Another Java Exploit For Sale

tsamsoniw writes "Mere days after Oracle rolled out a fix for the latest Java zero-day vulnerabilities, an admin for an Underweb hacker forum put code for a purportedly new Java exploit up for sale for $5,000. Though unconfirmed, it's certainly plausible that the latest Java patch didn't do the job, based on an analysis by the OpenJDK community. Maybe it's high time for Oracle to fix Java to better protect both its enterprise customers and the millions of home users it picked up when it acquired Sun."

The Right Thing (TM)

So then do like Google and pay the guy for the bug.

Kill it with FIRE

[Billly+Gates]

Oracle needs to give up on browser plugins. I realize there are some mission critical business apps and a few cases where it is needed just like IE 6. We need to start pressuring the vendors to stop distributing it like we did with obsolete browsers.

With javascript and HTML 5 and CSS 3 there is no reason to keep such 20th century technology on the modern web. Consumer sites no longer even use it anymore.

With IE 6 and IE 7 gone by 2014 our eyes should focus on Java as the next technology that threatens the security of our networks that needs to bye bye. We need to do our part as IT professionals and inform PHB it is bad security just like IE 6 and demand app vendors to drop it.

Re:Kill it with FIRE

[Darkness404]

Except that there are still a good chunk of websites that still use Java. For example, Minecraft and RuneScape to name two.

And sure you -can- have it be fully client side but it doesn't always work. Many schools and workplaces will filter out .exe file extensions but will let you run in-browser applications just fine.

The web is not just things developed in 2013, but also for things developed back in 1997. And as such, it needs to be at least partially backwards compatible with older technologies.

The real issue here isn't about browser plugins but it is the terrible management of Java by Oracle. There is nothing that inherently should make Java more unsafe than a generic web browser, the problem is unlike most web browsers, Oracle has time and time again proven to be unable or unwilling to fix gaping holes in their programs. Even when they do create a fix they still try to bundle in crapware such as the "Ask" toolbar and switch my default search engine to Ask. A slimeball tactic that should be reserved for those making keygens and the like.

There is nothing that makes Java any more insecure than JavaScript except for Oracle. Rather than simply dropping a useful element of the web, we should pressure Oracle to do what a software firm should do: fix the bugs!

Re:Kill it with FIRE

[Runaway1956]

"fix it once and for all."

Please name some softwares that have been fixed, once and for all. I'm not aware of any. It seems that everything is evolving as threats evolve. You could start with the kernels. Microsoft seems to change theirs, Linux changes theirs, etc.

You might join the chorus, and complain that Oracle evolves to slowly, or that it is incapable of evolving fast enough to remain relevant, but there is no chance in hell that it can be fixed once and for all.

Re:Kill it with FIRE

[afgam28]

While I don't disagree with you completely, I think it's sad that JavaScript and HTML have "beaten" Java applets as the standard way to build network applications. Sun really dropped the ball in terms of the UX for desktop Java, and Oracle's security mismanagement has put the final nail in the coffin of Java on the desktop. But despite all of its flaws, the Java platform provides a much nicer programming model compared to "modern" web technologies.

HTML was originally designed as a way to display static, hyperlinked documents, and JavaScript was originally just a toy scripting language to do simple things like form validation. They've both evolved to support the creation of rich client interfaces, but creating rich clients using HTML5/JavaScript is not pretty. There's a web server, which spits out dynamically generated client code. Embedded in that client code is a mix of content, markup, JavaScript source code and maybe even inline stylesheets. It runs in one of a number of possible virtual machines (or "web browsers") which are all slightly incompatible, not to mention slow compared to a JIT bytecode interpreter (ironically, one of the early complains about Java applets was performance). Standardizing it all is a nightmare that takes years of political infighting and compromising on things like video formats. And you have to learn at least 3 different languages to even do anything!

It would've great if, instead of HTML/JavaScript evolving up into a full-blown rich client platform, Java just "devolved" a little bit so that it provided a stricter sandbox for applets. None of this "signed code" bullshit - everyone just clicks through on that, leading to all sorts of security problems. Just restrict all applets under same sandbox (like JavaScript does). Give it a more native UX (e.g. through SWT instead of AWT/Swing) and an App Store, and it would be great!

There's nothing really inherently wrong with the Java platform, and nothing inherent in its design that makes it less secure than JavaScript. The only problem is Oracle's lack of support, and some small implementation flaws. HTML5/JavaScript on the other hand is just a giant hack. But a standard one.

Re:That's right!

[Shoten]

You haven't noticed how they handle patches and vulnerability management for their database products, have you...

"This is the Critical Patch Update for , which fixes a whole lot of stuff we aren't going to tell you about. It's nearly a gig in size and changes all kinds of things...but we aren't going to tell you about any of that, either. Good luck deploying this on your mission-critical applications. You can thank us for doing this in 3-month cycles instead of twice a year (like we used to do) later."

You are fricking mad!

[tjstork]

Can you really think you can compare a jack of all trades master of none half witted rendering engine that is html 5, coupled with a dull language that isn't even type safe and costs a comparitive fortune to debug, vs well, a -modern- language. I agree plugins can be hokey but html5 sucks.

Re:You are fricking mad!

All I ever see is people who constantly complain without helping with whatever they complain about. I've been in the industry now (more or less) for about the same amount of time, and every year, all I ever see is worsening cultural aspects of things ranging from every-inflating egos and deteriorating internet etiquette to constantly-atrophying documentation and increasingly-untested software. You see it on here from time-to-time when those posts pop up on occasion concerning some guy who's miffed over some person he considers a less experienced programmer... As if they're god complex couldn't get any worse? In other community-based forums, you see people constantly being attacked for not knowing as much as someone else. I mean, if people can't stomach questions, I'll never understand their glutton for punishment by responding to them in the first place, but lo-and-behold, they do it... All this combined with issues like poorly-written install instructions, fluffy or useless search queries, plugins and add-ons that cause problems or eat ram... This is all the bane of today's internet because they all cause so many problems (intrinsically and extrinsically).

These issues (in my opinion) just keep getting worse and worse each year... If a new internet is ever made, or something representing "a new internet", these issues should reign supreme on the list of prioritized concerns. I think there's a bright future for this possibility, too. I mean, today's internet is yesterday's mistake that we can imbue tomorrow's masterpiece with the lessons we learned previously.

I just think we're at the breath before the plunge. These things take time to fix.

Actually, the opposite

Java applets are billion times more appropriate for running an application in a browser than a combination of
- markup language created to structure text,
- stylesheet language created to format it,
- and some alien abomination to make it all 'dynamic'.

I do see value in web apps, it is for example extremely useful to have access to Google Drive with it's text editor, regardless of where i am... But I cannot disregard that it has just a big pile of ugly hacks underneath to make it what it is. At least Java has been created exactly for writing applications and it does the job better than whole "HTML5, CSS3" stack.

The Web turned horribly, horribly wrong way.

Re:Actually, the opposite

[Billly+Gates]

You are looking at it as a developer. Not a user nor IT support professional.
Java is:
-butt ugly
-take 30 seconds to a minute to load
-can't run on mobile platforms
- fonts and widgets are not native and look weird. Are LCD fonts in yet? Ubuntu and debian have the old school non font hinting which is a horrible eye sore
- Security risk
- Not every computer has it and those that do have different versions
- No one uses it that much

Users hate it and think they are ugly and look like something from the 1980s while Flash is all pretty and fancy and loads instantly. People do not want applications in browsers. They use applets for that on their phones or tablet operating systems hence why Windows 8 was made whether you hate it or not. The browser is for simple logic and a gui platform.

You may feel the web is horribly wrong but I.T. loves it via the cloud and salesforce.com apps. No need to install software on 5,000 computers anymore.

Re:Java Sandbox Exploit, Not Java Exploit

[afgam28]

Well, that depends on what kind of "consumer" they are. If they're a user who only has the Java plugin installed, then yeah, you're right.

But for people who are running non-browser-based desktop apps like Vuze, PHBs who oversee server-side Java projects, and the poor bastards who have to work under them, the advice that "Java is unsafe!!" is misleading and sensationalist.

I'd wager that most Java applications are not applets, and so they are safe from this exploit and similar ones. So the distinction between the Java platform in general and the browser plugin is a valid one.