Slashdot Mirror


Another Java Exploit For Sale

tsamsoniw writes "Mere days after Oracle rolled out a fix for the latest Java zero-day vulnerabilities, an admin for an Underweb hacker forum put code for a purportedly new Java exploit up for sale for $5,000. Though unconfirmed, it's certainly plausible that the latest Java patch didn't do the job, based on an analysis by the OpenJDK community. Maybe it's high time for Oracle to fix Java to better protect both its enterprise customers and the millions of home users it picked up when it acquired Sun."

150 comments

  1. Oracle owns Java now? by Anonymous Coward · · Score: 2, Funny

    When the fuck did this happen?

    1. Re:Oracle owns Java now? by mark-t · · Score: 1

      2010

    2. Re:Oracle owns Java now? by Billly+Gates · · Score: 2

      Sadly I remember stagnation and security issues when Sun still owned it too.

    3. Re:Oracle owns Java now? by SIR_Taco · · Score: 4, Funny

      You mean the redundancy issues?

      --
      I say don't drink and drive, you might spill your drink. Before you get behind the wheel just stop and think.
    4. Re:Oracle owns Java now? by hairyfeet · · Score: 4, Interesting

      The problem is that 2 different security groups have been analyzing the flaws that the malware guys used for the last exploit and say it could be 2 years before a proper fix is in place because the underlying code is "a mess".

      Of course any of us who had to deal with Sun's products in the past could have told them this; Sun was pretty piss poor when it came to code and security, which is why I've been saying give the LO guys at least 3 years before we start bitching, simply because it'll probably take that long to clean up the mess Sun left.

      The monkey in the wrench though, the fly in the ointment, the pain in the ass, is that Java usage was waaay down among consumers....until that fucking game showed up. I hope the guy who wrote Minecraft is happy because just when we had weaned a lot of home users away from the tripe that is Java he had to build a hit game on it and drag us all back into the mess. I don't know which is worse, Minecraft bringing shitty Java back to the consumer desktop or the fact that Java will add the browser plugin (along with crapware) every time you update the damned thing. But in any case the malware writers are gonna have a field day as all those Minecraft installs are a botnet waiting to happen and if those security researchers are right all Oracle can do is slap band aids on the mess that is Java.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    5. Re:Oracle owns Java now? by Anonymous Coward · · Score: 3, Funny

      Aww. Did a creeper explode your house?

    6. Re:Oracle owns Java now? by datavirtue · · Score: 1

      Wow Hairy.....your comments are sooo much better when you know what you are talking about. The JRE is awesome. The main problems, or issues rather, have been from the applet plugin and users clicking "yes" on every dialog box they see. Sun created extreme competition in the market by implementing a C-based language with powerful, simple, sensible APIs and a security model. If it had not been for Java then Microsoft would have never developed .NET to the point it is at now. For what it is worth from a Java lover, .net is freaking awesome and now surpasses Java as a software development "language" in many respects. Java is still awesome though. Minecraft and the proliferation of Java-based enterprise applications shows that it is awesome and that the ultimate goal was met.

      --
      I object to power without constructive purpose. --Spock
    7. Re:Oracle owns Java now? by darkgrayknight · · Score: 0

      All the time, what's up with that! :)

    8. Re:Oracle owns Java now? by hairyfeet · · Score: 2

      Riiight, Java is sooo awesome...that if you remove it and Flash you have a practically uninfectable computer. Hell I ran a PC for 4 years at the shop without even an AV, just Firefox with no Java and no Flash, thing never had so much as a close call.

      I'm sorry but I don't give a rat's ass if Java as a language is so fucking good it sends 10,000 dollar hookers to blow you while you write code as that is NOT my concern. To steal a line from Tron Legacy "I stand for the users" and from a security standpoint Java has more bugs than a Bangkok whore on coupon day, it's a fucking mess. It was a fucking mess when Sun had it, it's a fucking mess now that Oracle owns it. The language itself may be candy and flowers but the implementation leaves a WHOLE lot to be desired. Don't take my word for it, hell don't take the word of the security researchers who've been analyzing the code I linked to, go to any security site like Secunia and look at the 5 year history of Java when it comes to zero days and exploits. Check ANY security website and Java and Flash are neck and neck when it comes to zero days and malware.

      At least with Flash it's not like we have a choice in using it, HTML V5 is fucking BROKEN, goes through resources like a fat guy at an all you can eat buffet, can't even do 30% of the jobs Flash does, and I don't care which implementation you choose I can put it next to Flash using the same resolution and Flash will use less than half the CPU for a given file size, so at least with Flash we have NO choice until HTML V5 gets its shit together. You said it yourself we have .NET and it works just fine. While I may not like the way MSFT is going on the OS front with their "LOL What is Apple doing? Copy it and add a 20% markup LOL" attitude one thing I have ALWAYS given them credit for is making kick ass software dev tools and from what I've been told .NET is top notch.

      So until Oracle can throw out the rotting corpse that is Sun's Java code and build something better I'm sorry but I'm calling a spade a spade and from a security standpoint Java is a nightmare from hell.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    9. Re:Oracle owns Java now? by Anonymous Coward · · Score: 0

      So you are so skilled that you can tell if you got malware on your system somehow? LOL

      IE+ActiveX = total control of your system.

      Hell IE by itself is easily exploitable.

  2. The Right Thing (TM) by Anonymous Coward · · Score: 3, Insightful

    So then do like Google and pay the guy for the bug.

    1. Re:The Right Thing (TM) by allcoolnameswheretak · · Score: 2

      Exactly.
      Java isn't inherently less safe than any other software or platform. The reason why so many exploits are being discovered is that Java is currently the focus of the criminal malware underground. Being so widely deployed makes it a natural target, just as most viruses and trojans target Windows because it's the most widely distributed operating system. Nevertheless all these security issues are causing a lot of bad press for the Java brand. What Oracle needs to do is to reward findings of security holes with good, quick cash to attract and reward hackers and keep them away from the dark side.

      Come on Oracle! You've got the cash and you're guided by marketing folks. It shouldn't be too hard for you to analyze the cost/benefit of a few 100K $ for a safe Java platform.

    2. Re:The Right Thing (TM) by noname444 · · Score: 1

      That would escalate quickly.

    3. Re:The Right Thing (TM) by Anonymous Coward · · Score: 0

      Popularity and security have nothing to do with each other.

      If a hacker actually wants to do some damage and make a lot of money, he doesn't target Windows, he targets Linux.

      Windows is the most hacked because it is the easiest to hack. A 12 year old with no computer knowledge can break almost any windows install.

      I agree that the JVM is not any more or less secure than any other runtime, its usage numbers have nothing to do with that.

  3. Kill it with FIRE by Billly+Gates · · Score: 5, Insightful

    Oracle needs to give up on browser plugins. I realize there are some mission critical business apps and a few cases where it is needed just like IE 6. We need to start pressuring the vendors to stop distributing it like we did with obsolete browsers.

    With javascript and HTML 5 and CSS 3 there is no reason to keep such 20th century technology on the modern web. Consumer sites no longer even use it anymore.

    With IE 6 and IE 7 gone by 2014 our eyes should focus on Java as the next technology that threatens the security of our networks and needs to go bye-bye. We need to do our part as IT professionals, inform the PHBs that it is bad security just like IE 6, and demand that app vendors drop it.

    1. Re:Kill it with FIRE by Anonymous Coward · · Score: 1

      What about www.runescape.com and www.minecraft.com ?

      oracle should just fix it properly.

      they need to spend whatever it takes to fix it once and for all.

    2. Re:Kill it with FIRE by Anonymous Coward · · Score: 1, Informative

      They should die. There is no reason to do that sort of thing in a browser instead of a standalone client.

    3. Re:Kill it with FIRE by Anonymous Coward · · Score: 1

      Can we kill the whole DynamicHTMLWebApp thing instead, and return the web to being about lean mean content delivery?

      Separate software in Java or whatever to deliver, well, apps. Not the half-caste "browser app" thing.

    4. Re:Kill it with FIRE by Anonymous Coward · · Score: 1

      It's too late for that. There are multiple industries built around that functionality, and with HTML5 it's only going to get worse. The only way the web will return to the days of text-and-maybe-images is if something incredibly drastic happens to make people view the current web and a new, "clean" web as two distinct entities.

      Personally, I think the only chance for it to happen is right after extraplanetary living becomes reasonable, where we have to communicate with the Earth through pencil-thin laser beams that can only carry 600 baud or something.

    5. Re:Kill it with FIRE by Darkness404 · · Score: 4, Insightful

      Except that there are still a good chunk of websites that still use Java. For example, Minecraft and RuneScape to name two.

      And sure you -can- have it be fully client side but it doesn't always work. Many schools and workplaces will filter out .exe file extensions but will let you run in-browser applications just fine.

      The web is not just things developed in 2013, but also for things developed back in 1997. And as such, it needs to be at least partially backwards compatible with older technologies.

      The real issue here isn't about browser plugins but it is the terrible management of Java by Oracle. There is nothing that inherently should make Java more unsafe than a generic web browser, the problem is unlike most web browsers, Oracle has time and time again proven to be unable or unwilling to fix gaping holes in their programs. Even when they do create a fix they still try to bundle in crapware such as the "Ask" toolbar and switch my default search engine to Ask. A slimeball tactic that should be reserved for those making keygens and the like.

      There is nothing that makes Java any more insecure than JavaScript except for Oracle. Rather than simply dropping a useful element of the web, we should pressure Oracle to do what a software firm should do: fix the bugs!

      --
      Taxation is legalized theft, no more, no less.
    6. Re:Kill it with FIRE by Anonymous Coward · · Score: 1, Interesting

      Except that there are still a good chunk of websites that still use Java. For example, Minecraft and RuneScape to name two.

      Both applications that should be completely client side

      And sure you -can- have it be fully client side but it doesn't always work. Many schools and workplaces will filter out .exe file extensions but will let you run in-browser applications just fine.

      So the Java browser plugin deserves to exist because... otherwise kiddies can't get around Sonicwall? Really?

      Furthermore, that's a terrible argument because an institution that can prevent non-whitelisted applications from launching can also trivially block whatever website hosts the .jar for the program you want to run. And if they do, it's their damn equipment anyway, stop screwing around on it.

      The web is not just things developed in 2013, but also for things developed back in 1997. And as such, it needs to be at least partially backwards compatible with older technologies.

      This is completely true, but people have pretty much given up on Flash. I doubt you pine for ActiveX.

      The real issue here isn't about browser plugins but it is the terrible management of Java by Oracle. There is nothing that inherently should make Java more unsafe than a generic web browser

      Java is a plugin, not a web browser

      , the problem is unlike most web browsers

      Java is a plugin, not a web browser

      , Oracle has time and time again proven to be unable or unwilling to fix gaping holes in their programs. Even when they do create a fix they still try to bundle in crapware such as the "Ask" toolbar and switch my default search engine to Ask. A slimeball tactic that should be reserved for those making keygens and the like.

      Agreed. Oracle is terrible.

      There is nothing that makes Java any more insecure than JavaScript

      Yes, there most definitely is. Javascript cannot access the filesystem. Java can. Javascript cannot spawn processes. Java can. The difference is that the Java plugin takes something that is fundamentally unsafe and attempts to bottle it up, where Javascript simply doesn't have the dangerous parts that malware gains access to.

      except for Oracle. Rather than simply dropping a useful element of the web, we should pressure Oracle to do what a software firm should do: fix the bugs!

      Why? As a user, what reason is there for you, personally, to have the Java browser plugin installed? So you can play minecraft? Use the standalone client instead. You'll get a better framerate without the browser, ffs. For the mathematical applets that I was linked to once? Please. Those are trivial to write in Javascript.

    7. Re:Kill it with FIRE by Lennie · · Score: 3, Informative

      So how many people run Minecraft in the browser ? I thought most run it outside of the browser, right ?

      --
      New things are always on the horizon
    8. Re:Kill it with FIRE by Anonymous Coward · · Score: 0

      I have three words for you: "Go" "To" "Meeting". Microsoft of all people...

    9. Re: Kill it with FIRE by Anonymous Coward · · Score: 0

      Your name matches your comment damn ass

    10. Re:Kill it with FIRE by Anonymous Coward · · Score: 0

      Both applications that should be completely client side

      no reason for them to be.

      So the Java browser plugin deserves to exist because... otherwise kiddies can't get around Sonicwall? Really?

      no it's because it provides a sandbox environment. it isn't perfect but it's far safer than running applications locally.

      Furthermore, that's a terrible argument because an institution that can prevent non-whitelisted applications from launching can also trivially block whatever website hosts the .jar for the program you want to run. And if they do, it's their damn equipment anyway, stop screwing around on it.

      their concern is likely about running programs on the system rather than in a sandbox environment.

      The real issue here isn't about browser plugins but it is the terrible management of Java by Oracle. There is nothing that inherently should make Java more unsafe than a generic web browser

      Java is a plugin, not a web browser

      so? why does that mean it shouldn't be more unsafe than a web browser which also provides a sandbox for running applications?

      , the problem is unlike most web browsers

      Java is a plugin, not a web browser

      which is why the problem with Java is unlike that of most web browsers even though they share characteristics from an application environment point of view.

      Javascript cannot access the filesystem.

      false.

      Javascript cannot spawn processes. Java can.

      you're confusing the browser plugin with the native jvm.

    11. Re:Kill it with FIRE by Anonymous Coward · · Score: 1

      Use minetest, it's C++ and scales better.

      X feature missing? Add it, it's open source with lua scripting.

    12. Re:Kill it with FIRE by Runaway1956 · · Score: 4, Insightful

      "fix it once and for all."

      Please name some software that has been fixed, once and for all. I'm not aware of any. It seems that everything is evolving as threats evolve. You could start with the kernels. Microsoft seems to change theirs, Linux changes theirs, etc.

      You might join the chorus, and complain that Oracle evolves too slowly, or that it is incapable of evolving fast enough to remain relevant, but there is no chance in hell that it can be fixed once and for all.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    13. Re:Kill it with FIRE by afgam28 · · Score: 4, Insightful

      While I don't disagree with you completely, I think it's sad that JavaScript and HTML have "beaten" Java applets as the standard way to build network applications. Sun really dropped the ball in terms of the UX for desktop Java, and Oracle's security mismanagement has put the final nail in the coffin of Java on the desktop. But despite all of its flaws, the Java platform provides a much nicer programming model compared to "modern" web technologies.

      HTML was originally designed as a way to display static, hyperlinked documents, and JavaScript was originally just a toy scripting language to do simple things like form validation. They've both evolved to support the creation of rich client interfaces, but creating rich clients using HTML5/JavaScript is not pretty. There's a web server, which spits out dynamically generated client code. Embedded in that client code is a mix of content, markup, JavaScript source code and maybe even inline stylesheets. It runs in one of a number of possible virtual machines (or "web browsers") which are all slightly incompatible, not to mention slow compared to a JIT bytecode interpreter (ironically, one of the early complaints about Java applets was performance). Standardizing it all is a nightmare that takes years of political infighting and compromising on things like video formats. And you have to learn at least 3 different languages to even do anything!

      It would've been great if, instead of HTML/JavaScript evolving up into a full-blown rich client platform, Java just "devolved" a little bit so that it provided a stricter sandbox for applets. None of this "signed code" bullshit - everyone just clicks through on that, leading to all sorts of security problems. Just restrict all applets under the same sandbox (like JavaScript does). Give it a more native UX (e.g. through SWT instead of AWT/Swing) and an App Store, and it would be great!

      There's nothing really inherently wrong with the Java platform, and nothing inherent in its design that makes it less secure than JavaScript. The only problem is Oracle's lack of support, and some small implementation flaws. HTML5/JavaScript on the other hand is just a giant hack. But a standard one.

    14. Re:Kill it with FIRE by Billly+Gates · · Score: 1

      Java is a classic case of great engineering mixed with bad management. Many evolutionary things got killed throughout history where a competitor comes in.

      Sun blew it well before Oracle's acquisition. Not having a native fat binary compiler is one. Before someone jumps at me for making it all soooo non-platform-compliant, I have to say how many are willing to open a cmd prompt and type java x? You need a very expensive $$$$$ compiler to have a .exe where the code is written in Java. This gave the perception Java was slow 12 years ago.

      Hell there are many on Slashdot today in 2013 who actually think Java is as slow as an interpreter like BASIC. Users feel that way too because of the classes that need to be recompiled every time a Java applet loads. Your site needs to work within 4 seconds or they leave in this modern broadband era. On dialup I guess that was more expected back when Java applets were more popular.

      By refusing to integrate with the host OS you have things that look and act odd on non native. Sun insisted on re-inventing its own wheel for everything Java does so it doesn't work quite right with the other apps on the user's system. It is why Steve Jobs pulled the plug on Java and stopped supporting it. It ruined the Mac experience.

      JavaFX came many many years late with no authoring tools. Instead Sun wrote a plugin for Adobe Flash. Really?! So why use java then when I can just use Flash and compile it with that? After all I already purchased it and everyone uses it right? Stupid ...

      Java 7 is terrible and many like myself keep Java 6. The Google Android SDK won't run on anything newer than Java 6 and it is turning into its own version of IE 6 for the Java language.

      Can it be saved? Who knows? My guess is no and that is not a bad thing. Java belongs as a language to write Android applets and servlets in while HTML 5 and CSS 3 for the gui.

    15. Re:Kill it with FIRE by Bing+Tsher+E · · Score: 2

      It was Microsoft that killed Java. The last thing they wanted in the late 90's was for Java Applets to become a popular and powerful feature of the Web. So they corrupted and sabotaged the rollout of Java on Windows.

      It's really weird that now, more than a decade later, people are trying to lay the death blow for Microsoft. Just plain weird. And especially sad to see it happen on Slashdot. Are you all Redmondites? (more than a few of you are, it's obvious)

    16. Re:Kill it with FIRE by Billly+Gates · · Score: 1

      Except that there are still a good chunk of websites that still use Java. For example, Minecraft and RuneScape to name two.

      And sure you -can- have it be fully client side but it doesn't always work. Many schools and workplaces will filter out .exe file extensions but will let you run in-browser applications just fine.

      The web is not just things developed in 2013, but also for things developed back in 1997. And as such, it needs to be at least partially backwards compatible with older technologies.

      The real issue here isn't about browser plugins but it is the terrible management of Java by Oracle. There is nothing that inherently should make Java more unsafe than a generic web browser, the problem is unlike most web browsers, Oracle has time and time again proven to be unable or unwilling to fix gaping holes in their programs. Even when they do create a fix they still try to bundle in crapware such as the "Ask" toolbar and switch my default search engine to Ask. A slimeball tactic that should be reserved for those making keygens and the like.

      There is nothing that makes Java any more insecure than JavaScript except for Oracle. Rather than simply dropping a useful element of the web, we should pressure Oracle to do what a software firm should do: fix the bugs!

      I can replace Java with IE 6 too. We can then spend time optimizing for IE 6, doubling your costs 200%, and adding hacks for Netscape 4.7? My argument is it is time to move on. Yes not everyone has the state of the art Chrome browser with the latest OS on an iCORE7. However the web is not like 1997 except for www.craigslist.com and it is time to move on. Where do you draw the line between support and moving forward and making something pretty and functional?

      Java does not belong in the browser anymore. Like I said, old apps probably written for IE 6 in quirks mode. Drop them in modern apps. Otherwise when offices switch to tablets in a few years they won't be able to run the apps anyway.

    17. Re:Kill it with FIRE by Anonymous Coward · · Score: 0

      Like we should all realize by now, it's about what works best. Java has its cons just like the ever-evolving, more so "modern" tech does. What's important is that we remember this and constantly strive to make tomorrow's internet a better medium to use.

      (But, me being biased toward those said "modern" languages, I have to say 1 thing: semantic and validated front-end shouldn't look ugly and if it does, it only goes to represent the critics' lack of proficiency in said tech.)

    18. Re:Kill it with FIRE by afgam28 · · Score: 1

      Why do you need an expensive compiler to create an .exe file which runs Java? All you need to do is compile this program or similar in any C compiler:

      #include <stdlib.h>  /* for system() */
      int main(void) { return system("java com.example.App"); }  /* launches the JRE found on PATH; a JVM must still be installed */

      Yes, Java bytecodes need to be compiled every time they are loaded, but with a JIT interpreter it's not so bad. Compare that to JavaScript which has to be compiled from source every time! And the JVM does not take any longer to start up than a modern web browser.

      You're right about host OS integration, and yes, JavaFX was too little too late. But Android is an example of client-side, web-enabled Java done well. If only we had something like that for the desktop...

    19. Re:Kill it with FIRE by LordLimecat · · Score: 1

      Make an official Java(TM) / Corporate GunkWare(TM) browser that works with whatever stupid crap companies want to use. Problem solved.

    20. Re:Kill it with FIRE by Anonymous Coward · · Score: 0

      You can do this safely with IE security zones and have java only run in the intranet zone.

      Issue is, like older browsers, they are incompatible with each other and do not run on tablet or smartphone browsers. They are relics of the past.

    21. Re:Kill it with FIRE by Billly+Gates · · Score: 1

      Not anti MS at all.

      Java is a better language and is a real platform while JavaScript is, well, JavaScript. I feel people do not like apps in browsers and want a browser. JavaScript can manipulate elements on a page. Not with Java. It was bolted on and felt foreign. I got modded down to 0 already for this, but I will say it again. Developers love Java but its users hate it.

      Flash is all pretty and fast. Java is slloow to load up and butt ugly and the fonts are not even opentype for LCD screens. Eclipse uses a special api that is not even included in the swing or awt apis to make it look somewhat native.

      It has nothing to do with our hate for IE from that era.

      I think if MS succeeded it would have helped java even if we ended up with java applets that ran only in IE 6. We have that problem today with crappy vbscript and html elements but we moved on. Java failed to perform for what people wanted.

      JavaFX came too little too late and Flash is what really hurt, as well as AJAX and greatly improved JIT for JavaScript. I would hate to think what would happen if Flash never existed and we had to run Java applets on an iPhone or something crazy.

      Sun was more concerned with hurting MS and being terrified about Java applets not running on Solaris than optimizing it with better tools that integrated into each OS or with a fat binary that could run on multiple operating systems. That doomed it as an application language too. That my friend is why Sun lost.

    22. Re:Kill it with FIRE by spongman · · Score: 1

      it's significantly easier to parse javascript source, determine its validity and generate machine code from it than it is just to verify java bytecode.

      for example: prove that the stack looks the same for every different way a basic block can be entered.

    23. Re:Kill it with FIRE by Anonymous Coward · · Score: 0

      Oracle need to stop being Adobe (with its evil "Reader" and Flash) - fixless fixes, constant patch updates for... oh, it sounds like MicroSoft and Windows.
      My Java jumped up yesterday and installed "v7" with a panel claiming Java runs on 3 billion devices. I think we should systematically clean all 3 billion of them from the Java virus. Do your part today...

    24. Re: Kill it with FIRE by itmanCH · · Score: 1

      oh bugger - the AC-twins again...

    25. Re:Kill it with FIRE by kestasjk · · Score: 1

      Yeah I hate interactive websites..

      --
      // MD_Update(&m,buf,j);
    26. Re:Kill it with FIRE by gbjbaanb · · Score: 1

      qmail. I understand the author offered a security bounty that's never been paid out.

    27. Re:Kill it with FIRE by RaceProUK · · Score: 1

      qmail. I understand the author offered a security bounty that's never been paid out.

      Doesn't mean it's invulnerable.

      --
      No colour or religion ever stopped the bullet from a gun
    28. Re:Kill it with FIRE by someones · · Score: 2

      lol no. Just wait for all this cloud crap bubble to burst and people realize that nowadays "in the cloud" means "is online".

      And after that people might realize that "apps" are nonsense too as local data is far more secure than having data online.
      And the lack of the ability to process data locally instead of "somewhere in the cloud" aka. online will lead people to want normal local programs to do that stuff.

      And with the efforts done by governments to regulate the internet and lack of usage/interest in online apps this dynamichtml crap will die out.

      Just wait like 5-10 years.

    29. Re:Kill it with FIRE by someones · · Score: 1

      Again an unqualified post. You obviously never used Java.
      Anyway, do you have any numbers to prove your arguments or are you just a troll/fanboy?

      Also ruining the Mac experience is just an excuse to say: if done right it could show users more than Apple wanted users to see.

    30. Re:Kill it with FIRE by someones · · Score: 1

      > Flash is all pretty and fast.
      obvious troll is obvious.

    31. Re:Kill it with FIRE by someones · · Score: 1

      and throw your android device away? Buy an eyephone or a winbloatphone 1337 today! /troll

    32. Re:Kill it with FIRE by Anonymous Coward · · Score: 0

      Seriously what kind of crap did you roll out of ?

      How is local data more secure than cloud based storage?

      How can the cloud bubble burst

      Why should we wait 5-10 years ? that's too long, once its in the cloud with 5-10 years of data its there for life.

      Go back to sleep.

    33. Re:Kill it with FIRE by Anonymous Coward · · Score: 0

      Java is a plugin, not a web browser

      I was under the impression Java is a broad set of generic libraries running inside a virtual machine - a little more than a browser plugin.

      "Javascript cannot access the filesystem."

      I dont think this is the case any more - see the new Filesystem API. http://www.html5rocks.com/en/tutorials/file/filesystem/

      "Javascript cannot spawn processes"

      Again, I don't think this is completely accurate either - see the new web worker API http://en.wikipedia.org/wiki/Web_worker

      It would seem that current efforts are aimed at giving JavaScript some of the capabilities of Java. Personally, I see this as a good thing as it will allow application developers to side step the real problem with Java on the client - the God awful deployment issues. It will however add new attack vectors. Once again security and usability seem to be at odds with each other...

    34. Re:Kill it with FIRE by Anonymous Coward · · Score: 0

      The problem then is that 1) you have to worry about the classpath in your 1-line C program, and most importantly 2) you are now distributing TWO files instead of one. That's a deal-killer for most people.

    35. Re:Kill it with FIRE by idontgno · · Score: 1

      True dat. The fact that the security bounty remains unclaimed simply means that approximately no one uses it, so it's worthless as an attack space.

      Hell, by that metric, Amiga OS has been the shining paragon of network and OS security.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    36. Re:Kill it with FIRE by Mathematiker · · Score: 1

      it's significantly easier to parse javascript source, determine its validity and generate machine code from it than it is just to verify java bytecode.

      for example: prove that the stack looks the same for every different way a basic block can be entered.

      Huh? Did you ever take a compiler class? Verifying java bytecode is really not that hard...

    37. Re:Kill it with FIRE by Mathematiker · · Score: 1

      If you run some unix, you can create a standalone "executable" from java classes:
            https://coderwall.com/p/ssuaxa

      This still needs a JVM, but then your proposal does as well...

    38. Re:Kill it with FIRE by datavirtue · · Score: 1

      Dell not installing Java is equal to the computer not working for a lot of their customers. Not going to happen.

      --
      I object to power without constructive purpose. --Spock
    39. Re:Kill it with FIRE by Anonymous Coward · · Score: 0

      qmail. I understand the author offered a security bounty that's never been paid out.

      $500 would buy maybe a day's labor from a competent security researcher. Maybe two days back in 1997. That's a pretty tiny incentive for someone to do work on a speculative basis.

    40. Re:Kill it with FIRE by Anonymous Coward · · Score: 0

      Oh give it up. Read the article. A new hole is found that allows malware to escape the Java applet sandbox every month. It's almost like clockwork. Moon waxes, moon wanes, wife gets grumpy for a while, paycheck comes in, mortgage payment goes out, new Java plugin exploit found.

      The applet sandbox is absolutely worthless. The idea was sound, but the track record is awful.

    41. Re:Kill it with FIRE by jpvlsmv · · Score: 1

      it's significantly easier to parse javascript source, determine its validity and generate machine code from it

      Hahahahahaha. Considering that it is quite common now for DOM elements (other than <script>) to contain javascript source, often encoded in ParseInteger with an arbitrarily-chosen base value, then passed to eval(), you clearly don't understand what "javascript source" is these days.

      It all comes down to the ability to run arbitrary untrusted code downloaded from the Internet, thinking that some sort of "sandbox" will protect you. Don't.

      --Joe

    42. Re:Kill it with FIRE by spongman · · Score: 1

      Well, we didn't cover java bytecode verification in my compiler classes because java didn't exist then, but I worked on the java team at one of my past jobs, I wrote a java debugger for them, and I worked closely with the team that wrote the VM.

      I assume you're referring to the bytecode verification as outlined here: http://www.w3.org/Conferences/WWW4/Papers/197/40.html#1

      I don't think that's simpler than compiling javascript from source.

    43. Re:Kill it with FIRE by Anonymous Coward · · Score: 0

      Still *far* safer than downloading and running exe files natively where there is no sandboxing at all.

    44. Re:Kill it with FIRE by Anonymous Coward · · Score: 0

      It's really weird that now, more than a decade later, people are trying to lay the death blow for Microsoft. Just plain weird. And especially sad to see it happen on Slashdot. Are you all Redmondites? (more than a few of you are, it's obvious)

      It's not weird at all, it's that unlike you some of us aren't religiously tied to opposing all the views of Microsoft, we have the ability to view things objectively and can see that just because big bad Microsoft did some assholish things to Java doesn't mean we ignore all its faults. The fact is Java applets provide a poor user experience and have languished in recent years because of that, the adoption of low powered mobile devices has made it even less viable given you have to run a whole platform-specific VM on top of the browser and OS. Each platform vendor needs their own VM implementation and to provide a certified JRE, this is not practical given the number of different platforms out there. There is also the issue of the JCP being stalled by various parties with different ideologies and agendas, these sorts of things make the platform even less attractive to other vendors and prevent progress.

      Oddly enough the Microsoft monopoly was the best thing for Java (only one major platform for the JRE) but it's had its day now, the opening up of Java came far too late to save it, open standards have beaten Internet Explorer and they have beaten Java's web-platform, and open standards is the way it should be.

    45. Re:Kill it with FIRE by Anonymous Coward · · Score: 0

      So abandon functional software for the sake of moving on?

      If you are willing to donate a few billion dollars to make that a reality, go ahead.

  4. "...interact...in complex and subtle ways..." by John+Hasler · · Score: 2

    And that is the fundamental bug.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  5. It's all about teh luv by sgt+scrub · · Score: 1

    Google and others have bug hunts where people gather together to help find and fix bugs. If Oracle wasn't pissing so many people off they could do the same. I guess it couldn't hurt to try something like what Google is doing with Chrome. chrome bug hunt

    --
    Having to work for a living is the root of all evil.
    1. Re:It's all about teh luv by gmuslera · · Score: 1

      It's not about knowing about them in advance; Oracle was aware of the previous bug in August.

      Of course, it is tempting to accuse Oracle of malice, keeping the details of the bug for itself to give them to government agencies for their next cyberweapons; after all, even Red October used a java bug for spreading. But Hanlon's Razor applies to Oracle too (unless their lawyers were involved, of course).

    2. Re:It's all about teh luv by Anonymous Coward · · Score: 0

      But Hanlon's Razor applies to Oracle too

      Hanlon's Razor has a dull blade. Whenever you apply Hanlon's Razor you should also apply mcgrew's razor*: "Never attribute to incompetence when greedy self-interest explains the situation." If it fails mcgrew's razor, Hanlon's doesn't fit. In this case (and most when applied to any corporation), it fails mcgrew's razor miserably -- they don't give a damn about your security, at least not enough to spend any money on it. Incompetence? Nope. Malice? Nope. Greedy self interest? BINGO!

      *Yeah, mcgrew here, can't get logged in on this machine, it worked fine at home.

  6. That's right! by Anonymous Coward · · Score: 0

    Maybe it's high time for Oracle to fix Java to better protect both its enterprise customers and the millions of home users it picked up when it acquired Sun."

    Because everyone knows Oracle's acquisition of Java was for the betterment of Java and Java users. Java is very much alive! Oracle aren't trying to run it into the ground at the whim of their political lobbyists.

    1. Re:That's right! by Shoten · · Score: 4, Insightful

      You haven't noticed how they handle patches and vulnerability management for their database products, have you...

      "This is the Critical Patch Update for , which fixes a whole lot of stuff we aren't going to tell you about. It's nearly a gig in size and changes all kinds of things...but we aren't going to tell you about any of that, either. Good luck deploying this on your mission-critical applications. You can thank us for doing this in 3-month cycles instead of twice a year (like we used to do) later."

      --
      For your security, this post has been encrypted with ROT-13, twice.
    2. Re:That's right! by Cammi · · Score: 1

      They are learning well from Microsoft. Fricken security patches keep breaking IIS, every, single, month.

    3. Re:That's right! by someones · · Score: 1

      That's why I switched to Linux. IIS5 was broken all the f****in time

    4. Re:That's right! by Shoten · · Score: 1

      You're complaining about Microsoft's patching with regards to IIS 5. IIS 5...which came out with Windows 2000, before they totally revamped their approach to both security and patching. That's like complaining about Ford, "because their cars blow up."

      --
      For your security, this post has been encrypted with ROT-13, twice.
    5. Re:That's right! by Cammi · · Score: 1

      fyi, IIS 7.5 and 8 came out in Windows Server 2008 and 2012 ... 2012 came out last year ...

  7. It's been high time... by Anonymous Coward · · Score: 0

    ...since about oh, I dunno.. The late '90s?

  8. Doesn't Oracle have a bug bounty program for Java? by thue · · Score: 4, Interesting

    Surely the bad publicity from a root exploit is worth more to Oracle than $5000? $5000 is peanuts in this context. Why doesn't Oracle have a bug bounty program to avoid problems like this?

  9. Java Sandbox Exploit, Not Java Exploit by Bob9113 · · Score: 5, Informative

    This is not a bug in Java. It is a bug in the Java browser plugin, called a sandbox exploit.

    The Java Virtual Machine (JVM) has access to the filesystem and can fork processes. In an attempt to make this safe to use in a browser, Sun wrote a sandbox that is supposed to block access to the filesystem and to process execution. The sandbox doesn't work, and may never work. Disabling the Java plugin in your browser is a good thing. It might have been nice if the sandbox worked, but it doesn't. Don't run untrusted code in the JVM, whether in a browser or otherwise -- just like not running untrusted C code.

    You can run Java on a server, open a port, expose that port to the Internet, and as long as you haven't written a hole, nothing bad will happen. That is because this is not a Java exploit. It is a Java sandbox exploit.

    1. Re:Java Sandbox Exploit, Not Java Exploit by Anonymous Coward · · Score: 0

      Awesome. Because it's so separated, maybe Oracle can release the Java sandbox plugin as Oracle Sandbox, and declare the language for it to be OSL (Oracle Sandbox Language), then have Java as a separate download. This would clear up most of the confusion and allow OSL to get the bad reputation instead of Java.

    2. Re:Java Sandbox Exploit, Not Java Exploit by amicusNYCL · · Score: 0

      This is not a bug in Java. It is a bug in the Java browser plugin, called a sandbox exploit.

      While that distinction is important to the people exploiting the bugs and the people fixing or mitigating them, to consumers it doesn't matter. It doesn't matter if the bug is in "Java Plug-In", or "Java(tm) Plug-In SSV Helper", or "Java(tm) Plug-In 2 SSV Helper" or "Deployment Toolkit". What matters is that they got attacked because of a bug somewhere inside the Java Platform. If most people who don't care about the distinction between the various components also have no use for Java outside of the browser, then to those people attacking the browser components is attacking Java, and removing Java removes the threat.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    3. Re:Java Sandbox Exploit, Not Java Exploit by afgam28 · · Score: 3, Insightful

      Well, that depends on what kind of "consumer" they are. If they're a user who only has the Java plugin installed, then yeah, you're right.

      But for people who are running non-browser-based desktop apps like Vuze, PHBs who oversee server-side Java projects, and the poor bastards who have to work under them, the advice that "Java is unsafe!!" is misleading and sensationalist.

      I'd wager that most Java applications are not applets, and so they are safe from this exploit and similar ones. So the distinction between the Java platform in general and the browser plugin is a valid one.

    4. Re:Java Sandbox Exploit, Not Java Exploit by ChunderDownunder · · Score: 4, Informative

      I wouldn't be too keen to blame the plugin per se anyway.

      The whole Java library (rt.jar and others) relies on a security model. Each class invoked has checks to see if a security manager is running and if yes then possibly deny a request based on permissions.

      Poor development practices in not vetting the codebase for security checks have caused this. Specifically, this security breach is via new functionality included in JRE 1.7, where any assumptions of security requirements have been invalidated.

      An audit of every class included in the JRE needs to occur with unit tests for expected behaviour inside a sandbox and outside.

      Applets in a browser are the most common usage of a SecurityManager but pointing a finger at the plugin itself won't fix the underlying library code...

    5. Re:Java Sandbox Exploit, Not Java Exploit by Anonymous Coward · · Score: 0

      Thanks for the clarification, Bob. Now all we need to do is just assess each line of compiled Java to ensure that we're fully aware of whatever potential possibilities exist with the code we run throughout our daily lives.

    6. Re:Java Sandbox Exploit, Not Java Exploit by Anonymous Coward · · Score: 0

      Normal Java applications (non-applets and non-Java Web Start) don't use the Security manager unless the applications actually set it up by themselves.
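
      The pattern ChunderDownunder describes in comment 4 (every guarded library method asks whether a SecurityManager is installed and, if so, checks a permission) and the point made just above (an ordinary application has no SecurityManager unless it installs one) can be seen in one small program. This is an added example written for this page, not JRE code and not anything from the thread; the class GuardedFileReader and its two methods are hypothetical stand-ins, with the real I/O replaced by a string so it runs anywhere. The second method deliberately omits the check to illustrate the "new code path with no security check" defect class the comment blames for the plugin escapes.

```java
import java.io.FilePermission;
import java.security.AccessControlException;
import java.security.Permission;

// Hypothetical library class (not from the JRE) showing how rt.jar-style
// code is supposed to consult the SecurityManager before a sensitive act.
public class GuardedFileReader {

    // Correct pattern: consult the manager if one is installed, otherwise
    // (plain desktop/server app, no sandbox) proceed unconditionally.
    public static String readName(String path) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            // Throws AccessControlException when the policy denies it.
            sm.checkPermission(new FilePermission(path, "read"));
        }
        return "contents of " + path; // stand-in for the real file read
    }

    // The defect class discussed above: a newer code path that reaches the
    // same capability but never asks the SecurityManager at all.
    public static String readNameUnchecked(String path) {
        return "contents of " + path; // same stand-in, no permission check
    }

    public static void main(String[] args) {
        String path = "/tmp/example.txt"; // constructed sample path

        // 1) No SecurityManager installed: both methods succeed. This is the
        //    normal state of a desktop or server application.
        System.out.println("no manager, checked:   " + readName(path));
        System.out.println("no manager, unchecked: " + readNameUnchecked(path));

        // 2) Install a restrictive manager, roughly what the applet plugin
        //    does for unsigned code. This toy policy denies every
        //    FilePermission and allows everything else so the demo continues.
        System.setSecurityManager(new SecurityManager() {
            @Override
            public void checkPermission(Permission perm) {
                if (perm instanceof FilePermission) {
                    throw new AccessControlException("denied: " + perm);
                }
            }
        });

        try {
            readName(path);
            System.out.println("UNEXPECTED: checked read was allowed");
        } catch (AccessControlException e) {
            System.out.println("sandboxed, checked:    " + e.getMessage());
        }

        // The unchecked path ignores the sandbox entirely: this is exactly
        // the kind of hole an audit with in-sandbox tests would catch.
        System.out.println("sandboxed, unchecked:  " + readNameUnchecked(path));
    }
}
```

      Compile and run with `javac GuardedFileReader.java && java GuardedFileReader`. On Java 8 through 17 it runs as-is (17 prints a deprecation warning for setSecurityManager); on Java 18 and later the SecurityManager is disabled by default and you must start with `java -Djava.security.manager=allow GuardedFileReader`. The useful test to write for each guarded class is the one the first half of main performs: call every entry point once with no manager and once under a deny-all manager, and assert that no path reaches the sensitive operation in the second case.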

    7. Re:Java Sandbox Exploit, Not Java Exploit by Anonymous Coward · · Score: 0

      This is not a bug in Java. It is a bug in the Java browser plugin, called a sandbox exploit.

      While that distinction is important to the people exploiting the bugs and the people fixing or mitigating them, to consumers it doesn't matter. It doesn't matter if the bug is in "Java Plug-In", or "Java(tm) Plug-In SSV Helper", or "Java(tm) Plug-In 2 SSV Helper" or "Deployment Toolkit". What matters is that they got attacked because of a bug somewhere inside the Java Platform. If most people who don't care about the distinction between the various components also have no use for Java outside of the browser, then to those people attacking the browser components is attacking Java, and removing Java removes the threat.

      It doesn't matter, but only because the plugin and the JVM are bundled together as a Platform.

      Oracle needs to break up the Platform, take the plugin out back, shoot it, burn the carcass, dig a huge pit, throw the ashes in, urinate over them, cover the pit with boulders, and put up a barbed-wire fence with a warning sign that says, "beware of rabid monkey."

      Then the rest of the Platform can move forward.

  10. Re:Doesn't Oracle have a bug bounty program for Ja by Shoten · · Score: 3, Interesting

    Actually, this sounds off to me. $5K for an exploitable Java vulnerability? That's waaaaaay too cheap for the exploit market...white, grey or black. I think this guy is selling a crock of shit, but he knows that the big-money purchasers would be able to tell. So he's offering it for chump change, which is exactly what a chump happens to have on hand to pay.

    --
    For your security, this post has been encrypted with ROT-13, twice.
  11. Re:Doesn't Oracle have a bug bounty program for Ja by Anonymous Coward · · Score: 1

    Actually, Java exploits are pretty worthless in the market since they're so damn rampant. That and the fact this is probably a variant of an existing known exploit which can be potentially fixed greatly decreases its value.

  12. You are fricking mad! by tjstork · · Score: 4, Insightful

    Can you really think you can compare a jack of all trades master of none half witted rendering engine that is html 5, coupled with a dull language that isn't even type safe and costs a comparative fortune to debug, vs well, a -modern- language. I agree plugins can be hokey but html5 sucks.

    --
    This is my sig.
    1. Re:You are fricking mad! by Anonymous Coward · · Score: 1

      Can you really think you can compare a jack of all trades master of none half witted rendering engine that is html 5, coupled with a dull language that isn't even type safe and costs a comparative fortune to debug, vs well, a -modern- language. I agree plugins can be hokey but html5 sucks.

      Can you really think you can't compare them? If one is so brilliant and the other so terrible I would think that assuming you know what you're talking about you could rattle off a list quite easily. Are you really struggling that much with debugging Javascript? Why are you having so much difficulty with it? Or with comprehending dynamically-typed languages? It's not that complex.

    2. Re:You are fricking mad! by Anonymous Coward · · Score: 0

      half witted rendering engine

      I have one of those eeepc netbooks, and the first thing I discovered is that most of the desktop UI toolkits are completely witless rendering engines that would happily draw a dialog box larger than the screen with no way to scroll the rest of it into view.

    3. Re:You are fricking mad! by H0p313ss · · Score: 2

      Can you really think you can compare a jack of all trades master of none half witted rendering engine that is html 5, coupled with a dull language that isn't even type safe and costs a comparative fortune to debug, vs well, a -modern- language. I agree plugins can be hokey but html5 sucks.

      That was certainly the intent of Applets back in the day when the web was young and exciting, but it's certainly not the reality that I've seen in the industry in the past 15 years. What I have seen has been a trainwreck of end user frustration, incompatibility and security holes you could drive a truck through. (Not quite as bad as ActiveX, but close.)

      --
      XML is a known as a key material required to create SMD: Software of Mass Destruction
    4. Re:You are fricking mad! by H0p313ss · · Score: 2

      half witted rendering engine

      I have one of those eeepc netbooks, and the first thing I discovered is that most of the desktop UI toolkits are completely witless rendering engines that would happily draw a dialog box larger than the screen with no way to scroll the rest of it into view.

      So true. I had a tester complain that a dialog I added to an Eclipse UI plugin did not fit on the screen when running VMware at 640x480. While that may be a reasonable compromise for testing it never really occurred to me that anyone might try to use an IDE on a cheap netbook. I guess we'll see.

      --
      XML is a known as a key material required to create SMD: Software of Mass Destruction
    5. Re:You are fricking mad! by Billly+Gates · · Score: 1

      At least ActiveX has signed controls as of IE 6 SP1, and the browser will refuse to run anything unsigned.

      With java it executes with full privileges from any source! This means an infected ad server can host it via a link and it runs automatically with no user interaction! Most users of Windows XP run as administrator too, which means full privileges.

      In essence it is too powerful, as the JVM is a whole OS really that can do it. To the user it is non native looking, slow, and does not integrate with Windows, so it is an odd child. Meanwhile ajax can directly manipulate all the elements of the page. Not be something totally foreign inside something. That is how it beat Java.

      It is time to lay the java plugin to rest. I pray Oracle won't keep fucking re-enabling JRE plugins on all browsers and do something like JavaFX 2.0 and think they can still win this while we see more exploits.

    6. Re:You are fricking mad! by Anonymous Coward · · Score: 2, Insightful

      All I ever see is people who constantly complain without helping with whatever they complain about. I've been in the industry now (more or less) for about the same amount of time, and every year, all I ever see is worsening cultural aspects of things ranging from ever-inflating egos and deteriorating internet etiquette to constantly-atrophying documentation and increasingly-untested software. You see it on here from time-to-time when those posts pop up on occasion concerning some guy who's miffed over some person he considers a less experienced programmer... As if their god complex couldn't get any worse? In other community-based forums, you see people constantly being attacked for not knowing as much as someone else. I mean, if people can't stomach questions, I'll never understand their glutton for punishment by responding to them in the first place, but lo-and-behold, they do it... All this combined with issues like poorly-written install instructions, fluffy or useless search queries, plugins and add-ons that cause problems or eat ram... This is all the bane of today's internet because they all cause so many problems (intrinsically and extrinsically).

      These issues (in my opinion) just keep getting worse and worse each year... If a new internet is ever made, or something representing "a new internet", these issues should reign supreme on the list of prioritized concerns. I think there's a bright future for this possibility, too. I mean, today's internet is yesterday's mistake that we can imbue tomorrow's masterpiece with the lessons we learned previously.

      I just think we're at the breath before the plunge. These things take time to fix.

    7. Re:You are fricking mad! by gbjbaanb · · Score: 1

      shame then that there are no security holes in html5 (as it does little) compared to the "modern" language that is full of them.

    8. Re:You are fricking mad! by aled · · Score: 1

      At least ActiveX has signed controls as of IE 6 SP1, and the browser will refuse to run anything unsigned.

      Unsigned applets run in a sandbox with limited privileges since java 1.3 at least. That's from year 2000. With the last version you can disable applet execution and set a security level for unsigned applets.
      I agree that perhaps the default should be to disable applets.

      --
      "I think this line is mostly filler"
  13. This is insane by mark-t · · Score: 2

    I can't help but observe that the rate at which Java exploits started pouring forth really started skyrocketing after Oracle's acquisition of Sun.

    I mean, seriously... look at the history. It shot up by multiple orders of magnitude in the first six months of 2010 alone, which was right after the Oracle acquisition. This, following a period where Java had actually been getting increasingly *more* secure over time, and as individual vulnerabilities were fixed, Java exploits were getting rarer and rarer.

    But in 2010, it was like some sort of switch flipped. The number of exploits not only went up for the first time in many years, but it jumped at a rate previously unparalleled at any time in Java's history.

    What the fuck is going on?

    1. Re:This is insane by thoth · · Score: 4, Funny

      Well, the obvious conspiracy theory is that disgruntled former Sun engineers, people with extremely deep knowledge about Java, are angry at Oracle and venting their frustrations by poking holes in their former product. ;)

    2. Re:This is insane by Anonymous Coward · · Score: 0

      It's worse than insane. It's bullshit. The OS's firewall should be able to "sandbox" Java, or anything else, for that matter.

    3. Re:This is insane by trims · · Score: 4, Informative

      Simple:

      • Oracle completely screwed up the acquisition, and made major changes to the Java division. Management was completely redone, and the release/bug process was made much worse (not that it was great under Sun).
      • All the old Sun personnel got pissed off at Oracle, for a variety of reasons. Less than 25% of those there in 2008 are still in the Java division; and, that's from an organization where people averaged 10+ years of work at Sun. Oracle hasn't been able to replace this brain drain, and is unlikely to ever succeed in restaffing to an acceptable level. The JDK codebase is incredibly complex - far worse than practically anything else I can think of, including the Linux kernel. The number of people on the planet who are good VM coders numbers maybe a hundred or two. That's it. And the rest of the organization has been decimated, too.

      I worked at Sun for 6 years in the JVM group before the acquisition. I stayed on for another 1.5 years before I left. I only know a handful of people there anymore, and they're staying simply to ride it out to retirement (all are in their 50s). Over three dozen people I used to work with are gone, and there are no decent replacements.

      Basically, people used to working "the Sun Way" detested the new "Oracle Way" and decamped en masse between 2009 and 2011. The whole Java division is a shadow of itself, and won't ever recover.

      --
      There are always four sides to every story: your side, their side, the truth, and what really happened.
    4. Re:This is insane by Anonymous Coward · · Score: 0

      What is going on is fairly straightforward. People attempting to exploit security issues for nefarious purposes are just as lazy as anyone else - they attack the softest target that has a large enough footprint to be worth going after. This used to be just Windows, then it was just Internet Explorer. Eventually with IE's declining market share and Microsoft getting a little better at security they realized that they could exploit run times like Flash and Java and attack more machines than they could with just Internet Explorer and do so pretty quickly. So, boom. Look up the last year or so of exploit kits additions and they are 75% Java and Flash and only about 20% Microsoft (in terms of holes in Windows or IE directly). It absolutely makes sense in terms of number of vulnerable targets vs amount of effort to attack them.

    5. Re:This is insane by airfabio · · Score: 1

      I would say it probably has to do more with Microsoft doing a lot of work to make ActiveX safer and browsers like Firefox and Chrome taking increasing market share.
      Before that Internet Explorer had such a large market share and so many easier attack vectors than Java plugins.
      And after a constant stream of security updates Flash is probably a bit harder a nut to crack than Java is.

    6. Re:This is insane by mark-t · · Score: 2

      Your description of what happened seems to carry a tone of some sadness to it... almost bereavement, in fact.

      I'm a bit curious, however... if you don't mind going into detail, could you describe what you mean by the "Oracle Way", and what was it about it that people detested so much?

    7. Re:This is insane by ChunderDownunder · · Score: 1

      Well since the acquisition was announced in April 2009, there have been a total of 25 updates to the JRE 1.6 u14-u39. That represents about 150 security fixes (according to wikipedia) to a 'stable' product for which development commenced at least as early as Mustang's release in Sept 2004.

      I'd suggest a fair number of those bugs lurked in the codebase back in 2008, back in the days of "the Sun Way".

      So while we can blame Oracle for the current crisis in not vetting new 'method handle' code for invokedynamic functionality, as you say "The JDK codebase is incredibly complex".

    8. Re:This is insane by Anonymous Coward · · Score: 0

      I see you've never worked with an oracle product before

    9. Re:This is insane by Bing+Tsher+E · · Score: 1

      The JDK codebase is incredibly complex - far worse than practically anything else I can think of, including the Linux kernel. The number of people on the planet who are good VM coders numbers maybe a hundred or two. That's it. And the rest of the organization has been decimated, too.

      That's a little bit troubling, since a popular method of writing Android apps employs the JDK. People can talk about how the JRE platform can die, or be put to sleep. Android doesn't use the Sun/Oracle VM, but Java is important to Android's future.

    10. Re:This is insane by Anonymous Coward · · Score: 0

      Android doesn't use the Sun/Oracle VM, but Java is important to Android's future.

      Isn't that the other way round? Outside of business apps (kinda like Cobol niche) java has been dying and being replaced by C# everywhere I went. Only through Android has java been able to avoid being buried alive. At least from my point of view. YMMV.

    11. Re:This is insane by someones · · Score: 1

      LOL

    12. Re:This is insane by idontgno · · Score: 3, Interesting

      It's so weird. This betrayal at acquisition seems to play out over and over. A great team is disbanded by the heavy-handed and mouth-breathing attitude of the new boss.

      I'm reminded of the Easter egg in Amiga OS 1.2, which was a secret message accessible by an obscure sequence of keystrokes, UI mouse clicks, and floppy disk ejection/insertion.

      Now press both Alts, both shifts, press F1 and eject DF0: all at once and you'll see:

      The Amiga, Born a Champion

      Whilst holding this click the left mouse button on the "screen to back" gadget and re-insert the disk. You'll see:

      We made Amiga, They fucked it up

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    13. Re:This is insane by vilanye · · Score: 0

      Android does not use a JVM. It can NOT run anything compiled by the java compiler.

  14. Re:Doesn't Oracle have a bug bounty program for Ja by Darkness404 · · Score: 2

    With as many bugs as Java (and its related technologies) have, Oracle would go bankrupt paying people to find them.

    --
    Taxation is legalized theft, no more, no less.
  15. Actually, the opposite by Anonymous Coward · · Score: 4, Insightful

    Java applets are a billion times more appropriate for running an application in a browser than a combination of
    - markup language created to structure text,
    - stylesheet language created to format it,
    - and some alien abomination to make it all 'dynamic'.

    I do see value in web apps, it is for example extremely useful to have access to Google Drive with its text editor, regardless of where I am... But I cannot disregard that it has just a big pile of ugly hacks underneath to make it what it is. At least Java has been created exactly for writing applications and it does the job better than the whole "HTML5, CSS3" stack.

    The Web turned horribly, horribly wrong way.

    1. Re:Actually, the opposite by Billly+Gates · · Score: 5, Insightful

      You are looking at it as a developer. Not a user nor IT support professional.
      Java is:
      - butt ugly
      - takes 30 seconds to a minute to load
      - can't run on mobile platforms
      - fonts and widgets are not native and look weird. Are LCD fonts in yet? Ubuntu and debian have the old school non font hinting which is a horrible eye sore
      - Security risk
      - Not every computer has it and those that do have different versions
      - No one uses it that much

      Users hate it and think they are ugly and look like something from the 1980s while Flash is all pretty and fancy and loads instantly. People do not want applications in browsers. They use applets for that on their phones or tablet operating systems hence why Windows 8 was made whether you hate it or not. The browser is for simple logic and a gui platform.

      You may feel the web is horribly wrong but I.T. loves it via the cloud and salesforce.com apps. No need to install software on 5,000 computers anymore.

    2. Re:Actually, the opposite by LordLimecat · · Score: 1

      I have yet to see an HTML5 exploit that can root your machine.

      JRE on the other hand....

      ^^^ This one factor outweighs basically everything else.

    3. Re:Actually, the opposite by Anonymous Coward · · Score: 0

      - markup language created to structure text

      what's wrong with that?

      - stylesheet language created to format it,

      formatting it with a tool for formatting...imagine that. XAML must be a terrible idea too yes?

      - and some alien abomination to make it all 'dynamic'.

      Yes, it would seem alien to somebody who doesn't understand it, and if you did understand it and had a criticism, you would have articulated it as a specific criticism rather than an ambiguous exclamation of confusion.

    4. Re:Actually, the opposite by FlyingGuy · · Score: 2

      It is only a matter of time. They keep trying to shovel more and more shit into HTML, CSS and JavaScript, and the tipping point is not far off.

      And oh, by the way, I have yet to see HTML5 prevent drive-bys, since the same fucked-up code that allowed it to happen in the first place is still in there. Why that code has not been ripped out with extreme prejudice is beyond me.

      --
      Hey KID! Yeah you, get the fuck off my lawn!
    5. Re:Actually, the opposite by Mike+Frett · · Score: 0

      Huh? Ubuntu has no font hinting? This is news to me, since I'm using font hinting right now and it looks great. I swear, people who don't know anything about Linux should not even bother to comment. 30 seconds to load? Yeah, on a P2 with 500 MB of RAM... or Dirty Windows. Java ME runs on mobiles and can be implemented by device manufacturers.

      And your name is a dead giveaway as to why you spew the nonsense about Linux. I sincerely hope you do not work in the industry.

    6. Re:Actually, the opposite by Anonymous Coward · · Score: 0

      These are all valid arguments, but, still looking at it as a developer, the correct answer is not to kill Java but to advance it from applets to a first-class citizen. Build native interpreters into browsers, much like JavaScript today, only Java is actually better suited for parsing, JITing and runtime optimization. Java is perceived as slow and js as fast, when in fact it should be the other way around, if only Java got the same kind of treatment.

    7. Re:Actually, the opposite by Anonymous Coward · · Score: 0

      - markup language created to structure text

      what's wrong with that?

      - stylesheet language created to format it,

      formatting it with a tool for formatting...imagine that. XAML must be a terrible idea too yes?

      I can't say if you're intentionally trolling or you're just clueless about what I am talking about.

      Nothing wrong with having structured text formatted with a stylesheet language. That's how it is supposed to be. But stop pretending that bending formatted markup to create UI is the right way. It isn't.

      - and some alien abomination to make it all 'dynamic'.

      Yes, it would seem alien to somebody who doesn't understand it, and if you did understand it and had a criticism, you would have articulated it as a specific criticism rather than an ambiguous exclamation of confusion.

      I write js daily, though I'm doing everything to have as little contact with it as possible. The language has its quirks and its merits, but regardless of whether someone likes it or not, it is a fact that js is conceptually different from most other languages. It is also a fact that despite massive efforts in optimizing browser engines, js syntax is just inefficient for the task web development bent it to.

      Can't we just stop trying to force a rectangle into a circular hole? I guess we can't.

    8. Re:Actually, the opposite by Anonymous Coward · · Score: 0

      Java is already a first-class citizen through the browser plugin. The main issue of perceived slowness is supposedly this:

      - takes 30 seconds to a minute to load

      It has been there since day one and it gets worse. How do you fix the need to seek a few hundred MB of classfiles in an archive? Modularise it? The promise of Project Jigsaw has been around for quite a few years now, but I suspect the main benefit will just be to offset the rapid growth of the JVM.

    9. Re:Actually, the opposite by Anonymous Coward · · Score: 0

      Not sure where you're doing your IT work, but the cloud is a horrible putrid mess splattered upon the internet.

    10. Re:Actually, the opposite by someones · · Score: 1

      Guess you never used it, as most of the things you say are simply false.

    11. Re:Actually, the opposite by lamber45 · · Score: 1

      Several of your arguments are either false these days, or not as bad (especially versus the alternatives) as you make them sound:

      - takes 30 seconds to a minute to load

      This load time is for the first applet in a browsing session, not each one; and "30 seconds to a minute" is an outer figure; on a reasonably modern system it will be less. I've seen Flash-based games that took a long time to initialize, as well.

      - fonts and widgets are not native and look weird

      Actually, you can have native widgets, with the old AWT components; it's the (slightly newer, still around for a long time) Swing that looks the same on every platform. Whether it's "ugly" is a matter of opinion.

      Now, it's true that some people never need to run applets, those who do don't do so every day, and some applets look like something from 1995 because they really were written in 1995, and still work; but the Java plugin is not totally going away any time soon, and I think it's still a good choice for applications with unusual UI requirements that need to run "in" a browser.

      Applets aren't just games, either. From my current needs:

      • The GIS browser for the city I live in;
      • My employer's expense-submission program;
      • The VPN clients (from two different vendors) for systems I access for work

      And that doesn't even include JNLP (Java Web Start) programs, which aren't the same "sandbox" but which also depend on Java platform security for their sandbox.

    12. Re:Actually, the opposite by Anonymous Coward · · Score: 0

      Nothing wrong with having structured text formatted with a stylesheet language. That's how it is supposed to be. But stop pretending that bending formatted markup to create UI is the right way. It isn't.

      When you don't have a clue what your user's screen size, resolution, orientation, or aspect ratio is, that's the ONLY way to create the UI, and HTML has done it well since its inception. When you try to get around the above problems by setting the HTML aside, you wind up with clusterfucks like horizontal scroll bars, text that can't be seen, etc.

      As to js, it's not my favorite language (assembly is) but it does work for everything I've needed it for -- and that was over ten years ago.

    13. Re:Actually, the opposite by Tharkkun · · Score: 1

      I have yet to see an HTML5 exploit that can root your machine.

      JRE on the other hand....

      ^^^ This one factor outweighs basically everything else.

      Just wait for it to become more popular and they will come. Exploiters aim for the highest user base they can hit, and HTML5 is not there yet.

    14. Re:Actually, the opposite by Anonymous Coward · · Score: 0

      stop pretending that bending formatted markup to create UI is the right way

      There is no pretending necessary; if you knew what you were talking about, you would know that when targeting multiple screen sizes, resolutions, aspect ratios, etc., without knowing what they are, it is the *only* way to go about it effectively.

      I write js daily, though I'm doing everything to have as little contact with it as possible.

      If that were true, you would have been able to list some specific issues you were having and compare/contrast them with alternatives.

      it is a fact that js is conceptually different from most other languages.

      That is true of many things, but you still aren't able to say what those conceptual differences are and why they are a bad thing; more evidence that you just don't know what you're talking about.

      It is also a fact that despite massive efforts in optimizing browser engines, js syntax is just inefficient for the task web development bent it to.

      More baseless comments that lack any substance whatsoever. You could say that about just about any language and platform and it would hold exactly the same weight; you're using generic statements like that because you don't actually know anything specific.

      Looking at your posts, it is plainly clear that your opinions aren't based on experience or knowledge, because nothing you have said relates explicitly to JavaScript and none of your comments have any specifics or factual basis. I'd be interested in why you have the opinions you do about JavaScript if you can provide specifics, but baseless crap is all you're spewing.

    15. Re:Actually, the opposite by Anonymous Coward · · Score: 0

      And what clue do you have about screen size, resolution, orientation and aspect ratio when developing desktop apps? None. And yet desktop apps were doing well without the HTML/CSS/JS stack. I see no advantage here.

    16. Re:Actually, the opposite by Anonymous Coward · · Score: 0

      There is no pretending necessary; if you knew what you were talking about, you would know that when targeting multiple screen sizes, resolutions, aspect ratios, etc., without knowing what they are, it is the *only* way to go about it effectively.

      Yeah, right. Because we needed the web to come up with markup, stylesheets and js to fix these problems. We couldn't POSSIBLY get away with them using different tools, and we still can't deal with it on the desktop.

      Please continue to live in your imaginary world.

      if that were true you would have been able to list some specific issues you were having and compare/contrast with alternatives.

      that is true of many things, but you still aren't able to say what those conceptual differences are and why they are a bad thing, more evidence that you just don't know what you're talking about.

      You (well, I assume it was you) haven't listed any specific issues either. And that's fine with me; I didn't start this discussion on a high enough level of comparison to diverge into details. I am critical of the _concept_, not of the _implementation_. Concepts are by definition more abstract.

      But what you're trying to do now is to make an argument of my criticism of the concept being abstract. Great tactics, way to go!

      More baseless comments that lack any substance whatsoever. You could say that about just about any language and platform and it would hold exactly the same weight; you're using generic statements like that because you don't actually know anything specific.

      As in what? I am supposed to prove that any language with an eval() equivalent is massively hard to compile? Right away, after I collect enough evidence that the sky is blue. And you claim that I am the one who doesn't know what we're talking about...

    17. Re:Actually, the opposite by Anonymous Coward · · Score: 0

      Yeah, right. Because we needed the web to come up with markup, stylesheets and js to fix these problems. We couldn't POSSIBLY get away with them using different tools, and we still can't deal with it on the desktop.

      That's why we use a lot of absolute sizing and movable windows on desktop applications when concerned about typography.

      You (well, I assume it was you) haven't listed any specific issues either.

      Because I'm not the one coming out with baseless claims; you are.

      I didn't start this discussion on a high enough level of comparison to diverge into details. I am critical of the _concept_, not of the _implementation_. Concepts are by definition more abstract.

      Then be critical of a specific part of the concept. Your lack of any details whatsoever and your description of elements as 'alien' make it pervasively clear that you don't even understand what's involved here; you don't like it because you don't understand it.

      But what you're trying to do now is to make an argument of my criticism of the concept being abstract. Great tactics, way to go!

      Wrong. Your criticisms aren't specific, nor do they have any factual basis; they are an emotional rant. You can't even explain what specifically you don't like, because you don't know.

      As in what? I am supposed to prove that any language with an eval() equivalent is massively hard to compile?

      All languages have features that can be misused and could make them inefficient, so which language should be used for web development? I doubt you have an answer to that.

      And you claim that I am the one who doesn't know what we're talking about...

      Your posts make that abundantly clear without me needing to do anything.

  16. Re:Doesn't Oracle have a bug bounty program for Ja by jcoy42 · · Score: 2

    What makes you think he'd only sell it once?

    --
    Never trust an atom. They make up everything.
  17. Remote Code Execution by the+eric+conspiracy · · Score: 0

    Bad idea.

  18. Just FYI by VortexCortex · · Score: 0

    Marking data as code at runtime then executing it is dumb.
    JIT is bad, mmkay?

    1. Re:Just FYI by Bing+Tsher+E · · Score: 1

      So the consensus is that Javascript and HTML5 are also bad and to be shunned?

      Near as I can tell, with both those technologies, all that an httpd does is shovel some data over the wire to a browser that then executes it.

    2. Re:Just FYI by FlyingGuy · · Score: 1

      The problem is that everything in HTTP is text, no binary data. It is connectionless, and the hacks that have come along to try and fix that are a joke and don't really work. So now we have shit like Avro, or JSON, all this cruft that takes binary data, turns it into text, then JavaScript has to turn that into code, then turn the results back into text to send that data back to the server, to then get it turned back into binary data to then actually do something with it.

      The web browser was never intended to be an application framework; it was designed to render text using a markup language. Then came CSS, and if there was ever a textbook example of a kludge, then CSS is it. I mean, twisting an unordered list into a set of menus!? For pity's sake. Checkboxes don't return anything in a GET or POST unless they are checked? They simply don't exist?! 5 versions of the HTML spec later and that is still true?

      How about input validation? Yes, we have something that sort of does that now, but not until a form submit method fires, and you have to deal with them one by one on each onSubmit? If you want to do it in the onBlur or onExit method of a control, you have to write JavaScript functions?! I mean really, how hard is it to implement that kind of stuff in the browser, where you simply feed it a mask? Hell, they have had that kind of technology since COBOL, for crying out loud!

      If the W3C wants to be taken seriously they need to fucking hang the old crap out to dry and move on. It is time, it really is.

      --
      Hey KID! Yeah you, get the fuck off my lawn!
  19. server consoles by Anonymous Coward · · Score: 0

    With JavaScript, HTML 5 and CSS 3 there is no reason to keep such 20th-century technology on the modern web. Consumer sites no longer even use it anymore.

    I'm curious to know how you think a server console would be implemented (e.g., console over HP iLO or Dell DRAC). Currently the two ways are ActiveX and Java.

    Personally I'd love to get a proper serial/SSH console like on Snorcle SPARC machines instead of the plug-in garbage of x86 systems.

    1. Re:server consoles by Anonymous Coward · · Score: 0

      With JavaScript, HTML 5 and CSS 3 there is no reason to keep such 20th-century technology on the modern web. Consumer sites no longer even use it anymore.

      I'm curious to know how you think a server console would be implemented (e.g., console over HP iLO or Dell DRAC). Currently the two ways are ActiveX and Java.

      Personally I'd love to get a proper serial/SSH console like on Snorcle SPARC machines instead of the plug-in garbage of x86 systems.

      Cloud with HTML and AJAX. Salesforce.com does just that. Maybe not implemented with a serial console per se, but it runs apps. You can run a standalone program too.

  20. That flushing sound by sjames · · Score: 1

    Is the value Oracle bought from Sun going down the toilet one piece at a time.

    A couple weeks ago, it looked as if they were trying to rehabilitate Java's image and now DHS recommends that everyone disable or uninstall it.

    1. Re:That flushing sound by Anonymous Coward · · Score: 0

      I think a distinction must be made between Java the server platform, Java on the client and Java as a browser plugin. The security issues affect Java as a browser plugin.
      Java on the server side is alive and kicking, and is a great application platform. The problem stems from Sun neglecting the applet part for so long, and Oracle now has a problem on its hands.

    2. Re:That flushing sound by JDG1980 · · Score: 1

      The only reason Oracle bought Sun was so that Larry Ellison could use its patents to wage war against Google and Android. Java's security problems don't impair his abilities to do that, so he doesn't care.

  21. Re:Doesn't Oracle have a bug bounty program for Ja by gray+peter · · Score: 1

    Really? Compared to what? I've been programming Java since it came out, and I've come across far fewer bugs in the JDK than I have in any of the other languages that have been around for a similar amount of time (PHP, Perl, etc.)

    --
    May no camel spit in your yogurt soup.
  22. Drop Java by gweihir · · Score: 1

    It is a horrible language anyways. Unfortunately, there are some far better languages running on the same broken virtual machine.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  23. Re:Doesn't Oracle have a bug bounty program for Ja by bloodhawk · · Score: 1

    A vulnerability's value is directly related to how many users you can exploit. While there are still quite a few desktops, Java has been spiralling down the drain for years now, and the recent press about exploits has only hastened it. What value is an exploit to a small market?

  24. Wrong headline by Anonymous Coward · · Score: 0

    It's not "Another Java Exploit" but "Someone says there's another Java exploit without providing proof". When I read Slashdot I want news, not hoaxes. -Ignacio Agulló

  25. Practical question by fa2k · · Score: 1

    Can I use the IcedTea Web Plugin on Linux, or is that also vulnerable?

    1. Re:Practical question by Anonymous Coward · · Score: 0

      Yes.

    2. Re:Practical question by fa2k · · Score: 1

      Yes.

      Bah, that's what I get for not phrasing the question properly. Oh well, it's disabled for now.

  26. No, no, NO by MatrixCubed · · Score: 1

    Nuke it from orbit. It's the only way to be sure.

  27. Personal Solution by Anonymous Coward · · Score: 0

    My personal solution (at home, on my personal gear) is just not to install Java. And if your application or website uses Java, I'm not one of your customers. Pretty simple. There's hardly anything that the average consumer uses these days that uses Java.

  28. Click-to-play plugins to the rescue by jensend · · Score: 1

    It's been in Chrome for a while and landed in FF with version 16 or so. Once it's enabled ("under the hood" settings in Chrome, plugins.click_to_play=true in about:config for FF) sites can't run plugins without you giving some form of explicit permission (either whitelisting a trusted site or clicking to play the plugin elsewhere).

    It really should be the default. In fact, it should have been this way ever since NPAPI came on the scene back in Netscape 2.0. Countless security problems would have been much, much less serious, performance problems would have been avoided, and people would have focused more on coding their sites to web standards and reduced their dependence on plugins.

  29. The home users are not customers of Oracle by Anonymous Coward · · Score: 0

    Customers are people that pay for your products. Oracle's customers write products in Java and want their products to work far and wide.
    The problem is the model. The users point at the developers for using a flawed toolkit, the developers point at Oracle, and Oracle says boo!

  30. Why do you think Java tries to install a toolbar by Anonymous Coward · · Score: 0

    Oracle is trying to find some way to make money on all those downloads.

  31. FUCK ORACLE and JAVA. by Anonymous Coward · · Score: 0

    Fuck these assholes. They are ruining people's computers everywhere. Oracle needs to go out of business. Please people, stop supporting them. Really.

  32. Java is *NOT* Write Once Run Everywhere by knorthern+knight · · Score: 1

    For any but the most trivial apps it's write once and run anywhere that you have Java 1.2.3.4.5. Not Java 1.2.3.4.4 or Java 1.2.3.4.6, but only Java 1.2.3.4.5. That's why you see so many machines with Java versions with known exploits. Because so many apps won't run with newer versions of Java.

    Can you imagine the howls of outrage if every 2nd "Microsoft Patch Tuesday", Access or Word or Excel stopped working? And you had to keep the security patch off your machine if you wanted all your expensive software to keep working? That's what's effectively happening in Java.

    On the other hand, write code in C/C++ and it'll run on a dozen years worth of Windows machines from Win2K through WinXP through Vista through Win7. Throw in some #ifdef statements, and you can build your C/C++ app for Mac and Linux as well.

    --
    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user
    1. Re:Java is *NOT* Write Once Run Everywhere by aled · · Score: 1

      That seems more like a problem with the applications than with Java. Can you mention real examples?

      --
      "I think this line is mostly filler"