Polish Researcher: Oracle Knew For Months About Java Zero-Day
dutchwhizzman writes "Polish security researcher Adam Gowdiak submitted bug reports months ago for the current Java 7 zero-day exploit that's wreaking havoc all over the Internet. It seems that Oracle can't — or won't? — take such reports seriously. Is it really time to ditch Oracle's Java and go for an open source VM?"
You think Uncle Larry gives a fuck?
No. Now pay him his money.
Mod me down, my New Earth Global Warmingist friends!
So your business model is:
1) Ditch Java
2) ???
3) Profit!
You and the underpants gnomes should hook up!
You sound like someone who shouldn't be giving technical advice.
C/C++ has advantages over Java, just like Java has advantages over C/C++
Saying you should use one over the other for every purpose is foolhardy.
Hey Larry, what's your surname?
This is the programming language that still bundles the "Ask Toolbar" crapware with their installer. Nuff said.
I mean, it is hard to run a business if you aren't running a profit and generating income.
This is not a sign that you need to start ditching Oracle. The reason more security loopholes are discovered in Oracle are because it is the most widely used JVM. Other VMs will still have a ton of issues, they just don't get attacked as much (yet).
A similar argument used to be debated years ago with Apple v Microsoft... Apple touted its superior security over MS when in reality, nobody gave a crap about attacking Mac users, who only made up 10% of the market. Once they gained popularity, they started getting hit more as well.
The real scary part is that MS at least takes its security flaws somewhat seriously. Oracle seems to have smugly ignored Mr. Gowdiak. He can now smugly turn around and give them a big "I told you so!"
Capitalism: When it uses the carrot, it's called democracy. When it uses the stick, it's called fascism.
Whatever happened to them? Didn't they at one time have a Java implementation?
I'm not ready to give up on Java. It is not because I think it's the best, I still think C# beats it as a language, but at times when a client requires non-microsoft, it is my only choice for a modern language. Yeah, I know C++11, I've looked at it quite a bit, and it is better than it was, but as long as it needs header files, I don't put it into a modern language category.
So, anyhow, Eclipse seems to have really gone in the dumpster as far as quality lately, and IBM is silent as a Java leader too. Is IBM bailing on Java? I see they have a new big push to virtualization to a level that makes sense, by using a mainframe. Maybe they have (bailed). So what, post-Java, other than C#, is available?
slashdot troll = you make a compelling argument I do not like the implications of.
I'm currently doing my internship at the IT dept. of a joint-municipal group responsible for about 15k Windows computers (mostly for schools, vocational schools and a university of applied sciences), and today the department heads made the decision to uninstall Java from all machines except those in lab networks disconnected from the outside world.
Does it really matter how verbose a language is if it gets compiled down byte code? If it's good code, it doesn't matter. You have the same logic that managers have, i.e., counting lines of code is a measure of productivity. There's plenty to dislike about the way Oracle has handled Java, however, complaining that it takes too many lines to accomplish something is not one of them. My guess is that there's a Perl programmer out there who thinks C++ is bloated.
The complaint I see, but hasn't been verbalized, is that Oracle isn't making money off of the Java language so their technical support has failed. That's as bad as Microsoft screwing with the VB to VB.NET change. That's a reason to reconsider your programming language choice. However, nothing better has come along.
For now, Java is good enough.
Ditch Java applets entirely.
Go green: turn off your refrigerator.
So I know what you're thinking; "Well then how do I talk to a database?" Well as it turns out, every database has a library that local applications can use to send SQL queries to the database. It's true! You can also roll a socket protocol to talk to damn near anything else on the internet. You don't even have to use XML if you don't want to!
Now, these applications are linear in execution, so you don't have to maintain a session state or anything like that. When you're in the application, you're just wherever you are in the application. This might take some getting used to.
Now I know what else you're thinking; "But Java is write once run everywhere!" Well your IT department has the same version of Windows installed on every system in your company, so what's the problem? If you use cross-platform libraries like Boost, GTK or QT, odds are good you'll just be able to recompile your binaries if you need to support Linux or OSX, anyway.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
This is why reporting bugs to the software developers is stupid. Post the bug into the public, so they have no choice but to upgrade. Corporations are run by people who want to spend as little as possible to make as much money as possible. They won't patch bugs unless they are forced. They need to be forced.
Be seeing you...
Unless an SVP gets involved, it's unlikely that it will be rushed.
I know you were trying to be clever, but since you asked:
https://en.wikipedia.org/wiki/Comparison_of_Java_and_C%2B%2B
good honest work :)
All those things are artifacts of how crappy java is, in order to get anything done you need a metric ton of framework crap slapped on, and this is why people say "java is fast to develop in" - they mean, the frameworks make it faster to develop stuff, as long as you're developing exactly the kind of thing those frameworks are designed for. C/C++ world tends to have libraries that provide you with functionality you then plug in to your code, rather than having to code the way the framework wants you to (roughly).
You could use Ruby on Rails and get much better developer productivity, or Python, or node.js
As for C++, we don't tend to use EJBs - straightforward classes are fine, though you could use COM if you're on Windows (or COM+). The JSP frameworks are covered by either Microsoft's new Casablanca project or various web-server libraries like CppCMS. C++ doesn't have much in the way of ORMs, preferring faster access to DB code, but there are still plenty, e.g. ODB.
For example, you need Tomcat to host your Java beans and pages, but C++ would just run off Apache - either as a mod_xxx module, or via pass-through to a running service. A C++ developer wouldn't necessarily embed a web server into his code, instead expecting to reuse the existing web server infrastructure.
Generally the best place to start looking for C++ libraries is Boost. From there, just use google for what you need.
I'm pretty sure Apple (a) doesn't include Java by default and (b) even once you install it, they make you jump through hoops to allow it in the browser/applet context. I seem to recall them being called evil for making those decisions a while back.
The CB App. What's your 20?
Mono sucks and is inferior to OpenJDK .NET
LLVM is awesome but a different technology all together
LOL @
And if you have not used Java in 30 days, Apple disables it in the browser. (At least Java 6 and I believe any Java version). :-)
e.g., see http://www.christopherprice.net/making-sense-of-oracle-java-7-for-os-x-2119.html
Can you elaborate on what is awful about the Java platform? And no, lack of an open source option is NOT one of the drawbacks since Java has those as well (which is not true of C# btw where the open source alternative is not really operational).
Now, before you jump in realize that I'm not asking about JAVA APPLETS, but about the Java platform.
Go.
Write boring code, not shiny code!
You have a far bigger problem with local apps. The problems are your APIs. You have (presumably) a web server somewhere serving data to your local apps. And every time you will release a new version of your app, you will also release a new version of your API. But you also should remember to keep the old one working, because guess what: Some people will upgrade, and then some will not.
All of a sudden, you have your server and a gazillion apps out there, some more or less buggy than the others.
THIS is the biggest benefit of a web based app, not the reach of the 1205 users of FreeBSD. You have a bug? Fix it. Instantly, no one has a bug anymore. THAT is convenient.
!? Java is basically the only language you can seriously use to write apps on Android. The NDK? It's awful. I love Android but I seriously hate Java. As a language it's terrible, and anyone who says otherwise needs to pull their head out of their ass and play with some other languages. What's awesome about Java is the JVM... which is basically just an open standard. It doesn't necessarily need to run Java code just Java *bytecode*. There are some fantastic alternatives that run on the JVM too, like Scala (and in sort of a different way JRuby). Unfortunately Scala on Android isn't so mature and is a nightmare to get working or really use.
Not fully supporting the NDK is one of the biggest things that pisses me off about Android. I'd drop Java in a heartbeat for C++ if the NDK was decent. Google would do well to start supporting some scripting languages natively too - there's a reason there are so many projects trying to make platforms in Python and Ruby for Android, but they all end up half assed or running out of time/money and they start going non-free.
Seriously Google, give us some alternatives. Java is the absolute worst part of Android.
Have you worked with C# under the .NET 4.x framework now that they've added Entity Framework to it?
It is so much more efficient that any other data access abstraction I've ever seen. It even makes Hibernate/NHibernate look like a lame hack.
I am able to do extremely complex things with 10% of the amount of code I used to have to write.
Microsoft might be making a LOT of mistakes lately, but Entity Framework is not one of them. I don't know if I'll ever have the patience to use another language again - C# with Entity Framework is that much better.
You have provided some terrible answers. Please stop posting about technologies when it's clear you have little technical knowledge.
Java is much, much faster than Flash.
The JVM set bundled with OpenJDK is the same as the one bundled with Oracle Java (Oracle Java is built on OpenJDK)
Java is cross platform, it's worked reliably for a long time
Java is open source, so blaming Oracle for slow development isn't fair (not that I like them, Fuck Oracle)
Some things that suck about Java:
No runtime generics
No lambda support
You have to define your maximum heap size when the application is started
AWT and Swing are the official UI technologies and they're fucking terrible
It's very hard to port to platforms where it doesn't exist already
First of all, I think the comparison was Apple to Microsoft, not Linux to MS.
Second, when you talk desktop to server, you are talking apples (heh) to oranges. Desktops are important hosts for viruses because of what they are used for and who they are used by. Which is to say they tend to run on-demand applications and web browsing, and are run by anyone, usually amateurs who are easy to socially engineer.
A server is going to be run by professionals who operate services that are either developed in-house, or purchased and supported professionally. They will not frequently install new software, and that will usually be vetted carefully, if only because they will tend to spend money on purchase or support. You can still socially engineer professionals, but you will tend to have a lot harder time doing it, as they usually receive training covering that very contingency.
Consequently, while server exploits definitely exist, exploits that are directly related to a server tend to be fewer and more difficult to make use of where they exist, so Linux is going to have a much lower exploit penetration simply by virtue of being used mostly as a server, despite its market share of the server business. Hence, the comparison of the Windows market share, which is primarily desktop computing, to the Linux market share, which is mostly servers, is going to show significant deviation based on their usage patterns. That invalidates a direct comparison of their market shares in this instance and fatally undermines the argument.
Desktop market share is a big deal for viruses particularly if it is as high as that for Windows. The argument that Microsoft only cares about money doesn't cut it when you'd consider that Apple only cares about making money as well. MacOS is not a community project like most distributions of Linux, it may have more links to Open Source, but that doesn't mean that Apple is immune to profit motive, as we well know. You may well argue that Microsoft ignored the issues in favor of their vision of interoperability and control, but simple profit motive alone is not going to explain the differences without further elaboration.
Apple did and does have a smaller market share. It was also used, primarily, for purposes like design until it became more popular for developers in the last few years. While Apple probably has better security, part of which is inherited from its UNIX roots, this is not going to be sufficient to deter malicious coders if there is interest in penetrating the MacOS share of PCs. In short, Apple users are a minority who don't really have a usage pattern that will be useful for most exploit developers. This is a real effect which decreases the number and extent of exploitation and it *does* make using that platform safer, but it is a smokescreen, not a shield against future attacks.
You could make more of an argument for the security of an iOS specifically than Apple in general. However, even that security model was built more on the need to generate revenue than it was to prevent infections.
So, market share does matter significantly. While amateur hackers may well like the challenge of cracking something like a Mac or an Amiga for that matter, the more professional exploiters are going to spend time on the platform that they can generate the most effect from for the smallest initial investment. These professional exploiters will be more effective and more persistent than amateurs, which means they will tend to keep at exploits until they work well enough for significant penetration. This is a primary reason that Windows is riddled with exploits and would continue to be riddled with them even with better security measures.
Same old jokes and criticisms. Reading these posts, you'd think Java was relegated to driving outhouse fans in Siberia and not the #3 language by popularity in the world.
That being said, the Java *browser* vulnerabilities need to be taken far more seriously. The only exploit that I know I've been hit by was through an unpatched Java install and it was nasty; as in rebuild my laptop from the ground up nasty.
I swear to God...I swear to God! That is NOT how you treat your human!
I don't think that word means what you think it means
To be fair to AC, Java is dead slow to start up. Once it's up and running there are no issues anymore, but on the desktop, the startup time is pretty bad.
Also, IIRC, I think there are still a few libraries that are not open source (and that don't work well in OpenJDK)
Everything we do has a business case attached
I'd like to see the formal business case you made for posting on Slashdot.
Well, it was originally a 78 page densely-written scenario analysis document circulated four weeks ago to more than 20 executives and managers. They liked it, so I was authorized to spend a week making 45 slides to reinforce the case, and these were presented two weeks ago to a specially selected focus group of at least 30 managers and engineers. We discussed it for a whole day at the meeting. There were lots of fancy headings, beautiful fonts, pie charts, animations, etc., and I got excited and did a lot of arm-waving which helped persuade the focus group to pass the business case onwards. I'm not sure which team they passed it to, but our processes must be streamlined, because it already got approved today, which was pretty fast.
Anyway here it is, reduced disgracefully down to a single paragraph:
"By encouraging all businesses to waste effort making business cases to justify every decision (including trivial ones), we can cripple our competitors in terms of costs (their management overheads skyrocket), reaction time (all their decisions get delayed), and flexibility (they must omit/neglect some possible decisions). Posting as an AC on Slashdot will advance this goal."
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
As someone pointed out in the last story, it is the IE 6 that won't go away, or at least the COBOL of the 21st century.
Every banking site requires it so it can wrap Win32 COM objects like Excel spreadsheets for lines-of-credit reports that can be cut and pasted, using security holes from 1.4.1 or some ancient version. So Java is used for ActiveX-like functionality with no security controls and is a requirement for anyone in finance. Some support Java 6 but have to include some security holes so they can access Windows DLLs for the accountants.
Manpower and Kronos for clocking employees in and out also use Java. Java is still the most widely used language in the world if you check any website.
The irritating thing is not that Oracle won't fix Java and should be liable, but rather that apps and banking sites require such ancient versions of it that only work with XP and are filled with 30 or more security holes.
Many of these accountant laptops just get re-imaged on a weekly basis from infections. These same accountants only look at the cost of upgrading and not the productivity loss.
http://saveie6.com/
It's not a zero day if it was privately submitted over a month before. Zero Day means "a previously unknown vulnerability". It just wasn't public, so they didn't have as much urgency in fixing. Just stop calling it a zero day bug if the developers knew about it before hand.
-- these are only opinions and they might not be mine.