Oracle Knew of Latest Java 0-Day Security Hole In August

An anonymous reader writes "After news broke on Thursday that a new Java 0-day vulnerability had been discovered, and was already being included in multiple popular exploit kits, two new important tidbits have come in on Friday. Firstly, this whole fiasco could have been avoided if Oracle had properly patched a previous vulnerability. Furthermore, not only is the vulnerability being exploited in the wild, but it is being used to push ransomware." Meanwhile, writes reader Beeftopia, the U.S. Department of Homeland Security is getting in on the action, and "has warned users to disable or uninstall Java software on their computers, amid continuing fears and an escalation in warnings from security experts that hundreds of millions of business and consumer users are vulnerable to a serious flaw."

it's not 0-day

if Oracle knew about it in August

Re:it's not 0-day

And if they knew about it for that long then they should be able to be sued for negligence.

Perhaps when the software industry has to accept the same liability and culpability as anyone else they will take their job seriously.

Aircraft are extremely complex and they cant use that as a get out of jail free card, software should not be able to either. If they want protection and patents then they can accept the down side, liability.

Re:it's not 0-day

[Ambassador+Kosh]

This is why programming is not an engineering profession despite what many keep claiming.

Until they have the same standards as a mechanical, aerospace, chemical, etc engineers they are not really engineers.

Please, can we stop with "0-day"?

Can we please, please, please stop using the term "0-day"? It's completely meaningless here. Actually, it's worse than meaningless as it's used incorrectly and just makes things confusing. Is it a noun? Is it an adjective? Depends on who's writing the Slashdot headline! Try reading the headline and article while omitting the text "0-day" and you'll see it reads just fine and actually makes sense now.

Re:Time to just remove Java (and Silverlight)?

[Samantha+Wright]

Dig hard enough and I'm sure you'll find equally arcane .NET setups. Remember, kids: the only difference between Java and .NET is that Java was paved with good intentions.

Re:Time to just remove Java (and Silverlight)?

[TopSpin]

java on the web is effectively dead

What killed it?

It's clunky. That's the shortest correct explanation I can provide. The whole user experience is just awful.

The first thing you experience when you encounter a Java applet is a sinking feeling as the browser becomes unresponsive with a large gray void somewhere on the page that will eventually render the applet. Sometimes this is alleviated slightly by a progress indicator in some weird JVM font that looks like it was salvaged from OpenBoot. All this "loading" takes large amounts of RAM so the OS starts paging which creates more anxiety for the user as the drive LED indicates vast amounts of mysterious IO. In any case the process takes too long and by the time the applet has rendered something meaningful most users have lost patience.

At this point the applet has started rendering. Frequently this is a bad thing because many Java applets are tragically ugly. Repulsive, really. So bad they look like hastily made email phishing attempts. It would have been better if the "loading" had never ended leaving the user to seek alternatives. The moment a user sees those fonts they squint, groan a bit inside and consider calling someone for help. The GUI widgets look weird. Things don't work right, like copy and paste or common GUI hot keys. And everything lags; you can feel extra tens of milliseconds of lag with every UI operation; click, scroll, whatever. It all lags.

Finally whatever unfortunate task led our victim here has been accomplished and it's time to leave. You click 'home' or some link or whatever to be on your way and BOOM!, the browser segfaults and closes. Recent browsers mitigate this habit by isolating applets (and other plug-ins) in process sandboxes, but the user still gets that extra little poke in the eye to top off the rest of the 'experience.' The sort of effort required to make the JVM run smoothly inside common browsers has never been applied and to this day it is a fragile and crashy combination.

People that care about the user experience, people with tens or hundreds of millions of users using their site(s), don't tolerate this heinous shit. So Java applets die the death they deserve.