Security Expert Says Java Vulnerability Could Take Years To Fix, Despite Patch

← Back to Stories (view on slashdot.org)

Security Expert Says Java Vulnerability Could Take Years To Fix, Despite Patch

Posted by samzenpus on Monday January 14, 2013 @05:25AM from the long-road-coming dept.

An anonymous reader writes "After the Department of Homeland Security's US-CERT warned users to disable Java to stop hackers from taking control of users' machines, Oracle issued an emergency patch on Sunday. However, HD Moore, chief security officer of Rapid7, said it could take two years for Oracle to fix all the security flaws in the version of Java used to surf the web; that timeframe doesn't count any additional Java exploits discovered in the future. 'The safest thing to do at this point is just assume that Java is always going to be vulnerable,' Moore said."

4 of 320 comments (clear)

Min score:

Reason:

Sort:

Two years? by schneidafunk · 2013-01-14 05:33 · Score: 5, Interesting

It looks like he randomly pulled a time frame. I cannot find an explanation for the two year estimate.

--
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
1. Re:Two years? by Zocalo · 2013-01-14 05:54 · Score: 5, Interesting
  
  Possibly, but it could also have something to do with Oracle's announcement that Java will be getting regular updates on a two year schedule. Maybe he's just assuming it's going to take a major iteration - from the v8.x series due in September to the next release, v9.x to completely fix this class of flaws.
  
  --
  UNIX? They're not even circumcised! Savages!
Much hyperbole about nothing by Zero__Kelvin · 2013-01-14 05:51 · Score: 5, Interesting

That's not specific to Sun/Oracle's JVM Implementation, but goes for all software, at all times.

"it could take two years for Oracle to fix all the security flaws in the version of Java used to surf the web" ... "The safest thing to do at this point is just assume that Java is always going to be vulnerable,""
This guy isn't a security expert. He doesn't even know that Java is a programming language, and that Oracle's JVM is not "a version of Java used to surf the web". No self respecting expert would misuse terms the way he is, and he should be sued for doing it. It leads to ridiculous situations, where people think Java is inherently bad. I mean, isn't Android based on Java? OMFG ... don't get one of those! Haven't you heard. Java is vulnerable to attack! If the writer got what this guy said correct then his guy is either shilling for Apple or Microsoft against Google/Android, hates Oracle, or is phenomenally incompetent.

--
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Why isn't there a whitelist-only mode? by Anonymous Coward · 2013-01-14 05:54 · Score: 5, Interesting

I find it strange that I can install a flash blocker that allows me to whitelist certain websites but that similar functionality seems to be missing for Java... the easy answer is to not allow java to run unless the site or even specific URL is in a whitelist.
The java engine should check whether the code it is about to execute is from a whitelisted location before it executes it. If the code is not, it should warn the user, perhaps prompting to add the site.
That way your banking and ecommerce sites would still work easily while the "bad guys" would at least have to successfully social-engineer you into adding their site, a situation much better than what we currently see where all you have to do is inadvertently browse to a web page with compromized java applets embedded.