Slashdot Mirror


Oracle Ships Java 7 Update 11 With Vulnerability Fixes

An anonymous reader writes "After announcing a fix was coming just yesterday, Oracle on Sunday released Java 7 Update 11 to address the recently disclosed security vulnerability. If you use Java, you can download the latest update now from the Java Control Panel or directly from Oracle's website here: Java SE 7u11. In the release notes for this update, Oracle notes this version "contains fixes for security vulnerabilities." A closer look at Oracle Security Alert for CVE-2013-0422 details that Update 11 fixes two vulnerabilities."

243 comments

  1. Is this really a fix? by DavidClarkeHR · · Score: 5, Interesting

    It's great that the default security settings have been increased - and the zero-day flaws needed fixing (as always).

    Proper web browsing hygiene protected users from this zero-day vulnerability - but my mom needed this update.

    --
    - Nec Impar Pluribus, or so I'm told.
    1. Re:Is this really a fix? by Thinine · · Score: 1

      Why does your Mom need Java in the first place?

    2. Re:Is this really a fix? by Anonymous Coward · · Score: 0

      Games!

      Don't even ask. People are stupid. However, many people also don't exactly have much use for the computer without such things.

    3. Re:Is this really a fix? by PNutts · · Score: 1

      Proper web browsing hygiene protected users from this zero-day vulnerability...

      I'm not sure what you mean by that. What is "proper web browsing hygiene"?

    4. Re:Is this really a fix? by sproketboy · · Score: 1

      To play Minecraft obviously.

    5. Re:Is this really a fix? by Anonymous Coward · · Score: 4, Funny

      keeping a box of tissue next to the computer

    6. Re:Is this really a fix? by Anonymous Coward · · Score: 0

      Proper web browsing hygiene includes not infecting one's system with Java to begin with.

    7. Re:Is this really a fix? by dubbayu_d_40 · · Score: 1

      This is a common misunderstanding of apple users.

    8. Re:Is this really a fix? by Runaway1956 · · Score: 4, Informative

      People who read this site are mostly geeks, nerds, IT, developers, or some such who are computer literate. But, NO ONE who reads this site is ignorant of how pervasive Java is. NO ONE who reads this site is completely ignorant of the ways in which John and Jane Q. Public uses their computers.

      Like DavidClarkeHR's mother, my wife "needs" Java. Her computer may suffer any number of ills, and she'll ignore them. But, if she can't play her Pogo Games, the old broad is going to make my life miserable until the problem is fixed. To her, "the internet" pretty much means Pogo, Facebook, email, Craig's List, classified ads in the Texarkana Gazette, and a little bit of news.

      Oh, wait - how can I forget her soap operas? The woman has given up on television, and watches her daily shows on the computer now.

      THAT is the internet, for millions of people.

      Java don't work? "I WANT IT FIXED BEFORE I GET HOME FROM WORK!! You can forget about taking trash out, you can forget to pick your clothes up off the bathroom floor, you can leave the sink full of dirty dishes, BUT FIX MY INTERNET!!"

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    9. Re:Is this really a fix? by Mike+Frett · · Score: 4, Insightful

      Yes. People tend to forget Minecraft is popular and uses Java. There are also webcam sites that are very popular with the porn crowd that use Java. If you want people to ditch Java, then you need to fix the reason WHY they need it. Instead of coming here and pushing your views about how you managed to avoid Java, because after all it's your opinion and the last time I checked, it's no one else's.

    10. Re:Is this really a fix? by gl4ss · · Score: 2

      I can't verify identity through my bank without Java (to government services).

      Spent the entire morning trying to make the applet work today.

      Turned out I had to run the plugin through IE before it would work on either Firefox or Chrome.

      Such fucking bullshit really, and both Chrome's and Firefox's installers and their help quite frankly suck balls. Note to developers: check where the fuck your help buttons go, and if they go somewhere that just tells you to do what you already did to see the help button, don't fucking add it.

      --
      world was created 5 seconds before this post as it is.
    11. Re:Is this really a fix? by Anonymous Coward · · Score: 0

      Your wife sounds positively insane. Makes me appreciate mine even more.

    12. Re:Is this really a fix? by oodaloop · · Score: 1

      But, NO ONE who reads this site is ignorant of how pervasive Java is.

      Tell me about it. I just started my first cup of coffee.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    13. Re:Is this really a fix? by Anonymous Coward · · Score: 0

      For Pogo games, most likely.

    14. Re:Is this really a fix? by hairyfeet · · Score: 1, Offtopic

      A better question would be when is somebody gonna step up and stop slapping band aids on the bullet wound that is JavaScript and come up with something better. JavaScript was never designed for security, nor really built for all this "Web 3.0" crap and the way the web has evolved either you fuck the website owners or you risk getting pwned. You block all ads with ABP like I do by default for my users? The rate of infection drops right off the scale, pretty much the only infections you see after that is when they choose to download something funky.

      Frankly it's time to come up with something new, something designed with security in mind and by default sandboxing that won't allow a single webpage to call 3 dozen other addresses just to build the page. HTML V5 is a mess and worse than Flash in every single way, CPU, memory, bandwidth, it's just terrible, and you feel sorry for these little sites that say "please don't block us" but as long as they keep getting ads from third parties with no control or accountability what else can you do?

      The mess that is Java is just a symptom of a much larger problem, that website builders want and need to do more than plain JavaScript can do but at the same time the way you can just drop a link into any website and have it call up a malware server halfway around the world and have it dump shit right onto your PC is totally fucked up. We sent guys to the fricking moon, surely we can come up with a new language that will give website builders the tools they need without making it so damned easy to infect a machine.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    15. Re:Is this really a fix? by Anonymous Coward · · Score: 0

      For in case you sneeze?

    16. Re:Is this really a fix? by Anonymous Coward · · Score: 5, Informative

      Minecraft does not need the java browser plug-in.

    17. Re:Is this really a fix? by helix2301 · · Score: 1

      I was listening to twit.tv last night and while Leo was talking about how bad this was, the patch was released. We in the chatroom thought this was funny.

    18. Re:Is this really a fix? by snemarch · · Score: 1

      Proper web browsing hygiene includes not infecting one's browser with the Java plugin to begin with.

      There, fixed that for you.

      --
      Coffee-driven development.
    19. Re:Is this really a fix? by Anonymous Coward · · Score: 0

      Craig's List eh, I would be a little more worried about what the internet is for if I was you.

      http://www.youtube.com/watch?v=T-TA57L0kuc

    20. Re:Is this really a fix? by Anonymous Coward · · Score: 0

      And yet the plugin is installed without even asking when you install the JDK.

    21. Re:Is this really a fix? by gabereiser · · Score: 0

      Needs more diamonds. But yeah, Minecraft has boosted Java Installs in the last two years. My daughter installed java so she can play minecraft and asked for my help. I was about to yell at her, no, but then she gave me those puppy dog eyes no rational human being can ignore.... ...so I got her a puppy.

    22. Re:Is this really a fix? by Bobfrankly1 · · Score: 1

      That's just keyboard and mouse hygiene. Keeps you from accidentally enabling the sticky bit.

    23. Re:Is this really a fix? by hairyfeet · · Score: 1

      It's the same old same, bad software becomes popular, we have to keep bad software, lots of fixes and band aids when what we need is to move away from the bad software, simple as that. Oh and FYI but according to ZDNet this is strictly a band aid and the actual fix could take 2 years and that is if no more bugs are found. What are the odds of that?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    24. Re:Is this really a fix? by Anonymous Coward · · Score: 0

      It does not need java at all, probably was chosen only because the developer knew it best.

    25. Re:Is this really a fix? by Billly+Gates · · Score: 1

      Java came about because you could bundle instant messenger apps on sites, upload files, interface with other programs, etc. Today I can do this with javascript. HTML 5 and ajax lets me do even more as you can see in Google Talk in gmail.

      Oddly the one killer feature of using security exploits to manipulate Excel COM objects is why Java is used in the office for lines of credit apps for HR, finance, and the big banks with their corporate customers. Java 1.4.2 is standard as the latest ones stop these holes which the finance guys need. Other than that it is dying.

      With OpenXML and even Microsoft's proprietary version, parsing it through the server is easier than before, where binary objects were embedded in Excel 2003 files, so that last option is now off the table without a +COM hack.

      I used to be a HUGE fan of Java a decade ago and hoped it would come back as it rocks as a development platform with an API for everything under the sun with frameworks to scale to big enterprise apps. But that day is done and .NET offers more and is easier and doesn't have these security issues.

    26. Re:Is this really a fix? by Anonymous Coward · · Score: 0

      tell me how to do minecraft with out java then

    27. Re:Is this really a fix? by exomondo · · Score: 1

      A better question would be when is somebody gonna step up and stop slapping band aids on the bullet wound that is JavaScript and come up with something better.

      What's that got to do with the Java plugin?

      JavaScript was never designed for security, nor really built for all this "Web 3.0" crap

      And what specifically is it about JavaScript that you oppose that makes it inherently problematic that an alternative wouldn't suffer from?

      Frankly it's time to come up with something new, something designed with security in mind and by default sandboxing that won't allow a single webpage to call 3 dozen other addresses just to build the page.

      Why? Sandboxing can (and should) be done by the browser. Obviously plugins like Flash and Java make that difficult but that's not relevant to JavaScript.

      HTML V5 is a mess and worse than Flash in every single way, CPU, memory, bandwidth, it's just terrible

      Oh yeah Flash is brilliant, so long as you're on Windows or OSX, but a good chunk of browsing these days is done on platforms that Flash either doesn't run on or runs like crap on.

    28. Re:Is this really a fix? by Anonymous Coward · · Score: 0

      Minecraft does not need the java browser plug-in.

      Does that mean OP's mom is on those webcam sites?

    29. Re:Is this really a fix? by datavirtue · · Score: 1

      Yeah right. Troll. Tell us the other language with a built-in free, rock-solid 2D/3D graphics library that compares to Java's AND is easy to use AND will run on any decent computer.

      --
      I object to power without constructive purpose. --Spock
    30. Re:Is this really a fix? by datavirtue · · Score: 1

      According to ZDNet? Jesus, well that IS the last word on technology you know. Any slashdotter worth his skin only reads ZDNet to see what the Microsoft shills are saying at the moment--strictly entertainment (propaganda).

      --
      I object to power without constructive purpose. --Spock
    31. Re:Is this really a fix? by hairyfeet · · Score: 1

      If you would have bothered to click the link you would have seen they were only rehashing what two major security firms were saying after taking a look at the code. Don't let that get in the way of your fanboi bleating, don't forget to call it "M$" and scream about how much you love teh Google and teh FOSS for max whoreage.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. What about Java 6 (et al)? by Anonymous Coward · · Score: 0

    It isn't cool to force users to do a major version upgrade just to get a security patch.

    1. Re:What about Java 6 (et al)? by black3d · · Score: 4, Informative

      Java 6 isn't vulnerable to this particular exploit. Only 7.

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    2. Re:What about Java 6 (et al)? by Anonymous Coward · · Score: 1

      Java 6 isn't vulnerable to this particular exploit. Only 7.

      Java 6 already has its own security issues.

    3. Re:What about Java 6 (et al)? by Anonymous Coward · · Score: 2, Insightful

      So they give you something for free, choose to dictate how they will support this something and you complain?

      No wonder these companies gouge on the licensing where they can, ppl like you will demand an inch and take a mile.

    4. Re:What about Java 6 (et al)? by fuzzyfuzzyfungus · · Score: 3, Insightful

      So they give you something for free, choose to dictate how they will support this something and you complain?

      No wonder these companies gouge on the licensing where they can, ppl like you will demand an inch and take a mile.

      Nobody said that owning a 'platform' was a fun job. It's high blame, low praise, your undemanding customers have a willingness to pay hovering around $0, your customers who are willing to pay have a list of whiny demands about 'compatibility' and such. That's just how these things roll. Is it worth it to you to suck it up and reap the rewards, or is a different category of software a better fit?

      It honestly looks like (consumer) in-browser java is nearly dead, and the JVM isn't as lively on the client side as it once was, so Oracle might not have to decide whether they are in the 'platform' business in that area. The general point still stands. "Platform" is not a pretty category of software to be responsible for, it just sometimes happens to be lucrative enough to be worth it.

    5. Re:What about Java 6 (et al)? by Tablizer · · Score: 2

      It isn't cool to force users to do a major version downgrade just to get a security patch.

    6. Re: What about Java 6 (et al)? by Anonymous Coward · · Score: 1

      Java 6 is unsupported as of February anyway so it's hardly a big issue.

  3. Java or Javascript? by jkrise · · Score: 1

    I'm totally confused every time this comes up... do browsers have Javascript (more accurately ECMAScript) or Java itself? I understand it is the former; whereas Java is a plugin that needs to be explicitly installed. And I also believe Javascript has almost nothing to do with Java.

    Is Java on browsers so widespread?

    --
    If you keep throwing chairs, one day you'll break windows....
    1. Re:Java or Javascript? by Anonymous Coward · · Score: 0

      You appear to already know the answers. How can you be confused when you can clearly differentiate between Javascript (ECMA) and Java?

    2. Re:Java or Javascript? by Anonymous Coward · · Score: 0

      Yes.

    3. Re:Java or Javascript? by Anonymous Coward · · Score: 0

      Excellent point, jkrise.

      To my knowledge, Java applets aren't too common and haven't been since the '90s, when (ironically) that was the feature that fueled the endless hype around Java. By the mid-90's Java had become known as a mostly server-side technology. But there are still sites that want to provide a richer GUI than you can get from CSS, JavaScript/Ajax, for example for interactive vector graphic simulations.

    4. Re:Java or Javascript? by black3d · · Score: 3, Informative

      It's correct that the two have virtually nothing in common. However, Java in browsers is fairly widespread simply due to the fact that so many applications are built around the Java runtime and there's a good chance that at some time many users have needed to install it. A typical install of the Java Runtime Environment includes browser interaction.

      Many websites utilize Java through in-line apps and modern browsers make the installation process fairly simple (i.e., a couple of on-page redirects and a pop-up window which takes care of it all - the same way most browsers simplify Flash installation simply because it's so universal). For example, nVidia's video-card-detection routine is in Java and if it's not installed, will helpfully let you know and give a button to click to download it. Minecraft, of course, requires Java. Many development tools and even many network management packages are written in Java.

      Java on PCs is quite widespread and thus by default, so is Java on browsers.

      Javascript, as you rightly raise, is altogether different, and prevalent on all browsers by default (even though different browsers have different JS interpreters) and has nothing to do with the JRE.

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    5. Re:Java or Javascript? by jkrise · · Score: 1

      But there are still sites that want to provide a richer GUI than you can get from CSS, JavaScript/Ajax, for example for interactive vector graphic simulations.

      Thanks for the explanation. Any examples of such sites, if they are popular?

      --
      If you keep throwing chairs, one day you'll break windows....
    6. Re:Java or Javascript? by Anonymous Coward · · Score: 0

      oops, s/mid-90's/mid-00's/

    7. Re:Java or Javascript? by rwyoder · · Score: 1

      I'm totally confused every time this comes up... do browsers have Javascript (more accurately ECMAScript) or Java itself? I understand it is the former; whereas Java is a plugin that needs to be explicitly installed. And I also believe Javascript has almost nothing to do with Java.

      Is Java on browsers so widespread?

      I haven't needed Java since my last job where I routinely needed to use the web interface of F5 proxies, in which the latest major revision went to an all-Java interface.

    8. Re:Java or Javascript? by RedHackTea · · Score: 3, Informative

      I think the only popular sites are games now. Minecraft is the first you'll hear on /. It uses Java and LWJGL (Light-Weight Java Game Library) -- which essentially just uses JNI to expose native calls to OpenGL/AL/CL using C code. I believe there is both a Java Applet version and offline version (which may use Java WebStart, don't know).

      RuneScape and all of FunOrb (also made by Jagex -- the creators of Runescape) are also Java Applets.

      Other than games, you'll see sites use Java Applets for simulations, etc. -- things that are either computationally intensive or too complex. Since Java is object-oriented, has tons of built-in data structures, garbage collection, and runs off the client's (pretty fast) JVM in which there is a JVM available for the popular OSes, it's a better alternative to JavaScript or Silverlight for these tasks.

      --
      The G
    9. Re:Java or Javascript? by QQBoss · · Score: 0

      LOL, this reminds me of when our HR people took my project head's request for an experienced programmer knowledgeable in Java and put out a notice for a Java programmer, 10 years experience required- in 1997.

    10. Re:Java or Javascript? by Anonymous Coward · · Score: 0

      Here's a random example; although in this particular case it could probably be recoded to use JavaScript.

    11. Re:Java or Javascript? by Anonymous Coward · · Score: 0

      Popular? No. However, there are still plenty of sites that use java. For instance:

          http://www.diyonline.com/

      Most of the tools there require java. And those tools are used by several large companies.

    12. Re:Java or Javascript? by Billly+Gates · · Score: 5, Informative

      Javascript absolutely has nothing to do with Java.

      Netscape realized for the web to take off as a platform it needed to do more than just display text and pictures so logic was needed. Netscape invented Livescript. Sun didn't like it and was in talks with making Java used instead of Livescript for dynamic web content.

      So Netscape made a deal to rename Livescript Javascript with the contract to include jre with Netscape 3. It has nothing to do with it other than pure marketing name to confuse users to spread synergy to Java instead which is what Sun hoped as Livescript aka Javascript was very limited at the time.

      It became a standard to this day.

    13. Re:Java or Javascript? by c0lo · · Score: 1

      Is Java on browsers so widespread?

      Don't know how accurate they are, but some say more than 40% of the computers connected to internet have Java plugin.

      --
      Questions raise, answers kill. Raise questions to stay alive.
    14. Re:Java or Javascript? by LordLimecat · · Score: 1

      FallingSandGame, Minecraft.

    15. Re:Java or Javascript? by Anonymous Coward · · Score: 0

      Java itself is the malware.

      Javascript is the malware delivery mechanism.

      Obligatory car analogy. Java is the worn down tire about to blow at any arbitrary moment, Javascript is the road that the car is speeding precariously along.

  4. Leftovers by Anonymous Coward · · Score: 0

    So does this leave the last 15 versions of Java the user has still installed and listed in the programs list? How secure is that?

    1. Re:Leftovers by black3d · · Score: 1

      I've never experienced that. Could it be a user configuration issue?

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    2. Re:Leftovers by sourcerror · · Score: 0

      How secure is using Firefox 3.0?

    3. Re:Leftovers by lister+king+of+smeg · · Score: 1

      Odd, as I have regularly run into it when cleaning up peoples computers.

      --
      ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
    4. Re:Leftovers by X0563511 · · Score: 1

      The JRE, or just the JDK?

      For a -loooong- time the JRE gets installed in a place like c:\program files\java\jre[5,6,7]

      However, the JDK if you have that, gets its full version in the path. So when that is updated, the old version remains.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    5. Re:Leftovers by bertok · · Score: 3, Informative

      Older versions of Java defaulted to side-by-side installation mode, which was then kept even after newer releases were installed on top.

      Newer versions default to in-place upgrade mode instead.

      It's poorly documented, and as far as I know, the only way to fix it is to completely uninstall and re-install the latest version.

    6. Re:Leftovers by symbolset · · Score: 1

      Malware often masquerades as versions of Java since Java requires all the things malware does. Hence, when you're cleaning up peoples' computers you will find lots of odd versions of java. This is evidence the machine is completely hosed.

      When there is malware on a Windows PC, back it up and do a DBAN. Then build new starting from an official Microsoft .ISO and add verified OEM drivers. It is the only way to be sure. Then run a solid AV scan on the backed-up user content from a trusted PC before you pull it back in. Most of the time this gives good result. If the customer is a high-value target though, all bets are off. High-value targets need to not use Windows.

      --
      Help stamp out iliturcy.
    7. Re:Leftovers by __aablib8664 · · Score: 1

      It didn't do an upgrade from 7-9 for me, it just side-by-sided anyways. Uninstalled. I'm tired of waiting for the next vulnerability by a company who doesn't appear to care (anymore?)

    8. Re:Leftovers by Anonymous Coward · · Score: 0

      No instead it just fails to install because of those other versions requiring you to use the WICU to cleanup older installs on 20% of the workstations where it's installed.

  5. August 2012 to January 2013 by QuietLagoon · · Score: 4, Insightful

    A vuln that apparently was first reported in August 2012 is finally fixed (maybe) in January 2013.

    Why can't the larger companies, e.g. Microsoft and Oracle, respond to and fix the security issues more quickly than on a timeline expressed in months?

    1. Re:August 2012 to January 2013 by dreamchaser · · Score: 3, Insightful

      I couldn't agree more. It will probably take legal action to change this mentality. Eventually someone will sue one of the big software companies and win because a known vulnerability wasn't patched.

      I really hate saying this because I am mostly libertarian and wary of too much regulation, but I think it is high time that there are regulations akin to those imposed on other engineering disciplines put into place over software that is used in 'e-infrastructure' such as banking, etc. Right now there isn't any, and thus huge multi-billion dollar companies are free to drag their feet on fixes or even outright ignore vulnerabilities that can cause serious harm to people.

    2. Re:August 2012 to January 2013 by Gadget_Guy · · Score: 2

      When a bug report is received, it gets evaluated and prioritised. It can take a non trivial time to track down and fix the bug (and any associated bugs in similar code). It takes time to test it in all the platforms and configurations (they have had to hastily recall patches in the past where the fix does more damage than the original bug).

      It probably goes through some review process before being merged into the main code line (large companies can't allow anarchy with their code edits). Finally, patches are buffered to a schedule to allow their clients to plan for their own testing and application of patches.

      All this takes time. You can make a system where you don't have this level of bureaucracy, but that can cause its own problems and delays. So why did this specific Java bug take five months to fix? Without being privy to their processes we can't say for sure. Perhaps the extra step of outsourcing the fix to a third world country took a bit more time!

    3. Re:August 2012 to January 2013 by sk999 · · Score: 1

      Why can't the larger companies, e.g. Microsoft and Oracle, respond to and fix the security issues more quickly than on a timeline expressed in months?

      It's because big companies like Oracle are too busy pursuing lawsuits against Google for IP infringement:
      http://news.cnet.com/8301-1023_3-57526509-93/oracle-appeals-ruling-in-lawsuit-over-googles-use-of-java/

      Protection of "IP" takes precedence over fixing security holes in the same "IP" every time.

    4. Re:August 2012 to January 2013 by phantomfive · · Score: 1

      Why can't the larger companies, e.g. Microsoft and Oracle, respond to and fix the security issues more quickly than on a timeline expressed in months?

      They can, the reason they don't is because they don't care. There are ways to do this, even in large companies.

      If they wanted to do it, they would tell a middle-manager, "Fix this, test it, and get it out quickly. Your performance on this task will show up on your annual review." Then make sure he has the resources he needs to accomplish that. They didn't do this, which indicates that they don't care.

      --
      "First they came for the slanderers and i said nothing."
    5. Re:August 2012 to January 2013 by X0563511 · · Score: 2

      Lawyers and PHBs do not write code (thankfully). Nor do they test builds.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    6. Re:August 2012 to January 2013 by KingMotley · · Score: 1

      UH, yeah. I know the large companies I was in, I was constantly getting sidetracked by having to study law so that I could lead an IP infringement suit. That's what all good corporate programmers spend their time on.

    7. Re:August 2012 to January 2013 by phantomfive · · Score: 1

      I really hate saying this because I am mostly libertarian and wary of too much regulation, but I think it is high time that there are regulations akin to those imposed on other engineering disciplines put into place over software that is used in 'e-infrastructure' such as banking, etc.

      You ask for that, but what you end up with will teach you the problems of regulations.

      You will end up with some standards to follow that will slow you down, and won't make the code secure (in some cases, may make it less secure). It will be hard to change the standards, because the legislative process is slow. Large companies will get in on the process and make sure the regulations benefit them in some way (for example, Oracle might lobby that everyone be forced to use Java, because "sandboxes are more secure" or something. It doesn't matter if it's true. Coverity will lobby to force you to use static analysis. Someone will have the bright idea that every function must have one return statement, and only at the end of the function).

      It's also worth mentioning, if you use open source, you won't be at the mercy of companies dragging their feet like this.

      --
      "First they came for the slanderers and i said nothing."
    8. Re:August 2012 to January 2013 by QuietLagoon · · Score: 1, Troll

      When a bug report is received, it gets evaluated and prioritised. It can take a non trivial time to track down and fix the bug (and any associated bugs in similar code).

      Instead of trying to rationalize and trivialize the incompetence of the companies that provide a lot of the software infrastructure that the IT industry uses, maybe your online efforts might be better served to try to effect a change in the companies providing that software infrastructure to be able to produce a timely solution that protects the users from vulns.

    9. Re:August 2012 to January 2013 by QuietLagoon · · Score: 1

      Additionally, if the companies you seem to be defending have such a rigorous process for putting software out into general usage, how do such critical security bugs apparently seem to be able to side-step that very rigorous process and get Out Into The Wild?

    10. Re:August 2012 to January 2013 by sproketboy · · Score: 1

      Then you're not a libertarian, you're a hypocrite.

    11. Re:August 2012 to January 2013 by jebblue · · Score: 0

      Because software is hard to get right and it's written by people who make up companies from 1 person to tens of thousands, still just people trying to put food on the tables for their families.

    12. Re:August 2012 to January 2013 by Anonymous Coward · · Score: 0

      They didn't do this, which indicates that they don't care.

      You cannot draw that conclusion so simply. You have to remember that their first priority is to ship solid, full-feature software. Getting a patch through the professional regression testing takes some time.

    13. Re:August 2012 to January 2013 by sk999 · · Score: 1

      It is the CEO of the big company who establishes priorities. If the CEO wants a security hole fixed, it will be fixed. When the CEO is personally involved in the courtroom protecting "IP":
      http://www.sfgate.com/technology/article/Ellison-testifies-in-Android-suit-against-Google-3489185.php
      the fixing of security holes will suffer.

    14. Re:August 2012 to January 2013 by phantomfive · · Score: 1

      You cannot draw that conclusion so simply. You have to remember that their first priority is to ship solid, full-feature software.

      Yes, I can. I'm an experienced professional and I know what it takes. Java is well known to have an extensive automated testing suite, further simplifying the task. If Larry says it's a priority, it will get fixed.

      Oracle is facing a problem that many good engineers who used to work at Sun have left. It is likely they are understaffed with the people necessary to maintain their systems, and the remaining people are having trouble making good priorities.

      --
      "First they came for the slanderers and i said nothing."
    15. Re:August 2012 to January 2013 by Anonymous Coward · · Score: 0

      Just like everyone else who got hot on Atlas Shrugged when they were 19 and ended up managing in a regulated industry by the time they were 45.

      If you're looking for a sophomoric philosophy, forget libertarianism and embrace marxism. At least the analysis remains correct even after you've sold out to the man.

    16. Re:August 2012 to January 2013 by black3d · · Score: 2

      To be fair, he did say "mostly libertarian".

      Show me a man who's "100% libertarian" and I'll show you an insane man.

      If "insane" is too harsh for you, substitute with "wearing intellectual blinders". While Libertarianism portrays itself as a platform of individual rights, taken to the logical extreme all the rights become null and void as they have no bearing on your interactions with anybody else. For example, how do you resolve the good old conflict of "I have a right to speak" with "I have a right not to hear you" (or, I have a right to peace and quiet)? The only ways to resolve it are either to force one of the individuals to move (a violation of the doctrine), forcing one of the individuals to wear sound-block devices (a violation of the doctrine), or create laws about when or where people can be heard or expect to have to listen and expect the two parties to work around these limitations (a violation of the doctrine).

      Of course, various philosophers have their own answers to this, and varying interpretations and extremes of Libertarianism, and ultimately it must be accepted to reasonably be about "minimizing" rather than "removing" controls. Which means OP, being "mostly Libertarian", is a sane Libertarian.

      While Godwin, Rand and Armand may outwardly appear like sensible people who write sensible books, most of their views are in violation of the Tragedy of the Commons. In other words, the philosophies only pan out for the individual if a small percentage of the population are self-absorbed egoists. If everyone was, it stops working, and any philosophy which relies on other people being worse off than you is tremendously selfish.

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    17. Re:August 2012 to January 2013 by Gadget_Guy · · Score: 1

      What is your solution then? Release patches that are rushed and untested? Mark everything as "top priority" so that all bugs are finished faster?

      As a developer in a small team, I can get away with shipping bug fixes without having to go through a process like I described. A small team can be agile and responsive like that. But I can imagine how chaotic this would be in a large organisation. Just because you can't understand that bug fixing actually takes time means that you would be more suited to a career in management rather than programming.

    18. Re:August 2012 to January 2013 by X0563511 · · Score: 1

      Er, the CEO shouldn't be micromanaging all the different departments and sections of the company. He's got people below for that, and people below those etc.

      The people who do product development and maintenance are not the people who would be in the courtroom. They are not the finance people, and they are not the sales/marketing people. Saying that one department being focused on lawsuits would prevent an unrelated department from doing their job tells me you've not been involved with a company larger than 10 or so people...

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    19. Re:August 2012 to January 2013 by Gadget_Guy · · Score: 1

      Because no system is perfect. The code behind any modern operating system is far too complicated for any individual to understand. All the best intentions and best practices in the world will not completely catch all the bugs. But they do catch some, so it is worth trying to catch them.

      To use a car analogy, what you said is like questioning the worth of seatbelts. Just because they don't save every life in an accident doesn't mean that it's not worth wearing them.

    20. Re:August 2012 to January 2013 by Anonymous Coward · · Score: 0

      Why can't the larger companies, e.g. Microsoft and Oracle, respond to and fix the security issues more quickly than on a timeline expressed in months?

      Because there is no real (profit) motivation until they get bad press, like this recommendation to uninstall Java from US Department of Homeland Security.

    21. Re:August 2012 to January 2013 by spongman · · Score: 1

      how do you resolve the good old conflict of "I have a right to speak" with "I have a right not to hear you"

      wouldn't that be covered by trespass?

    22. Re:August 2012 to January 2013 by penix1 · · Score: 1

      To use a car analogy, what you said is like questioning the worth of seatbelts. Just because they don't save every life in an accident doesn't mean that it's not worth wearing them.

      Let's carry your analogy to its conclusion...

      The auto industry fought seatbelts tooth and nail and it took Congressional regulation for them to even consider them. That's part of how Ralph Nader earned his name recognition. Much like the software industry is fighting tooth and nail any attempt to make their software safe.

      My way to fix this is much simpler. Simply make the "AS-IS" clause of their EULA null and void and allow the users to sue for the damages when their defective products really hurt real people. A few high profile suits will make them put more of a priority on these vulnerabilities.

      --
      This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
    23. Re:August 2012 to January 2013 by Anonymous Coward · · Score: 0

      He's got a point. There were shitloads of Java applet vulnerabilities when Sun was managing the store. (I know, I got owned by one.) But Sun was a "good guy" and Oracle is a "bad guy" so now it gets much more negative IT press.

    24. Re:August 2012 to January 2013 by Mojo66 · · Score: 1

      Why can't the larger companies, e.g. Microsoft and Oracle, respond to and fix the security issues more quickly than on a timeline expressed in months?

      They probably had a fix in the drawer for months but didn't release it in order to give the impression of being able to react quickly once the vuln is public. This makes the company look good to consumers and the press, and it pads statistics that measure reaction time to vulnerabilities. Everyone is doing it. Publicity first, consumer last.

    25. Re:August 2012 to January 2013 by Gadget_Guy · · Score: 1

      My way to fix this is much simpler. Simply make the "AS-IS" clause of their EULA null and void and allow the users to sue for the damages when their defective products really hurt real people. A few high profile suits will make them put more of a priority on these vulnerabilities.

      This would probably also dramatically increase the cost of all the software, not only to pay for the lawsuits but also for all the extra development work required.

    26. Re:August 2012 to January 2013 by Anonymous Coward · · Score: 0

      In defense of the press, Oracle is the fucking devil.

    27. Re:August 2012 to January 2013 by mvdwege · · Score: 1

      Doesn't matter. The minute you accept that the free expression of one's rights may violate another's rights is the moment you accept that there is a ground to force one of the two participants to give up their rights.

      As grandparent pointed out, the very basis of Libertarianism is paradoxical, which is why extreme Libertarians always sound like nuts.

      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
    28. Re:August 2012 to January 2013 by penix1 · · Score: 1

      And I am fine with that as long as the quality goes up which it would have to when you remove the AS-IS clause. Why should software be exempt from the product liability laws?

      --
      This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
    29. Re:August 2012 to January 2013 by spongman · · Score: 1

      Ok, not as a question, then: trespass covers that.

    30. Re:August 2012 to January 2013 by dreamchaser · · Score: 1

      To be fair, he did say "mostly libertarian".

      Show me a man who's "100% libertarian" and I'll show you an insane man.

      Thank you. It's always nice to see a civil response instead of the normal ad hominems online. I posed it more as a question or a discussion topic. I don't really know the answer but it's an increasing problem. Oracle knew about this and did nothing. In just about any other industry that could lead to criminal charges, let alone a lawsuit.

      I'm not a big fan of regulation but I'm mature enough to recognize that sensible regulation is sometimes needed in modern society. I am still struggling with this one because my nature is to want Government to stay out of people's business, but when that business has the potential to have an effect on infrastructure or the livelihoods of others then sometimes it's a necessary evil.

    31. Re:August 2012 to January 2013 by mvdwege · · Score: 1

      Still the paradox remains: the moment you sue someone for trespass, you use the power of the State to restrict their rights.

      Libertarianism in its extreme preaches a paradoxical position: individual rights reign supreme until something comes along that makes it all right to restrict them.

      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
    32. Re:August 2012 to January 2013 by thoth · · Score: 1

      Why can't the larger companies, e.g. Microsoft and Oracle, respond to and fix the security issues more quickly than on a timeline expressed in months?

      They are a corporation and have no profit incentive to act faster?
      Or more specifically, risk to customers and ill-will generated doesn't cause a large enough monetary impact to the corporation than the cost to fix the problem?
      Until now, when the issue is out and actively exploited in malware kits.

    33. Re:August 2012 to January 2013 by thoth · · Score: 1

      I think it's more interesting to note this bug took "five months to fix", but 3 days to fix after it started showing up in point-and-click exploit kits.
      Seems pretty obvious that those initial five months didn't provide enough shall we say... motivation... to fix it, until Java started taking some black eyes and gut punches. Then, the solution miraculously came about over a weekend.

    34. Re:August 2012 to January 2013 by thoth · · Score: 1

      They didn't do this, which indicates that they don't care.

      You cannot draw that conclusion so simply. You have to remember that their first priority is to ship solid, full-feature software. Getting a patch through the professional regression testing takes some time.

      All the same, the timeline shows some tradeoffs between priorities and incentives.
      Professional regression testing, etc didn't seem to act very fast for 5 months. Then when the bug was actively exploited, it took 3 days to fix.

      I suppose you could claim they had the fix in hand and were just wrapping up coincidentally the same weekend exploit kits were using it and everybody was advising to uninstall/block java, but seriously, it is obvious what happened here: Oracle didn't care until the bonfire under their nuts was lit on fire.

    35. Re:August 2012 to January 2013 by RobertLTux · · Score: 1

      What should replace the AS-IS clause is a simple "Fitness for Purpose Stated" clause. Does it:

      1. perform the function it is for
      2. have reasonable steps been taken to ensure that it is safe and stable
      3. if it writes files, have steps been taken to ensure it writes only to the needed areas and safeguards against deleting an excess amount of files (so no twitch-the-mouse-and-delete-half-the-files-on-the-computer type things)

      you wouldn't allow a truck to be sold with some sort of "blow up the gas tank" type problem and then have the OEM tell everybody FOAD it was sold as is would you??

      --
      Any person using FTFY or editing my postings agrees to a US$50.00 charge
    36. Re:August 2012 to January 2013 by cbhacking · · Score: 1

      Well, as an example, this site you're reading wouldn't exist. The browser you're reading it in probably wouldn't either. If you're like a substantial portion of the readership of this site, the OS you're running that browser on most likely wouldn't exist either.

      Free software (in either the gratis or libre sense) would be nigh-impossible without the "as-is" clause you so deride. At the very least, nobody would publicly publish it. In the "cathedral and the bazaar" sense, the bazaar becomes impossible (every single code submission becomes a new source of liability) and the cathedral approach becomes far too expensive to use for anything short of critical applications (actually critical, like medical and telecom systems, not such silly little things as web browsers). So, IBM would still exist, but they'd be serving a very niche environment. Microsoft would probably exist, but they'd either be writing software for those really expensive systems (and selling it for thousands of dollars, minimum) or they'd still only have one or two products: development tools that could be used by very wealthy hobbyists who had managed to acquire computers. Hardware would be vastly more expensive, as the demand would be much lower and thus there would never have been the money to fund massive R&D.

      As-is solutions work pretty well. Did you know that in most of the world, you can't sue a doctor for malpractice? Liability insurance is one of the major reasons why medicine is so vastly more expensive in the US than almost anywhere else. Yes, it's also "safer"... assuming you can afford it at all.

      --
      There's no place I could be, since I've found Serenity...
    37. Re:August 2012 to January 2013 by Anonymous Coward · · Score: 0

      As long as the stockholders get their double digit increase what's the problem?

    38. Re:August 2012 to January 2013 by Anonymous Coward · · Score: 0

      It is not that regulation is necessary. Yes, the big companies have a horrible track record. So dump them, then. Don't use their products! Ditch unsafe java. Quit unsafe microsoft products - including "windows". It can be done, because there are alternatives. Cheaper ones, even.

      You may have to learn some new software - of course. And discover that it is ok, even though it is different. (But a new windows version was always different from the predecessor anyway.) Some may have to switch to a bank that doesn't use java - but that is ok because such banks exist.

      There are competing products folks - use them! No need to stick with any particular vendor - not even microsoft.

    39. Re:August 2012 to January 2013 by spongman · · Score: 1

      You're mislabeling anarchy. Libertarianism supports rights monopoly through property.

    40. Re:August 2012 to January 2013 by mvdwege · · Score: 1

      And instead of shouting empty phrases at me, you'd do better to actually show you think.

      Again, the concept of individual rights has an inherent paradox in it: if your rights infringe on another's, you will find them restricted. Extreme Libertarians refuse to engage in a sensible discussion on how to solve this in practice, instead contenting themselves with repeating mantras such as "the market will sort it out" or "property rights".

      And you yourself mislabel anarchy. Anarchy is the non-existence of the State, but Anarchist theory is at least willing to look the paradox of counteracting rights straight in the eye.

      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
    41. Re:August 2012 to January 2013 by lennier · · Score: 1

      You're mislabeling anarchy. Libertarianism supports rights monopoly through property.

      Yep, and this quality of monopoly leads directly by logical progression to literal medieval-style feudalism (property-owners consolidate; property-owners rent the use of their property to others who may re-rent it; society devolves on an accelerating spiral into an overclass of owners with all the rights and an underclass of renters at the absolute mercy of the owners, without even the right to purchase the justice of their peers; an optional hierarchy of idle rich monarchs, dukes, barons, etc being possible in between; the decentralisation of violence allowing wars to become a common means of settling disputes). All from one little right called "property". Actually, from two things: from nominal ownership of "property" being abstracted and separated from its actual use and upkeep by the people who work it (the renters, serfs or workers); and from this abstract property right being allowed to trump all other actual human rights such as food, safety and justice.

      It's fascinating and a little scary how quickly libertarianism deconstructs itself even in theory. The Path to Serfdom, indeed.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    42. Re:August 2012 to January 2013 by lennier · · Score: 1

      Extreme Libertarians refuse to engage in a sensible discussion on how to solve this in practice, instead contenting themselves with repeating mantras such as "the market will sort it out" or "property rights".

      Arguably, if the entire universe is a market, the "market" does sort everything out, in that everything that exists, exists because the universe allows it to exist.

      This of course makes "the market will provide X" indistinguishable from a null statement. Of course the market will provide X; the market is everything that's possible. But at what price will it choose to provide X? "Zero quantity of X for infinity dollars after infinite years" is a perfectly valid solution of the supply/demand equation. And "the market will provide War, Terror, Starvation and Death for 1000 years for 99% of the population, and Bohemian Luxury for a tiny elite" is also a perfectly valid solution.

      To subvert a common libertarian example - if someone points a gun at me and says "dig your own grave or die right now", they're not actually taking me out of the market mechanism to do that. They're simply providing a rational choice (dig or die), a service (not immediately shooting me), and a charge (my digging). It's a valid contract, and I have the choice to accept or reject. Obviously if I reject the contract I may die, but - Atlas shrugs - that's life, isn't it? The market as a whole sees no self-interest in my continuing to live unless I provide it with services, and if we get really technical and precise about decoupling every private action from empathy, just *because* someone pulls the trigger on the gun they privately own and control, doesn't mean I'm *necessarily* going to die - I do also have the choice to dodge out of the way, etc, etc. There really is no there there in libertarianism; we can keep playing the "I'm not responsible for your happiness, even though I can logically foresee that the result of my actions will hurt you" game forever.

      The problem is that as humans we have actual concrete needs which we would like actual concrete solutions for inside a feasible timeframe, and not just an abstract "well, you'll get that if/when it's possible for whatever price you're willing to pay". And sometimes those solutions require more than just shrugging and assuming someone else will solve them, which is what free market theory boils down to in the end.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    43. Re:August 2012 to January 2013 by spongman · · Score: 1

      Well, you can argue the morality of ownership, that's fine. I'm just pointing out that there's no paradox as stated above.

    44. Re:August 2012 to January 2013 by spongman · · Score: 1

      This isn't about what I think, so please restrain yourself.

      I'm just pointing out that your assertion that libertarianism is inconsistent because there's no way to resolve your hypothetical rights issue is invalid, because that case is easily resolved by property ownership and trespass law, both of which are consistent with libertarian philosophy. It sounds to me that you want to prove your paradox by re-labeling libertarianism 'extreme' enough that they don't claim these points. Can you provide a reference to someone else using this label, because I haven't heard of this before.

      Maybe if you could show how these so-called 'extreme' libertarians (that do not consider the validity of property and trespass) are different from anarchists in this respect?

    45. Re:August 2012 to January 2013 by mvdwege · · Score: 1

      Can you please prove that you actually have thought, instead of repeating the party line? Property rights and trespass restrict other people's rights. This is a paradox you can't solve except by axiomatically deciding one set of rights is worth more than another, but this is an axiom, not a self-evident truth.

      You still have not addressed that. And people who take this stance without taking the time to actually think about this issue I do label extreme libertarians, I thought that much was obvious from the context of my original post. Then again, seeing as that you appear to have trouble grasping the nature of rights and how they interact, perhaps I should have used smaller words.

      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
    46. Re:August 2012 to January 2013 by spongman · · Score: 1

      Actually property and trespass address that completely.

      Your repeated ad hominem attacks and circular arguments lead me to conclude you're a troll. Good bye.

    47. Re:August 2012 to January 2013 by jgarry · · Score: 1

      To use a car analogy, what you said is like questioning the worth of seatbelts. Just because they don't save every life in an accident doesn't mean that it's not worth wearing them.

      Let's carry your analogy to its conclusion...

      The auto industry fought seatbelts tooth and nail and it took Congressional regulation for them to even consider them. That's part of how Ralph Nader earned his name recognition. Much like the software industry is fighting tooth and nail any attempt to make their software safe.

      My way to fix this is much simpler. Simply make the "AS-IS" clause of their EULA null and void and allow the users to sue for the damages when their defective products really hurt real people. A few high profile suits will make them put more of a priority on these vulnerabilities.

      There's an asymmetry issue here. The largest companies have the most lawyers.

      Though I certainly agree a maturing industry needs liability. Corvairs were ten years ahead of Porsches in some technology (like turbocharging), 911's were famous for decades after Nader for going ass first off the road. --sarcasm-- German lack of liability certainly didn't hinder innovation there. If you can't handle trailing throttle oversteer, you aren't manly enough!--/sarcasm--

      --
      Oracle and unix guy.
    48. Re:August 2012 to January 2013 by jgarry · · Score: 1

      A vuln that apparently was first reported in August 2012 is finally fixed (maybe) in January 2013.

      Why can't the larger companies, e.g. Microsoft and Oracle, respond to and fix the security issues more quickly than on a timeline expressed in months?

      Because they need this guy in charge.

      --
      Oracle and unix guy.
    49. Re:August 2012 to January 2013 by Anonymous Coward · · Score: 0

      A few high profile suits will make them put more of a priority on these vulnerabilities.

      Need to fix a problem? Sue people, that's the American way!

    50. Re:August 2012 to January 2013 by exomondo · · Score: 1

      What should replace the AS-IS clause is a simple "Fitness for Purpose Stated" clause. Does it:

      1. perform the function it is for
      2. have reasonable steps been taken to ensure that it is safe and stable
      3. if it writes files, have steps been taken to ensure it writes only to the needed areas and safeguards against deleting an excess amount of files (so no twitch-the-mouse-and-delete-half-the-files-on-the-computer type things)

      Ok then, take Windows - for example - and define those things. The function it is for, the reasonable steps that need to be taken to ensure it is safe and stable (remembering that almost all BSODs are caused by malfunctioning drivers or hardware), and which areas can it write files to?
      What if I want to easily delete a large amount of files? Is that an exception to that rule? Are the permissions on system files enough, or do they need to restrict the user from being able to override those permissions?

      That clause isn't 'simple' at all.

    51. Re:August 2012 to January 2013 by mvdwege · · Score: 1

      So how do property rights and trespass protect one's rights without restricting another's? If you have food, and I'm starving, your property right infringes on my right to live.

      But given that you won't want to address that, and that you don't even know what an 'ad hominem' really is (except that it sounds important and mean), I can conclude that you're one of the libertards, for whom 'my property' is everything, and the rest of the world can go hang, even if they ask the rest of the world to pay taxes for the police to protect said property.

      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
  6. Java and Flash by tepples · · Score: 4, Informative

    Browsers come with only JS. Java is a plug-in published by Oracle that plays applets written in Java, just as Flash Player is a plug-in published by Adobe that plays applets written in ActionScript.

    1. Re:Java and Flash by jkrise · · Score: 1

      Java is a plug-in published by Oracle that plays applets written in Java,

      Yes, I understood that bit, which is why I asked the final question: Is the Java plugin downloaded so often, to run on browsers? (alternately)

      Is Java plug-in bundled with browsers without the need for separate downloading?

      --
      If you keep throwing chairs, one day you'll break windows....
    2. Re:Java and Flash by Shikaku · · Score: 1, Informative

      You have to manually install it or a piece of software you run needs it and installs it. No modern browser needs it nowadays.

    3. Re:Java and Flash by tepples · · Score: 2

      Is Java plug-in bundled with browsers without the need for separate downloading?

      No. As far as I know, Flash isn't bundled either, except with Chrome. Java also has an environment for applications that run outside the browser such as FrostWire and Minecraft. Perhaps people are installing Java to run those, and the installer drops the plug-in into all installed browsers.

    4. Re:Java and Flash by PNutts · · Score: 2

      No modern browser needs it nowadays.

      It depends on what you're trying to do.

    5. Re:Java and Flash by Anonymous Coward · · Score: 0

      Java comes preinstalled on a lot of PCs (or at least it used to). Also, some browsers prompt you to install Java when you encounter an applet (or at least they used to).

      The result is that a buttzillion users have Java installed even if they don't want or need it.

    6. Re:Java and Flash by Anonymous Coward · · Score: 0

      Java is a plug-in published by Oracle that plays applets written in Java,

      Yes, I understood that bit, which is why I asked the final question: Is the Java plugin downloaded so often, to run on browsers?

      No, but if you download the Java runtime for anything (for example, LibreOffice or Eclipse, including the Android dev kit) it will install the web plugin as well.

      Since there is a lot of software that, for whatever reason, requires the Java runtime, a lot of people have the plugin installed without realizing it.

    7. Re:Java and Flash by Giant+Electronic+Bra · · Score: 1

      Normally the browser plug-in is a totally different independent install from Java itself. It's POSSIBLE an installer could bundle Java and a Java browser plug-in (like say IcedTea). Linux distros will generally install Java to satisfy the plugin's dependencies for instance, which in something like Ubuntu could happen almost automatically. I don't think anything like that will happen in Windows or OSX normally.

      Lots of people DO have Java installed for completely other reasons than web applets though. In fact it is mostly used the same way .NET is, as a platform-independent managed code runtime. Nowadays frankly I don't see a lot of reason for most people to install the plugin though. Applets are OK, but most stuff is migrating to HTML5/JS anyway.

      --
      "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
    8. Re:Java and Flash by fuzzyfuzzyfungus · · Score: 1

      Java comes preinstalled on a lot of PCs (or at least it used to). Also, some browsers prompt you to install Java when you encounter an applet (or at least they used to).

      The result is that a buttzillion users have Java installed even if they don't want or need it.

      The one that really pisses me off is when the official Java autoupdate utility decides that you must not have meant it when you disabled the browser plugin, and helpfully re-installs it for you...

    9. Re:Java and Flash by Anonymous Coward · · Score: 0

      Yes, it's part of the remote console access toolkit for HP's ILO remote management, Dell's old "DRAC" technology, and almost anything that uses what is really VNC behind the scenes to provide remote console access to a browser.

    10. Re:Java and Flash by Anonymous Coward · · Score: 0

      The java plugin generally isn't bundled with browsers. However, it may be bundled with your computer. A Lenovo laptop I had about a decade ago came pre-loaded with Java, because its software update program was written in Java.

    11. Re:Java and Flash by Anonymous Coward · · Score: 0

      If you're doing anything involving Java then you're doing it wrong.

    12. Re:Java and Flash by Runaway1956 · · Score: 1

      "Secondly, it auto-installs if the plug-in isn't present."

      Ahhh, yes, I remember that. That was the Wonderful World of Windows. Things just auto-install themselves with little, if any, input from the user, or the administrator.

      In alternate realities, such as the Unixverse, the user must call up a program from which he searches for the particular package he wants to install. Or, he must be familiar enough with his package manager to call it up from a terminal. Auto-install has proven to be a Very_Bad_Thing, time and again.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    13. Re:Java and Flash by Anonymous Coward · · Score: 0

      On the other hand: Wonderful World of Linux. Nothing is compatible with each other, so nothing installs properly. Runaway1956 is mentally-retarded enough to think this is a security feature.

      Browsers that have prompted users to auto install Java at various points in time:
      - Internet Explorer
      - Firefox
      - Safari

      And let's not forget this was all due to the exceptional marketing efforts of Unix-buttlords Sun Microsystems. So it's obviously all M$ W1nBl0wz fault or whatever.

      Thank you for your completely uninformed knee-jerk input, Runaway1956!

    14. Re:Java and Flash by Anonymous Coward · · Score: 0

      In the Wonderful World of Linux, we type configure; make && make install and let others worry about binary compatibility.

    15. Re:Java and Flash by smash · · Score: 1

      Unfortunately, heaps of enterprise management tools require Java (either that or CLI, but sometimes visualizing what is going on with a particular device is easier with a GUI where you have graphs, etc).

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    16. Re:Java and Flash by oatworm · · Score: 5, Interesting

      Tell that to lawyers that need it to access PACER or their local court filing repository. Or tell that to various medical professionals that have line-of-business apps written in Java (recently stumbled across a pano controller package written entirely in Java - that was cute). Or tell that to certain financial industries that use Java to submit various bits of paperwork (if you're a merchant filing for credit card processing, there's a decent chance your application was scanned and uploaded using a Java app called "AMA", depending on which platform your processor is underwriting with). Or tell that to businesses that electronically deposit checks - quite a few banks out there use scanners with Java software to get the checks from the business' PC into the banking system.

      Java's actually fairly commonly used for line-of-business applications because it's fairly easy to find Java developers ("easy" being synonymous with "cheap"), the tools start at "free", it's sort of platform neutral, and it's been around for a while. Plus, a lot of those Java line-of-business apps were first written 5-10 years ago and, well, they still basically work - given a choice between paying for a total re-implementation of some tool that works "reliably", doing the necessary field testing to prove it's at least as secure, functional, and stable as the current implementation, or just periodically testing it against the latest version of Java, guess what most businesses do?

      Now you know why Java exploits are a big deal.

    17. Re:Java and Flash by drkstr1 · · Score: 1

      Don't forget makepkg! It helps if you want to uninstall later. :)

      --
      Fanboy Status: Apache Flex, C#, Eclipse, KDE, Pirate Party, Ron Paul, Slackware, Windows 7
    18. Re:Java and Flash by DarwinSurvivor · · Score: 1

      HAHA, someone actually convinced another human being that .NET is platform-independent! I think I owe someone 10 bucks.

    19. Re:Java and Flash by JohnVanVliet · · Score: 1

      Hear, hear

      as a very long time linux ONLY user
      ( i only support my family's MS OS's because they want to windows boxes )

      i would also add
      ---
      yum install ProgramName
      or
      zypper in ProgramName

      --
      "I don't pitch OpenSUSE Linux to my friends, i let Microsoft do it for me
    20. Re:Java and Flash by JohnVanVliet · · Score: 1

      mono is NOT .net
      but a VERY unfortunate necessary evil

      and if MS keeps having their way
      it will always be 3 to 4 versions behind .net

      --
      "I don't pitch OpenSUSE Linux to my friends, i let Microsoft do it for me
    21. Re:Java and Flash by Anonymous Coward · · Score: 0

      At the risk of being off-topic...

      Hasn't the release of Win RT proven that .NET isn't cross-platform, not even on Win8 running on different architectures?

      If .NET were at all portable, they wouldn't need to rebuild apps for Win RT.

    22. Re:Java and Flash by petermgreen · · Score: 2

      Normally the browser plug-in is a totally different independent install from Java itself

      The standard windows 32-bit JRE installer includes the browser plugin and will install it by default. So any user of java on windows who hasn't decided explicitly that they don't want the plugin is likely to end up with it.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    23. Re:Java and Flash by Giant+Electronic+Bra · · Score: 1

      OK, that was poorly worded, lol. Java is more like "like .NET BUT it IS platform-independent". In any case Java is certainly one of those things that is thought of one way but really is mostly something else.

      --
      "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
    24. Re:Java and Flash by Anonymous Coward · · Score: 0

      Tell that to lawyers that need it to access PACER or their local court filing repository. Or tell that to various medical professionals that have line-of-business apps written in Java (recently stumbled across a pano controller package written entirely in Java - that was cute).

      Tell it to the IT folks that needs remove to get remote console on the Dell/HP/whatever servers.

      I wouldn't mind only running Snorcle SPARC servers where console access is easy to get via SSH, but x86 tends to need a browser to get remote access.

      Unless you jump through hoops to get a virtual serial port setup, and then edit your inittab under Linux to launch getty on it, and then of course you want a GRUB prompt for emergencies in case you need to boot a different kernel with different options. Heaven help you if you want to redirect the BIOS to boot off a CD. While old-school Unix machines may have had their downsides, console access for emergencies was awesome functionality IMHO.

    25. Re:Java and Flash by HiThere · · Score: 1

      FWIW, if you install Java, I think it auto-installs in the browser. Otherwise I don't know how it got there. And I use Debian. (OTOH, I've also installed a lot of packages. So it could have been something else that installed it.)

      FWIW, the Java that was installed was OpenJDK, or perhaps Iced Tea. Not the Oracle flavor. But when I checked IceWeasel it was installed. (Actually, it's still installed. I just deactivated it.)

      That said, I'm always dubious about Java. I understand why it's a lot more popular than C/C++, but Java seems neither as easy as the scripting languages nor as powerful as the compiled languages. The main thing it seemed to have going for it was being pushed by a large friendly company. Now the "friendly" has disappeared. (Oracle sure isn't Sun.)

      --
      I think we've pushed this "anyone can grow up to be president" thing too far.
    26. Re:Java and Flash by Billly+Gates · · Score: 1

      Downgrade to Java 6.

      That is what I use and it keeps it disabled in the browser. Oracle put that back in as they hoped it would spur a revival in Java applets.

    27. Re:Java and Flash by Sigg3.net · · Score: 1

      All online banking in Norway requires Java. And it doesn't work with the F/OSS alternatives.

      Going to the local bank office is not an option for many, it could be several hours driving.

    28. Re:Java and Flash by DarwinSurvivor · · Score: 1

      mono is NOT .net but a VERY unfortunate necessary evil

      [citation needed]

    29. Re:Java and Flash by tepples · · Score: 1

      All online banking in Norway requires Java.

      Is this by law? If so, your legislators are doing it wrong. Or is it just by common practice? If so, you're doing it wrong by not learning how to start your own bank and then starting your own bank.

    30. Re:Java and Flash by tepples · · Score: 1

      Without Mono, it is impossible to write a video game that is portable both to GNU/Linux and to Xbox 360 XNA. Therefore, if you want an audience for certain kinds of game, and your studio isn't yet big enough to qualify for the first-class console game developer license, you need to use .NET, and on Linux that means Mono.

    31. Re:Java and Flash by Sigg3.net · · Score: 1

      I agree. It's of course by practice and not law. And the banks using BankID (the product requiring Java) are probably complaining too and I hope to see this change. However, bills and mortgages have to be paid in the meantime so if you live in Norway Java is required (or queue up at the bank office). The law should say that there wouldn't be just 1 point of entry to use online banking (by e.g. allowing a free Java alternative or something else entirely).

      There is a mobile offering, but it's using GSM, so I don't feel it's secure.

    32. Re:Java and Flash by Anonymous Coward · · Score: 0

      Without Mono, it is impossible to write a video game that is portable both to GNU/Linux and to Xbox 360 XNA. Therefore, if you want an audience for certain kinds of game, and your studio isn't yet big enough to qualify for the first-class console game developer license, you need to use .NET, and on Linux that means Mono.

      So no, it isn't necessary at all, in fact I doubt the situation you describe has ever practically existed. By using ridiculous non-existent scenarios like that you can justify anything as being "necessary".

    33. Re:Java and Flash by DarwinSurvivor · · Score: 1

      I highly doubt any .net game written for the XBox would run on Linux's craptastic excuse of a language that is Moonlight without the equivalent of an entire rewrite. If you believe that .net (even just the Mono parts) is cross platform on the Linux platform, you have been seriously misinformed.

      Oh, and why did you pick the XBox? Why not use the PS3 or Wii, neither of which support the same platform as the XBox? Face it, if you count consoles there is NO SUCH THING as a cross-platform gaming environment. In fact, the closest thing would be OpenGL which runs on all 3 major desktops and I believe the PS3 as well (possibly Wii to a limited extent, not sure).

    34. Re:Java and Flash by exomondo · · Score: 1

      Hasn't the release of Win RT proven that .NET isn't cross-platform, not even on Win8 running on different architectures?

      No, because you write WinRT programs in .Net so of course it is cross-platform.

      If .NET were at all portable, they wouldn't need to rebuild apps for Win RT.

      They don't, if you write .Net apps to the WinRT featureset then they will run on Windows 8 and Windows RT. The language is cross-platform and the implementation of the VM is platform-specific, just like Java. You can write Java programs for your desktop but those programs generally need to be rebuilt to run on Android because the Oracle/Sun Java VM has a different featureset to the Dalvik VM, that doesn't mean Java isn't cross-platform, all it means is that different platforms are different so while the code can mostly stay the same across platforms there are platform-specific idiosyncrasies that need to be catered to.

    35. Re:Java and Flash by Anonymous Coward · · Score: 0

      Java in the browser or Java in the server?

      I don't know many applications that require Java in the browser, which is where we find the problem.

      The apps with Java in the server are safe according to Oracle. The new classes are for JSE.

  7. Disaster by timeOday · · Score: 4, Interesting

    All the main codebases I work with and develop are in java. Tonight I was doing some work and tried to google some javadoc, but the first result was an illustration of a java-logo coffee cup going into a garbage can, and the first pageful of results were "how to uninstall java." I already had a customer balking about installing java. Now it seems certain we'll have to port everything away, a huge undertaking. (Even though we'll end up porting it to C++ and have multiple times more vulnerabilities when we're done, but I guess at least they'll be specific to our application).

    1. Re:Disaster by Anonymous Coward · · Score: 0

      I hear you. It's going to take a lot of education to undo this mess. For us, there's no way we could port our system to anything else in any sensible length of time -- we've been working with it for 5 years, and don't even have all the equipment it controls here any more. We use a lot of Swing, so what cross-platform UI are you going to replace THAT with. And pointers? Most of our programmers can barely manage in Java's pretty benign environment, having them deal with pointers would be a disaster.

      Arrg.

    2. Re:Disaster by Anonymous Coward · · Score: 0

      All the main codebases I work with and develop are in java. Tonight I was doing some work and tried to google some javadoc, but the first result was an illustration of a java-logo coffee cup going into a garbage can, and the first pageful of results were "how to uninstall java." I already had a customer balking about installing java. Now it seems certain we'll have to port everything away, a huge undertaking. (Even though we'll end up porting it to C++ and have multiple times more vulnerabilities when we're done, but I guess at least they'll be specific to our application).

      Wouldn't it be 1000x easier just to port your launcher to work outside of a browser and let people uninstall the Java browser plugin? ... Did you forget to check the anonymous box when you trolled?

    3. Re:Disaster by RedHackTea · · Score: 1

      I don't see how porting it to C++ is a solution. This must not be a very big program. For any average enterprise software, porting the product from Java to C++ is a huge undertaking (almost a year of work). I would just take the month of educating your customers, making sure that their machines are up-to-date, and that your software works in the newest version (you can specify a lower version in the JVM args if you need compatibility).

      --
      The G
    4. Re:Disaster by timeOday · · Score: 1

      You're right, porting is not really a solution. And there's really no problem in the first place, since we don't do web apps. But all this negative press damages the Java brand name immensely, and it's very easy for people higher up in the bureaucracy to simply say, "Java? Oh yeah, we're aware of all the problems with that. The answer is no."

    5. Re:Disaster by KingMotley · · Score: 1

      Sure, rewriting the applications would take some time, but I think you'll find that you'll spend less time rolling out a C++ application than you would a Java application. There are so many more things that can go wrong with Java than a standard C++ application. And I'm not sure why you even mention having to make sure their machines are up-to-date. That's a bigger issue with having to rely on the JVM than the C++ libraries that get compiled into the application or are dynamically linked in, and most installers can chain in the C++ runtime libraries (that can be set to be application specific or system wide installation -- obviously app specific causes less headaches).

    6. Re:Disaster by jebblue · · Score: 0

      So with all the years of negative press for Windows I guess the world stopped using Windows. Oh wait, no they didn't.

    7. Re:Disaster by Anonymous Coward · · Score: 0

      Of all the advantages of C++, Deployment is one I've really never heard before. Java Web Start might not be sexy but what's the native alternative? InstallShield?

    8. Re:Disaster by Billly+Gates · · Score: 2

      Sure, rewriting the applications would take some time, but I think you'll find that you'll spend less time rolling out a C++ application than you would a Java application. There are so many more things that can go wrong with Java than a standard C++ application. And I'm not sure why you even mention having to make sure their machines are up-to-date. That's a bigger issue with having to rely on the JVM than the C++ libraries that get compiled into the application or are dynamically linked in, and most installers can chain in the C++ runtime libraries (that can be set to be application specific or system wide installation -- obviously app specific causes less headaches).

      Have you coded any huge +1 million lines of code projects before?

      There is a reason developers fled C++ to Java back in the 1990s until recently. It doesn't make sense to go back to C++.

    9. Re:Disaster by TheSunborn · · Score: 1

      The alternative we use on Windows is to include a JRE with the app. That way our JRE is only used by our app. It is not installed as a JRE in Windows, so Windows doesn't see the JRE as an independent app.

      And then we can just install our app as any other app using InstallShield, or any other installer you want. And we don't have to think about compatibility with other versions of the JRE/JDK.

    10. Re:Disaster by spongman · · Score: 1

      seriously, you write applets for a living?

      otherwise you're barking up the wrong tree.

    11. Re:Disaster by timeOday · · Score: 1

      No, desktop applications. What managed, crossplatform runtime is better?

    12. Re:Disaster by Jeremi · · Score: 5, Insightful

      There are so many more things that can go wrong with Java than a standard C++ application.

      I think you grossly underestimate C++'s ability to go wrong :^)

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    13. Re:Disaster by Anonymous Coward · · Score: 0

      The people writing end-user Desktop applications never fled (or if they did, they found themselves bankrupt forthwith).

      Java's market is primarily places where C++ was never that big. Either web applications or line-of-business stuff (that would otherwise be done in VB).

    14. Re:Disaster by Heir+Of+The+Mess · · Score: 1

      I already had a customer balking about installing java. Now it seems certain we'll have to port everything away, a huge undertaking. (Even though we'll end up porting it to C++ and have multiple times more vulnerabilities when we're done, but I guess at least they'll be specific to our application).

      There is no way in hell I could recommend taking a team of Java developers and getting them to port their application to C++. Actually I've seen this attempted back in 2003, and it ended up generating a bunch of C++ code that had to be trashed and rewritten by a team of competent C++ programmers. The problem was mainly all these design patterns that Java programmers use that are based on garbage collection being present, and all the weird and wonderful hacks that were introduced to try to add some kind of memory management scheme on top of a bunch of code that was written without any thought about object lifetime management. What about other languages like C#/Mono, that will at least allow a basic like-for-like translation of everything below the GUI layer?

      --
      Australian running a company that does C# / C++ / Java / SQL / Python / Mathematica
    15. Re:Disaster by gl4ss · · Score: 1

      you should just package a jre with your application.

      ReplicatorG does this, the Arduino IDE does this and a bunch of other applications as well. Sure it'll bloat your installation by 90 MB but it seems worth it for avoiding an install link to Oracle's web...

      --
      world was created 5 seconds before this post as it is.
    16. Re:Disaster by Anonymous Coward · · Score: 3, Insightful

      Then you (or your sales people) need to explain to your customers that the vulnerabilities only apply to applets. Tell them how your desktop applications aren't a vulnerability. Extend your installation docs to cover how to install a JRE for desktop use and disable it in all the browsers.

      This "four legs is good, Java is bad" meme is obstructive but good advice can beat it down.

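      An added defender's check, not posted by anyone in the thread: a small script that audits a Java 7 deployment.properties file for the two settings this update story is about, whether the browser plug-in is switched off and whether the security slider is pinned at a strict level. It assumes the 7u10+ keys deployment.webjava.enabled and deployment.security.level and the ".locked" suffix Oracle's deployment docs use to pin a setting; the sample files are constructed.

```python
"""Audit a Java 7 deployment.properties file for browser-plug-in exposure.

Added example, not from the thread. Assumed keys (Java 7u10+):
  deployment.webjava.enabled      true/false, enables Java in browsers
  deployment.security.level       LOW / MEDIUM / HIGH / VERY_HIGH
  <key>.locked                    bare key that pins the setting
"""
import re

# Ordering of the Java Control Panel security slider (assumed 7u10-era values).
SECURITY_LEVELS = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "VERY_HIGH": 3}

# Constructed sample: a typical user profile that leaves the plug-in on.
WEAK_PROPERTIES = """\
# constructed sample user profile
deployment.webjava.enabled=true
deployment.security.level=MEDIUM
"""

# Constructed sample: desktop-only JRE with the plug-in off and settings locked.
HARDENED_PROPERTIES = """\
# constructed sample system-level profile
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
deployment.security.level=VERY_HIGH
deployment.security.level.locked
"""


def parse_properties(text):
    """Minimal java.util.Properties-style parser: key=value or key:value
    lines, '#' and '!' comment lines, and bare keys (the .locked entries)
    which map to an empty string."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(text, minimum_level="HIGH"):
    """Return a list of findings; an empty list means the file passes.

    Missing keys are treated as the permissive case, which is the safe
    way to read a file that does not explicitly state a setting."""
    props = parse_properties(text)
    findings = []

    enabled = props.get("deployment.webjava.enabled", "true").lower()
    if enabled != "false":
        findings.append("browser plug-in enabled (deployment.webjava.enabled is not false)")
    elif "deployment.webjava.enabled.locked" not in props:
        findings.append("plug-in disabled but not locked; Control Panel or updater may re-enable it")

    level = props.get("deployment.security.level")
    if level is None:
        findings.append("deployment.security.level not set; version default applies")
    elif SECURITY_LEVELS.get(level.upper(), -1) < SECURITY_LEVELS[minimum_level]:
        findings.append(f"security level {level} is below {minimum_level}")
    elif "deployment.security.level.locked" not in props:
        findings.append("security level set but not locked")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print(name, "->", audit(text) or "OK")
```

      Run it against the real file (per-user or the system-level one referenced from deployment.config) instead of the constructed samples to include the result in installation docs.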
    17. Re:Disaster by Anonymous Coward · · Score: 0

      What about D? Supposed to be C++ with more features from other languages, including garbage collection.

    18. Re:Disaster by famebait · · Score: 1

      Mod up.

      --
      sudo ergo sum
    19. Re:Disaster by gbjbaanb · · Score: 1

      If you port it to C++ and you have vulnerabilities, they will at least be *your* vulnerabilities and you can fix them.

      With Java you're effectively hamstrung until Oracle pulls their finger out and fixes them.

      Now, which situation would you rather be in? Noting that C++ isn't insecure by default, and isn't as difficult as it's made out to be once you know what you're doing.

    20. Re:Disaster by gbjbaanb · · Score: 1

      There is a reason developers fled C++ to Java back in the 1990s

      yes, coolness. Java was "cool" and so everyone wanted to stop supporting their crappy C++ apps and wanted to do a big rewrite in the cool new system, and so wrote crappy Java apps instead.

      I would hope the industry has grown up enough that they could go back to C++ and write boring, but good, apps.. but I imagine they'll just write crappy C# (or worse) apps.

    21. Re:Disaster by Anonymous Coward · · Score: 0

      There is a reason developers fled C++ to Java back in the 1990s until recently. It doesn't make sense to go back to C++.

      Yup, they fled because Java promised to allow less talented (i.e. cheap) developers to write programs.

      The reality is that good developers can use any language well, while cheap (i.e. typical Java) developers produce garbage.

    22. Re:Disaster by Anonymous Coward · · Score: 1

      I hear you. It's going to take a lot of education to undo this mess. For us, there's no way we could port our system to anything else in any sensible length of time -- we've been working with it for 5 years, and don't even have all the equipment it controls here any more. We use a lot of Swing, so what cross-platform UI are you going to replace THAT with. And pointers? Most of our programmers can barely manage in Java's pretty benign environment, having them deal with pointers would be a disaster.

      Arrg.

      Then you have shitty programmers.

  8. Meh. already fixed that by Anonymous Coward · · Score: 0

    noscript. block all java.

    whitelist for the one single site that needs it. ameritrade.

  9. Re:Meh. already fixed that by Anonymous Coward · · Score: 0

    i use ameritrade without java i donno wtf ur doin

  10. Brings to mind an old saying... by Anonymous Coward · · Score: 0

    Let him who hath coded a large project completely error free perform the first cast.

  11. Re:And I still can't use it.... by RedHackTea · · Score: 0

    I think Double.NaN is your problem here... Not Java.

    --
    The G
  12. Be careful what you wish for by Anonymous+Brave+Guy · · Score: 5, Insightful

    I really hate saying this because I am mostly libertarian and wary of too much regulation, but I think it is high time that there are regulations akin to those imposed on other engineering disciplines put into place over software that is used in 'e-infrastructure' such as banking, etc.

    Be careful what you wish for.

    As a professional software developer, I find the poor choices made by big name software companies very frustrating, and I'm well aware of the cumulative damage caused when software used by many people fails.

    On the other hand, if you mandate heavyweight regulation in such an industry, you're going to see prices go up significantly, and a lot of useful free-as-in-beer software would probably disappear almost overnight because the people writing it are going to be reluctant to accept engineering-level liability for work they do at charity/PR level prices.

    Then you'll get some sort of approved person/recognised competency qualification, probably administered by some bureaucratic organisation with expensive membership fees and a lofty title, possibly backed by law so people can't even practise software development without jumping over the officially sanctioned barriers to entry any more, or at least such that you can't get professional insurance policies to cover your engineering-level liabilities without playing the game.

    Oh, and since there are about three people on the planet who actually know how to write really robust software and they're all in very high profile jobs already, that organisation is instead going to be run (or more likely "advised" by some sort of "expert panel") by the kind of smooth-talking consultants who move from one fad to the next, making lots of money on the upside and then running away before they have to face the consequences of their expensive advice. You know, the ones who use terms like "Agile" and "software craftsmanship", but who can't manage to write a Sudoku solver or who think there are no more programming languages left.

    In short, if you want to stifle genuine innovation in the industry by people who really are competing on quality or exploring better ways to write software, and ensure that all you ever get is junk written by people who are more interested in competing on compliance with "quality standards" and exploring better ways to make money from software, regulation is exactly how you do it. In time, we'll learn how to build software better and people who make the effort to do so will be able to compete on genuine quality, but until we have learned how to do that with some level of consistency, any attempt to turn software development into some sort of engineering profession is doomed.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    1. Re:Be careful what you wish for by GenieGenieGenie · · Score: 2

      That's amazing. I'm a biologist and you are describing exactly what happened in my discipline due to over-regulation.

    2. Re:Be careful what you wish for by jgarry · · Score: 1

      You nailed it.

      You only missed the part about the alternative being worse. "Genuine innovation" means you are going to have mostly crap, with some really nice stuff that gets ignored by the masses. Remember, technical excellence is not what drives success. If you don't agree with that, please explain why bg is a billionaire. Or Zuckerberg, for that matter.

      Any mass market industry is going to require standards and regulation as it matures. Some mass market industries require standards in order to mature. It's easy to forget: simply deregulating the Hz coming out of the wall would screw up most of our computer infrastructure.

      So in the java and browser situations we have everyone's gramma or whatever dependent on this software. These are not the places for innovation that breaks everything. If you want a wild-west internet, fine, cage your own. The rest of us would much rather spammers die, and banks don't.

      --
      Oracle and unix guy.
    3. Re:Be careful what you wish for by Anonymous+Brave+Guy · · Score: 1

      Remember, technical excellence is not what drives success. If you don't agree with that, please explain why bg is a billionaire. Or Zuckerberg, for that matter.

      I'm not sure this is particularly relevant to the main debate, but I'm just going to point out here that both Microsoft and Facebook have solved numerous challenging technical problems in order to produce the dominant software they have. If you'd said that technical excellence was not the only thing that drives success, I would certainly have agreed with you.

      Any mass market industry is going to require standards and regulation as it matures.

      Perhaps, but the words "as it matures" matter. Software development is a young industry. Most of us don't know how to do it to an engineering standard yet. Arguably no-one really does, though clearly a few projects have been much more successful than most. (But exactly none of the ones I'm thinking of used the currently trendy "best practices" that I would expect to see heavily promoted by consultants with vested interests if the industry were to be regulated prematurely.) As far as I'm aware, absolutely no-one has shown how to build software with engineering-level robustness at a similar cost to the development methods widely used today.

      So in the java and browser situations we have everyone's gramma or whatever dependent on this software.

      Perhaps you've found the problem right there. Maybe businesses/governments running systems that involve significant risks shouldn't be relying on their customers/clients/citizens running cheap (mostly free, actually) software produced by others for critical tasks? You can go after the people who give that software away freely as the cause of security/privacy/reliability worries, but I think you're aiming at the wrong target.

      Those banks you don't want to die have plenty of resources to develop desktop clients and mobile apps that connect securely to their servers over the Internet without relying on anyone else's browsers and plug-ins if they want to. They choose not to, presumably because they've evaluated the risks and benefits and they've concluded that it is more effective to provide on-line banking via web sites. If the costs of going down a different path are greater than the losses due to fraud in on-line banking, it's not cost-effective to go down that other path. And if going down that other path has usability implications that mean some people simply won't use the service at all, then maybe a potentially flawed approach that people find useful is still better than a less flawed approach that people don't.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    4. Re:Be careful what you wish for by Finite9 · · Score: 1

      "On the other hand, if you mandate heavyweight regulation in such an industry, you're going to see prices go up significantly, and a lot of useful free-as-in-beer software would probably disappear almost overnight because the people writing it are going to be reluctant to accept engineering-level liability for work they do at charity/PR level prices."

      I don't think that's a likely assessment of what could happen if regulation was put in place. Why would free software be in any way bound by regulatory rules? I don't think that would happen, because even most bone-heads would be easily able to grasp that you cannot hold a private person accountable to industry regulations when they release something for free. Fair enough, distribution maintainers that are publicly traded companies that release free software _may_ be affected by regulations, like redhat and canonical, but then they'd just start putting clauses in their distro EULA that the work is from many individuals and they cannot guarantee the quality. It's a bit of a different thing for a single corporation such as Oracle, who holds all the responsibility for a piece of software: then it would be acceptable that they would be bound by regulations.

      I don't understand your thinking behind why free software would be affected?

      --
      "Everyone knows that vi vi vi is the number of the beast" -- Richard Stallman
    5. Re:Be careful what you wish for by Anonymous+Brave+Guy · · Score: 1

      We're talking about a scenario where people could be stung for running a plug-in (which they paid nothing for) in a browser (which they paid nothing for). If the regulations aren't going to apply to all software that gets distributed, even stuff that's given away, then they aren't going to do anything to help the problem we're talking about. So I assumed the comments by dreamchaser were intended to apply even in that case.

      For the record, I agree that it's an absurd idea that someone who is giving stuff away for free should be subject to regulation like that. I was just commenting on what I thought would happen if they actually were.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  13. All it takes by Anonymous Coward · · Score: 0

    Is the US Government recommending disabling Java for them to fix it.

    Sounds like a sustainable development model.

  14. just nuke it by stenvar · · Score: 0

    Just nuke Java, and the gigantic towers where it lives, from orbit; it's the only way to be sure.

  15. Java Control Panel can't update. by Anonymous Coward · · Score: 0

    you can download the latest update now from the Java Control Panel or directly from Oracle's website

    My Java Control Panel has no update functionality.

  16. Re:And I still can't use it.... by c0lo · · Score: 1, Offtopic

    I think Double.NaN is your problem here... Not Java.

    If an API call doesn't sanitize/check its input but causes a core dump, then it's the API problem, not the callers'.

    --
    Questions raise, answers kill. Raise questions to stay alive.
  17. Too Late Now by Greyfox · · Score: 4, Interesting

    I'm not going to tell my friends and family it's safe to reinstall it. None of them even noticed that anything had changed after the uninstall.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    1. Re:Too Late Now by steelfood · · Score: 1

      Java is a really shitty client language. It works, but it's not going to offer a good user experience. Which is why outside of the enterprise or software development environment, nobody really uses it. And I'm talking about applications. On the browser, they lost to Flash ten, fifteen years ago.

      At this point, I don't even know why the installer tries to hook onto every browser on the machine. Sure, everybody should have a JRE installed, because there is the occasional niche program that will need it. But a normal user is tons more likely to run a full-fledged Java application than an applet.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    2. Re:Too Late Now by Pecisk · · Score: 1

      1) A huge number of people use it for various specialised desktop application software. Java is still the best cross-platform option IT has to offer. No, HTML5 can't do all of it, however it works towards that goal. Java probably will be gone in the next 5 years, but not in the near future;
      2) Applets are used here and there, but also for very specific applications. Flash can't cover all areas, especially with specific code which doesn't cover graphics; Still, I agree, Java applets are a nightmare to manage from a security POV, and the last fallouts won't keep them around for long;
      3) Java isn't really a shitty language. The problem is usage - the applet concept quickly turned out a disaster for Sun (although the Microsoft counterpart ActiveX also got its share of shame), and only the fact that it was the only capable enterprise language at the time of its creation helped to keep it alive. Also if you look at it, there's not a lot you would want to do with Java on the browser in its heyday - its graphics capacities are limited (Flash essentially started as a cross-platform animation framework), it's slow to start (therefore no reason to use it for small, fast animations), etc. Essentially, it's really a cross-platform language for medium size applications.

      Will some other language end its suffering? .NET is out of the question, Python covers some parts of Java, but isn't as unified and stable as it should be (but it's getting there). HTML/JS works only for apps with certain workflows, but of course has the biggest mindshare and it's reasonable that a lot of old Flash and Java stuff will be made obsolete due to this duet. You can't do a reasonable sound editor in it, but you can do a rather good simple text editor, business apps, etc.

      Also standardizing of exchange formats, web services, etc. allows having different apps on different platforms without worrying much about porting them to other platforms.

      So, I don't agree Java is really shitty (try to do C++), however I agree its time has come to end. Actually I would say that it held on for so long not because of its owners (Sun/Oracle), but despite them. Both these companies (Sun to a lesser extent) have done absolutely everything for people to loathe Java. That's sad.

      --
      user@ubuntubox:~$ stfu This server is going down for shutdown NOW!
    3. Re:Too Late Now by Greyfox · · Score: 1

      Well sadly the de facto standard evolved while us CS guys were sitting around with our thumbs up our butts, and that de facto standard is JavaScript and Flash. It ain't pretty, but it gets shit done. If applets got shit done better than JavaScript and Flash, we'd be using them. I can't even remember the last time I saw a Java applet on a web page. They were very easy to see, because they didn't really fit in with anything else. Their UI controls were different, they didn't really want to talk to anything else, getting data in and out of them was a pain in the ass... yeah.

      The only java application I've used recently is Minecraft. I don't really count my Android phone, although that's pretty much ALL java. I've worked at a lot of companies that drank the Java/JMS/XML kool-aid. For something that's supposed to be super-reliable, JMS really isn't very reliable. And you don't really need XML for flat files with rows of numbers. It's a lot easier and faster to parse the flat files, and they take up much less space to store. Though XML is so redundant that at least it compresses reasonably well.

      I think the reason there was so little action on the part of us CS guys is that fundamentally we realize that the browser isn't really a good application development platform anyway. Every browser is different and quirky, and most people's environments are homogeneous. I can only think of one instance in the past couple decades where I actually needed to run the same application across all environments. Even though the company had previously chosen Java for that, C or C++ would have been a better choice. The vast majority of the problem reports came from quirky environmental issues on the different environments, something that Java was supposed to have freed us from. Another small percentage of bugs came from the fact that it seemed like every developer in the company used a different web browser to access the HTML reports that application was emitting, and even for a very simple report it never seemed to render correctly on someone's browser. At the end of the day, a C++ application would have provided a more portable and maintainable solution, and a C++ client for the data we were outputting would have provided a more useful and flexible user interface.

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  18. Oracle doesn't give a crap about security by Anonymous Coward · · Score: 1

    They did NOTHING even though they knew about this since last August.

    It makes the news, and it's fixed in one day.

  19. Java 64-bit has no auto update? by RockMFR · · Score: 1

    While I was manually updating to 7u11, I found out that the 64-bit version does not even have auto update - only the 32-bit version does. How the hell can Oracle be so irresponsible? I know most people use the 32-bit version, but still, what the fuck.

    1. Re:Java 64-bit has no auto update? by Anonymous Coward · · Score: 0

      64-bit JRE doesn't have a web browser plugin.

    2. Re:Java 64-bit has no auto update? by Anonymous Coward · · Score: 0

      Says you. I've been using the 64bit JRE 1.6 plugin in SeaMonkey for years.

    3. Re:Java 64-bit has no auto update? by Anonymous Coward · · Score: 0

      Part of the reason is that most browsers don't come in 64-bit variants. Firefox and Chrome don't officially release 64-bit versions and no one really uses IE :)

      I'm sure if you were to measure the percentage of people on the net using a 64-bit browser it would be less than 5%. Why release a plugin for that?

    4. Re:Java 64-bit has no auto update? by Anonymous Coward · · Score: 0

      Found this out first hand earlier today too. Seems like a glaring omission.

    5. Re:Java 64-bit has no auto update? by Anonymous Coward · · Score: 0

      In the Windows world, maybe. Real 64 bit operating systems tend to have a fully 64 bit userspace too...

  20. Applets are dead by Tablizer · · Score: 1

    Because the stupid vendors make updates a chore to keep up with, people will choose their web engines with care, and Java applets don't have enough use for most to keep them in the upgrade chore list. It's down to Flash and HTML/DOM browsers now.

    Oracle just has to hope that enough won't bother to shut it off.

  21. Re:Is this really a fix? ..apk by Zontar+The+Mindless · · Score: 1

    Ringer.

    But I'll give you 7/10 since your effort showed character.

    --
    Il n'y a pas de Planet B.
  22. Any announcement of policy changes in Oracle? by GodfatherofSoul · · Score: 4, Insightful

    Their rep and that of Java took a huge punch in the gut. I'm a long-time Java developer and I'm fuming at the way Oracle has handled this. When non-techies are associating Java with hacking, this is terrible news for the language and platform. It won't be long before the pointy-headed bosses start calling down to their IT shops making sure "we got all the Java out of the computers."

    --
    I swear to God...I swear to God! That is NOT how you treat your human!
    1. Re:Any announcement of policy changes in Oracle? by Anonymous Coward · · Score: 2, Interesting

      Their rep and that of Java took a huge punch in the gut. I'm a long-time Java developer and I'm fuming at the way Oracle has handled this. When non-techies are associating Java with hacking, this is terrible news for the language and platform. It won't be long before the pointy-headed bosses start calling down to their IT shops making sure "we got all the Java out of the computers."

      It's already happening. I work as SDM for a major outsourcing company and our clients' PHBs are requesting we throw Java out as soon as we can eliminate the software that depends on it. I have had three such calls today, and they are for organisations with 10k+ computers. Oracle are really hurting Java with this bad PR.

    2. Re:Any announcement of policy changes in Oracle? by Anonymous Coward · · Score: 0

      You should migrate away from Java if you can, and Oracle has proven itself to be insecure and slow to patch known security issues. So I don't see anything wrong with PHBs encouraging that.

      As far as policy changes, unsigned apps now require confirmation before running. But I feel it is too little too late.

    3. Re:Any announcement of policy changes in Oracle? by Sigg3.net · · Score: 1

      In some countries this is not an option.

  23. Re:Is this really a fix? ..apk by Anonymous Coward · · Score: 0

    Not APK. Too short (needs more incoherent or seemingly irrelevant sentences) and not enough bold. Only using one PS is highly suspect as well.

  24. There are still at 3 more unpatched Java vulns by Anonymous Coward · · Score: 1

    There are at least 3 more Java 0-day vulnerabilities in Oracle's queue that they have yet to address. We submitted one and I know of 2 more from other research groups. It is just a matter of time before they are either addressed or discovered and used in the wild. Unless you have specific needs for Java, there's no reason to run it.

    1. Re:There are still at 3 more unpatched Java vulns by gbjbaanb · · Score: 1

      I was going to say "do you have a link for those", but then I realized what I was asking for :)

      On the other hand, it wouldn't make a difference - I doubt Mozilla or Apple will whitelist the new version.

    2. Re:There are still at 3 more unpatched Java vulns by Bobfrankly1 · · Score: 1

      I was going to say "do you have a link for those", but then I realized what I was asking for :)

      On the other hand, it wouldn't make a difference - I doubt Mozilla or Apple will whitelist the new version.

      You're presuming they whitelisted the old versions. Unless I'm mistaken, they blacklisted the existing versions. That doesn't mean new versions are automatically blacklisted unless the logic being used to block the existing versions applies to them as well.

    3. Re:There are still at 3 more unpatched Java vulns by gbjbaanb · · Score: 1

      yeah, I should think they'll be fine... for a week or two.

  25. Is OpenJDK also affected? by devent · · Score: 1

    I'm interested whether OpenJDK is also affected by this exploit, or is it only the Oracle JRE?
    Since Java 7, OpenJDK is now the reference implementation of Java. Linux of course ships with OpenJDK, but you can still install Java from Oracle.

    --
    http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
    1. Re:Is OpenJDK also affected? by ChunderDownunder · · Score: 1

      Depends on whether the vulnerability is in the JRE or the core libraries. The browser plugin, web start, the auto updater, tray icon, control panel etc as found on the Windows install are Oracle-proprietary.

      Red Hat (& other contributors) have coded open source substitutes for applets and jnlp applications but I haven't seen info as to whether these IcedTea components are at risk.

  26. OS X version is Lion + by oDDmON+oUT · · Score: 1

    So everyone clinging to Snow Leopard and below (even though they remain the bulk of Mac OS installs in use [OSX version graph]) is left hanging in the wind.

    GJ Oracle.

    --
    Some days it's just not worth
    chewing through my restraints.
    1. Re:OS X version is Lion + by ChunderDownunder · · Score: 3, Informative

      Backporting security fixes to an old OS X release isn't feasible for Oracle because they don't own the particular codebase that targeted Snow Leopard and earlier. Apple forked the JDK under a commercial license from Sun back in the day, incorporating OS X specific implementation details, which for earlier Java releases lies in Apple HQ.

      When Apple handed over the reins to Oracle, any code they contributed back to the OpenJDK codebase would have been for the then current OS X revision (Lion) and thus likely unportable to Snow Leopard without modification. Code "Soy Latte" existed some 4 years ago as a community effort to port OpenJDK to OS X 10.5 and later but this was never the "official" port used by Apple.

      Were Apple any better during their stewardship of Java? I seem to remember JRE versions were tied to releases of OS X. Our efforts to develop a Swing application were stifled because our user base (e.g. schoolkids with iBooks) were stuck forever on Java 1.5.

      So blame Oracle but some of the blame goes back to Jobs, who in later years did much to sideline Java.

  27. subject by Legion303 · · Score: 4, Insightful

    No, I don't want the fucking Ass Toolbar installed, Oracle. Thanks for asking.

    1. Re:subject by Anonymous Coward · · Score: 0

      At least they asked. Could have been (even) worse.

  28. And grossly over-estimate the ability ... by Anonymous Coward · · Score: 0

    of the average developer.

  29. Bank online scanner / check deposit by Anonymous Coward · · Score: 0

    Another popular usage is for home check depositing via a scanner.

  30. too late? by Anonymous Coward · · Score: 0

    Of those I know who got rid of Java I am willing to bet not one will reinstall this software.

  31. Official Oracle Security Alert by slas6654 · · Score: 0

    I am a sysadmin on several web apps and I went and got the official security alert. I have to admit I am a bit confused by the message:

    "Oracle Security Alert for CVE-2013-0422

    Description

    This Security Alert addresses security issues CVE-2013-0422 (US-CERT Alert TA13-010A - Oracle Java 7 Security Manager Bypass Vulnerability) and another vulnerability affecting Java running in web browsers. These vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications. They also do not affect Oracle server-based software.

    The fixes in this Alert include a change to the default Java Security Level setting from "Medium" to "High". With the "High" setting, the user is always prompted before any unsigned Java applet or Java Web Start application is run.

    These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user's system."

    Yet Oracle released another notice that talks about a critical patch update for several Oracle products (i.e. DB, app servers, etc.)

    http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html

    Does anybody understand why there are CPUs for their products if the zde doesn't affect their products?
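    As an added example (not Oracle's code and not from the post above), a small check of the setting the Alert describes, written against the Java deployment.properties format. It assumes the key name deployment.security.level (present since 7u10) with the values LOW, MEDIUM, HIGH and VERY_HIGH, and the ".locked" suffix convention for system-wide files; the sample file contents are constructed.

```python
"""Check and harden the Java Security Level in a deployment.properties file.

Added example, not Oracle's code. Assumptions: the key name
deployment.security.level (Java 7u10+) with values LOW, MEDIUM, HIGH,
VERY_HIGH, and the ".locked" suffix that pins a key in a system-wide file.
The Alert moved the default from MEDIUM to HIGH; HIGH or above means the
user is prompted before any unsigned applet or Web Start app runs.
"""
from __future__ import annotations

KEY = "deployment.security.level"
# Strictness ordering used to decide whether a level is at least HIGH.
LEVEL_ORDER = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "VERY_HIGH": 3}


def _split(line: str) -> tuple[str, str]:
    """Split a .properties line at the first '=' or ':'; bare keys get ''."""
    idx = min((line.find(s) for s in "=:" if s in line), default=-1)
    if idx < 0:
        return line.strip(), ""
    return line[:idx].strip(), line[idx + 1:].strip()


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties parser (no line continuations or escapes)."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        key, value = _split(line)
        props[key] = value
    return props


def security_level(text: str) -> str | None:
    """Configured level, or None when the file leaves the release default."""
    value = parse_properties(text).get(KEY)
    if value is None:
        return None
    value = value.upper()
    if value not in LEVEL_ORDER:
        raise ValueError(f"unknown {KEY} value: {value!r}")
    return value


def is_hardened(text: str, fixed_default: bool) -> bool:
    """True when unsigned code will prompt.

    fixed_default says whether the installed release is 7u11 or later,
    i.e. whether an unset key already means HIGH rather than MEDIUM.
    """
    level = security_level(text)
    if level is None:
        return fixed_default
    return LEVEL_ORDER[level] >= LEVEL_ORDER["HIGH"]


def set_level(text: str, level: str, lock: bool = False) -> str:
    """Return text with the level set (replacing or appending the line).

    With lock=True a bare '<key>.locked' line is added so the Control Panel
    cannot lower it again (meaningful only in the system-wide file).
    """
    level = level.upper()
    if level not in LEVEL_ORDER:
        raise ValueError(f"unknown level: {level!r}")
    out, replaced = [], False
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped and stripped[0] not in "#!" and _split(stripped)[0] == KEY:
            out.append(f"{KEY}={level}")
            replaced = True
        else:
            out.append(raw)
    if not replaced:
        out.append(f"{KEY}={level}")
    if lock and f"{KEY}.locked" not in parse_properties(text):
        out.append(f"{KEY}.locked")
    return "\n".join(out) + "\n"


# Constructed sample: a user file that pins the pre-7u11 default.
OLD_USER_CONFIG = "#deployment.properties\ndeployment.security.level=MEDIUM\n"

# Constructed sample: a system-wide file that raises the level and locks it.
ENTERPRISE_CONFIG = set_level("", "VERY_HIGH", lock=True)
```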

  32. Too late by TheSkepticalOptimist · · Score: 0

    Been on the fence about removing Java completely from all my systems. Have a few things still requiring it, but I get tired of the frequent nagging update notices and the fact it installs 16 parallel versions. With the recent security problems I just decided to nuke Java completely and refuse to use any service, tool or app that requires Java. While Java "the code" should live on, Java the "platform" should die a fiery death. Anybody still using Java as a platform for app distribution should seriously consider moving to a more "modern" platform, or get a new career in basket weaving.

    --
    I haven't thought of anything clever to put here, but then again most of you haven't either.
  33. Why is this a headline? by Skiboy941 · · Score: 1

    *skiboy941 reads about major Java exploit. Business as usual. Move along, nothing to see here.

  34. Automatic updates are good for mom/dad by sjbe · · Score: 1

    Ahhh, yes, I remember that. That was the Wonderful World of Windows. Things just auto-install themselves with little, if any, input from the user, or the administrator.

    As opposed to me getting a panicked call from my father wondering what this "Java" thing is and me having to coach him through every security update. Or worse no security updates ever getting applied and then me having to remove a bunch of malware. No thanks. I'd much prefer a moderately sane set of automatic updates for any portion of the population that does not have an IT department on retainer.

    In alternate realities, such as the Unixverse, the user must call up a program from which he searches for the particular package he wants to install. Or, he must be familiar enough with his package manager to call it up from a terminal. Auto-install has proven to be a Very_Bad_Thing, time and again.

    Back here in the Real World we have huge numbers of people who do not and will not ever understand updates for any reason even if it is in their best interest. Updates for the General Public should be automatic by default with an easily enabled option to make them not automatic. Software for enterprises should be not automatic by default with the option to make it automatic. Yes, automatic updates aren't a perfect solution but for many users it is better than no updates.

  35. "Are you General Public or an enterprise?" by tepples · · Score: 1

    Updates for the General Public should be automatic by default with an easily enabled option to make them not automatic. Software for enterprises should be not automatic by default with the option to make it automatic.

    So what's the best practice to tell whether a program that is useful both to the General Public and to an enterprise is being run by the General Public or by an enterprise? On Windows, should the criterion be whether a computer is joined to a domain at installation time? What should the criterion be on Mac and Linux?

  36. Time.gov by tepples · · Score: 1

    Then the United States Government is doing it wrong. Time.gov, the tool to check the official U.S. civil time, offers the choice of a Java applet or a Flash object to display the current time accurate to within a half second.

  37. Nuance and regulation by sjbe · · Score: 1

    I am still struggling with this one because my nature is to want Government to stay out of people's business, but when that business has the potential to have an effect on infrastructure or the livelihoods of others then sometimes it's a necessary evil.

    It sounds like you understand the nuance of the situation nicely. Unlimited freedom is not always good and regulation is not always bad. Both can be taken too far with undesirable results. The notion of keeping regulation to a reasonable minimum is a very sensible idea. But you can cut regulation too far and the inevitable result is self-interested behavior that hurts the common good. Our recent financial crisis was a good example of this. You cannot possibly work in a job on Wall Street and not understand that some amount of regulation is very very necessary. Conversely it's not hard to have regulations that are so burdensome that they cause very real damage to people's lives and well-being. Reasonable people can disagree about exactly where to draw the line but the fact is that there IS a line somewhere. Government does not exist for no reason at all. While I've done it myself, I think calling it a "necessary evil" is wrong because it isn't evil, nor is it good. It is just necessary sometimes.

    1. Re:Nuance and regulation by Anonymous Coward · · Score: 0

      I do see the point. But I have yet to see regulation that actually accomplishes what it has set out to do. Almost universally if the government steps in to regulate something they increase cost without providing the benefit that was intended by the regulation in the first place. They raise our taxes, or plunder the funding by cutting some other service we were already paying for and never provide a return on investment.

  38. hypocritical? Why not blame c/c++ For Windows by Vince6791 · · Score: 1

    Why not blame C/C++ or Objective-C for Windows, Linux, OSX not being 100% secure? Java's virtual machine is just that: a virtual PC with its own computer language. Or why not blame Intel or AMD for not having smarter CPUs working in conjunction with OSes to monitor incoming and outgoing instructions, like Intel's Execute Disable Bit which prevents buffer overflows. Look how hackable Adobe and AutoCAD products are; you can run all these for free on your machine with key generators and such. If you want to blame someone, blame the hackers themselves; no OS or application is 100% foolproof.

    1. Re: hypocritical? Why not blame c/c++ For Windows by Anonymous Coward · · Score: 0

      I don't think anyone is blaming them for the vulnerability so much as for the length of time it has taken to fix it. Because of that time this is now a major issue being exploited in the wild.

  39. Default to lowest common denominator by sjbe · · Score: 1

    So what's the best practice to tell whether a program that is useful both to the General Public and to an enterprise is being run by the General Public or by an enterprise?

    Default to auto update if the ultimate end user is unclear and provide a convenient way to disable it during the installation. Enterprises can deal with that. General Public not so much. The user should ALWAYS have a choice regarding auto-update but I think we need to err on the side of providing the updates due to the volume of non-technical people out there.

  40. A Theo de Raadt clone might help. by Anonymous Coward · · Score: 0

    They need to find and hire someone like Theo de Raadt to fix that mess called Java.
    They need to give him/her dictatorial powers to fix it, or they should be dragged into court to pay for their negligence.

  41. Thanks for that by citylivin · · Score: 1

    "None of them even noticed that anything had changed after the uninstall."

    Until they go to remote into the workplace and uh-oh! cannot connect to the remote appliance!

    But it can't be their computer, because their "computer literate" son just came around and gave the computer a good fixin'! and there is no way he would break something as important as their ability to work from home! In fact, it's probably *I* who is the idiot and our company should really hire their son instead to do all the complicated eye tee work!

    --
    As a potential lottery winner, I totally support tax cuts for the wealthy
  42. MonoGame by tepples · · Score: 1

    I highly doubt any .net game written for the XBox would run on Linux's craptastic excuse of a language that is moonlight without the equivalent of an entire rewrite.

    That's what MonoGame is supposed to be for: an implementation of the XNA API on top of GNU/Linux, Mac OS X, iOS, and Android.

    Oh, and why did you pick the XBox? Why not use the PS3 or Wii, neither of which support the same platform as the XBox?

    I chose Xbox 360 because PlayStation 3, Wii, and Wii U have no environment comparable to Xbox Live Indie Games. It's fairly easy to connect an HDTV and two to four USB gamepads to a PC, but almost nobody does that. Nor are OUYA and the Steam boxes out yet. XBLIG is currently the only route to market that allows a startup that doesn't yet have the "relevant video game industry experience" and "financial stability" of an established game studio to develop and publish a video game on a device that's already commonly connected to a TV and gamepads.