Slashdot Mirror
Polish Researcher: Oracle Knew For Months About Java Zero-Day
dutchwhizzman writes "Polish security researcher Adam Gowdiak submitted bug reports months ago for the current Java 7 zero-day exploit that's wreaking havoc all over the Internet. It seems that Oracle can't — or won't? — take such reports seriously. Is it really time to ditch Oracle's Java and go for an open source VM?"
You think Uncle Larry gives a fuck?
No. Now pay him his money.
Mod me down, my New Earth Global Warmingist friends!
It's a ZenZaZhun !!
So your business model is:
1) Ditch Java
2) ???
3) Profit!
You and the underpants gnomes should hook up!
Mod me down, my New Earth Global Warmingist friends!
Maybe it's time to ditch Java altogether!
Yes, I'll switch to Scala. It will run on my Java web server and allow full access to Java class lib ... oh wait!
Seriously, it isn't even like Java is a particularly good language/environment. Frankly, I would rather deal with architecture issues and multiple platforms and just use C/C++ than put up with Java's issues.
Just like with the flash thing, it doesn't matter if YOU ditch it, we need websites to ditch it as well.
This is the programming language that still bundles the "Ask Toolbar" crapware with their installer. Nuff said.
As a developer, I totally understand the problems with holding software developers liable for security vulnerabilities. But when it comes to cases like this, I can't help but think there should be some legal liability for mega-corporations knowingly distributing vulnerable products.
Bogtha Bogtha Bogtha
I mean, it is hard to run a business if you aren't running a profit and generating income.
This is not a sign that you need to start ditching Oracle. The reason more security loopholes are discovered in Oracle are because it is the most widely used JVM. Other VMs will still have a ton of issues, they just don't get attacked as much (yet).
A similar argument used to be debated years ago with Apple v Microsoft... Apple toted it's superior security over MS when in reality, nobody gave a crap about attacking Mac users which only made up 10% of the market. Once they gained popularity, they started getting hit more as well.
The real scary part is that MS at least takes its security flaws somewhat seriously. Oracle seems to have smugly ignored Mr. Gowdiak. He can now smugly turn around and give them a big "I told you so!"
Capitalism: When it uses the carrot, it's called democracy. When it uses the stick, it's called fascism.
Whatever happened to them? Didn't they at one time have a Java implementation?
I'm not ready to give up on Java. It is not because I think it's the best, I still think C# beats it as a language, but at times when a client requires non-microsoft, it is my only choice for a modern language. Yeah, I know C++11, I've looked at it quite a bit, and it is better than it was, but as long as it needs header files, I don't put it into a modern language category.
So, anyhow, Eclipse seems to have really gone in the dumpster as far as quality lately, and IBM is silent as a Java leader too. Is IBM bailing on Java? I see the have a new big push to virtualization to a level that makes sense, by using a mainframe. Maybe they have (bailed). So what post java, other than c#, is available?
slashdot troll = you make a compelling argument I do not like the implications of.
But Oracles VM is OpenJDK right? Why not just fork it and mantain an updated patched version?
Yes, actually, it does. Everything we do has a business case attached. The level of effort we put into the business case is proportional to the money involved, but yes, we do a business case analysis for each decision. With decent mentoring, it teaches your employees to think about the second order affeects of decisions. Risks and assumptions are clearly stated, and it's very easy to defend risks that didn't work out, since they've already been defended. Good for everyone.
Yes
The saddest day of my life was the day I found out Sun was selling java to oracle.
WHAT? Oracle bought Sun, Sun are gone. Java was part of the deal/
Sure, but some actions are taken to minimize cost centers.
Like cleanup after a security breach.
Ditch Java applets entirely.
Go green: turn off your refrigerator.
What hokey coded-overnight-while-drunk were you running, that routine JVM updates broke things?
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
This is why reporting bugs to the software developers is stupid. Post the bug into the public, so they have no choice but to upgrade. Corporations are run by people who want to spend as little as possible to make as much money as possible. They won't patch bugs unless they are forced. They need to be forced.
Be seeing you...
Unless an SVP gets involved, it's unlikely that it will be rushed.
Indeed.
Microsoft, Mozilla, Google, and Apple should all be seriously considering enacting the death penalty after this latest exploit. These browsers should be actively blocking the Java plugin by default. Java applets have outlived their usefulness and now are good for little else besides drive-by exploits.
Really? In what way? Specifics, man!
According to my info, it has some Java, but it is mostly C, C++ and Python and is based on the Linux kernel.
Really. When did this happen? The claim that Microsoft has more viruses because they have more market share is patently ridiculous, if only becaue Linux has a huge market share on the targets that hackers really want, to wit servers. It is a classic myth pulled out of the ether by people who have no understanding of security. The fact which every security expert knows is that you can't layer security on; it needs to be designed in from the ground up. Microsoft has always been more concerned about making money than anything else, and only began to take security seriously when it started to affect their bottom line (i.e. after the fact, rather than from the ground up.) This is the reason why Windows hosts well over 90% of the exploits, and for no other reason.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Any software written by ADP?
I'm pretty sure Apple (a) doesn't include Java by default and (b) even once you install it, they make you jump through hoops to allow it in the browser/applet context. I seem to recall them being called evil for making those decisions a while back.
The CB App. What's your 20?
Everything we do
I'd like to see the formal business case you made for posting on Slashdot.
No.. I think his business model is: .NET one of assuredly many other available VMs
1) Ditch Java
2) Use mono or LLVM or
3) Profit!
Not too extreme really..
Mono sucks and is inferior to OpenJDK .NET
LLVM is awesome but a different technology all together
LOL @
Mod me down, my New Earth Global Warmingist friends!
And if you have not used Java in 30 days, Apple disables it in the browser. (At least Java 6 and I believe any Java version). :-)
e.g., see http://www.christopherprice.net/making-sense-of-oracle-java-7-for-os-x-2119.html
Networking is good.
Why is it so hard to only have politicians for a few years, then have them go away?
WAY back in the day, the company I work for paid a LOT of money for a technology known as "Arcot WebFort" which was some sort of secure login technology. There was a client-side (browser) applet that managed a "wallet" which contained some sort of keys that let you log into the website. If your "wallet" didn't have a key for the site you were logging into, you had to answer a bunch of questions, etc. It was shit, and we knew it even then, but the investors liked the shiny logos.
We found that the browser applet stopped working after some particular update. This was back in the 1.2 or 1.3 days, I believe. The client needed a very specific version, 1.2_35_b41 or some confusing version number (hey, it's been over a decade now...), or the applet would simply never create the wallet, appearing to be hung. Well, we decompiled that thing, and it was failing to create a random number for some strange reason on other versions of the JVM, so we wrote in a quick fix, recompiled it, and off we went.
Posting anonymously for obvious reasons.
Amen to that.
Karma: Poor (Mostly affected by lame karma-joke sigs)
I, for one, got rid of all Java from my machine a long time ago. I think that everyone at slashdot did that too. You don’t know how angered I am when my set-top box has some problems (eg. today it stopped sending audio over HDMI, I needed to set it to standby and wake it up again) or when I got my Kindle today. Both are in Java. Unfortunately.
!? Java is basically the only language you can seriously use to write apps on Android. The NDK? It's awful. I love Android but I seriously hate Java. As a language it's terrible, and anyone who says otherwise needs to pull their head out of their ass and play with some other languages. What's awesome about Java is the JVM... which is basically just an open standard. It doesn't necessarily need to run Java code just Java *bytecode*. There are some fantastic alternatives that run on the JVM too, like Scala (and in sort of a different way JRuby). Unfortunately Scala on Android isn't so mature and is a nightmare to get working or really use.
Not fully supporting the NDK is one of the biggest things that pisses me off about Android. I'd drop Java in a heartbeat for C++ if the NDK was decent. Google would do well to start supporting some scripting languages natively too - there's a reason there are so many projects trying to make platforms in Python and Ruby for Android, but they all end up half assed or running out of time/money and they start going non-free.
Seriously Google, give us some alternatives. Java is the absolute worst part of Android.
Is that a Gosling quote from when he says Ruby is inferior without actually knowing anything about Ruby and just making shit up, or is it from the time when he claimed non-optimized Java bytecode will run faster than hand optimized ASM on ARM?
Oh, and while I'm here let me just give a shout out to James: Hey James! Fucking die!
Yeah, I know C++11, I've looked at it quite a bit, and it is better than it was, but as long as it needs header files, I don't put it into a modern language category.
This is the most bizarre statement I've seen here today. Can you explain your reasoning?
Note to ACs: I won't mod you up, even if you are being funny or insightful. So take a chance! It's not real life!
No it doesn't. And the goal of every action is certainly not profit.
There was no business decision being made when I had peach with my breakfast instead of grapefruit this morning. There was no profit when we played Alhambra last night instead of Carcassonne.
ImageJ is a wildly popular image processing toolkit written in Java. Users are able to write their own plugins as .jar files, and thanks to that, there are loads of plugins for doing every image transform imaginable.
Posting anonymously is not networking.
Maybe it's time to ditch Java altogether!
Can I keep LibreOffice if I remove Java completely?
Calm down... You can keep it - sure. ;-)
(Whether it still works is another question.
Same old jokes and criticisms. Reading these posts, you'd think Java was relegated to driving outhouse fans in Siberia and not the #3 language by popularity in the world.
That being said, the Java *browser* vulnerabilities need to be taken far more seriously. The only exploit that I know I've been hit by was through an unpatched Java install and it was nasty; as in rebuild my laptop from the ground up nasty.
I swear to God...I swear to God! That is NOT how you treat your human!
It is if your name is Anonymous.
Why is it so hard to only have politicians for a few years, then have them go away?
I am not a web developer, and haven't worked as one since dot com (doh, first one in the 90s, not the social media meltdown that going on right now) bubble. Back then you could make a clear case that java was absolutely necessary.
What about today? Can we do without it? I run with no-script on all the time, and only occasionally have to enable something, it hardly ever breaks web pages these days.
I don't think that word means what you think it means
Everything we do has a business case attached
I'd like to see the formal business case you made for posting on Slashdot.
Well, it was originally a 78 page densely-written scenario analysis document circulated four weeks ago to more than 20 executives and managers. They liked it, so I was authorized to spend a week making 45 slides to reinforce the case, and these were presented two weeks ago to a specially selected focus group of at least 30 managers and engineers. We discussed it for a whole day at the meeting. There were lots of fancy headings, beautiful fonts, pie charts, animations, etc., and I got excited and did a lot of arm-waving which helped persuade the focus group to pass the business case onwards. I'm not sure which team they passed it to, but our processes must be streamlined, because it already got approved today, which was pretty fast.
Anyway here it is, reduced disgracefully down to a single paragraph:
"By encouraging all businesses to waste effort making business cases to justify every decision (including trivial ones), we can cripple our competitors in terms of costs (their management overheads skyrocket), reaction time (all their decisions get delayed), and flexibility (they must omit/neglect some possible decisions). Posting as an AC on Slashdot will advance this goal."
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
As someone pointed out in the last story it is the IE 6 that wont go away, or at least the Cobol of the 21st century.
Every banking site requires it so it can wrap win32 com objects like excel spreadsheets for lines of credit reportsthat can be cut and pasted using security holes from 1.4.1 or some ancient version. So java is used to activeX like functionality with no security controls and is a requirement for anyone in finance. Some support java 6 but have to include some security holes so they can access windows dlls for the accountants.
Manpower and Kronos for clocking employees in and out also use Java. Java is still the most widely used language in the world if you check any website.
The irritating thing is not that Oracle wont fix java and should be liable, but rather apps and banking sites require such ancient versions of it that only work with XP and are filled with 30 or more security holes.
Many of these accountant laptops just get re-imaged on a weekly basis from infections. These same accountants only look at the cost of upgrading and not the productivity loss.
http://saveie6.com/
The US Patent and Trademark Office (USPTO) requires Java in order for outside users (such as patent agents and attorneys) to access their files on the USPTO servers. They have been warning for months that their systems are not compatible with Java 7, and only work with earlier versions of Java.
This is a big pain, since it forces you to keep your entire system at Java 6.X. Earlier I thought that this delay was mere bureaucratic foot dragging. Now I'm thinking that perhaps they had a "heads up" warning.
It goes more like this:
1) ???
2) Ditch Java
3) Profit!
Maybe it's time to ditch Java altogether!
Can I keep LibreOffice if I remove Java completely?
Calm down... You can keep it - sure. (Whether it still works is another question. ;-)
IIRC, Java's only used for LibreOffice Base - the rest will work fine without it.
No colour or religion ever stopped the bullet from a gun
Um, could you forward me those slides?
The soylentnews experiment has been a dismal failure.
If you find a security 'sploit in Java, test in OpenJDK/IcedTea and report it to the security teams at Red Hat, Ubuntu and Debian. They are rather less likely to sit on it for months. I notice a fix in OpenJDK came through in Ubuntu this morning.
http://rocknerd.co.uk
It's not a zero day if it was privately submitted over a month before. Zero Day means "a previously unknown vulnerability". It just wasn't public, so they didn't have as much urgency in fixing. Just stop calling it a zero day bug if the developers knew about it before hand.
-- these are only opinions and they might not be mine.
I know they are referring to an open source Java Machine.. but using a term like "open source VM" is kind of unclear. Especially when oracle has both Virtualbox and a product called "Oracle VM" http://www.oracle.com/us/technologies/virtualization/overview/index.html?origref=http://duckduckgo.com/post2.html
What are we going to do tonight Brain?
Unlike OpenOffice.org, LibreOffice has been intentionally trying to reduce or remove Java dependencies. (I don't know whether it's because they're worried about Oracle too, or for some other reason, like "why would an office suite need Java anyway?".)
(1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
I was referring to Android, the OS, that the AC was blasting, not the development kit(s).
I have not tried to develop for the Android because I was so disauded by others by the very issues you bring up.
Oracle is a huge organisation. I mean mindbogglingly huge (think planet Vogon). There is a lot of red tape that you have to cut to get anything done, and in 4 months they're probably still scheduling meetings to figure out if it should be fixed, and when, and by whom. Unless an SVP gets involved, it's unlikely that it will be rushed.
Perhaps they should, you know, have a department dedicated to handling these kinds of things in a timely manner then?
Oh, don't worry, it's in the works -- the planning meeting for starting the process of organizing to set up such a department is scheduled for early 2013.
"What in the name of Fats Waller is that?"
"A four-foot prune."
IANAL, so I have to ask. If the company *knows* their software has a security hole, and intentionally disregards it, do they then become liable for some or all of the damages?
I have to imagine that if they were seriously trying to fix this, and it was just taking a while that there would not be such an outcry. Would it be necessary in the suit to prove that they are ignoring the problem?
They all just say "Synergy" over and over...
1) Profit
2) Java
3) Ditch
4) ???
Java is worthless in the browser and I doubt that Oracle cares if it's removed. They might even prefer it.
Rather, Java's worth to Oracle is primarily as an internal tool for creating products/services and secondarily a means for providing easy extensibility and connectivity to developers that code to the interfaces those products expose.
The days of Sun evangelizing Java as the Second Coming and pimping it everywhere they can are over. It's just a means to an end at Oracle.
Seriously Google, give us some alternatives. Java is the absolute worst part of Android.
Indeed. I'm finding it's particularly bad for game development where you want to avoid continuously allocating objects on the heap. So if you need to continuously call some mathematical function from the game loop that uses a temporary vector as part of the calculation, this is an issue. How do you create this temporary vector? If we create a new one in the function, it will go on the heap, so we don't want to do that. You could have some module-level variable that the function uses, but that's rather messy. I ended up having to make an object caching system. When a function needs a vector, I pop one off the global vector cache, do the calculations, then push it back. This is messy and dangerous in its own way too though.
In C# you could just implement the vector as a struct, since structs go on the stack rather than the heap (and in C++ you can put what you like on the stack). C# stucts have value semantics too, which I think is an added bonus for something like a mathematical vector. Java is quite crippled in this respect. Another annoyance I immediately found with Java is that you can't pass parameters by reference. Why does Java have such a restriction? Even Visual Basic 6 could pass by reference. It's not that often that I want to pass a parameter by reference, but sometimes you really need to.
I also made the mistake of trying to use Generics in Java. I knew ahead of time that due to type erasure, there would be no performance improvement, but I didn't quite realise how crippled the Generics were. I first noticed this when trying to declare an array of a generic type. This does not work due to type erasure. Java Generics really is a train wreck.
It's a shame C# is so strongly tied to windows (and Microsoft) because it's one of the most advanced modern languages there is. Compared to Java, it really is a joy to use. It doesn't get in the way of what you want to do.
Amazon did it for a couple of years. So did E-Bay. They had income, but no profit.
All you need is enough venture capitalists to keep you going until you hit critical mass.
"If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
More like
1) Ditch Java
2) Prevent potential catastrophic loss
3) Profit!
Have they removed the pop ups yet? The last time I installed LO it complained left and right because the system didn't have Java on it, one of the reasons I don't ever install LO the traditional way anymore, I just go to Ninite and use their fully automated install for LO along with any other must have software the user needs, no bitching about Java with Ninite and no Java install either, double good.
ACs don't waste your time replying, your posts are never seen by me.
Let me try and sum that up for you: Java lacks a lot of language level functionality and has an over-simplified object and instance model which means you need to write massive blocks of code with the sole purpose of implementing functionality that's immediately available in other languages.
Oh man don't even get me stated on this. I've written hundreds of lines of code in Java to mimic functionality that can be achieved with a single operator with Ruby. Java has so many weird quirks too, like the fact that you can't compare a string object and a string literal with ==... I mean I get it for obejct comparison but seriously, how often do you compare string objects with other string objects to determine if they are the same object instance? I've done that... never. How about at least allowing operator overriding for [] so we can use vector... err.. "ArrayList" or whatever a little cleaner. And why can't we override or append constructors (without intentionally leaving an overridable method call)? I could go on forever here... but seriously anybody who wants to start attacking me for these complaints should sit down with Scala for a few hours. There's reasons Scala exists and just some of those are what I listed here - all the advantages of the JVM without having to write method after method of crap that should be a language feature to begin with.
My suggestion to look for an alternative VM was because of how Oracle deals with the vulnerabilities. It's not about how bad the VM is, because given all alternatives, it's one of the best out there in terms of features, stability and performance.
When you deal with large amounts of software, several platforms and millions of people using it, you are going to get bugs. Nasty, insecure, application breaking bugs. Given the same quality of code, what differentiates the good from the bad vendors, is how they deal with those bugs. Oracle seems to default to dealing with grave security problems by keeping the submitters and their end users in the dark and not fixing them for over 3 months, even though their release cycle is every three months. I consider that to be bad.
If this 0-day didn't get the exposure it got, we would all probably be still vulnerable to it for who knows how long. We know about this vulnerability, but Gowdiak reported more. There are more people like Gowdiak. Statistically speaking, chances are probably very close to 100% that Oracle is sitting on more known severe 0-day bugs that they haven't fixed for many many months.
If that is Oracle's policy, they have a dangerous VM and it will remain dangerous until they either change the policy, or it gets replaced by an alternative. That's why I think that people that choose to use Java for who knows what reason, should seriously consider looking at alternatives for the Oracle Java VM.
I was promised a flying car. Where is my flying car?
Proving that they intentionally disregarded it when they have a fix planned for the October update would be pretty difficult. I don't think you can charge a company with a crime because they have a 4-month patch cycle. Instead I would like to see browser vendors make a move to block the Java plugins by default and require explicit user activation to enable them on a 1-time-use basis (obviously with advanced options to fine tune this behavior). If Oracle doesn't want to update Java frequently fine, but someone needs to protect the users if it's not Oracle.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
This is the programming language that still bundles the "Ask Toolbar" crapware with their installer. Nuff said.
It asks you whether you want to install the Ask Toolbar, defaulting to yes, of course, every time you install a security update.
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
Everything back in the days prior to 1.4 was a nightmare. Unfortunately, that is were most criticisms of java originated. Quite a few enterprise apps i've been forced to use have never been recompiled since 1.3 and are very temper-mental, usually requiring an older JVM and swing was horrid back then. Java really came into it's stride IMO once it hit 1.5. Since then, most (not all) complaints about performance, ui performance, and a lot of other things are moot, but people still like to kick those cans down the road. It'll never be as fast as c++, but it's pretty damn fast in the modern era.
And what about on Android devices. Since Android is basically a Java based technology.
-- I ignore anonymous replies to my comments and postings.
Tuxedo Server has been been around since the 1980s and is the C/C++ analog to JEE servers. From my understanding it started out for use with C and COBOL and then C++ to solve the same issues JEE back end containers are meant to solve. I have seen it used with other languages as well (as clients) including Visual Pascal, Visual Basic, and Visual C++, as well as tying into JEE systems and other web based clients. It started with AT&T, moved to BEA, which was then bought by Oracle. So you have come back full circle to the Oracle cunnundrum. And it isn't open source and it isn't free. But it works very well and scales massively. I have seen it run systems that handle tens and hundreds of millions of customer accounts, and highly complex and incredibly high volume of transactions.
-- I ignore anonymous replies to my comments and postings.
.Net's not bad but ties you into Windows. Mono though, ugh - memory leaks out the wazoo on long-running servers that run fine under Microsoft .Net, a garbage collector that sucks compared to what Java had in 1992 let alone 2012, and as for backwards compatibility...
I'll bet it failed because the slides weren't in Comic Sans.
Well, you're right, except that the modern, non-vulnerable version was apparently vulnerable!
The CB App. What's your 20?
Aren't repeated letters to a manufacturer, that remain ignored, evidence of "ignoring the problem"? As far a the"patch cyle" goes, can they really get away with.. "it's only caused infected or hijacked PCs for a third of a year, that's neither s a significant amount ,nor our responsibility .. That appears how this played out, to me,...
You're going to have to prove that they ignored the problem internally, rather than simply not sending a reply to the letter. I don't reply to every bug report, but I still fix them. Considering that they already released a patch for this issue yesterday though, it sounds like a moot point. Obviously they didn't ignore it.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black