Oracle Ships Java 7 Update 11 With Vulnerability Fixes
An anonymous reader writes "After announcing a fix was coming just yesterday, Oracle on Sunday released Java 7 Update 11 to address the recently disclosed security vulnerability. If you use Java, you can download the latest update now from the Java Control Panel or directly from Oracle's website here: Java SE 7u11. In the release notes for this update, Oracle notes this version "contains fixes for security vulnerabilities." A closer look at Oracle Security Alert for CVE-2013-0422 details that Update 11 fixes two vulnerabilities."
It's great that the default security settings have been increased - and the zero-day flaws needed fixing (as always).
Proper web browsing hygiene protected users from this zero-day vulnerability - but my mom needed this update.
- Nec Impar Pluribus, or so I'm told.
I really hate saying this because I am mostly libertarian and wary of too much regulation, but I think it is high time that there are regulations akin to those imposed on other engineering disciplines put into place over software that is used in 'e-infrastructure' such as banking, etc.
Be careful what you wish for.
As a professional software developer, I find the poor choices made by big name software companies very frustrating, and I'm well aware of the cumulative damage caused when software used by many people fails.
On the other hand, if you mandate heavyweight regulation in such an industry, you're going to see prices go up significantly, and a lot of useful free-as-in-beer software would probably disappear almost overnight because the people writing it are going to be reluctant to accept engineering-level liability for work they do at charity/PR level prices.
Then you'll get some sort of approved person/recognised competency qualification, probably administered by some bureaucratic organisation with expensive membership fees and a lofty title, possibly backed by law so people can't even practise software development without jumping over the officially sanctioned barriers to entry any more, or at least such that you can't get professional insurance policies to cover your engineering-level liabilities without playing the game.
Oh, and since there are about three people on the planet who actually know how to write really robust software and they're all in very high profile jobs already, that organisation is instead going to be run (or more likely "advised" by some sort of "expert panel") by the kind of smooth-talking consultants who move from one fad to the next, making lots of money on the upside and then running away before they have to face the consequences of their expensive advice. You know, the ones who use terms like "Agile" and "software craftsmanship", but who can't manage to write a Sudoku solver or who think there are no more programming languages left.
In short, if you want to stifle genuine innovation in the industry by people who really are competing on quality or exploring better ways to write software, and ensure that all you ever get is junk written by people who are more interested in competing on compliance with "quality standards" and exploring better ways to make money from software, regulation is exactly how you do it. In time, we'll learn how to build software better and people who make the effort to do so will be able to compete on genuine quality, but until we have learned how to do that with some level of consistency, any attempt to turn software development into some sort of engineering profession is doomed.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
JavaScript has absolutely nothing to do with Java.
Netscape realized that for the web to take off as a platform it needed to do more than just display text and pictures, so logic was needed. Netscape invented LiveScript. Sun didn't like it and was in talks about having Java used instead of LiveScript for dynamic web content.
So Netscape made a deal to rename LiveScript to JavaScript, with the contract to include the JRE with Netscape 3. It has nothing to do with it other than being a pure marketing name to confuse users and spread synergy to Java instead, which is what Sun hoped, as LiveScript, aka JavaScript, was very limited at the time.
It became a standard to this day.
http://saveie6.com/
There are so many more things that can go wrong with Java than a standard C++ application.
I think you grossly underestimate C++'s ability to go wrong :^)
I don't care if it's 90,000 hectares. That lake was not my doing.
Tell that to lawyers that need it to access PACER or their local court filing repository. Or tell that to various medical professionals that have line-of-business apps written in Java (recently stumbled across a pano controller package written entirely in Java - that was cute). Or tell that to certain financial industries that use Java to submit various bits of paperwork (if you're a merchant filing for credit card processing, there's a decent chance your application was scanned and uploaded using a Java app called "AMA", depending on which platform your processor is underwriting with). Or tell that to businesses that electronically deposit checks - quite a few banks out there use scanners with Java software to get the checks from the business' PC into the banking system.
Java's actually fairly commonly used for line-of-business applications because it's fairly easy to find Java developers ("easy" being synonymous with "cheap"), the tools start at "free", it's sort of platform neutral, and it's been around for a while. Plus, a lot of those Java line-of-business apps were first written 5-10 years ago and, well, they still basically work - given a choice between paying for a total re-implementation of some tool that works "reliably", doing the necessary field testing to prove it's at least as secure, functional, and stable as the current implementation, or just periodically testing it against the latest version of Java, guess what most businesses do?
Now you know why Java exploits are a big deal.