Slashdot Mirror


Oracle Knew of Latest Java 0-Day Security Hole In August

An anonymous reader writes "After news broke on Thursday that a new Java 0-day vulnerability had been discovered, and was already being included in multiple popular exploit kits, two new important tidbits have come in on Friday. Firstly, this whole fiasco could have been avoided if Oracle had properly patched a previous vulnerability. Furthermore, not only is the vulnerability being exploited in the wild, but it is being used to push ransomware." Meanwhile, writes reader Beeftopia, the U.S. Department of Homeland Security is getting in on the action, and "has warned users to disable or uninstall Java software on their computers, amid continuing fears and an escalation in warnings from security experts that hundreds of millions of business and consumer users are vulnerable to a serious flaw."

10 of 265 comments

  1. Burned by Anonymous Coward · Score: 5, Interesting

    Had a few users burned by this today at work. One emergency security meeting later and we pulled Java from 3000 workstations this afternoon. Should have done this a year ago.

  2. Excuse to upgrade shitty intranet apps? by Billly Gates · Score: 5, Interesting

    I use java solely for Eclipse development but I do not have the plugin installed on my browsers.

    The people at work who still cling to IE 6 and IE 7 are also stuck in Java land, and that is the sole reason why XP is still alive, kicking and screaming. Many still use NTLM version 1 security, pre-1999, that can crack any account on AD, because these apps won't work with anything newer than 13 years old!

    With the department of homeland security recommendations perhaps we can finally move on and get rid of these dinosaurs that are a liability to our employers.

    Shame on Oracle.

    Java had such high hopes and Sun fucked up royally too beforehand. If Java could have native .exes and kept being updated perhaps it could be as good as .NET and we could all run Linux with our cross platform natively compiled apps in such an alternative universe.

    Besides a few limited uses for mainframes, I think it is time we said goodbye and put it to legacy, à la Cobol 2.0? The question is what next? ... not language-wise, but in richness of APIs and frameworks, which is why .NET and Java are liked for complex 3-tier enterprise platforms.

  3. it's not 0-day by Anonymous Coward · Score: 5, Insightful

    if Oracle knew about it in August

    1. Re:it's not 0-day by Anonymous Coward · Score: 5, Insightful

      And if they knew about it for that long then they should be able to be sued for negligence.

      Perhaps when the software industry has to accept the same liability and culpability as anyone else they will take their job seriously.

      Aircraft are extremely complex and they can't use that as a get out of jail free card; software should not be able to either. If they want protection and patents then they can accept the downside, liability.

    2. Re:it's not 0-day by Ambassador Kosh · Score: 5, Insightful

      This is why programming is not an engineering profession despite what many keep claiming.

      Until they have the same standards as mechanical, aerospace, chemical, etc. engineers they are not really engineers.

      --
      Computer modeling for biotech drug manufacturing is HARD! :)

  4. Time to just remove Java (and Silverlight)? by gQuigs · Score: 5, Interesting

    They are used on less than 0.2% of websites, and many are false positives. Yes, some might not be detected as well. I am aware there is one very popular video service that uses Silverlight; can't say the same about Java.

    Click on the language for more details
    http://w3techs.com/technologies/overview/client_side_language/all

    1. Re:Time to just remove Java (and Silverlight)? by Samantha Wright · Score: 5, Insightful

      Dig hard enough and I'm sure you'll find equally arcane .NET setups. Remember, kids: the only difference between Java and .NET is that Java was paved with good intentions.

      --
      Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!

    2. Re:Time to just remove Java (and Silverlight)? by TopSpin · Score: 5, Insightful

      java on the web is effectively dead

      What killed it?

      It's clunky. That's the shortest correct explanation I can provide. The whole user experience is just awful.

      The first thing you experience when you encounter a Java applet is a sinking feeling as the browser becomes unresponsive with a large gray void somewhere on the page that will eventually render the applet. Sometimes this is alleviated slightly by a progress indicator in some weird JVM font that looks like it was salvaged from OpenBoot. All this "loading" takes large amounts of RAM so the OS starts paging which creates more anxiety for the user as the drive LED indicates vast amounts of mysterious IO. In any case the process takes too long and by the time the applet has rendered something meaningful most users have lost patience.

      At this point the applet has started rendering. Frequently this is a bad thing because many Java applets are tragically ugly. Repulsive, really. So bad they look like hastily made email phishing attempts. It would have been better if the "loading" had never ended leaving the user to seek alternatives. The moment a user sees those fonts they squint, groan a bit inside and consider calling someone for help. The GUI widgets look weird. Things don't work right, like copy and paste or common GUI hot keys. And everything lags; you can feel extra tens of milliseconds of lag with every UI operation; click, scroll, whatever. It all lags.

      Finally whatever unfortunate task led our victim here has been accomplished and it's time to leave. You click 'home' or some link or whatever to be on your way and BOOM!, the browser segfaults and closes. Recent browsers mitigate this habit by isolating applets (and other plug-ins) in process sandboxes, but the user still gets that extra little poke in the eye to top off the rest of the 'experience.' The sort of effort required to make the JVM run smoothly inside common browsers has never been applied and to this day it is a fragile and crashy combination.

      People that care about the user experience, people with tens or hundreds of millions of users using their site(s), don't tolerate this heinous shit. So Java applets die the death they deserve.

      --
      Lurking at the bottom of the gravity well, getting old

  5. Please, can we stop with "0-day"? by Anonymous Coward · Score: 5, Insightful

    Can we please, please, please stop using the term "0-day"? It's completely meaningless here. Actually, it's worse than meaningless as it's used incorrectly and just makes things confusing. Is it a noun? Is it an adjective? Depends on who's writing the Slashdot headline! Try reading the headline and article while omitting the text "0-day" and you'll see it reads just fine and actually makes sense now.

  6. What happened to Java? by Jeremi · Score: 5, Interesting

    Back in college (when Java was the new thing) one of its big touted features was security -- all applets would run in a sandbox, Java would be written in bytecode that would be automatically verified before it was executed, array access indices would be bounds-checked, etc etc. This all made Java execute more slowly than the alternatives (er, ActiveX?), but the (expected) upside was that Java would be super-secure and we wouldn't have to worry about our computers getting exploited by evil web pages that we accidentally loaded.

    Now it's 2013 and Java (at least in the context of a web browser) is turning into an unreliable bug-fest.

    So, what happened? Is it just a matter of incompetence at Oracle (and/or Sun)? Or is Java's security model fundamentally broken in some way that other in-web-browser languages (particularly JavaScript) are not? Where are all these security holes coming from?

    --
    I don't care if it's 90,000 hectares. That lake was not my doing.
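The two sandbox mechanisms Jeremi lists that can be shown in a few lines are the SecurityManager permission check and the runtime array bounds check; the bytecode verifier is not shown here because it needs a hand-crafted class file. The following is an added example written for this mirror, not code from the page or from Oracle. It installs a toy policy that denies reading one file and then shows that an out-of-bounds write is trapped rather than silently corrupting memory. The file name "secret.txt" is an assumption made up for the demo and does not need to exist, because the permission check fires before the open happens.

```java
import java.io.FileReader;
import java.io.FilePermission;
import java.io.IOException;
import java.security.Permission;

/*
 * Added example, not from the original page or from Oracle.
 * A toy SecurityManager sandbox plus the JVM's array bounds check.
 * "secret.txt" is a made-up file name used only for this demo.
 */
public class SandboxDemo {

    // Toy policy: deny read access to any path ending in "secret.txt";
    // allow everything else so the rest of the JVM keeps working.
    // (The real applet sandbox used policy files and the stack-walking
    // AccessController, which this blanket override does not consult.)
    static final class DenySecretRead extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof FilePermission
                    && perm.getActions().contains("read")
                    && perm.getName().endsWith("secret.txt")) {
                throw new SecurityException("sandbox denied: " + perm);
            }
        }
    }

    // Returns true if the sandbox stopped the read before the file was opened.
    static boolean readBlocked() {
        try (FileReader r = new FileReader("secret.txt")) {
            return false;            // policy allowed the open
        } catch (SecurityException e) {
            return true;             // checkRead() fired inside the constructor
        } catch (IOException e) {
            return false;            // open was allowed, the file was just missing
        }
    }

    // Returns true if the JVM trapped the out-of-bounds write.
    static boolean boundsCheckTrapped() {
        int[] buf = new int[4];
        try {
            buf[8] = 42;             // in C this would be a silent heap overwrite
            return false;
        } catch (ArrayIndexOutOfBoundsException e) {
            return true;             // bounds check fired, heap untouched
        }
    }

    public static void main(String[] args) {
        System.setSecurityManager(new DenySecretRead());
        System.out.println("file read blocked by sandbox: " + readBlocked());
        System.out.println("out-of-bounds write trapped:  " + boundsCheckTrapped());
    }
}
```

Compile and run with `javac SandboxDemo.java && java SandboxDemo`; both lines should print `true`. This runs as written on JDK 8 through 17 (17 prints a deprecation warning), JDK 18 to 23 require `-Djava.security.manager=allow` on the command line, and JDK 24 removed the ability to install a SecurityManager at all. The point of the demo is also its limitation: the bounds check and the permission check are enforced by the JVM, so a hole in the JVM itself, or a way to reach privileged code that bypasses the check, undoes the whole sandbox regardless of how well-behaved the applet's own bytecode is.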