Slashdot Mirror
Oracle Knew of Latest Java 0-Day Security Hole In August
An anonymous reader writes "After news broke on Thursday that a new Java 0-day vulnerability had been discovered, and was already being included in multiple popular exploit kits, two new important tidbits have come in on Friday. Firstly, this whole fiasco could have been avoided if Oracle had properly patched a previous vulnerability. Furthermore, not only is the vulnerability being exploited in the wild, but it is being used to push ransomware." Meanwhile, writes reader Beeftopia, the U.S. Department of Homeland Security is getting in on the action, and "has warned users to disable or uninstall Java software on their computers, amid continuing fears and an escalation in warnings from security experts that hundreds of millions of business and consumer users are vulnerable to a serious flaw."
Had a few users burned by this today at work. One emergency security meeting later and we pulled Java from 3000 workstations this afternoon. Should have done this a year ago.
I use java solely for Eclipse development but I do not have the plugin installed on my browsers.
The people at work who still cling to IE 6 and IE 7 also are stuck in Java land and is the sole reason why XP is still alive kicking and screaming. Many still use NTLM version 1 security pre 1999 that can crack any account on AD because these apps wont work with anything newer than 13 years old!
With the department of homeland security recommendations perhaps we can finally move on and get rid of these dinosaurs that are a liability to our employers.
Shame on Oracle.
Java had such high hopes and Sun fucked up royally too beforehand. If Java could have native .exes and kept being updated perhaps it could be as good as .NET and we could all run Linux with our cross platform natively compiled apps in such an alternative universe.
Besides a few limited uses for mainframes I think it is time we said goodbye and put it to legacy ala Cobol 2.0? The question is what next? ... not language wise but richness in api wise and frameworks which is why .NET and Java are liked for complex 3-tier enterprise platforms.
http://saveie6.com/
They are used on less than .2% of websites, and many are false positives. Yes some might not be detected as well. I am aware there is one very popular video service that uses Silverlight, can't say the same about Java.
Click on the language for more details
http://w3techs.com/technologies/overview/client_side_language/all
.
It has become apparent that Oracle either does not understand the concept of computer security....
- or -
Oracle does understand the concept of computer security, and they are using these exploits to kill off Java, which they do not want to support anymore.
What else can it be?
(btw, my bet is that Oracle is clueless regarding computing security)
Back in college (when Java was the new thing) one of its big touted features was security -- all applets would run in a sandbox, Java would be written in bytecode that would be automatically verified before it was executed, array access indices would be bounds-checked, etc etc. This all made Java execute more slowly than the alternatives (er, ActiveX?), but the (expected) upside was that Java would be super-secure and we wouldn't have to worry about our computers getting exploited by evil web pages that we accidentally loaded.
Now it's 2013 and Java (at least in the context of a web browser) is turning into an unreliable bug-fest.
So, what happened? Is it just a matter of incompetence at Oracle (and/or Sun)? Or is Java's security model fundamentally broken in some way that other in-web-browser languages (particularly JavaScript) are not? Where are all these security holes coming from?
I don't care if it's 90,000 hectares. That lake was not my doing.
I think the future here is Java not from Oracle. We don't use their engine on servers now so why the hell would we use it on clients?
Oracle haven't got their act together, and obviously without a decent revenue stream they're not going to try, so time to move on from them.
Because it's used by others so effectively infrastructure, thus irresponsible to cut corners before release. To invoke a car analogy it's like opening a bridge on the announced date without finishing it in one lane so that cars driving from one direction keep falling into the water. Such an example appears so ridiculous because it's comparing a carefully planned engineering project on one hand (the bridge) with a room full of blindfolded basketweavers trying to weave bits of an elephant shaped basket while being shouted at in a language they cannot understand and none of them know what an elephant looks like (a typical mismanaged software project like your above example with your "tradeoffs").
You get what you pay for. "So, you want me to synthesize a new material, build a few skyscrapers with it, all on top of the landfill foundation the last team built, and make last at least 2 years before any substantial maintenance is performed? In a few months with a small team of survivalists?" I'm sure that'll work out great because those structural engineers are accredited.
It usually makes for very boring news so it is not covered very much except in things like trade journals. However real engineers are sued for design flaws when they don't do things correctly.
The laws acknowledge that no matter what there is always a chance of failure. If you did the work and can show that the odds of failure are .001% and the system still fails it will be investigated but as long as you are correct it is likely nothing will happen since rare events do happen.
However if you falsify the work, falsify the calculations, end up with calculations that are far off of reality then you can and are held liable in many cases.
Computer modeling for biotech drug manufacturing is HARD!
That is absolutely true. The problem is that software is not delivering on all those things, it just promises all of those things.
For a real engineering profession you have the whole sign off system and if someone wants something done for a song and to do everything you don't sign off on it. If they try to get around that sign off there are some pretty serious legal consequences to that.
For programmers there is no legal way to say that the manpower involved is not sufficient to deliver the required quality. They will just be fired and replaced. Without programmers having some level of authority and the responsibility that goes with that you won't really see software getting better since there is no real incentive for it.
Look at some of the break in stats, 50% of windows break ins last year where form Java and IE made up about 3% yet Microsoft and IE are still blamed for all the security problems. Why should Java or Flash really try to do much better if the average person is not going to blame them or making purchasing decisions based on that anyways?
If you are a programming for Oracle and you say that X design is dangerous and you won't do it you will be fired.
If you are a chemical engineer and you say a certain reactor design is dangerous it will be fixed or it won't get used.
That is the real difference and that is what programmers need to have also.
Computer modeling for biotech drug manufacturing is HARD!