Security Expert Says Java Vulnerability Could Take Years To Fix, Despite Patch

← Back to Stories (view on slashdot.org)

Security Expert Says Java Vulnerability Could Take Years To Fix, Despite Patch

Posted by samzenpus on Monday January 14, 2013 @05:25AM from the long-road-coming dept.

An anonymous reader writes "After the Department of Homeland Security's US-CERT warned users to disable Java to stop hackers from taking control of users' machines, Oracle issued an emergency patch on Sunday. However, HD Moore, chief security officer of Rapid7, said it could take two years for Oracle to fix all the security flaws in the version of Java used to surf the web; that timeframe doesn't count any additional Java exploits discovered in the future. 'The safest thing to do at this point is just assume that Java is always going to be vulnerable,' Moore said."

6 of 320 comments (clear)

Min score:

Reason:

Sort:

Re:Java used to be secure and sandboxed by zero.kalvin · 2013-01-14 05:46 · Score: 5, Informative

Yes, but when a bug is found in either of them (Firefox or Chrome) devs race to plug the whole. On the other hand Oracle knew about this since August and did nothing about it..
Re:Applies to all outside software by PenquinCoder · 2013-01-14 06:04 · Score: 5, Informative

Java != Javascript
Re:Applies to all outside software by Karlt1 · 2013-01-14 06:06 · Score: 5, Informative

"Trying to use 'todays' internet with Java disabled is not a viable option. A realistic estimate is that over 70% of all common websites require Java to function correctly.
It is unfortunate that so many web developers use Java in places where it just isn't required. While I agree that Java Script does provide needed functionality in some situations, that is not the case in many (most) applications."
Really? This day and age someone not knowing the difference between Java and Javascript?
70% of pages do not use Java. Javascript yes but they are completely different.
Server- vs. client-side Java by DragonWriter · 2013-01-14 06:16 · Score: 5, Informative

"Trying to use 'todays' internet with Java disabled is not a viable option. A realistic estimate is that over 70% of all common websites require Java to function correctly.
The only way that number is within an order of magnitude of being correct is if it is a reference server-side Java, which isn't the issue. In-browser Java is the issue, and very few common websites require in-browser Java to function correctly (in-browser JavaScript, perhaps, but aside from artifacts of early-90s marketing in the naming, the two have nothing in common.)
Re:Java used to be secure and sandboxed by Anonymous Coward · 2013-01-14 06:22 · Score: 5, Informative

yes, we already blacklist Java across the company where I work due to this.
in general they're quite liberal about letting employees manage their own computers (it's a software dev studio) but Java is blacklisted because of the Ask bundling, which is considered Spyware at corporate level and difficult to remove cleanly.
Re:Why isn't there a whitelist-only mode? by David_Hart · 2013-01-14 06:24 · Score: 5, Informative

If you are using Firefox, Chrome, or Safari, you can install NoScript. I find that it works well. It takes some effort to figure out which scripts you need to run for each page to display properly and which are the advertisement scripts. But it does the job. So far, I have found only one site that doesn't work with NoScript, but it's not a common site.
If you are not using If you are using Firefox, Chrome, or Safari, then it may be time to switch. I, personally, have always preferred IE. However, I made the switch to Firefox a couple of years ago and haven't turned back since. The security plugins for FireFox are much better than for IE and most are free (open source).