Slashdot Mirror


Oracle Ships Java 7 Update 11 With Vulnerability Fixes

An anonymous reader writes "After announcing a fix was coming just yesterday, Oracle on Sunday released Java 7 Update 11 to address the recently disclosed security vulnerability. If you use Java, you can download the latest update now from the Java Control Panel or directly from Oracle's website here: Java SE 7u11. In the release notes for this update, Oracle notes this version "contains fixes for security vulnerabilities." A closer look at Oracle Security Alert for CVE-2013-0422 details that Update 11 fixes two vulnerabilities."


  1. Is this really a fix? by DavidClarkeHR · · Score: 5, Interesting

    It's great that the default security settings have been increased - and the zero-day flaws needed fixing (as always).

    Proper web browsing hygiene protected users from this zero-day vulnerability - but my mom needed this update.

    --
    - Nec Impar Pluribus, or so I'm told.
    1. Re:Is this really a fix? by Anonymous Coward · · Score: 4, Funny

      keeping a box of tissue next to the computer

    2. Re:Is this really a fix? by Runaway1956 · · Score: 4, Informative

      People who read this site are mostly geeks, nerds, IT, developers, or some such who are computer literate. But, NO ONE who reads this site is ignorant of how pervasive Java is. NO ONE who reads this site is completely ignorant of the ways in which John and Jane Q. Public uses their computers.

      Like DavidClarkeHR's mother, my wife "needs" Java. Her computer may suffer any number of ills, and she'll ignore them. But, if she can't play her Pogo Games, the old broad is going to make my life miserable until the problem is fixed. To her, "the internet" pretty much means Pogo, Facebook, email, Craig's List, classified ads in the Texarkana Gazette, and a little bit of news.

      Oh, wait - how can I forget her soap operas? The woman has given up on television, and watches her daily shows on the computer now.

      THAT is the internet, for millions of people.

      Java don't work? "I WANT IT FIXED BEFORE I GET HOME FROM WORK!! You can forget about taking trash out, you can forget to pick your clothes up off the bathroom floor, you can leave the sink full of dirty dishes, BUT FIX MY INTERNET!!"

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    3. Re:Is this really a fix? by Mike+Frett · · Score: 4, Insightful

      Yes. People tend to forget Minecraft is popular and uses Java. There are also webcam sites that are very popular with the porn crowd that use Java. If you want people to ditch Java, then you need to fix the reason WHY they need it. Instead of coming here and pushing your views about how you managed to avoid Java, because after all it's your opinion and the last time I checked, it's no one else's.

    4. Re:Is this really a fix? by Anonymous Coward · · Score: 5, Informative

      Minecraft does not need the java browser plug-in.

  2. August 2012 to January 2013 by QuietLagoon · · Score: 4, Insightful

    A vuln that apparently was first reported in August 2012 is finally fixed (maybe) in January 2013.

    Why can't the larger companies, e.g. Microsoft and Oracle, respond to and fix the security issues more quickly than on a timeline expressed in months?

    1. Re:August 2012 to January 2013 by dreamchaser · · Score: 3, Insightful

      I couldn't agree more. It will probably take legal action to change this mentality. Eventually someone will sue one of the big software companies and win because a known vulnerability wasn't patched.

      I really hate saying this because I am mostly libertarian and wary of too much regulation, but I think it is high time that there are regulations akin to those imposed on other engineering disciplines put into place over software that is used in 'e-infrastructure' such as banking, etc. Right now there isn't any, and thus huge multi-billion dollar companies are free to drag their feet on fixes or even outright ignore vulnerabilities that can cause serious harm to people.

  3. Java and Flash by tepples · · Score: 4, Informative

    Browsers come with only JS. Java is a plug-in published by Oracle that plays applets written in Java, just as Flash Player is a plug-in published by Adobe that plays applets written in ActionScript.

    1. Re:Java and Flash by oatworm · · Score: 5, Interesting

      Tell that to lawyers that need it to access PACER or their local court filing repository. Or tell that to various medical professionals that have line-of-business apps written in Java (recently stumbled across a pano controller package written entirely in Java - that was cute). Or tell that to certain financial industries that use Java to submit various bits of paperwork (if you're a merchant filing for credit card processing, there's a decent chance your application was scanned and uploaded using a Java app called "AMA", depending on which platform your processor is underwriting with). Or tell that to businesses that electronically deposit checks - quite a few banks out there use scanners with Java software to get the checks from the business' PC into the banking system.

      Java's actually fairly commonly used for line-of-business applications because it's fairly easy to find Java developers ("easy" being synonymous with "cheap"), the tools start at "free", it's sort of platform neutral, and it's been around for a while. Plus, a lot of those Java line-of-business apps were first written 5-10 years ago and, well, they still basically work - given a choice between paying for a total re-implementation of some tool that works "reliably", doing the necessary field testing to prove it's at least as secure, functional, and stable as the current implementation, or just periodically testing it against the latest version of Java, guess what most businesses do?

      Now you know why Java exploits are a big deal.

  4. Re:Java or Javascript? by black3d · · Score: 3, Informative

    It's correct that the two have virtually nothing in common. However, Java in browsers is fairly widespread simply due to the fact that so many applications are built around the Java runtime and there's a good chance that at some time many users have needed to install it. A typical install of the Java Runtime Environment includes browser interaction.

    Many websites utilize Java through in-line apps and modern browsers make the installation process fairly simple (i.e., a couple of on-page redirects and a pop-up window which takes care of it all - the same way most browsers simplify Flash installation simply because it's so universal). For example, nVidia's video-card-detection routine is in Java and if it's not installed, will helpfully let you know and give a button to click to download it. Minecraft, of course, requires Java. Many development tools and even many network management packages are written in Java.

    Java on PCs is quite widespread and thus by default, so is Java on browsers.

    Javascript, as you rightly raise, is altogether different, and prevalent on all browsers by default (even though different browsers have different JS interpreters) and has nothing to do with the JRE.

    --
    "The true measure of a person is how they act when they know they won't get caught." - DSRilk
  5. Disaster by timeOday · · Score: 4, Interesting

    All the main codebases I work with and develop are in java. Tonight I was doing some work and tried to google some javadoc, but the first result was an illustration of a java-logo coffee cup going into a garbage can, and the first pageful of results were "how to uninstall java." I already had a customer balking about installing java. Now it seems certain we'll have to port everything away, a huge undertaking. (Even though we'll end up porting it to C++ and have multiple times more vulnerabilities when we're done, but I guess at least they'll be specific to our application).

    1. Re:Disaster by Jeremi · · Score: 5, Insightful

      There are so many more things that can go wrong with Java than a standard C++ application.

      I think you grossly underestimate C++'s ability to go wrong :^)

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    2. Re:Disaster by Anonymous Coward · · Score: 3, Insightful

      Then you (or your sales people) need to explain to your customers that the vulnerabilities only apply to applets. Tell them how your desktop applications aren't a vulnerability. Extend your installation docs to cover how to install a JRE for desktop use and disable it in all the browsers.

      This "four legs is good, Java is bad" meme is obstructive but good advice can beat it down.
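The desktop-JRE-with-browser-plug-in-disabled setup suggested in the comment above, expressed as an added audit helper; this is example code written for this page, not part of the thread or of Oracle's tooling. It assumes the plug-in switch from the Java Control Panel is stored as `deployment.webjava.enabled` in the user's deployment.properties (whose platform-specific path is not handled here), and the function names and sample inputs are my own.

```python
import re

# Per the thread and Oracle's alert: Java 7 before Update 11 is affected by
# CVE-2013-0422, Java 6 is not, and only the browser plug-in (applets) is exposed.
FIXED_MAJOR, FIXED_UPDATE = 7, 11

def parse_java_version(version_output):
    """Parse the first line of `java -version`, e.g. 'java version "1.7.0_10"',
    into (major, update) such as (7, 10). Returns None if it cannot be parsed."""
    m = re.search(r'java version "1\.(\d+)\.\d+(?:_(\d+))?"', version_output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)

def runtime_status(version_output):
    """'affected', 'fixed', 'not_affected' or 'unknown' for CVE-2013-0422."""
    parsed = parse_java_version(version_output)
    if parsed is None:
        return "unknown"
    major, update = parsed
    if major != FIXED_MAJOR:
        return "not_affected"  # e.g. Java 6, as black3d notes further down
    return "fixed" if update >= FIXED_UPDATE else "affected"

def parse_deployment_properties(text):
    """Minimal parser for Java's deployment.properties (key=value, '#' comments)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def browser_plugin_enabled(properties_text):
    """True unless 'deployment.webjava.enabled=false' is set (the Java Control
    Panel's 'Enable Java content in the browser' switch, assumed stored here)."""
    props = parse_deployment_properties(properties_text)
    return props.get("deployment.webjava.enabled", "true").lower() != "false"

def audit(version_output, properties_text):
    """Combine both checks into the advice a desktop-only Java deployment needs."""
    status = runtime_status(version_output)
    exposed = browser_plugin_enabled(properties_text)
    if status == "affected":
        advice = "update to 7u11" + (" and disable Java in the browser" if exposed else "")
    else:
        advice = "disable the browser plug-in anyway" if exposed else "no action needed"
    return {"status": status, "browser_plugin_enabled": exposed, "advice": advice}

# Constructed sample input; not captured from any machine mentioned in the thread.
SAMPLE_VERSION = 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)\n'
SAMPLE_PROPS = "# deployment.properties\ndeployment.security.level=HIGH\ndeployment.webjava.enabled=false\n"
```

Feed it the real `java -version` output and the contents of the user's deployment.properties to get the same three-way answer for a fleet of desktop machines.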

  6. Re:What about Java 6 (et al)? by black3d · · Score: 4, Informative

    Java 6 isn't vulnerable to this particular exploit. Only 7.

    --
    "The true measure of a person is how they act when they know they won't get caught." - DSRilk
  7. Re:Java or Javascript? by RedHackTea · · Score: 3, Informative

    I think the only popular sites are games now. Minecraft is the first you'll hear on /. It uses Java and LWJGL (Light-Weight Java Game Library) -- which essentially just uses JNI to expose native calls to OpenGL/AL/CL using C code. I believe there is both a Java Applet version and offline version (which may use Java WebStart, don't know).

    RuneScape and all of FunOrb (also made by Jagex -- the creators of Runescape) are also Java Applets.

    Other than games, you'll see sites use Java Applets for simulations, etc. -- things that are either computationally intensive or too complex. Since Java is object-oriented, has tons of built-in data structures, garbage collection, and runs off the client's (pretty fast) JVM in which there is a JVM available for the popular OSes, it's a better alternative to JavaScript or Silverlight for these tasks.

    --
    The G
  8. Re:Leftovers by bertok · · Score: 3, Informative

    Older versions of Java defaulted to side-by-side installation mode, which was then kept even after newer releases were installed on top.

    Newer versions default to in-place upgrade mode instead.

    It's poorly documented, and as far as I know, the only way to fix it is to completely uninstall and re-install the latest version.

  9. Be careful what you wish for by Anonymous+Brave+Guy · · Score: 5, Insightful

    I really hate saying this because I am mostly libertarian and wary of too much regulation, but I think it is high time that there are regulations akin to those imposed on other engineering disciplines put into place over software that is used in 'e-infrastructure' such as banking, etc.

    Be careful what you wish for.

    As a professional software developer, I find the poor choices made by big name software companies very frustrating, and I'm well aware of the cumulative damage caused when software used by many people fails.

    On the other hand, if you mandate heavyweight regulation in such an industry, you're going to see prices go up significantly, and a lot of useful free-as-in-beer software would probably disappear almost overnight because the people writing it are going to be reluctant to accept engineering-level liability for work they do at charity/PR level prices.

    Then you'll get some sort of approved person/recognised competency qualification, probably administered by some bureaucratic organisation with expensive membership fees and a lofty title, possibly backed by law so people can't even practise software development without jumping over the officially sanctioned barriers to entry any more, or at least such that you can't get professional insurance policies to cover your engineering-level liabilities without playing the game.

    Oh, and since there are about three people on the planet who actually know how to write really robust software and they're all in very high profile jobs already, that organisation is instead going to be run (or more likely "advised" by some sort of "expert panel") by the kind of smooth-talking consultants who move from one fad to the next, making lots of money on the upside and then running away before they have to face the consequences of their expensive advice. You know, the ones who use terms like "Agile" and "software craftsmanship", but who can't manage to write a Sudoku solver or who think there are no more programming languages left.

    In short, if you want to stifle genuine innovation in the industry by people who really are competing on quality or exploring better ways to write software, and ensure that all you ever get is junk written by people who are more interested in competing on compliance with "quality standards" and exploring better ways to make money from software, regulation is exactly how you do it. In time, we'll learn how to build software better and people who make the effort to do so will be able to compete on genuine quality, but until we have learned how to do that with some level of consistency, any attempt to turn software development into some sort of engineering profession is doomed.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  10. Re:Java or Javascript? by Billly+Gates · · Score: 5, Informative

    Javascript absolutely has nothing to do with Java.

    Netscape realized for the web to take off as a platform it needed to do more than just display text and pictures so logic was needed. Netscape invented Livescript. Sun didn't like it and was in talks with making Java used instead of Livescript for dynamic web content.

    So Netscape made a deal to rename Livescript Javascript with the contract to include jre with Netscape 3. It has nothing to do with it other than pure marketing name to confuse users to spread synergy to Java instead which is what Sun hoped as Livescript aka Javascript was very limited at the time.

    It became a standard to this day.

  11. Too Late Now by Greyfox · · Score: 4, Interesting

    I'm not going to tell my friends and family it's safe to reinstall it. None of them even noticed that anything had changed after the uninstall.

    --
    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  12. Re:What about Java 6 (et al)? by fuzzyfuzzyfungus · · Score: 3, Insightful

    So they give you something for free, choose to dictate how they will support this something and you complain?

    No wonder these companies gouge on the licensing where they can, ppl like you will demand an inch and take a mile.

    Nobody said that owning a 'platform' was a fun job. It's high blame, low praise, your undemanding customers have a willingness to pay hovering around $0, your customers who are willing to pay have a list of whiny demands about 'compatibility' and such. That's just how these things roll. Is it worth it to you to suck it up and reap the rewards, or is a different category of software a better fit?

    It honestly looks like (consumer) in-browser java is nearly dead, and the JVM isn't as lively on the client side as it once was, so Oracle might not have to decide whether they are in the 'platform' business in that area. The general point still stands. "Platform" is not a pretty category of software to be responsible for, it just sometimes happens to be lucrative enough to be worth it.

  13. Any announcement of policy changes in Oracle? by GodfatherofSoul · · Score: 4, Insightful

    Their rep and that of Java took a huge punch in the gut. I'm a long time Java developer and I'm fuming at the way Oracle has handled this. When non-techies are associating Java with hacking, this is terrible news for the language and platform. It won't be long before the pointed-headed bosses start calling down to their IT shops making sure "we got all the java out of the computers."

    --
    I swear to God...I swear to God! That is NOT how you treat your human!
  14. subject by Legion303 · · Score: 4, Insightful

    No, I don't want the fucking Ass Toolbar installed, Oracle. Thanks for asking.

  15. Re:OS X version is Lion + by ChunderDownunder · · Score: 3, Informative

    Backporting security fixes to an old OS X release isn't feasible for Oracle because they don't own the particular codebase that targeted Snow Leopard and earlier. Apple forked the JDK under a commercial license from Sun back in the day, incorporating OS X specific implementation details, which for earlier Java releases lies in Apple HQ.

    When Apple handed over the reins to Oracle, any code they contributed back to the OpenJDK codebase would have been for the then current OS X revision (Lion) and thus likely unportable to Snow Leopard without modification. Code "Soy Latte" existed some 4 years ago as a community effort to port OpenJDK to OS X 10.5 and later but this was never the "official" port used by Apple.

    Were Apple any better during their stewardship of Java? I seem to remember JRE versions were tied to releases of OS X. Our efforts to develop a Swing application were stifled because our user base (e.g. schoolkids with iBooks) were stuck forever on Java 1.5.

    So blame Oracle but some of the blame goes back to Jobs, who in later years did much to sideline Java.