Slashdot Mirror


Polish Researcher: Oracle Knew For Months About Java Zero-Day

dutchwhizzman writes "Polish security researcher Adam Gowdiak submitted bug reports months ago for the current Java 7 zero-day exploit that's wreaking havoc all over the Internet. It seems that Oracle can't — or won't? — take such reports seriously. Is it really time to ditch Oracle's Java and go for an open source VM?"

14 of 367 comments

  1. Duh by binarylarry · Score: 5, Funny

    You think Uncle Larry gives a fuck?

    No. Now pay him his money.

    --
    Mod me down, my New Earth Global Warmingist friends!
  2. Re:Ditch Java entirely. by binarylarry · Score: 5, Funny

    So your business model is:

    1) Ditch Java
    2) ???
    3) Profit!

    You and the underpants gnomes should hook up!

    --
    Mod me down, my New Earth Global Warmingist friends!
  3. Re:Why are people still using this? by binarylarry · Score: 5, Insightful

    You sound like someone who shouldn't be giving technical advice.

    C/C++ has advantages over Java, just like Java has advantages over C/C++

    Saying you should use one over the other for every purpose is foolhardy.

    --
    Mod me down, my New Earth Global Warmingist friends!
  4. Re:Why are people still using this? by Anonymous Coward · Score: 5, Funny

    Hey Larry, what's your surname?

  5. Ask Toolbar Really ? by Anonymous Coward · Score: 5, Insightful

    This is the programming language that still bundles the "Ask Toolbar" crapware with their installer. Nuff said.

  6. No by ExE122 · Score: 5, Interesting

    This is not a sign that you need to start ditching Oracle. The reason more security loopholes are discovered in Oracle are because it is the most widely used JVM. Other VMs will still have a ton of issues, they just don't get attacked as much (yet).

    A similar argument used to be debated years ago with Apple v Microsoft... Apple touted its superior security over MS when in reality, nobody gave a crap about attacking Mac users which only made up 10% of the market. Once they gained popularity, they started getting hit more as well.

    The real scary part is that MS at least takes its security flaws somewhat seriously. Oracle seems to have smugly ignored Mr. Gowdiak. He can now smugly turn around and give them a big "I told you so!"

    --
    Capitalism: When it uses the carrot, it's called democracy. When it uses the stick, it's called fascism.
    1. Re:No by X0563511 · Score: 5, Insightful

      The real problem here is the quarterly patch cycle that seems to ignore the severity of security bugs. If you want to do a quarterly cycle that's fine - but you need to make exceptions for security bugs.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    2. Re:No by pointyhat · Score: 5, Interesting

      Dear Blakey Troll,

      Java desktop application guy here

      Last place I worked, I was the lead architect for a real-time patient care system deployed to 120,000 users across 2500 hospital sites around western Europe across Windows, Linux and Solaris platforms.

      It stopped the users' patients from dying, so they are quite happy with it as are their patients. It is incredibly fast (2 orders of magnitude faster than the C++ based MFC native Windows app our competitor was throwing out), it has had no downtime (ever!) by nature of the architecture which must not go down under any circumstance (everything was fully distributed), the UI definitely does not suck and it's certainly not bloated at 52Mb including the JVM (our competitor hit 2Gb including the local SQL server instance installation).

      What do you propose we use instead and how do you propose we start rewriting the 1.9 million lines of code we've already got?

    3. Re:No by pointyhat · Score: 5, Interesting

      No - you are actually totally clueless here and are just trying to get karma by jumping on the anti-Java bandwagon.

      No our application is not contributing any such risk whatsoever:

      1. We shipped the JVM with the application in its own standalone directory. No applets, no browser plugins. It's launched by a wrapper exe on Windows and a script on Linux+Solaris. Basically it runs java[.exe] -jar application.jar. There is no target vector for this exploit.

      2. We ship JVM 1.6 which is not vulnerable.

      3. It uses SWT which looks native on all platforms - look it's not ugly at all: http://www.eclipse.org/swt/

  7. Re:Ditch Java entirely. by characterZer0 · Score: 5, Insightful

    Ditch Java applets entirely.

    --
    Go green: turn off your refrigerator.
  8. As a former Oracle dev by juancn · Score: 5, Insightful

    Oracle is a huge organisation. I mean mindbogglingly huge (think planet Vogon). There is a lot of red tape that you have to cut to get anything done, and in 4 months they're probably still scheduling meetings to figure out if it should be fixed, and when, and by whom.

    Unless an SVP gets involved, it's unlikely that it will be rushed.

    1. Re:As a former Oracle dev by NettiWelho · Score: 5, Insightful

      Perhaps they should, you know, have a department dedicated to handling these kinds of things in a timely manner then?

  9. Re:IBM by Simon+Brooke · Score: 5, Informative

    Whatever happened to them? Didn't they at one time have a Java implementation?

    IBM's Java work is now part of OpenJDK. How close OpenJDK is to Oracle Java and whether it shares this exploit I don't know (although the OpenJDK home page says they are '...based largely on the same code'), but if it does it should be patchable.

    I'm not ready to give up on Java. It is not because I think it's the best, I still think C# beats it as a language, but at times when a client requires non-Microsoft, it is my only choice for a modern language. Yeah, I know C++11, I've looked at it quite a bit, and it is better than it was, but as long as it needs header files, I don't put it into a modern language category.

    I could happily give up Java, but I wouldn't willingly give up Clojure. There's more (and better) languages for the JVM than just Java.

    --
    I'm old enough to remember when discussions on Slashdot were well informed.
  10. Re:Why are people still using this? by binarylarry · Score: 5, Informative

    You have provided some terrible answers. Please stop posting about technologies when it's clear you have little technical knowledge.

    Java is much, much faster than Flash.
    The JVM set bundled with OpenJDK is the same as the one bundled with Oracle Java (Oracle Java is built on OpenJDK)
    Java is cross-platform, it's worked reliably for a long time
    Java is open source, so blaming Oracle for slow development isn't fair (not that I like them, Fuck Oracle)

    Some things that suck about Java:

    No runtime generics
    No lambda support
    You have to define your maximum heap size when the application is started
    AWT and Swing are the official UI technologies and they're fucking terrible
    It's very hard to port to platforms where it doesn't exist already

    --
    Mod me down, my New Earth Global Warmingist friends!