Slashdot Mirror

← Back to Stories (view on slashdot.org)

Oracle Knew of Latest Java 0-Day Security Hole In August

Posted by timothy on from the when-the-living-is-easy dept.

An anonymous reader writes "After news broke on Thursday that a new Java 0-day vulnerability had been discovered, and was already being included in multiple popular exploit kits, two new important tidbits have come in on Friday. Firstly, this whole fiasco could have been avoided if Oracle had properly patched a previous vulnerability. Furthermore, not only is the vulnerability being exploited in the wild, but it is being used to push ransomware." Meanwhile, writes reader Beeftopia, the U.S. Department of Homeland Security is getting in on the action, and "has warned users to disable or uninstall Java software on their computers, amid continuing fears and an escalation in warnings from security experts that hundreds of millions of business and consumer users are vulnerable to a serious flaw."

8 of 265 comments (clear)

  1. Burned by Anonymous Coward · · Score: 5, Interesting

    Had a few users burned by this today at work. One emergency security meeting later and we pulled Java from 3000 workstations this afternoon. Should have done this a year ago.

  2. Excuse to upgrade shitty intranet apps? by Billly+Gates · · Score: 5, Interesting

    I use java solely for Eclipse development but I do not have the plugin installed on my browsers.

    The people at work who still cling to IE 6 and IE 7 also are stuck in Java land and is the sole reason why XP is still alive kicking and screaming. Many still use NTLM version 1 security pre 1999 that can crack any account on AD because these apps wont work with anything newer than 13 years old!

    With the department of homeland security recommendations perhaps we can finally move on and get rid of these dinosaurs that are a liability to our employers.

    Shame on Oracle.

    Java had such high hopes and Sun fucked up royally too beforehand. If Java could have native .exes and kept being updated perhaps it could be as good as .NET and we could all run Linux with our cross platform natively compiled apps in such an alternative universe.

    Besides a few limited uses for mainframes I think it is time we said goodbye and put it to legacy ala Cobol 2.0? The question is what next? ... not language wise but richness in api wise and frameworks which is why .NET and Java are liked for complex 3-tier enterprise platforms.

    --
    http://saveie6.com/
  3. Time to just remove Java (and Silverlight)? by gQuigs · · Score: 5, Interesting

    They are used on less than .2% of websites, and many are false positives. Yes some might not be detected as well. I am aware there is one very popular video service that uses Silverlight, can't say the same about Java.

    Click on the language for more details
    http://w3techs.com/technologies/overview/client_side_language/all

    1. Re:Time to just remove Java (and Silverlight)? by 93+Escort+Wagon · · Score: 4, Interesting

      There's quiet a few Android devices running Java. And developers need Java on their PCs to write apps for them

      That may be so; but it's not really a reason for people to keep Java enabled in their browsers.

      Several months ago I disabled the Java plugins/extensions in all the browsers I use. Know what I noticed? Absolutely nothing. No sites that I frequent used Java *at all*. My experience browsing the web didn't change an iota.

      --
      #DeleteChrome
    2. Re:Time to just remove Java (and Silverlight)? by dbIII · · Score: 4, Interesting

      I remember back when it was coming out a big deal was made about how the VM was in a sandbox and couldn't nuke user or system files under any circumstances. Convenience killed good intentions and now we may as well be on activeX bullshit.

  4. What happened to Java? by Jeremi · · Score: 5, Interesting

    Back in college (when Java was the new thing) one of its big touted features was security -- all applets would run in a sandbox, Java would be written in bytecode that would be automatically verified before it was executed, array access indices would be bounds-checked, etc etc. This all made Java execute more slowly than the alternatives (er, ActiveX?), but the (expected) upside was that Java would be super-secure and we wouldn't have to worry about our computers getting exploited by evil web pages that we accidentally loaded.

    Now it's 2013 and Java (at least in the context of a web browser) is turning into an unreliable bug-fest.

    So, what happened? Is it just a matter of incompetence at Oracle (and/or Sun)? Or is Java's security model fundamentally broken in some way that other in-web-browser languages (particularly JavaScript) are not? Where are all these security holes coming from?

    --


    I don't care if it's 90,000 hectares. That lake was not my doing.
    1. Re:What happened to Java? by phantomfive · · Score: 4, Interesting

      Theo de Raadt once said, "these guys can't write a secure OS, why would you expect them to write a secure VM?"

      These bugs have always existed in Java, but no one went out to exploit them because there were easier vulnerabilities available. Now as Microsoft has put more emphasis on security, the low-hanging fruit has become Acrobat reader, then Flash, now Java. Used to be you could smash the Microsoft stack any time you wanted. Now they are randomizing the stack and it's not so easy.....

      --
      "First they came for the slanderers and i said nothing."
  5. Re: it's not 0-day by Ambassador+Kosh · · Score: 4, Interesting

    That is absolutely true. The problem is that software is not delivering on all those things, it just promises all of those things.

    For a real engineering profession you have the whole sign off system and if someone wants something done for a song and to do everything you don't sign off on it. If they try to get around that sign off there are some pretty serious legal consequences to that.

    For programmers there is no legal way to say that the manpower involved is not sufficient to deliver the required quality. They will just be fired and replaced. Without programmers having some level of authority and the responsibility that goes with that you won't really see software getting better since there is no real incentive for it.

    Look at some of the break in stats, 50% of windows break ins last year where form Java and IE made up about 3% yet Microsoft and IE are still blamed for all the security problems. Why should Java or Flash really try to do much better if the average person is not going to blame them or making purchasing decisions based on that anyways?

    If you are a programming for Oracle and you say that X design is dangerous and you won't do it you will be fired.
    If you are a chemical engineer and you say a certain reactor design is dangerous it will be fixed or it won't get used.
    That is the real difference and that is what programmers need to have also.

    --
    Computer modeling for biotech drug manufacturing is HARD! :)