About Java Zero-Day
dutchwhizzman writes "Polish security researcher Adam Gowdiak submitted bug reports months ago for the current Java 7 zero-day exploit that's wreaking havoc all over the Internet. It seems that Oracle can't — or won't? — take such reports seriously. Is it really time to ditch Oracle's Java and go for an open source VM?"
Suck it, bitch.
But still people were using Oracle's Java? O_o
You think Uncle Larry gives a fuck?
No. Now pay him his money.
Mod me down, my New Earth Global Warmingist friends!
It's a ZenZaZhun !!
Pile on the attorneys and litigation.
is there any other way to teach these lazy monopolistic companies anything?
Maybe it's time to ditch Java altogether!
It's way past time.
Oracle probably doesn't care about the use of Java as a client side VM, Oracle is a server company.
But this means that they could in principle split Java into client side and server side concepts and maybe sell off client side Java to somebody who actually gives a shit.
You can't handle the truth.
Seriously, it isn't even like Java is a particularly good language/environment. Frankly, I would rather deal with architecture issues and multiple platforms and just use C/C++ than put up with Java's issues.
Just like with the flash thing, it doesn't matter if YOU ditch it, we need websites to ditch it as well.
As a developer, I'm glad I abandoned Java after testing it out with some of my college courses (which was really due solely to swing).
As a Sys Admin, the Sun JVM kept wanting updates, and updates kept breaking applications... I liked the Microsoft JVM, and I extracted it from XP SP1 after it got yanked from SP1a, so that I could keep using it (albeit only for a short period of time).
Microsoft's JVM never seemed to cause me the problems that Sun's did... I was hopeful that Oracle's purchase would improve the problems that I'd experienced before... since that's not going to happen, I vote for Microsoft to get back into the JVM business.
The saddest day of my life was the day I found out Sun was selling java to oracle.
This is the programming language that still bundles the "Ask Toolbar" crapware with their installer. Nuff said.
As a developer, I totally understand the problems with holding software developers liable for security vulnerabilities. But when it comes to cases like this, I can't help but think there should be some legal liability for mega-corporations knowingly distributing vulnerable products.
Bogtha Bogtha Bogtha
This is not a sign that you need to start ditching Oracle. The reason more security loopholes are discovered in Oracle's is because it is the most widely used JVM. Other VMs will still have a ton of issues, they just don't get attacked as much (yet).
A similar argument used to be debated years ago with Apple v Microsoft... Apple touted its superior security over MS when in reality, nobody gave a crap about attacking Mac users, which only made up 10% of the market. Once they gained popularity, they started getting hit more as well.
The real scary part is that MS at least takes its security flaws somewhat seriously. Oracle seems to have smugly ignored Mr. Gowdiak. He can now smugly turn around and give them a big "I told you so!"
Capitalism: When it uses the carrot, it's called democracy. When it uses the stick, it's called fascism.
Whatever happened to them? Didn't they at one time have a Java implementation?
I'm not ready to give up on Java. It is not because I think it's the best, I still think C# beats it as a language, but at times when a client requires non-microsoft, it is my only choice for a modern language. Yeah, I know C++11, I've looked at it quite a bit, and it is better than it was, but as long as it needs header files, I don't put it into a modern language category.
So, anyhow, Eclipse seems to have really gone in the dumpster as far as quality lately, and IBM is silent as a Java leader too. Is IBM bailing on Java? I see they have a new big push to virtualization to a level that makes sense, by using a mainframe. Maybe they have (bailed). So what post-Java, other than C#, is available?
slashdot troll = you make a compelling argument I do not like the implications of.
But Oracle's VM is OpenJDK, right? Why not just fork it and maintain an updated, patched version?
Yes
and one of the key reasons android blows
This is why reporting bugs to the software developers is stupid. Post the bug into the public, so they have no choice but to upgrade. Corporations are run by people who want to spend as little as possible to make as much money as possible. They won't patch bugs unless they are forced. They need to be forced.
Be seeing you...
Unless an SVP gets involved, it's unlikely that it will be rushed.
Really. When did this happen? The claim that Microsoft has more viruses because they have more market share is patently ridiculous, if only because Linux has a huge market share on the targets that hackers really want, to wit servers. It is a classic myth pulled out of the ether by people who have no understanding of security. The fact which every security expert knows is that you can't layer security on; it needs to be designed in from the ground up. Microsoft has always been more concerned about making money than anything else, and only began to take security seriously when it started to affect their bottom line (i.e. after the fact, rather than from the ground up.) This is the reason why Windows hosts well over 90% of the exploits, and for no other reason.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Why not run the java interpreter on a java interpreter written in java, running on a java interpreter written in java?
This would give the advantage of layering, and a HUGE speed increase, since everyone knows Java is faster than C/C++.
Think of the security and speed advantages!
I, for one, got rid of all Java from my machine a long time ago. I think that everyone at slashdot did that too. You don't know how angered I am when my set-top box has some problems (e.g. today it stopped sending audio over HDMI, I needed to set it to standby and wake it up again) or when I got my Kindle today. Both are in Java. Unfortunately.
Seems to me that it's the fast and loose operating system allowing such easy penetration like a drunk whore that's the problem.
“He’s not deformed, he’s just drunk!”
Yeah, I know C++11, I've looked at it quite a bit, and it is better than it was, but as long as it needs header files, I don't put it into a modern language category.
This is the most bizarre statement I've seen here today. Can you explain your reasoning?
Note to ACs: I won't mod you up, even if you are being funny or insightful. So take a chance! It's not real life!
ImageJ is a wildly popular image processing toolkit written in Java. Users are able to write their own plugins as .jar files, and thanks to that, there are loads of plugins for doing every image transform imaginable.
Same old jokes and criticisms. Reading these posts, you'd think Java was relegated to driving outhouse fans in Siberia and not the #3 language by popularity in the world.
That being said, the Java *browser* vulnerabilities need to be taken far more seriously. The only exploit that I know I've been hit by was through an unpatched Java install and it was nasty; as in rebuild my laptop from the ground up nasty.
I swear to God...I swear to God! That is NOT how you treat your human!
Simply put, we plan and expect bullshitting for 2 hours a day at work. Facebook is frowned upon, but reading tech sites and the news is listed as appropriate things to do on work time. We also encourage crashing other people's cubes and telling stories about other things you've done in related fields.
I am not a web developer, and haven't worked as one since the dot com bubble (doh, the first one in the 90s, not the social media meltdown that's going on right now). Back then you could make a clear case that Java was absolutely necessary.
What about today? Can we do without it? I run with no-script on all the time, and only occasionally have to enable something, it hardly ever breaks web pages these days.
I don't think that word means what you think it means
As someone pointed out in the last story, it is the IE 6 that won't go away, or at least the Cobol of the 21st century.
Every banking site requires it so it can wrap win32 COM objects like Excel spreadsheets for lines-of-credit reports that can be cut and pasted, using security holes from 1.4.1 or some ancient version. So Java is used for ActiveX-like functionality with no security controls and is a requirement for anyone in finance. Some support Java 6 but have to include some security holes so they can access Windows DLLs for the accountants.
Manpower and Kronos for clocking employees in and out also use Java. Java is still the most widely used language in the world if you check any website.
The irritating thing is not that Oracle won't fix Java and should be liable, but rather that apps and banking sites require such ancient versions of it that only work with XP and are filled with 30 or more security holes.
Many of these accountant laptops just get re-imaged on a weekly basis from infections. These same accountants only look at the cost of upgrading and not the productivity loss.
http://saveie6.com/
The US Patent and Trademark Office (USPTO) requires Java in order for outside users (such as patent agents and attorneys) to access their files on the USPTO servers. They have been warning for months that their systems are not compatible with Java 7, and only work with earlier versions of Java.
This is a big pain, since it forces you to keep your entire system at Java 6.X. Earlier I thought that this delay was mere bureaucratic foot dragging. Now I'm thinking that perhaps they had a "heads up" warning.
If you find a security 'sploit in Java, test in OpenJDK/IcedTea and report it to the security teams at Red Hat, Ubuntu and Debian. They are rather less likely to sit on it for months. I notice a fix in OpenJDK came through in Ubuntu this morning.
http://rocknerd.co.uk
It's not a zero day if it was privately submitted over a month before. Zero Day means "a previously unknown vulnerability". It just wasn't public, so they didn't have as much urgency in fixing. Just stop calling it a zero day bug if the developers knew about it beforehand.
-- these are only opinions and they might not be mine.
I know they are referring to an open source Java Machine.. but using a term like "open source VM" is kind of unclear. Especially when oracle has both Virtualbox and a product called "Oracle VM" http://www.oracle.com/us/technologies/virtualization/overview/index.html?origref=http://duckduckgo.com/post2.html
What are we going to do tonight Brain?
It has nothing to do with "Java as a JVM and language" but everything to do with the silly browser plugin, which nobody should be using in the first place.
Oracle is a huge organisation. I mean mindbogglingly huge (think planet Vogon). There is a lot of red tape that you have to cut to get anything done, and in 4 months they're probably still scheduling meetings to figure out if it should be fixed, and when, and by whom. Unless an SVP gets involved, it's unlikely that it will be rushed.
Perhaps they should, you know, have a department dedicated to handling these kinds of things in a timely manner then?
Oh, don't worry, it's in the works -- the planning meeting for starting the process of organizing to set up such a department is scheduled for early 2013.
"What in the name of Fats Waller is that?"
"A four-foot prune."
IANAL, so I have to ask. If the company *knows* their software has a security hole, and intentionally disregards it, do they then become liable for some or all of the damages?
I have to imagine that if they were seriously trying to fix this, and it was just taking a while that there would not be such an outcry. Would it be necessary in the suit to prove that they are ignoring the problem?
Sorry OP, time to stop using Java as a serious development language and consider it damaged. Java is the worst part of Android as well as the worst part of pretty much all mobile devices. Java was promising for certain things, but honestly the future is just ECMAScript JIT for everything that isn't native compiled.
Java is worthless in the browser and I doubt that Oracle cares if it's removed. They might even prefer it.
Rather, Java's worth to Oracle is primarily as an internal tool for creating products/services and secondarily a means for providing easy extensibility and connectivity to developers that code to the interfaces those products expose.
The days of Sun evangelizing Java as the Second Coming and pimping it everywhere they can are over. It's just a means to an end at Oracle.
My suggestion to look for an alternative VM was because of how Oracle deals with the vulnerabilities. It's not about how bad the VM is, because given all alternatives, it's one of the best out there in terms of features, stability and performance.
When you deal with large amounts of software, several platforms and millions of people using it, you are going to get bugs. Nasty, insecure, application breaking bugs. Given the same quality of code, what differentiates the good from the bad vendors, is how they deal with those bugs. Oracle seems to default to dealing with grave security problems by keeping the submitters and their end users in the dark and not fixing them for over 3 months, even though their release cycle is every three months. I consider that to be bad.
If this 0-day didn't get the exposure it got, we would all probably be still vulnerable to it for who knows how long. We know about this vulnerability, but Gowdiak reported more. There are more people like Gowdiak. Statistically speaking, chances are probably very close to 100% that Oracle is sitting on more known severe 0-day bugs that they haven't fixed for many many months.
If that is Oracle's policy, they have a dangerous VM and it will remain dangerous until they either change the policy, or it gets replaced by an alternative. That's why I think that people that choose to use Java for who knows what reason, should seriously consider looking at alternatives for the Oracle Java VM.
I was promised a flying car. Where is my flying car?
Proving that they intentionally disregarded it when they have a fix planned for the October update would be pretty difficult. I don't think you can charge a company with a crime because they have a 4-month patch cycle. Instead I would like to see browser vendors make a move to block the Java plugins by default and require explicit user activation to enable them on a 1-time-use basis (obviously with advanced options to fine tune this behavior). If Oracle doesn't want to update Java frequently fine, but someone needs to protect the users if it's not Oracle.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
This is the programming language that still bundles the "Ask Toolbar" crapware with their installer. Nuff said.
It asks you whether you want to install the Ask Toolbar, defaulting to yes, of course, every time you install a security update.
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
I suspect you're thinking of Javascript, which is wholly unrelated to Java. That's a completely different language, originally and generically called ECMAScript. One brand of ECMAScript was renamed "Javascript" just to make it sound like Java.
In fact, Java and Javascript are no more related than Susan Smith and Will Smith.
..the security implications of your fat client approach ?? Dick and Joe have a direct SQL connection to the corporate database ? If they bring John D. Criminal into their office he will run Wireshark, extract the database password and then mess with your database. He won't do "drop table XX", he will instead do something like "update accounts set outstanding = outstanding + 17 where customer_id > 170000 and customer_id < 175000". That will destroy the integrity of your database without you realizing it immediately. So the corrupted stuff will be backed up nightly and three months later you will only smell lots of shit, but you will not know where and when it came from. Fat clients are the dumbest idea you can think of.
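The integrity damage this comment describes (a direct UPDATE on account balances that never goes through the application) is something a defender can catch with a reconciliation check against an append-only ledger. The following is an added example, not code from the thread or from any poster: it builds a constructed SQLite database in memory, posts one legitimate transaction, reproduces the quoted bulk update so the check has something to find, and reports every account whose balance disagrees with its ledger total. The table names `accounts` and `ledger`, their columns, and the sample customer ids are assumptions.

```python
"""Added example (not from the thread): ledger reconciliation to detect
silent balance tampering.  In-memory SQLite, constructed sample data;
all table/column names are assumptions."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create a constructed `accounts` table plus an append-only `ledger`.

    `accounts.outstanding` is the balance that anyone holding the DB
    password can overwrite directly; `ledger` is what legitimate
    business transactions write to, so it is the source of truth.
    """
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE accounts (customer_id INTEGER PRIMARY KEY,
                               outstanding REAL NOT NULL);
        CREATE TABLE ledger (customer_id INTEGER NOT NULL,
                             amount REAL NOT NULL,
                             memo TEXT NOT NULL);
        """
    )
    # constructed customers on both sides of the id range in the comment
    rows = [(169999, 100.0), (170001, 250.0), (172000, 0.0),
            (174999, 80.0), (175001, 30.0)]
    con.executemany("INSERT INTO accounts VALUES (?, ?)", rows)
    con.executemany("INSERT INTO ledger VALUES (?, ?, 'opening balance')", rows)
    con.commit()
    return con


def post_transaction(con: sqlite3.Connection, customer_id: int,
                     amount: float, memo: str) -> None:
    """A legitimate posting writes the ledger AND the balance in one txn."""
    with con:
        con.execute("INSERT INTO ledger VALUES (?, ?, ?)",
                    (customer_id, amount, memo))
        con.execute("UPDATE accounts SET outstanding = outstanding + ? "
                    "WHERE customer_id = ?", (amount, customer_id))


def simulate_tampering(con: sqlite3.Connection) -> None:
    """Reproduces the update quoted in the comment: balances drift,
    ledger untouched.  Here only so the check below has something to catch."""
    with con:
        con.execute("UPDATE accounts SET outstanding = outstanding + 17 "
                    "WHERE customer_id > 170000 AND customer_id < 175000")


def reconcile(con: sqlite3.Connection) -> list:
    """Return (customer_id, balance, ledger_total) for every account whose
    stored balance disagrees with the sum of its ledger entries."""
    cur = con.execute(
        """
        SELECT a.customer_id,
               a.outstanding,
               COALESCE(SUM(l.amount), 0) AS ledger_total
        FROM accounts a
        LEFT JOIN ledger l ON l.customer_id = a.customer_id
        GROUP BY a.customer_id
        HAVING ABS(a.outstanding - COALESCE(SUM(l.amount), 0)) > 0.005
        ORDER BY a.customer_id
        """
    )
    return [(cid, bal, total) for cid, bal, total in cur]


def demo() -> tuple:
    """Run the scenario end to end; returns (before, after) discrepancy lists."""
    con = build_db()
    post_transaction(con, 172000, 40.0, "payment posted")
    before = reconcile(con)      # legitimate activity: no discrepancies
    simulate_tampering(con)
    after = reconcile(con)       # the three ids inside the range show up
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

Run nightly against the database (or against the backup before it is rotated) and the drift surfaces the next morning rather than three months later; the check is cheap because it is a single GROUP BY over the two tables.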
As efficient as C++ with the same memory-safety assurances as Java or C#: http://sourceforge.net/projects/sappeurcompiler/
Or, take a look at Lazarus and disregard the "Pascal is outdated" B$. Very fast compilation, efficient execution. Quick development/debug cycles. Great IDE.
And what about on Android devices. Since Android is basically a Java based technology.
-- I ignore anonymous replies to my comments and postings.
Tuxedo Server has been around since the 1980s and is the C/C++ analog to JEE servers. From my understanding it started out for use with C and COBOL and then C++ to solve the same issues JEE back end containers are meant to solve. I have seen it used with other languages as well (as clients) including Visual Pascal, Visual Basic, and Visual C++, as well as tying into JEE systems and other web based clients. It started with AT&T, moved to BEA, which was then bought by Oracle. So you have come back full circle to the Oracle conundrum. And it isn't open source and it isn't free. But it works very well and scales massively. I have seen it run systems that handle tens and hundreds of millions of customer accounts, and highly complex and incredibly high volumes of transactions.
Aren't repeated letters to a manufacturer, that remain ignored, evidence of "ignoring the problem"? As far as the "patch cycle" goes, can they really get away with "it's only caused infected or hijacked PCs for a third of a year, that's neither a significant amount, nor our responsibility"? That appears to be how this played out, to me...
You're going to have to prove that they ignored the problem internally, rather than simply not sending a reply to the letter. I don't reply to every bug report, but I still fix them. Considering that they already released a patch for this issue yesterday though, it sounds like a moot point. Obviously they didn't ignore it.