Slashdot Mirror


Latest Java Update Broken; Two New Sandbox Bypass Flaws Found

msm1267 writes "Oracle's long security nightmare with Java just gets worse. A post to Full Disclosure this morning from a security researcher indicated that two new sandbox bypass vulnerabilities have been discovered and reported to Oracle, along with working exploit code. Oracle released Java 7u11 last Sunday and said it fixed a pair of vulnerabilities being exploited by all the major exploit kits. Turns out one of those two bugs wasn't completely patched. Today's bugs are apparently not related to the previous security issues."

223 comments

  1. Enough Already by Anonymous Coward · · Score: 5, Insightful

    Someone, please put Java in the browser out of our misery.

    1. Re:Enough Already by arth1 · · Score: 2, Informative

      Someone, please put Java in the browser out of our misery.

      As a sysadmin, I say someone please put Java outside the browser out of my misery.
      "Oh, the system has 24 GB RAM, that means I, Java, can hog 18 GB by default, no problem!", followed by anguish from users who neither understand NUMA nor cgroups, and wonder why their java "creations" are killed by the system.

    2. Re:Enough Already by Anonymous Coward · · Score: 0

      Someone, please put Java in the browser out of our misery.

      Said by someone that hasn't installed the latest update.

    3. Re:Enough Already by CodeReign · · Score: 3, Informative

      That's not how java works. Java has a very small memory footprint by default. This is why running minecraft requires you to run java -Xmx6G minecraft_server.jar so you can use up to 6GB

    4. Re:Enough Already by Anonymous Coward · · Score: 1

      anguish from users who neither understand NUMA nor cgroups, and wonder why their java "creations" are killed by the system.

      What about the anguish from sysadmins who neither understand virtual memory nor how to interpret the results from top and free, and make their cgroup restrictions too strict?

    5. Re:Enough Already by Anonymous Coward · · Score: 2, Interesting

      Someone, please put Java in the browser out of our misery.

      Said by someone that hasn't installed the latest update.

      Actually, it was said by someone who removed Java, along with Flash & Adobe Reader, from all my client's computers almost two years ago when the three of them were battling for the top spot of "Security Hole of the Year".

    6. Re:Enough Already by Anonymous Coward · · Score: 3, Interesting

      Actually, it was said by someone who removed Java, along with Flash & Adobe Reader, from all my client's computers almost two years ago when the three of them were battling for the top spot of "Security Hole of the Year".

      Well, I uninstalled Adobe Reader and Flash many years ago and nothing of interest was lost.
      As for Java, I just disable the browser plugin and that's it. Desktop java applications (yes yes they do exist, for instance jdownloader) continue to work wonderfully.

    7. Re:Enough Already by Above · · Score: 3, Informative

      I would love to banish Java from all of my machines never to see it again. Most of the uses for Java are well, useless to me, HOWEVER....

      There are a few things I do that require Java and even if I wanted to badger my vendors to do them in some other cross platform way I'm not sure how they could. The two I regularly use are access to IPMI cards and Cisco WebEx. Both do things that as far as I can tell can't simply be done in a browser with HTML5 and JavaScript.

      If someone had a good solution for those sorts of things I would dump Java in a heartbeat.

    8. Re:Enough Already by datavirtue · · Score: 3, Funny

      Why, after all this it will be unbreakable. Look at Windows and how it has improved. Hold on, Windows Store, locked down application environment....uh.

      --
      I object to power without constructive purpose. --Spock
    9. Re:Enough Already by Anonymous Coward · · Score: 0

      And I say as someone who had done both the job of sysadmin, and developer, that you are a fucking idiot and have no idea what the fuck you're doing. I have never seen a java app ask for that much ram; ever. Not even WebLogic Portal.

    10. Re:Enough Already by Anonymous Coward · · Score: 4, Informative

      In defense of both the sysadmin and Java, there are developers who just think that garbage collection is magic and create a memory problem where there is none.

    11. Re:Enough Already by Anonymous Coward · · Score: 3, Insightful

      From a user-experience point of view, doing that work to enable Java to work properly for Minecraft is an abortion.

    12. Re:Enough Already by mrops · · Score: 1

      At this point there is no reason why HTML5 canvas can't do what WebEx is doing with Java. Java is great for server side development, it shouldn't be on any end user machines.

      Disclaimer: 10+ year Java developer, so I am biased in favor of Java for web/server development.

    13. Re:Enough Already by robmv · · Score: 3, Insightful

      Already done, the previous u10 added options on the Java control panel (Windows) to disable all Java features in the browser, so if you need Java for desktop applications, you don't need to expose it to the browser.

      Note: The Java plugin code was never open sourced to OpenJDK, people from IcedTea project developed a new plugin and JNLP engine for Linux. I am starting to think that Sun already knew the bad security quality of the plugin and they decided to never release that code

    14. Re:Enough Already by kbg · · Score: 5, Insightful

      This is one of the very stupid things Java has. The user has to set memory limits for the application, either using too much memory or too little, and the memory used is based on the usage for the application, so that it is always a possibility to run out of memory for a Java application even if you have enough memory on your machine. This is a major usability and design flaw in Java.

    15. Re:Enough Already by moderators_are_w*nke · · Score: 2

      I've worked on Java processes that use that much RAM. On a server app, if you have it, why not use it (for caches etc.). Better than having it sit there depreciating.

      --
      "XML is like violence. If it doesn't solve your problem, use more." - Anonymous Coward
    16. Re:Enough Already by Lisias · · Score: 2

      From a user-experience point of view, doing that work to enable Java to work properly for Minecraft is an abortion.

      This being the main reason why some (good) developers made the choice to write a tiny native launcher for their Java programs.

      --
      Lisias@Earth.SolarSystem.OrionArm.MilkyWay.Local.Virgo.Universe.org
    17. Re:Enough Already by Lisias · · Score: 0

      +1 Informative, please.

      --
      Lisias@Earth.SolarSystem.OrionArm.MilkyWay.Local.Virgo.Universe.org
    18. Re:Enough Already by hairyfeet · · Score: 3, Informative

      Well, as I posted when the band-aid patch that is now busted was put out, it could take 2 years to fix the actual problem because the underlying code is "broken" and pretty much needs a full rewrite. We can't really blame Oracle for this as Java was a mess when Sun had it, Oracle merely got stuck with the mess when they bought out Sun.

      The thing I WILL blame Oracle for is the fact that if you update the damned software with the patch it RE-ENABLES the browser plug in unless you know to disable it, along with the usual crapware that comes with everything. Oh and I also blame the jerk that made Minecraft for bringing shitty Java back to the home users, for a good while there I had all but wiped Java out on home users systems, then that damned game came up and here we go again.

      Personally I think Homeland Security should order Oracle to put out a patch that disables the browser plug in and bar them from re-enabling it when they patch as those that actually NEED Java can find out how to turn on the plug in easy enough but those that don't won't know to disable it every. single. time. they have an update.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    19. Re:Enough Already by Anonymous Coward · · Score: 1

      Getting most Java software working seems to be a real effing hassle. Several open source packages seem to go out of their way to be especially hostile to Windows users, going so far as providing broken launchers. Hardcoded paths, unquoted paths, stupid assumptions, the wrong line terminators in batch files... bleh.

    20. Re:Enough Already by hairyfeet · · Score: 2

      If Canvas sucks as bad as HTML V5 does at replacing Flash I can think of a reason, it's a pig. You name which implementation you want and we'll compare it to Flash and no matter the size HTML V5 will suck MORE CPU, MORE RAM, and in many cases where Flash will play just fine HTML V5 will stutter like watching flash over dialup.

      So while I long for the day when the ONLY thing you'll need is a browser, frankly HTML V5 just doesn't cut the mustard and isn't suitable for purpose yet. It sucks too many cycles, gives poor performance, doesn't do a third of what Flash does, and if St. Steve hadn't said it sucked (while the fanboys ignored the fact that Flash let devs bypass his golden calf appstore so he kinda had a conflict of interest) we honestly wouldn't even be talking about HTML V5 video as a possible replacement for Flash, much less anything else. It's just not even alpha quality ATM, certainly not ready for the masses.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    21. Re:Enough Already by hairyfeet · · Score: 0

      Or he could have just used C++ like every other game on the planet and thus saved all those users from getting pwned.

      Frankly until that damned game came out I had pretty much gotten rid of Java for my users and they didn't have a bit of trouble living without it, then along comes that damned game and suddenly they have Java again and here comes the malware. I hope whomever wrote that game learned his lesson and uses something else for his next game because the way Java sticks the plugin into the browser by default makes it too risky for home users.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    22. Re:Enough Already by roman_mir · · Score: 0, Informative

      The user has to set memory limits for the application, either using too much memory or too little, and the memory used is based on the usage for the application, so that it is always a possibility to run out of memory for a Java application even if you have enough memory on your machine. This is a major usability and design flaw in Java.

      - I agree, it's terrible that you have to tell the VM how much memory it is allowed to take from the physical box it is running on.

      Oh, wait.

      That's like every VM, at least every VM that runs on a server. Seriously, you have limits on how much memory is set to a specific VM. You think that's the wrong approach for a VM?

      --

      Now, maybe there should be a way to tell JVM upfront that you want it to be bound only by the underlying OS and the memory that it can give to the JVM, that I actually agree with.

    23. Re:Enough Already by Anonymous Coward · · Score: 0, Informative

      If there were no limit then Java would consume all the memory on the machine (in fact it seems to do this even with limits).

      Java sucks.

    24. Re:Enough Already by Anonymous Coward · · Score: 0

      That's why proper applications have a native or webstart installer that sets the max limit. This max limit will then be the only amount of memory to consume - and no more.

      If your application gets an OOM, you designed it wrong, or didn't properly profile it and have the max limit set properly.

    25. Re:Enough Already by Anonymous Coward · · Score: 0

      If your paymasters at Adobe had done their homework, there would be no HTML5.

    26. Re:Enough Already by geekboybt · · Score: 1

      Webex's use of Java seems that it's only to launch the native client. I'm not sure why they go this route rather than using a URL handler (e.g. webex://[meetingnum]), but once it fires off the native client, it's no longer in use.

    27. Re:Enough Already by arth1 · · Score: 2

      On a server app, if you have it, why not use it (for caches etc.)

      Why use it for caches for your app instead of letting the OS use it for caches for all apps?

      And just because the memory is there doesn't mean it's free for grabs. On servers with NUMA, you want to avoid using memory that's not on the CPU you use, or you pay a big performance penalty. The 16 GB you see might be 8 GB per CPU, and grabbing more than what's available in your CPU group might slow performance for you too (to say nothing about the system as a whole).

      Use the memory you need, don't just grab memory because it's "available".

    28. Re:Enough Already by TopSpin · · Score: 3, Informative

      Java has a very small memory footprint by default.

      Erm. No. Just no.

      class Main { public static void main(String[] args) { while (true); } }

      (jdk 1.7.0.6 x86_64 linux)

      17M resident for that. 0.5G of virtual address space. The only other class referenced is java.lang.String.

      The equivalent Perl is 1.7M. Node.js is 9M. Python is 4M. TCL is 1.9M.

      EVERYTHING uses less RAM than bleeping Java. A lot less. And this isn't some fail test where Java gets better as applications scale. Go look over here and observe how almost every other language consumes less memory across a wide variety of algorithms. Anecdotal evidence from any app server admin will corroborate this.

      Java is a RAM pig and it always has been. The problem, at least regarding initial memory footprint (and start-up time), is excessive class loading. This is not opinion. There has been a project to correct it on the books for almost four years.

      Like everything else with Java, it has been neglected. Supposedly the results will appear in JDK 9..... sometime in 2015.

      And don't cite Android as some exception. Dalvik isn't JRE.

      --
      Lurking at the bottom of the gravity well, getting old
    29. Re:Enough Already by Anonymous Coward · · Score: 1

      Apps of this type typically have the server to themselves and operating system caching is necessarily too general.

      Your points about numa are correct, but the wrong memory is still faster than a disk.

    30. Re:Enough Already by skegg · · Score: 0

      An abomination.

    31. Re:Enough Already by Anonymous Coward · · Score: 0

      Non dynamic memory, that takes me back to Windows 3.1 and OS 9.

      That is the primary reason why I would never ever decide to develop anything in Java. I have developed for Java when a boss really wants me to.

      The biggest problem with Java: "You need a really good programmer to work with Java. Really good programmers would never choose to use Java."

    32. Re:Enough Already by kbg · · Score: 1

      I am not talking about server applications here they are set up by professionals, not end users. Yes I think having to set up specific memory for a VM is the wrong approach. You don't need to set memory parameters for native applications and they can use all the memory they want so why do I need to set one for VM?

    33. Re:Enough Already by kbg · · Score: 2

      Why do I need to set the max limit? Why can't the program just use the memory it actually needs? I don't need to specify this crap for native programs. There are a lot of programs where you don't know beforehand what the memory usage is. For example compilers, file editors and any programs that work with multiple files and objects that are specified by the end user.

    34. Re:Enough Already by Anonymous Coward · · Score: 0

      There are lot of ways Java sucks, this is not one of them.

      I had a lot of unpleasant accidents with native programs that "don't need that crap" and "use the memory they actually need" thinking they need every byte of RAM you have and bringing the system to its knees. Best part is that if you run out of virtual memory, it's not necessarily the offender that gets killed, it might be an innocent bystander that asked for another 4 kilobytes at the wrong time.

      I really wish they had a switch as easy and universal as -Xmx.

      PS: Yes, I'm aware of not that easy and universal methods like ulimit.

    35. Re:Enough Already by gweihir · · Score: 3, Interesting

      Indeed. Java was intended for firmware in smaller embedded devices, like washing machines. It was never intended to be connected to a network. It was never intended for large software. It was never intended to go into the mainstream either. All security is patched on later (hint: that approach is sure to fail).

      Put that together with Oracle engineering quality (which sucks badly, I am surprised their database products ever made it to any prominence), and you have a fine disaster. What I do not get is that people think this technological lemon is any good.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    36. Re:Enough Already by ahabswhale · · Score: 1

      You usually don't because any competent software company writing Java software of this type will provide a launcher that takes care of this for you and you can remain blissfully unaware of it like any other software. Just because Minecraft is retarded, doesn't make Java retarded.

      --
      Are agnostics skeptical of unicorns too?
    37. Re:Enough Already by ahabswhale · · Score: 2

      Good point because we all know that C++ is immune to security holes.

      --
      Are agnostics skeptical of unicorns too?
    38. Re:Enough Already by zuperduperman · · Score: 2

      It's really sad how badly Sun screwed up Java. They basically had the world in the palm of their hand at one point - one of the only ways to run rich content in the browser, the only universally available cross platform runtime that the vast majority of people had installed. They tried to do all the right things - Java WebStart to easily run Java applications from a link, downloading all the necessary components on the fly. A simple, easy way to launch applications (just double click on the jar file!).

      But every single one of these "great" ideas had the most awful flawed execution, completely stupid, bone headed limitations that made you want to poke your own eyes out. This one you mention being an example. You can wrap your application up in a beautiful jar file and the user can double click it to run it. But there is no way for you to specify how much memory that application should get. And the default amount of memory is implementation dependent, so no way to predict what it will be. So they've solved all of your problems to avoid writing a native launcher and then left you still having to write one, just to pass one stupid fucking parameter to the JVM.

      This is just one tiny example, but I could list a dozen of these.

    39. Re:Enough Already by TubeSteak · · Score: 1

      Already done, the previous u10 added options on the Java control panel (Windows) to disable all Java features in the browser, so if you need Java for desktop applications, you don't need to expose it to the browser.

      Thanks! I just did this.
      Control Panel --> Java --> Security --> uncheck the box at the top

      --
      [Fuck Beta]
      o0t!
    40. Re:Enough Already by Anonymous Coward · · Score: 1

      Yes!

      Java is ignorantly designed and poorly implemented.

      For example, Java code uses named variables that the compiler maps to a stack and then to the virtual registers of the JVM, which then have to be mapped back to a stack and back out to the actual registers of the machine that runs it by the JIT. Every time. Each step is wasted RAM and chances for bugs. They are cargo cult programmers - duplicating hardware constraints in software.

      A key part of most total exploits is to corrupt return addresses on the stack. This is only possible because the x86 foolishly mixes the system's return addresses on the same stack as user data. It was understood decades ago that this was a bad but cheap design choice considered OK for stand alone systems. High end systems used separate stacks even 40 years ago! Given a completely clean slate to design completely new virtual hardware what do the Java designers do? Badly copy the C/x86 system that was known to be broken decades ago and connect it to a global network designed to run unsigned 3rd party code on a regular basis.

      There are many other technical aspects that demonstrate Java and the JVM are fundamentally bad designs and should be dropped. Java never lived up to the portability claims. The JVM never lived up to the security claims. They've had decades and billions of dollars to fix this and it's still broken.

      Most people still look at the wrong benchmarks. In non-trivial multi-user environments the first resource you run out of is almost always RAM. Then the swapping to disk starts and it's orders of magnitude slower. 16 core CPUs wait and wait for the disk sub-system. Even SSDs are slow compared to the cheapest DRAM. The reason I bring this up is that Java and the JVM are RAM pigs and will cause your servers to page out to disk long before most other languages will. So don't be fooled by Oracle's trivial benchmarks that Java is 'almost as fast as C' - with a large number of users Java loses to COBOL in the real world. Statistically, Java also has more bugs and takes longer to develop.

    41. Re:Enough Already by hairyfeet · · Score: 0

      Are you HONESTLY gonna compare C++ to Java when it comes to security? Really? Sure you don't want to take that back before we hand you your "I don't know WTF I'm talking about" sign?

      Go to ANY security website where they rank programs, your choice, I prefer Secunia but there are a couple of others out there, and compare the amount of bugs in any given period, say 3 years, between Java and C++ as well as the severity. Frankly the only program that comes anywhere close to Java on sheer shitstorm scale is Adobe Reader, last I checked even Flash isn't as bad on number of "Can take over your computer" bugs. Which if you think about it makes perfect sense, nothing more dangerous than a badly written framework as by its very nature it's designed to run other people's code.

      Show me ONCE, just once mind you, where Homeland Security has put out an advisory recommending removal or disabling of C++, just once. Frankly C++ on its worst day isn't even in the same ballpark, hell it's not even the same sport as Java, Java is a security nightmare and has been almost since the very beginning. If you don't like C++ there are a dozen other languages out there and NONE of them are as dangerous to have on your system as Java, none.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    42. Re:Enough Already by Anonymous Coward · · Score: 0

      Which language do you think Adobe Reader is written in? Pixie Dust 2.0?

      And which language do you think Java browser plugin is written in?

    43. Re:Enough Already by ahabswhale · · Score: 1

      Wow, you're so fucking smart and knowledgeable that I'm too intimidated to respond. lol

      How much client-side C++ is out there, you fucking moron? Argument over, you lose.

      --
      Are agnostics skeptical of unicorns too?
    44. Re:Enough Already by Anonymous Coward · · Score: 0

      It's a virtual machine. Most of the time, you don't want any application it runs eating all your memory. You can increase the max to match your system's if you want that, but it would just be a bad idea.

    45. Re:Enough Already by Anonymous Coward · · Score: 0

      If your misguided rant were to be remotely close to some truism, you wouldn't be disabling C++ you'd be disabling assembly.

      At any rate the DHS isn't recommending disabling Java. It's recommending to disable the browser plugin. Java is more than a browser plugin. Its uses outside of the browser are no worse than any other language from a security viewpoint.

      Fun fact, Java is essentially immune to one of the more prolific bugs in c/c++ code: use after free.

    46. Re:Enough Already by Anonymous Coward · · Score: 0

      If an applet needs a non-default memory size it can be set by the applet developer [oracle.com] unless you don't consider him to be "professional".

      Not if the developer in question is a recruiter for a cult. Other developers I would consider to be professionals, but you sir I would not.

    47. Re:Enough Already by Anonymous Coward · · Score: 1

      This is why running minecraft requires you to run java -Xmx6G minecraft_server.jar so you can use up to 6GB

      That's not what -Xmx does.

      The -Xms option sets the initial and minimum Java heap size. The -Xmx option sets the maximum heap size. In some cases setting the maximum heap size can be helpful, but it can also be detrimental. It depends more on the particulars of the specific JVM you're using and what all you're doing.
      For example, if you only have 8gigs of physical RAM available and are trying to run two server applications, setting it to 6Gigs is often going to cause you problems because the OS will have to use 4Gigs of slow swap/cache space right off the bat to satisfy your demands. You'd be better off setting each to 4Gigs, but even then only in cases where the JVM is for some reason defaulting to a maximum value. If you're using a 64bit JVM implementation you often don't have to set the Heap size manually at all. In any case, fiddling with the min/max heap sizes is something of an Art which varies vastly by environment and application behavior.
      There really is not any "right" or "wrong" way to set the Heap size- the best thing to do is profile your server application with various settings under normal production loads to see what actually performs best. Sometimes if you set too much heap size, you can run into problems (especially with Minecraft) because it waits SO long to run garbage collection that when it does collect you get massive latency spikes. You can also approach such problems from a different angle- the less loading/unloading the application does, the less the heap gets full of trash. So it can sometimes be better to let Minecraft run with a smaller Heap size and use the extra RAM to load up map files onto a RAM disk.

    48. Re:Enough Already by Anonymous Coward · · Score: 1

      Because Microsoft and Sun (and Oracle) are competitors and Microsoft is not going to build Sun's garbage collector into Microsoft's OS Kernel - which you would do if you wanted to do it right.

    49. Re:Enough Already by Lisias · · Score: 1

      That's a point. However...

      Who in his sane mind would like to download a random JAR from the Internet and give it total control about your computer?

      I agree that a more user friendly mechanism to give the VM the JAR's needed resources could be a good idea, but I really don't get this as one of the major Java's flaws. On Linux, that native launcher can be just a fscking bash script, by God's sake!

      If you think that this is an unacceptable friction as a developer, feel free to try to build a multiplatform application using .NET, C++, Python or Perl. :-)

      (hint: even Python has some serious idiosyncratic friction on the operating system: give os.stat a peek for an example).

      And no one bought the idea of the "Java/OS", anyway.

      --
      Lisias@Earth.SolarSystem.OrionArm.MilkyWay.Local.Virgo.Universe.org
    50. Re:Enough Already by kbg · · Score: 1

      But why should I have to care if it is a virtual machine or a real program, the program should just work.

    51. Re:Enough Already by kbg · · Score: 1

      No you just do it right, you don't need the kernel to do correct memory allocations behavior.

  2. The same old story by Synerg1y · · Score: 1, Insightful

    Java's had issues with reflection before: http://stackoverflow.com/questions/3002904/what-is-the-security-risk-of-object-reflection .

    Considering that reflection is basically injecting code at runtime, I'd say most things in the Java world don't need it, not sure if it's on or off by default, but in 99% of scenarios I believe it should be set to off.

    1. Re:The same old story by K.+S.+Kyosuke · · Score: 4, Interesting

      Considering that reflection is basically injecting code at runtime

      That's pretty narrow, isn't it? Reflection is reification of a program's state (and possibly code, which should be a subset of it) in the form of (possibly mutable) metaobjects. The interface doesn't necessarily have to allow the program to do things that are inherently unsafe (although some applications need to do precisely that, e.g., Smalltalk IDEs when creating or modifying classes and methods). If Java's reflection features violate the Java platform's security, it's an API design flaw, not necessarily a problem with reflection as such. It's not like this is Java's only design flaw anyway. :-)

      --
      Ezekiel 23:20
    2. Re:The same old story by Synerg1y · · Score: 1

      Yea, and why not apply reflection's methods against the platform itself? "Reflect", reverse, and modify the framework appropriately to gain a hook. Java isn't the only language to use reflection, C# has it, but I don't think I've ever seen it used, which may be a testament to its usefulness more than its security.

      Potential Reflection scenarios: http://stackoverflow.com/questions/2488531/what-is-the-use-of-reflection-in-java-c-etc

    3. Re:The same old story by Anonymous Coward · · Score: 3, Insightful

      Sorry to say: if you haven't seen reflection used in C# you must not have been looking very hard...

    4. Re:The same old story by sjames · · Score: 4, Informative

      Reflection is extremely useful given a language that considers it a first class feature rather than a bolt-on. Duck typing, for example, is a specific application of reflection. In turn, duck typing can actually fulfill the promise of reusable code that OOP promises but rarely delivers.

    5. Re:The same old story by Bob9113 · · Score: 5, Insightful

      If Java's reflection features violate Java platform's security, it's an API design flaw, not necessarily a problem with reflection as such.

      Java is a programming language, like C. It has access to the filesystem and can fork processes. Security is handled by the operating system, just like C. Any permission that the executing user has, the language has. That is as designed.

      The Java browser plugin, on the other hand, has a sandbox which is supposed to make it safe to run untrusted code. Turns out that trying to make it safe to run untrusted Java code is just as difficult as trying to make it safe to run untrusted C code. The security hole is in the Java sandbox, and in the notion of executing untrusted code in a language that has system access, not in the Java language.

    6. Re:The same old story by barjam · · Score: 2

      Reflection in C# is used all the time. If you have written anything more complicated than hello world you have definitely used it. Not directly but the APIs you call use it.

    7. Re:The same old story by AuMatar · · Score: 3, Informative

      Its major use is to avoid busy work for the programmer. An example is ORM where the program can analyze what fields a class has and figure out what data types those fields are and build SQL queries from it. Another example is xml/json parsing, where you can pass in a json string and a class definition and have it match all of the fields in the json to members in the class. You can spend 15 minutes writing annoying boilerplate code or 15 seconds making 1 method call.

      --
      I still have more fans than freaks. WTF is wrong with you people?
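      The JSON-to-class mapping described in the comment above, as an added illustration (this is not code from the thread or from any ORM or JSON library; the `User` class and the sample documents are constructed for the example). It is written in Python because the thread itself compares Python and Java for this style of programming, and it uses `dataclasses.fields()` as the reflection call that replaces the hand-written boilerplate. Because the same reflective power lets a document reach for any attribute name, the mapper is strict: only declared fields are accepted, unknown keys are rejected, required fields must be present, and each value is checked against the declared type.

```python
"""Reflection-driven JSON-to-object mapping (added illustration, Python)."""
import json
from dataclasses import MISSING, dataclass, fields
from typing import Any, Optional, Type, TypeVar

T = TypeVar("T")


@dataclass(frozen=True)
class User:
    """Constructed target class; the field list is what reflection will read."""
    name: str
    age: int
    admin: bool = False


def from_json(cls: Type[T], text: str) -> T:
    """Build an instance of `cls` from a JSON object by inspecting its declared fields.

    Reflection replaces one constructor call per class, but the mapping stays
    strict: only declared fields are accepted, unknown keys are rejected, and
    every value is checked against the field's annotation.
    """
    data = json.loads(text)
    if not isinstance(data, dict):
        raise TypeError("top-level JSON value must be an object")
    declared = {f.name: f for f in fields(cls)}
    unknown = set(data) - set(declared)
    if unknown:
        # A permissive mapper would silently drop (or worse, setattr) these.
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    kwargs: dict[str, Any] = {}
    for name, f in declared.items():
        if name in data:
            value = data[name]
            # bool is a subclass of int in Python; compare the exact type so a
            # JSON `true` is not accepted where an int is declared.
            if type(value) is not f.type:
                raise TypeError(
                    f"{name}: expected {f.type.__name__}, got {type(value).__name__}"
                )
            kwargs[name] = value
        elif f.default is MISSING and f.default_factory is MISSING:
            raise ValueError(f"missing required field: {name}")
    return cls(**kwargs)


def mapping_error(cls: type, text: str) -> Optional[str]:
    """Return the exception class name `from_json` raises, or None on success."""
    try:
        from_json(cls, text)
    except (TypeError, ValueError) as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    # Constructed sample documents.
    print(from_json(User, '{"name": "alice", "age": 30}'))
    print(mapping_error(User, '{"name": "alice", "age": 30, "__class__": "x"}'))
```

The unknown-key rejection is the part worth keeping in any reflective mapper: the convenience the comment describes comes from letting data name the members it fills, so the mapper, not the data, has to decide which names are in scope.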
    8. Re:The same old story by K. S. Kyosuke · · Score: 1

      Yea, and why not apply reflection's methods against the platform itself? "Reflect", reverse, and modify the framework appropriately to gain a hook.

      If that's possible and not intended, you have a bug in your platform.

      Java isn't the only language to use reflection, c# has it, but I don't think I've ever seen it used, which may be a testament to its usefulness more than its security.

      Yes, in a decade, perhaps, these two platforms will reach the reflective maturity of Self-93 and its successors. Until then, they're half-botched.

      --
      Ezekiel 23:20
    9. Re:The same old story by petermgreen · · Score: 1

      AIUI, while the browser plugin is by far the most common use of the sandboxing, and hence the most common way to exploit flaws in the sandboxing, the sandboxing itself is a core feature of the java platform.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    10. Re:The same old story by cusco · · Score: 1

      OK, I'm not a programmer and never will be but the phrase 'duck typing' is so off-the-wall that I just have to ask what the hell it means.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    11. Re:The same old story by Anonymous Coward · · Score: 0

      the whole java enterprise specification is built over reflection and code injection, also quite a lot of frameworks out there are (hibernate and spring, just to name some)

      now, why they left reflection enabled by default on applets instead of placing it behind a user policy is beyond me.

    12. Re:The same old story by Anonymous Coward · · Score: 0

      ... reification ... mutable ... metaobjects ...
      BINGO!

    13. Re:The same old story by Cinder6 · · Score: 1

      You know, mallard, stifftail, goldeneye...

      Okay, fine, it's a type of dynamic typing: http://en.wikipedia.org/wiki/Duck_typing

      --
      If you can't convince them, convict them.
    14. Re:The same old story by w_dragon · · Score: 1
    15. Re:The same old story by K. S. Kyosuke · · Score: 1

      and in the notion of executing untrusted code in a language that has system access

      Actually, that notion is perfectly fine. In a proper object-based runtime, the untrusted code should only get those references ("capabilities", from security POV) that it's supposed to have access to in order to accomplish its tasks, and nothing more. It can't get anywhere else in any other way than by pointer chasing or querying the provided objects/capabilities and invoking their methods, using the API it's been given access to. Basically, it's the same principle that MS is trying to employ in the development of Singularity-like systems. The notion is perfectly fine, that is, when the API isn't botched.

      --
      Ezekiel 23:20
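      The capability principle in the comment above, as an added illustration (not code from the thread, from Singularity, or from any Java runtime; the `ReadOnlyDir` class, the `untrusted_plugin` stand-in and the sample directory tree are constructed for the example). The untrusted code is handed one object and can only reach what that object's methods expose; `restrict()` derives a narrower capability but can never widen one. In Python the model holds only as far as the runtime cooperates: the language's own reflection can read private attributes, which is exactly the "botched API" case the comment ends on, so this demonstrates the principle rather than a sandbox.

```python
"""Capability-style attenuation of file access (added illustration, Python)."""
import tempfile
from pathlib import Path


class ReadOnlyDir:
    """A capability granting read access to files below one directory.

    The holder can read files and derive narrower capabilities, but the
    object exposes no write method, no way to list the parent, and no way
    to recover a broader reference than the one it was built with.
    """
    __slots__ = ("_root",)

    def __init__(self, root: Path):
        self._root = root.resolve()

    def _inside(self, candidate: Path) -> bool:
        # True only for paths strictly below the granted root after resolving
        # '..' segments and symlinks.
        return self._root in candidate.parents

    def read(self, name: str) -> str:
        target = (self._root / name).resolve()
        if not self._inside(target):
            raise PermissionError(f"{name!r} is outside the granted directory")
        return target.read_text()

    def restrict(self, subdir: str) -> "ReadOnlyDir":
        """Derive a narrower capability; it cannot widen what the holder has."""
        child = (self._root / subdir).resolve()
        if not self._inside(child):
            raise PermissionError(f"{subdir!r} is outside the granted directory")
        return ReadOnlyDir(child)


def untrusted_plugin(cap: ReadOnlyDir) -> str:
    """Stand-in for third-party code: it only ever sees the capability it was handed."""
    return cap.read("config.txt").strip()


def build_fixture() -> Path:
    """Constructed sample tree (not from the page): base/plugin/config.txt, base/secret.txt."""
    base = Path(tempfile.mkdtemp())
    (base / "plugin").mkdir()
    (base / "plugin" / "config.txt").write_text("mode=safe\n")
    (base / "secret.txt").write_text("do not leak\n")
    return base


def demo() -> dict:
    """Hand the plugin a capability for base/plugin only and record what it can reach."""
    base = build_fixture()
    cap = ReadOnlyDir(base).restrict("plugin")
    result = {"plugin_sees": untrusted_plugin(cap)}
    attempts = {
        "parent_escape": "../secret.txt",          # '..' out of the subtree
        "absolute_path": str(base / "secret.txt"),  # absolute path overrides the join
    }
    for label, name in attempts.items():
        try:
            cap.read(name)
            result[label] = "allowed"
        except PermissionError:
            result[label] = "denied"
    try:
        cap.restrict("..")  # attempt to widen the capability back to base
        result["widen"] = "allowed"
    except PermissionError:
        result["widen"] = "denied"
    return result


if __name__ == "__main__":
    print(demo())
```

The check in `_inside` is the whole design: every path is resolved first, then compared against the root the capability was constructed with, so neither `..` nor an absolute path nor a symlink can name something the holder was not given.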
    16. Re:The same old story by HFXPro · · Score: 1

      When I see a bird that walks like a duck and swims like a duck and quacks like a duck, I call that bird a duck. http://en.wikipedia.org/wiki/Duck_typing

      --
      Reserved Word.
    17. Re:The same old story by Sique · · Score: 1

      So this is something we were using in LPC 20 years ago without knowing it had to have a special name. We just said, we were calling the method in the object - all objects being from the same type object anyway.

      --
      .sig: Sique *sigh*
    18. Re:The same old story by Knackered · · Score: 1

      OK, I'm not a programmer and never will be but the phrase 'duck typing' is so off-the-wall that I just have to ask what the hell it means.

      If it looks like a duck, walks like a duck, quacks like a duck, then for all purposes it's a duck.

      In my understanding, duck typing doesn't require the explicit declaration of "is-a" relationships in a class system. If a type (or object, depending on the language) fulfills sufficient requirements, it can be considered as a sub-class or object of another type. Depending on the language, the requirements may be expressed by interfaces, prototypes, pattern matching or some other means.

      --
      a.
    19. Re:The same old story by sjames · · Score: 2

      In the first generation of OOP, the focus was on the 'type' of an object, often involving an 'isa' method. For example, A.isa(file) might return true. The problem is that it is far too easy to get a case where something very file like isa(MyVerySpecialFileThing) but returns false for isa(file) because it has no truncate method (even though we don't want or need to truncate).

      Duck typing is the idea that the type of an object and where it inherits from is largely irrelevant. We don't care if A isa file, we care if A has a method called read that returns data. We might further care if it can close(), or seek().

      In other words, if it swims like a duck, and quacks like a duck, and walks like a duck, it's a duck as far as we care.

      See also Wikipedia. To see the difference between 1st class vs. bolt-on, compare the Python and Java examples.

    20. Re:The same old story by DarkOx · · Score: 1

      It comes from the phrase "if it walks like a duck, quacks like a duck then it's a duck!"

      It differs from the idea of strong typing where the interpreter and compiler will require the object be exactly the declared type or perhaps something inherited from that type.

      Automobiles might all have functions: start, stop, accelerate, brake, hold, left, right; and properties speed, started.

      Car may or may not be inherited from automobile, and it might have more properties and functions, such as LeftTurnSignal. A loosely typed language will allow you to pass a car to a function expecting an automobile. The program might use duck typing to check that it has those properties and functions automobiles are supposed to have. If they do he will proceed to treat it like an automobile, assuming it is so and the program should work fine. If it's missing one of those methods he will raise an error. This adds flexibility (and usually bugs).

      The key thing being that he/she must actually write the code to check the existence of the properties and functions, and raise the error. A language that uses strong typing would do it automatically, but cars would need to be automobiles.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
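      The duck typing described in the three comments above (the read/close view of a file-like object, and the explicit "check the methods exist, raise if not" step), as an added illustration in Python; none of this is code from the thread, and `NetworkBuffer`, `Readable`, `check_duck` and `consume` are names constructed for the example. `NetworkBuffer` inherits from nothing file-related and has no `truncate()`, so an inheritance-based isa(file) check would reject it, while the structural checks accept it because it reads and closes like a file. The `Protocol` version is also a subtype that is not a subclass, which is the distinction the LSP comment further down draws.

```python
"""Duck typing: structural checks instead of inheritance (added illustration, Python)."""
import io
from typing import Optional, Protocol, runtime_checkable


@runtime_checkable
class Readable(Protocol):
    """Structural type: anything with read() and close() qualifies, whatever it inherits from."""
    def read(self, n: int = -1) -> bytes: ...
    def close(self) -> None: ...


class NetworkBuffer:
    """Constructed 'very file-like thing': no file base class, no truncate()."""
    def __init__(self, payload: bytes):
        self._buf = payload
        self.closed = False

    def read(self, n: int = -1) -> bytes:
        if n < 0:
            data, self._buf = self._buf, b""
        else:
            data, self._buf = self._buf[:n], self._buf[n:]
        return data

    def close(self) -> None:
        self.closed = True


REQUIRED = ("read", "close")


def check_duck(obj) -> None:
    """The explicit check: verify the required methods exist and raise if any is missing."""
    missing = [name for name in REQUIRED if not callable(getattr(obj, name, None))]
    if missing:
        raise TypeError(f"{type(obj).__name__} lacks {missing}")


def duck_error(obj) -> Optional[str]:
    """Return the message check_duck raises for `obj`, or None if it passes."""
    try:
        check_duck(obj)
    except TypeError as exc:
        return str(exc)
    return None


def consume(source) -> int:
    """Work on anything that reads like a file; return the number of bytes consumed."""
    check_duck(source)
    total = 0
    while chunk := source.read(4):
        total += len(chunk)
    source.close()
    return total


def accepts(obj) -> bool:
    """The same question asked through a runtime-checkable Protocol."""
    return isinstance(obj, Readable)


if __name__ == "__main__":
    print(consume(io.BytesIO(b"hello world")), consume(NetworkBuffer(b"0123456789")))
    print(accepts(NetworkBuffer(b"")), accepts(object()))
```

`consume` never asks what `source` is, only what it can do, so the `BrandNewDuckLikeObject` case from later in the thread (an object defined after `consume` was written) works without a cast; the price, as the comment says, is that the check has to be written and the failure surfaces at run time.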
    21. Re:The same old story by K. S. Kyosuke · · Score: 3, Informative

      I would omit the "sub-class" part of your post. This is about substitutability, and that is all about subtyping, whereas subclassing is about representation and implementation. You can have a subclass that is not a subtype (per LSP, at least, although most OO languages like to pretend in their type systems that subclasses are always subtypes), and a subtype that is not a subclass (which is typical with interfaces).

      --
      Ezekiel 23:20
    22. Re:The same old story by Bob9113 · · Score: 1

      AIUI, while the browser plugin is by far the most common use of the sandboxing, and hence the most common way to exploit flaws in the sandboxing, the sandboxing itself is a core feature of the java platform.

      You are calling this a core feature because it was part of the central design more than a decade ago when Java was intended to be used in the browser. The overwhelming majority of Java that is live today does not use the sandbox. The sandbox is no more a core feature of Java than your appendix is a core feature of your digestive system.

    23. Re:The same old story by Anonymous Coward · · Score: 0

      Yes. It's the natural thing to do until the taxonomy bureaucrats find it and break it by insisting on separation into disjunct classes. Nowadays you have to specifically mention that you did NOT break the natural paradigm of "send the object a message, with, you know, words". Hence the term "Duck Typing"

    24. Re:The same old story by cusco · · Score: 1

      Ah, so you're checking the type of an object, not keying something in. The only thing that came to mind when I first read it was 'cat typing', aka 'kitty keyboarding', an entirely different activity. Thanks.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    25. Re:The same old story by ADRA · · Score: 1

      Well, you're partly right. Sandboxing is always running on all JVM instances, and can be quite handy when dealing with dividing multiple aspects of a running system (like deploying different versions of a given software library across different deployments on the same server instance).

      Now I haven't looked into this one yet, and I'm not sure if they found flaws in the plugin shared objects, or in the platform's handling of its platform sandbox. If it was the platform sandbox, then that's a lot worse imho.

      --
      Bye!
    26. Re:The same old story by Anonymous Coward · · Score: 0

      Why do you need reflection for that? Good old Macro programming will do nicely. Use m4 and expand code into a file, so that you can nicely inspect and debug.

    27. Re:The same old story by Randle_Revar · · Score: 1

      Agreed. When my brother was a C# dev (including when he worked at MS on Codeplex) he talked about using reflection a lot.

    28. Re:The same old story by Randle_Revar · · Score: 1

      But "duck" is not monophyletic! Is it Anatinae, Aythyinae, Merginae, Oxyurinae, or something else?

    29. Re:The same old story by sjames · · Score: 1

      Now take that compiled code and hand it BrandNewDuckLikeObject you defined yesterday and see what happens. That's exactly the sort of reuse failure duck typing avoids.

      Bonus points if it then hands that object back out and it can be recognized as a BrandNewDuckLikeObject again without a dangerous typecast that will fail if performed on a NotSoNewQuackingThing.

    30. Re:The same old story by stenvar · · Score: 1

      Java is a progamming language, like C. It has access to the filesystem and can fork processes. Security is handled by the operating system, just like C.

      That's false. Java claims to provide sandboxing, runtime safety, and fault isolation, something C never provided. In different words, security can be handled by the OS, but it can also be handled by the language and runtime. Providing it in the language and runtime has lots of potential advantages. Java tried to provide support in the language and runtime, but failed. Other languages and runtimes have succeeded at accomplishing what Java failed to do with sandboxing, runtime safety, and fault isolation, so it's certainly possible to do in principle.

    31. Re:The same old story by Anonymous Coward · · Score: 1

      Or be freaking incompetent. Reflection is the only way to implement many cross cutting concerns in a generic way.

      A few examples: ORMs, Databinding, (Unit) testing frameworks, Data serialization, Policy injection, it's even used for on screen formatting in ASP.NET MVC framework.

    32. Re:The same old story by gbjbaanb · · Score: 1

      It's a poor way of achieving what a compiler should do for you - from the class definition, it should be able to generate the boilerplate so that you can pass in the json and have it nicely accessible, you don't need reflection to do that and the results are considerably more performant.

      Nearly all uses of reflection should be replaced with some up-front thought for a different way of approaching the problem.

    33. Re:The same old story by AuMatar · · Score: 1

      No, that kind of stuff is WAY, WAY outside the scope of a compiler. Why the hell would a compiler even know JSON exists? You can argue it's the job of a preprocessor or code generation utility run as part of your build process and you'd have a point. The advantage of using reflection is that all your code is in your source code and checked in - with preprocessing tools or code generation you're generating code at compile time which breaks a lot of tools and makes debugging errors much more difficult.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    34. Re:The same old story by bcrowell · · Score: 1

      Turns out that trying to make it safe to run untrusted Java code is just as difficult as trying to make it safe to run untrusted C code.

      Total nonsense. This is like saying that people get electrocuted by their toasters, and people get electrocuted repairing downed power lines, so toasters are just as dangerous as downed power lines. Toasters are safe by design. So is the java applet sandbox.

    35. Re:The same old story by gbjbaanb · · Score: 1

      You're looking at it wrong - the compiler knows your code exists, what its structure is, and it's that that matters - that you can create objects and populate them with data sourced from the JSON data stream is exactly what you should be doing.

      Using reflection to take a data source and turn it into code is just the security problem that has already happened.

      Also I found that generated code made debugging much easier - you can see the code that has been generated, step through it in the debugger. Runtime code creation is quite the opposite, mostly blackboxes of looping reflection and recursive functions.

    36. Re:The same old story by AuMatar · · Score: 1

      Why the hell should a compiler know what JSON is? A compiler's job is to turn code into machine or bytecode. Giving it more intelligence is a mistake. Generate the code maybe, but not as part of the compiler.

      I'm going to disagree on easier to debug, because it's impossible to step through the process of generation, which tends to be where the mistake is. It also means not all of your code is in source control, because the compiler itself becomes part of your code. I dislike the efficiency of runtime generation, but it's more transparent because the generation code is part of your source.

      --
      I still have more fans than freaks. WTF is wrong with you people?
  3. Just let it die already by Billly Gates · · Score: 1

    If your corp must need it, then downgrade to Java6, which is not affected by the latest exploits, and disable it in your browser except for whitelisted sites in your intranet zone in IE.

    Oracle apparently can't code their way out of a paper bag but Sun wrote Java 6. Not to say that release is secure but at least less flaky and doesn't have the same flaw as 7.

    1. Re:Just let it die already by Antipater · · Score: 5, Funny
      To be fair, coding your way out of a paper bag sounds pretty difficult.

      Unless you have a robot with poking capabilities inside the bag with you, of course.

      --
      Everything is better with chainsaws.
    2. Re:Just let it die already by arth1 · · Score: 2

      Of your corp must need ot then downgrade to Java6 which is not effected by the latest exploits and disable it in your browser except for whitelisted sites in your intranet zone in IE .

      Run that by me, again?

    3. Re:Just let it die already by CodeReign · · Score: 1

      He said if you are running peoplesoft allow Java to run only on your peoplesoft site. Was that so hard to understand?

    4. Re:Just let it die already by The Moof · · Score: 3, Informative

      It's the screwy way Windows does network trust. The "Internet Options" from the control panel is actually IE's preferences. This is also the place you set up trusted zones, allowing network applications or applications downloaded from external sources to run on the OS.

      Like I said, it's screwy.

    5. Re:Just let it die already by Billly Gates · · Score: 1

      Old IE may suck for rendering websites properly compared to new IE, but what it does do right is come with corporate oriented tools including this, called security zones.

      Just go under Internet Options in control panel and disable java in the internet zone and set it up in the intranet zone. Fairly easy stuff. You can push this through Active Directory as well if you are at work to protect your users.

      I assume no one but a few minecraft users use it at home so uninstall it. Chrome and Firefox should have it disabled by default.

    6. Re:Just let it die already by icebike · · Score: 4, Interesting

      Oracle apparently can't code their way out of a paper bag but Sun wrote Java 6. Not to say that release is secure but at least less flaky and doesn't have the same flaw as 7.

      I think it is starting to look suspiciously like there is some unfair dealing going on in the "security researcher" world.

      The fix was released last Sunday and two new security flaws turn up today which, according to the summary and TFA, "are apparently not related to the previous security issues."

      First, that is a very short period of time to find these new flaws, and write a proof of concept.
      Were these flaws in the prior release, or introduced by the Sunday release?
      Did these guys have them in hand prior to the work on sunday's release and hold them back?
      Were they using "research" methods that they refused to share? Fuzzers, code inspection?
      If the researchers didn't find these new flaws until after sunday, why not?

      Just sayin....

      --
      Sig Battery depleted. Reverting to safe mode.
    7. Re:Just let it die already by Billly Gates · · Score: 1

      I was under the impression it utilized the same exploit from what I read. It just used the same attack vector utilizing a different method that the fix doesn't mitigate.

    8. Re:Just let it die already by icebike · · Score: 1

      Why Yes, Yes it was.
      One wonders to what extent we should take advice from a guy who can't form a conversant sentence.

      --
      Sig Battery depleted. Reverting to safe mode.
    9. Re:Just let it die already by Anonymous Coward · · Score: 0

      I don't think that word means what you think it means.

      People are conversant, sentences aren't.

    10. Re:Just let it die already by icebike · · Score: 0

      Actually what I wrote was a perfect example of Muphry's law and I really meant to say coherent, but auto-correct jumped in and bitchslapped me yet again.

      --
      Sig Battery depleted. Reverting to safe mode.
    11. Re:Just let it die already by Em Adespoton · · Score: 1

      To be fair, coding your way out of a paper bag sounds pretty difficult.

      Unless you have a robot with poking capabilities inside the bag with you, of course.

      You just have to press hard when writing the 1's. After enough iterations, you'll be out.

    12. Re:Just let it die already by Tarlus · · Score: 0

      Murphy's *

      ...Sorry, couldn't help it. =)

      --
      /* No Comment */
    13. Re:Just let it die already by icebike · · Score: 0

      Nope, you should have clicked the link. Muphry's Law is a deliberate misspelling of Murphy's law. Sort of a self referential joke.

      --
      Sig Battery depleted. Reverting to safe mode.
    14. Re:Just let it die already by Anonymous Coward · · Score: 0

      I heard Larry Ellison's mom has a robot with poking ability; maybe they could borrow that one.

    15. Re:Just let it die already by Anonymous Coward · · Score: 0

      Better than back when you had to get to the computer's internet preferences by first launching IE...

    16. Re:Just let it die already by Anonymous Coward · · Score: 0

      Unfair dealing? Sun and Oracle have been promising to create a secure, safe sandboxing language and environment for 15 years, and it has been one disaster after another. The only thing that's "unfair" is that they haven't been sued into oblivion for their total incompetence.

    17. Re:Just let it die already by Tarlus · · Score: 1

      Yeah, that was intentional. Apparently the mods didn't get it either. =)

      --
      /* No Comment */
  4. Dalvik virtual machine by perpenso · · Score: 1

    Is Google's Dalvik virtual machine available for PC or just Android? Perhaps a little competition is needed.

    1. Re:Dalvik virtual machine by Anonymous Coward · · Score: 0

      The problem is that most applets are coded to use a gui that was never implemented in Android, so I don't think it would help.

    2. Re:Dalvik virtual machine by sjames · · Score: 1

      The rooting hacks I've seen don't seem to attack the VM. They generally either rely on linked in C libraries where the exploit is actually implemented or they are attacks on the bootloader to get it to load something in kernel mode to set flags in hardware.

      The more difficult case is the ones that attack the kernel through permitted system calls.

      Ultimately, the answer will probably involve a mini guest OS isolated by something like KVM where each applet gets its own VM and any changes on the client side roll back when the applet exits.

    3. Re:Dalvik virtual machine by Em Adespoton · · Score: 1

      Ultimately, the answer will probably involve a mini guest OS isolated by something like KVM where each applet gets its own VM and any changes on the client side roll back when the applet exits.

      Well, this would at least have the effect of hardening KVM over time as flaws were found allowing similar attacks via message passing routines. That wouldn't necessarily be a bad thing, although it would make life more painful for those of us who already use KVM in relative obscurity.

  5. blaaaaaaaaaa by Anonymous Coward · · Score: 0

    who cares? java does not belong in the browser, javascript does not belong on the server. end of story.

    1. Re:blaaaaaaaaaa by arth1 · · Score: 1

      who cares? java does not belong in the browser, javascript does not belong on the server. end of story.

      No, you're missing a few chapters to your story:
      Chapter 1: Javascript does not belong in the browser when fetched from untrusted sources.
      Chapter 2: Java does not belong in the browser.
      Chapter 3: Javascript does not belong on the server.
      Chapter 4: Java does not belong on servers also used for non-java.

    2. Re:blaaaaaaaaaa by Anonymous Coward · · Score: 1

      who cares? java does not belong in the browser, javascript does not belong on the server. end of story.

      No, you're missing a few chapters to your story:
      Chapter 1: Javascript does not belong in the browser when fetched from untrusted sources.
      Chapter 2: Java does not belong in the browser.
      Chapter 3: Javascript does not belong on the server.
      Chapter 4: Java does not belong on servers also used for non-java.

      Chapter 5: Javascript does not belong in the browser, either.
      Chapter 6: Images do not belong in the browser.
      Chapter 7: The only thing that belongs in the browser is ASCII text. None of this Unicode crap.
      Chapter 8: And ONLY if that text has been sanitized to hell and back.
      Chapter 9: Waaaaaaah, why don't we just use Gopher like we used to? The world made so much sense back then, and that was good enough for us!
      Chapter 10: Screw you guys, I'm just going to pass floppy disks among my Media Lab friends at MIT like in the old days.
      Chapter 11: 1.44MB is enough for anything.
      Chapter 12: Unless you're one of the old fogies with the 360kB disks. Forget that noise, we've got COLOR in our .tiffs now!

    3. Re:blaaaaaaaaaa by CodeReign · · Score: 1

      Can you paste chapter 4 for me. I'm somewhat curious what you mean, is there privilege escalation that can occur or what's going on in that chapter?

    4. Re:blaaaaaaaaaa by Bill_the_Engineer · · Score: 1

      Chapter 4: Java does not belong on servers also used for non-java.

      Please cite some evidence that the above is true.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    5. Re:blaaaaaaaaaa by AliasMarlowe · · Score: 1

      Chapter 12: Unless you're one of the old fogies with the 360kB disks. Forget that noise, we've got COLOR in our .tiffs now!

      Who are you calling "old", sonny?
      I'm not that old (far from retirement age), and worked with brand new 140kB and 160kB 5.25" floppy disks on a brand new PC, several years after graduating. Earlier I worked with PDP-8, PDP-11, IBM-360, and DEC-20, which were floppy-free, and cassette-tape systems such as the PET. Even those who recall 80kB 8" floppies, or subsequent 100kB and 110kB 5.25" ones might not be retired yet.

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    6. Re:blaaaaaaaaaa by CFBMoo1 · · Score: 0

      Chapter 13: Punch cards, the new ninja throwing stars!

      --
      ~~ Behold the flying cow with a rail gun! ~~
  6. Oracle should deprecate the browser plugin by Anonymous Coward · · Score: 0

    Oracle should deprecate the browser plugin. It is the new ie6+ActiveX... Let the vendors repackage their applets into jnlp applications where you have to accept before allowing execution.

    1. Re:Oracle should deprecate the browser plugin by sjames · · Score: 0

      I'm really wondering if the industry just needs to deprecate Oracle.

  7. I just have to say... by cyberjock1980 · · Score: 2

    Whoops!

    I wonder how many of these vulnerabilities will be found and identified before the top brass at Oracle starts questioning the logic in buying Sun. Could Oracle realistically just come out and say "you know what.. we're done with Java"? Is Oracle really this inept at making stuff secure?

    I mean, fixing security vulnerabilities is never good for business.. at all. You spend money fixing something that doesn't affect you directly but definitely affects your customers (which indirectly affects you). It's developer time that could have been spent on the next version's new shiny feature. Not to mention you aren't going to sell your product by saying "We fixed XYZ vulnerabilities in the last 2 years". Anytime a company name is used in the same sentence with "new vulnerabilities discovered" is also not good for said company.

    When the last topic about these vulnerabilities was posted I mentioned how I don't trust companies with my security any more than I have to and mentioned that my firewall is now pfsense since Linksys, Netgear, and Dlink don't seem to be interested in security without buying a new router every 2 years. Naturally I got modded down. Let's see how this goes this time...

    1. Re:I just have to say... by c · · Score: 2

      Is Oracle really this inept at making stuff secure?

      Ask David Litchfield. You might also want to read up on their Unbreakable campaign a few years prior to purchasing Sun.

      --
      Log in or piss off.
    2. Re:I just have to say... by lecithin · · Score: 1

      "Is Oracle really this inept at making stuff secure?"

      Aside from their database, Oracle is inept at pretty much everything.

      --
      It could be worse, it could be Monday.
    3. Re:I just have to say... by Scutter · · Score: 1

      Anytime a company name is used in the same sentence with "new vulnerabilities discovered" is also not good for said company.

      True, but it's amazingly easy to deal with that by adding the phrase "But they have a history of fixing vulnerabilities quickly whenever they are discovered." Unfortunately, Oracle can't seem to do this.

      --

      "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
    4. Re:I just have to say... by Anonymous Coward · · Score: 1, Insightful

      Oracle is inept at pretty much everything.

      FTFY

    5. Re:I just have to say... by organgtool · · Score: 2

      I mean, fixing security vulnerabilities is never good for business.. at all. You spend money fixing something that doesn't affect you directly but definitely affects your customers(which indirectly affects you). It's developer time that could have been spent on the next version's new shiny feature.

      Have you used Java lately? It hasn't had any killer new features in quite a long time and that stagnation has been there for a period even before Oracle bought Sun. That stagnation looks even worse when you compare it to .Net languages like C# which have surpassed most of Java's language features and is now ahead. And before everyone jumps down my throat for advocating a Microsoft technology, I use absolutely none of their technologies for software development. I'm just objective enough to recognize that they're putting a lot of effort into creating new features for their languages and as a Java developer, I have to say that I'm a bit jealous (but not jealous enough to switch to Microsoft's single-platform development environment).

    6. Re:I just have to say... by Anonymous Coward · · Score: 0

      It might have something to do with Oracle's management style and decisions running off most of the top talent... Take a look at the who's who list from Sun pre-Oracle, and look how many have bailed.

    7. Re:I just have to say... by gweihir · · Score: 2

      "Is Oracle really this inept at making stuff secure?"

      Aside from their database, Oracle is inept at pretty much everything.

      From what I have seen of their databases, security sucks there too (for example, no way to securely store certificates for communication or storage encryption), and you basically have to physically and logically protect Oracle database boxes by non-Oracle means.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  8. Interesting by jones_supa · · Score: 4, Interesting

    I still find it odd how Java suddenly caught all the attention regarding security.

    1. Re:Interesting by Bill_the_Engineer · · Score: 1

      Smear campaign. I always wondered why a "mega" exploit package was reportedly offered up for sale yet only the Java exploit contained in the package was the one getting the media attention.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    2. Re:Interesting by dalias · · Score: 5, Insightful

      Yes, in some ways I agree it is a "smear campaign", but I don't think it's an unjustified one. When a product has had vulns this serious this many times, yet maintains huge deployment due to market dominance and user lock-in, a huge smear campaign is needed to destroy it. This was the case in the past with products like BIND, Sendmail, WU-FTPD, IIS, IE, etc. and Java is just the latest necessary target.

    3. Re:Interesting by DMUTPeregrine · · Score: 2

      Windows got better, and fixed most of the easy exploits. Flash got a bit better, and fixed most of the easy exploits. Java and Acrobat Reader are still easy to find exploits in. We'll see what comes next.

      --
      Not a sentence!
    4. Re:Interesting by Bill_the_Engineer · · Score: 1

      I didn't say it was unjustified, just unfair. In fact, depending how Oracle responds, it may actually make Java more secure than other options/languages.

      What I am suspicious of is the lack of coverage for the other exploits. Which unfairly diminishes Java's image while elevating the status of similar products that may have the similar vulnerabilities.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    5. Re:Interesting by Bob9113 · · Score: 2

      I still find it odd how Java suddenly caught all the attention regarding security.

      I think this is largely due to the bad reporting. Ignorant reporters keep referring to this as a Java exploit. It is not. It is a Java sandbox exploit. A Java exploit of this nature would be catastrophic, since there are millions of servers out there running Java. A Java sandbox exploit, on the other hand, is little more than a reminder: Hey, everybody: Disable the Java plugin in your browser, like everyone else did ten years ago.

    6. Re:Interesting by Tridus · · Score: 0

      Java's on a lot of machines, and hasn't been hardened that well. Windows itself used to be the favored target, but Microsoft spent a lot of money in that area and it's much harder to find exploits in Windows 7 (and 8) than it used to be in XP. Flash was a target for a while, as was Acrobat reader.

      --
      -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    7. Re:Interesting by Nimey · · Score: 1

      Acrobat Reader got a lot better with version 10's secure mode. I don't remember reading of any exploits that were able to get past that.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    8. Re:Interesting by w_dragon · · Score: 1

      This is about Java in the browser. The main competitors in this space are Flash and (if you're in an outdated, IE-loving enterprise) ActiveX. Do you really have that high an opinion of Flash?

    9. Re:Interesting by sjames · · Score: 1

      It started with a serious security flaw that the vendor (Oracle) tried hard to ignore. The publicity was turned up to shame them into fixing the flaw with an out-of-cycle patch. The vendor half-assed the patch and so the cycle of 'all clear' press was interrupted for a new round of drubbing. Then an attempt was made to rehabilitate Java's image and so now we're at the 'not so fast' rebuttal.

      Meanwhile, it never really lived up to most of its promises anyway (especially as a browser plug-in) and so it naturally leads people to wonder if it's time to stick a fork in it.

      That Java is Oracle's second big software acquisition from Sun that seems to be flaming out under the new management and that Oracle is not really well liked as an entity anyway just adds to the dogpile.

    10. Re:Interesting by ashpool7 · · Score: 1

      This list almost makes sense, except IIS isn't going away because of .NET and BIND hasn't been significantly reduced either. Java in the browser might go away, but that seems about it.

    11. Re:Interesting by Anonymous Coward · · Score: 0

      Wait, is there a replacement for BIND now? I'm aware of dnsmasq, but I only ever see it used for its lightweight/ease-of-configurability on embedded devices.

    12. Re:Interesting by gtall · · Score: 1

      Oracle Forms relies on Java in the browser. It isn't going anywhere because they use OForms as a front end to their database. Maybe if we asked really nicely, they'd rewrite OForms in something else. I've been asking them for years to put Uncle Larry out to pasture but they don't seem to listen.

    13. Re:Interesting by Anonymous Coward · · Score: 0

      Adobe acrobat got a lot better when I uninstalled it and replaced it with Sumatra PDF reader.

    14. Re:Interesting by DMUTPeregrine · · Score: 1

      I vaguely recall at least one, but it has helped. I still prefer Foxit, Sumatra, or Okular due to speed anyway.

      --
      Not a sentence!
    15. Re:Interesting by ahabswhale · · Score: 1

      It's a fair question. Java applets are similar to ActiveX plugins in that they give web apps access to system resources they would ordinarily not ever have access to, but I don't hear anyone whining about ActiveX (which can do some seriously evil shit).

      --
      Are agnostics skeptical of unicorns too?
    16. Re:Interesting by dalias · · Score: 1

      Absolute usage, or relative? Their market dominance has surely eroded, and people who know what they're doing aren't using the old clunkers anymore.

  9. Bad stewardship of Java by benjfowler · · Score: 4, Insightful

    Oracle need to be called out on what appears to be an open-and-shut case of negligence.

    Only a complete idiot would take on Java and its 600 million users without making some kind of plan for supporting it. Their approach so far has been unbelievably reckless.

    I certainly hope they don't take that attitude to Oracle Database, which is very expensive indeed, and running inside companies with lots of well paid lawyers.

    1. Re:Bad stewardship of Java by Anonymous Coward · · Score: 0

      oracle doesn't give a damn about java. all they really wanted when they bought sun was to get their paws on mysql.

    2. Re:Bad stewardship of Java by sdnoob · · Score: 2

      Perhaps the best course of action would be for Oracle to donate Java to Apache Foundation... but then, the question to ask is: would they even want it?

    3. Re:Bad stewardship of Java by Tridus · · Score: 1

      Oracle has a lot of stuff that uses Java, so I doubt their plan was "totally screw Java up so we can ditch it."

      Clearly they need to devote serious expertise to hardening it though, or just take the easy route and kill Java in the browser entirely. That's where these problems are all coming from. It wouldn't even be that hard for them, since it's basically a dying method of doing things in the browser anyway.

      --
      -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    4. Re:Bad stewardship of Java by medv4380 · · Score: 1

      Apache would probably kill to have full control over Java.

    5. Re:Bad stewardship of Java by Anonymous Coward · · Score: 0

      He's not an idiot, he's Larry "Lanai" Ellison. How complete he is, as an idiot, is still open for debate?

      Who's to say he ever had any real intention of keeping Java alive? As a profit center within Oracle, it's hardly noticeable. And so far, there's no downside to fiddling ineptly with Java since there's no competition to replace it.

    6. Re:Bad stewardship of Java by Anonymous Coward · · Score: 0

      Apache would probably kill to have full control over Java.

      IBM didn't give a shit about having full control of Java.

    7. Re:Bad stewardship of Java by Anonymous Coward · · Score: 0

      Idk that he's saying they planned to wreck it, just that they failed to consider what would be involved in not wrecking it.

      Oracle really wanted a puppy named java, then it realized it had to walk and feed its new pet and clean up the poop and take it to the vet when it gets sick and that ain't no fun, mannnnnnnnnnnnnnnn

    8. Re:Bad stewardship of Java by Anonymous Coward · · Score: 0

      That doesn't mean they would be better. Some of their projects are nice, others are crap; quality isn't constant. I think they don't have enough manpower to handle this.

  10. Dear Larry Ellison by Anonymous Coward · · Score: 1

    Since your programmers can't seem to code their way out of a wet paper bag, perhaps you should spend less time on your yacht and more time actually running your company.

    Sincerely, everyone whose time you waste with shit software.

    1. Re:Dear Larry Ellison by Anonymous Coward · · Score: 0

      You can spend hundreds of thousands of dollars with Oracle and still have to jump through hoops for even the simplest support requests. Larry Ellison is a sleazy little cunt. I'd love to have five minutes alone with him so that I could smash his fucking skull.

    2. Re:Dear Larry Ellison by Anonymous Coward · · Score: 0

      Hey billy gates, if you're going to use the same phraseology in every post and click the "Post Anonymously" on only one of them.... you're not really as anonymous as you think you are.

  11. Enough already by mark-t · · Score: 3, Funny

    While admittedly this could reasonably qualify as news for nerds, the exploits that are being discovered in Java these days are happening with such rapidity now that it truly seems like a complete waste of time and effort to report them all individually. They are so frequent now as to border on spam.

  12. Why is this so difficult? by istartedi · · Score: 1

    I'm not familiar with the architecture, so I have a hard time understanding why this is so difficult. Many C programmers including myself have written simple stack machines that have an "instruction set". It's trivial to separate safe instructions from dangerous ones.

    One instruction might be 32-bit unsigned addition that rolls over without throwing an exception. Perfectly safe, as long as you can live with the results.

    Another instruction might be "open file". Lots of opportunity for mischief there.

    So. If the code came from the 'net, you just scan the code after you've compiled it onto your VM and reject anything that has "open file" unless the user has granted permission for the software to access files.

    Sure, I'm glossing over the details; but that's the basic idea. If you have a huge library, you might have to have staff review a lot of API calls to make sure you're classifying them properly as safe or dangerous; but the fundamental idea of the sandbox itself seems really, Really, REALLY hard to mess up.

    It sounds like they have calls to a "cause the scanner to ignore dangerous functions" API scattered throughout their code, which seems highly unlikely. Library code shouldn't even know it's running after a scan, let alone have the ability to shut off the thing that scans it.

    So. I have to conclude that the sandbox architecture is something more complicated than "compile, scan for restricted system calls, run if none found"; but I have no idea what it is. Can anybody enlighten me?

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
    1. Re:Why is this so difficult? by Billly+Gates · · Score: 1

      The flaw is in the reflections. Since metadata changes immutable things like strings you can have safety but this hack goes around it and manipulates it. Get rid of that feature?

      Then you break applications and mission critical business apps. Of course from what I see they all use older versions of the language where this feature is not used but nevertheless it is the joys of supporting a large complex thing where the users have a psychotic episode if anything changes and want it frozen yet demand to get security patches.

      This is the reason many programs will not run on Windows 7 as MS had to make it secure starting with Vista. Corporate users just kept using XP and ignoring all the security issues.

    2. Re:Why is this so difficult? by Tridus · · Score: 1

      I'd surmise (since I'm nothing resembling a sandbox expert) that one of the problems is that the sandbox is built to allow a lot of those "dangerous" activities if the applet is signed and asks for permission to do them. It's not a total block.

      When the code to do it is in there somewhere, apparently there are a lot of edge cases to find ways to get to it.

      --
      -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    3. Re:Why is this so difficult? by istartedi · · Score: 1

      The flaw is in the reflections.

      OK I had to review that.

      LOL. When I was taking 100-level CS courses to get my EE and thought I was all cool because I had several years hacking with things like the C-64, I wrote some self-modifying assembly and turned it in as part of an assignment. The TA marked off for it as "too clever for its own good" or something along those lines. I was miffed at first, but saw the point after a while. I guess some people didn't.

      That said, if there's something that uses "eval" like functionality, such as a graphing calculator app then that's useful. It's not arbitrary modification of the existing code so much as it is writing new code. The loader could scan for calls to "eval", and replace them with calls to "safe_eval" which would include the scanning function.

      I don't see why that couldn't work for adding functions to a class at runtime, which is something the wiki article on reflections considers as part of the definition.

      At any rate, since you're narrowing it down to a problem with their implementation of reflections (however you define it) then it seems like they need to run some kind of audit wherein all reflective calls in their source tree are singled out and secured. Another advanced concept, "aspect oriented programming", comes to mind.

      Long story short though, it's too clever for its own good. Actually, it also makes me think of why Windows has had such a hard time on the Internet. It was designed first, then the networking was bodged on. Same deal here. Java was just imperative OO first, right? It sounds like they're trying to bodge on Lisp.

      --
      For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
    4. Re:Why is this so difficult? by barjam · · Score: 1

      You don't understand reflection evidently. Reflection is a core feature of languages such as C# and java. You simply can't get rid of it without completely redesigning the language.

      This isn't a problem with reflection as much as sloppy programming. There is zero reason why a competent development team couldn't make reflection perfectly safe.

    5. Re:Why is this so difficult? by istartedi · · Score: 1

      You don't understand reflection evidently. Reflection is a core feature of languages such as C# and java

      Let's leave specific languages out of it, and discuss reflection in language-neutral terms. AFAICT, it's a vague term that encompasses several things. 1. Reading out the names and types of data members of an object at runtime. 2. Reading out the names of function members of an object at runtime. 3. Reading out the exact *class* of that object at runtime (which would lead you back to 1 and 2, so that's redundant). 4. (the particular thing I think is dangerous if not used CAREFULLY) Adding new members (data or function) to a class at run-time.

      You simply can't get rid of it without completely redesigning the language.

      I was particularly interested in (4) above, and note that I've added CAREFULLY. There are probably a handful of use cases where you need that. In an object-oriented language you probably can't have "just a function" like you can in C, so adding some code to a class is probably the only way to implement the aforementioned graphing calculator applet.

      OTOH, I maintain that if you have something like a button class that you've been using for 10 years, it's just way too tempting for some junior developer to "solve" problems by injecting new code into it.

      This isn't a problem with reflection as much as sloppy programming. There is zero reason why a competent development team couldn't make reflection perfectly safe.

      Here you seem to be siding with those on this forum who paint the Oracle devs as incompetent. I prefer to reserve judgement. I haven't been digging through Java code. I don't know what kind of maintenance nightmare they inherited.

      Now, not to let this internet communication get too out of hand (as it looks like we're already having the f2f vs. online communication problem here) but another hair that needs to be split is "safe" vs. "sane". It might be possible to make self-modifying code "safe" from a security standpoint; but I'm doubtful about the "sanity" (for "sane", read ability to trace and debug) of it. This doubt comes from debugging C++ code where *data* has accidentally been modified at run-time. That's bad enough; but at least I knew the *code* pages weren't hit.

      --
      For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
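The sandbox model sketched in the parent post ("compile, scan for restricted system calls, run if none found") and the reflection discussion that follows it can be put side by side in a few lines. The following is an added illustration, not code from any poster nor from Java itself: a toy stack VM with a hypothetical instruction set, a static scan that rejects privileged opcodes before execution, and a second gate at the privileged operation itself. The `CALL_DYN` opcode, which resolves its target by name at run time, stands in for reflective invocation; all opcode names, the `Sandbox` class, the `"file"` permission and the sample programs are constructed for this example.

```python
from dataclasses import dataclass, field

# Hypothetical opcode -> permission it requires. Everything else is plain data
# manipulation and is always allowed.
PRIVILEGED = {"OPEN": "file"}


class SandboxViolation(Exception):
    """Raised when a program attempts a privileged operation it was not granted."""


@dataclass
class Sandbox:
    granted: set = field(default_factory=set)  # permissions the user granted

    def static_scan(self, program):
        """'Scan after compile, run if clean': reject any program that contains
        a privileged opcode the user has not granted."""
        for idx, (op, _arg) in enumerate(program):
            need = PRIVILEGED.get(op)
            if need and need not in self.granted:
                raise SandboxViolation(f"scan: instr {idx} ({op}) needs '{need}'")

    def check(self, op):
        """Runtime gate, consulted at the privileged operation itself."""
        need = PRIVILEGED.get(op)
        if need and need not in self.granted:
            raise SandboxViolation(f"runtime: {op} needs '{need}'")

    def run(self, program):
        self.static_scan(program)
        stack, opened = [], []  # 'opened' is a side-effect log, not real file I/O
        for op, arg in program:
            self._exec(op, arg, stack, opened)
        return stack, opened

    def _exec(self, op, arg, stack, opened):
        if op == "PUSH":
            stack.append(arg)
        elif op == "ADD":
            b, a = stack.pop(), stack.pop()
            stack.append((a + b) & 0xFFFFFFFF)  # 32-bit wraparound, no exception
        elif op == "OPEN":
            self.check(op)  # the gate sits at the operation, not only in the scan
            opened.append(stack.pop())
        elif op == "CALL_DYN":
            # Pop an opcode name and dispatch it by name at run time. The static
            # scan only ever saw "CALL_DYN", so a scan-only sandbox is blind here;
            # the check inside the OPEN handler is what still fires.
            self._exec(stack.pop(), None, stack, opened)
        else:
            raise ValueError(f"unknown opcode {op!r}")


def attempt(program, granted=()):
    """Run a program under a sandbox and report the outcome as plain data."""
    try:
        stack, opened = Sandbox(set(granted)).run(program)
        return ("ok", stack, opened)
    except SandboxViolation as exc:
        return ("denied", str(exc))


# Constructed sample programs.
ARITH = [("PUSH", 0xFFFFFFFF), ("PUSH", 1), ("ADD", None)]
DIRECT_OPEN = [("PUSH", "/tmp/example.txt"), ("OPEN", None)]
DYNAMIC_OPEN = [("PUSH", "/tmp/example.txt"), ("PUSH", "OPEN"), ("CALL_DYN", None)]

if __name__ == "__main__":
    for name, prog in [("ARITH", ARITH), ("DIRECT_OPEN", DIRECT_OPEN),
                       ("DYNAMIC_OPEN", DYNAMIC_OPEN)]:
        print(name, "ungranted:", attempt(prog), "granted:", attempt(prog, {"file"}))
```

`DIRECT_OPEN` is stopped by the static scan, while `DYNAMIC_OPEN` passes the scan untouched and is only stopped by the check inside the `OPEN` handler. That is the point raised upthread: once any path to a privileged operation can be reached by name at run time, the enforcement has to live at the operation (which is where Java's own applet sandbox placed it, with runtime permission checks rather than a static opcode scan), and every such path has to reach that check with the right privilege context.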
    6. Re:Why is this so difficult? by s1lverl0rd · · Score: 1

      Wouldn't mission critical business apps usually run on a server, though, and not inside a sandboxed browser plugin?

  13. Why isn't OS ACL preventing the damage? by Anonymous Coward · · Score: 0

    I understand how a sandbox vulnerability could lead to malware being installed on the machine. But that malware still has to then exploit an OS-level security hole, right? The reports make it out that somehow the Java vulnerability allows complete takeover of the machine. So I'm confused why the Win7, OSX, etc. Access Control mechanism doesn't prevent the potential damage. Or is this specifically targeting users who for example are logged in as admin on a Win box and have explicit approval of system changes via ACL disabled?

  14. If they keep this up... by mandark1967 · · Score: 4, Funny

    Adobe is gonna get jealous.

    --
    Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
    1. Re:If they keep this up... by Anonymous Coward · · Score: 0

      Adobe is gonna get jealous.

      No it's impossible. At Adobe they have real monkeys coding Acrobat and the other applications.
      As much hate as Oracle gets, they still have some competent engineers left after the great Sun exodus.

    2. Re:If they keep this up... by Anonymous Coward · · Score: 0

      +1 Hopeful Optimist

      yeah, best leave that comment unmodded.

    3. Re:If they keep this up... by antdude · · Score: 1

      Same for MS and others. ;)

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  15. Shouldn't the OS prevent the worst of the damage? by overunder · · Score: 4, Interesting

    I understand how a sandbox vulnerability could lead to malware being installed on the machine. But that malware still has to then exploit an OS-level security hole, right? The reports make it out that somehow the Java vulnerability allows complete takeover of the machine. So I'm confused why the Win7, OSX, etc. Access Control mechanism doesn't prevent the potential damage. Or is this specifically targeting users who for example are logged in as admin on a Win box and have explicit approval of system changes via ACL disabled?

  16. For cripes sake... Java Plugin != Java by diarrhea-uh-uh · · Score: 5, Insightful

    So sick of these headlines. Java is fine, it's the barely-used-these-days plugin that's the problem. I expect non-techy sites to omit that detail, but come on /. For those preaching that Java should be donated to Apache, give me a break. It's at the core of all "Enterprise Applications'" tech stack. Never gonna happen, nor should it. Best solution would be to decouple the plugin from the Java install and no longer shove it down people's throats.

    1. Re:For cripes sake... Java Plugin != Java by Anonymous Coward · · Score: 0

      Yes, thanks so much for this. Anybody ever heard of Tomcat? Java is still big on the server side. The plugin went out in like 99.

    2. Re:For cripes sake... Java Plugin != Java by Anonymous Coward · · Score: 0

      Not just the server side. 90% of apps I use on desktop today are Java.

    3. Re:For cripes sake... Java Plugin != Java by amicusNYCL · · Score: 1

      Java is fine, it's the barely-used-these-days plugin that's the problem.

      That's right, the problem is the plugin that virtually no one uses which, according to Kaspersky, is responsible for at least 50% of infections on Windows (and also gave the Mac world their first widespread trojan, Flashback). It's just a good thing so few people use it. It's not like it ships with some new computers or anything.

      I'm not suggesting that the major problems with the Java platform are anywhere other than relating to the plugin, but it's pretty disingenuous to say that no one has it. This time next year though, you might be more accurate.

      Now if you mean that there are barely any applets written to use the plugin, then you might be right. But the fact is that a lot of people do have it installed, and it's the malicious applets that people actually are writing that are the issue.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    4. Re:For cripes sake... Java Plugin != Java by afgam28 · · Score: 2

      You're confusing "have" with "use". You can have something installed that you don't use. Many people have the Java applet plugin installed, but few actually use it.

      Knowing this, try reading the gp post again and you'll see it makes perfect sense.

    5. Re:For cripes sake... Java Plugin != Java by diarrhea-uh-uh · · Score: 1

      Java is fine, it's the barely-used-these-days plugin that's the problem.

      That's right, the problem is the plugin that virtually no one uses which, according to Kaspersky, is responsible for at least 50% of infections on Windows (and also gave the Mac world their first widespread trojan, Flashback). It's just a good thing so few people use it. It's not like it ships with some new computers or anything.

      I'm not suggesting that the major problems with the Java platform are anywhere other than relating to the plugin, but it's pretty disingenuous to say that no one has it. This time next year though, you might be more accurate.

      Now if you mean that there are barely any applets written to use the plugin, then you might be right. But the fact is that a lot of people do have it installed, and it's the malicious applets that people actually are writing that are the issue.

      You just reiterated my point. It's installed by default when you install Java and should not be. Of those infected, how many actually use the browser plugin? Not many...

    6. Re:For cripes sake... Java Plugin != Java by diarrhea-uh-uh · · Score: 1

      Not just the server side. 90% of apps I use on desktop today are Java.

      90% of what you run on your computer are Java applets? I call BS.

    7. Re:For cripes sake... Java Plugin != Java by amicusNYCL · · Score: 1

      I would guess that something like WebEx is the single biggest use on the public internet. I'm not sure how many people use it. The Java installer doesn't even give you a choice about what to install, there are no options at all during installation the last time I ran through it (last July).

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    8. Re:For cripes sake... Java Plugin != Java by ahabswhale · · Score: 1

      "That's right, the problem is the plugin that virtually no one uses which, according to Kaspersky, is responsible for at least 50% of infections on Windows..."

      Do you have a source for that? Because I can't find anything to back it up other than your post.

      --
      Are agnostics skeptical of unicorns too?
    9. Re:For cripes sake... Java Plugin != Java by Anonymous Coward · · Score: 0

      Barely used, except by Oracle's customers that are still using Oracle Forms. Some years ago, Oracle created a migration path that let users run their forms in a java applet served up from Oracle's java app server. I work at a large institution which is completely dependent on this. I imagine there are others. Entire vertical applications are written in Oracle Forms that implement critical business functions.

      The reason Oracle bought Sun was their significant technological investment in Java and to a smaller extent Sun hardware; the alternative buyer could only have been IBM, a competitor.

      Of course we keep trying to get them to ditch the forms but these are the kinds of organizations that have no problem keeping 20 year old technology that costs them money rather than rock any political boats.

    10. Re:For cripes sake... Java Plugin != Java by amicusNYCL · · Score: 1

      I've looked on Kaspersky's site for any source for it, the only places I see it are on third party sites which state it but don't provide a link. I'd like to see a source for it also, the last I heard was that Java was responsible for 37% of infections, and Acrobat 32%. Now Kaspersky says (according to others) that Java is at 50%, and Acrobat at 28%.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  17. Oracle doesn't get security! by onyxruby · · Score: 2, Insightful

    I've said time and time again that Oracle doesn't get security, they just don't. They have been pulling things like this for a very long time. I never could have imagined saying this 10 years ago or so, but Oracle, you need to look at Microsoft for some pointers on handling security. Since you're probably not willing to do that, I'll spell it out for you:

    When you find out about a notable security flaw you need to have a patch ready to go within 60 days.
    Meaningful notification. The everyday hacks that run IT need to have reasonable notification of security flaws.
    Workarounds. If you can't fix it, that's fine, but give me a workaround or I'm going to start uninstalling your product.
    How does the flaw work? If you can't tell me how it works it means I have to reverse engineer it myself and this annoys me.
    The difference between theoretical flaws and something that is broken beyond saving is typically 8-10 years.
    The bad guys make a lot of money by counting on you dismissing security concerns.
    You need to make it easier to administer updates to your products.
    You need to make it easier to limit updates to your products. Why does Java 6 automatically update to 7? This is a bad, bad thing.

    From a security standpoint I can't think of anything I would wish for more than the death of Java. Every chance I have to get rid of Java I put in my two cents to do exactly that.

    1. Re:Oracle doesn't get security! by Anonymous Coward · · Score: 0

      I've said time and time again that Oracle doesn't get security, they just don't.

      And yet, Oracle would often advertise their products as "unbreakable". I don't know why they haven't been sued for false advertising (or maybe they have and I haven't heard about it).

      From a security standpoint I can't think of anything I would wish for more than the death of Java.

      Java is an abomination upon the world (particularly for security). The sooner it dies the better. Even on the server-side, I haven't seen a java application that wasn't a slow bloated POS.

    2. Re:Oracle doesn't get security! by Anonymous Coward · · Score: 0

      My first "security" experience with Oracle was in 1998, when I crashed the Ora Listener by telnet-ing into the listener port and following that with some random typing. That crashed the listener.

      So, these are IT whores and you should avoid them at all cost if you care about security. Get yourself a copy of Perl and Postgresql.

    3. Re:Oracle doesn't get security! by ahabswhale · · Score: 1

      So I guess Amazon, Mint, Netflix, and eBay are all slow, bloated POS? Yes, some of the largest websites in the world run on Java. Fucking deal with it. At minimum, don't be such a fucking pussy and state what language you think should be used by these large companies.

      --
      Are agnostics skeptical of unicorns too?
  18. Documentum in the office here... by erroneus · · Score: 1

    ... these updates and stuff are not fun.

  19. How good would you be at 'C' right now? by Anonymous Coward · · Score: 1

    Java JDK Alpha and Beta (1995). So that puts y'all at about 35, right? Just about ready for the glue factory. Don't worry. They'll come for you dot net / C Sharp burnouts in the next load. Kids are out of diapers, there's some equity in your house and the wife is unhappy, right?

    Must mean there is some new 6th generation, socially enabled, no programmers needed, wundercoding coming, along with a new silver bullet development methodology and magical management philosophy, going to pop out of nowhere in the next few months.

    1. Re:How good would you be at 'C' right now? by Anonymous Coward · · Score: 0

      With 100% certainty it will involve "functional" and "based on JVM". My guess for the name is "crapala".

  20. You're new to Oracle, I can tell. by Anonymous Coward · · Score: 0

    Oracle need to be called out on what appears to be an open-and-shut case of negligence.

    Only a complete idiot would take on Java and it's 600 million users without making some kind of plan for supporting it.

    Have you seen how Oracle supports its other products? Or more importantly, how much it charges for support for its other products?

  21. Java is not broken by zmooc · · Score: 5, Interesting

    The only thing broken here is the Java browser plugin made by Oracle, which has no use whatsoever outside of museums. Java is not broken.

    --
    0x or or snor perron?!
    1. Re:Java is not broken by amicusNYCL · · Score: 1

      The only thing broken here is the Java browser plugin made by Oracle, which has no use whatsoever outside of museums.

      It sounds like there are quite a few people getting very good use out of the plugin, actually. Not Oracle's "customers", per se, but nonetheless they obviously appear to enjoy it.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    2. Re:Java is not broken by bcrowell · · Score: 1

      The only thing broken here is the Java browser plugin made by Oracle, which has no use whatsoever outside of museums. Java is not broken.

      Plenty of people are still using java applets. I use them. They're commonly used in medicine, banking, and law offices.

      Or are you claiming that the version of the browser plugin "made by Oracle" is the only one broken? If so, could you explain what you're basing that claim on? As far as I know, groups like IcedTea use Oracle's code extensively, and all of these bugs are likely to be present in all implementations of the Java 7 applet sandbox.

    3. Re:Java is not broken by zmooc · · Score: 1

      Yes, yes, I'm aware they're commonly used in medicine, banking and law museums. Since you still use it, I suppose you work in such a museum?

      --
      0x or or snor perron?!
  22. Not until WebRTC by Krischi · · Score: 2

    No, not video conferencing, you can't. Not until WebRTC is ready.

    1. Re:Not until WebRTC by Anonymous Coward · · Score: 1

      Video conferencing is entirely possible right now. It is just a lot harder than what Java or WebRTC would provide.

      Audio + Video can be given generated streams of data, which can be requested from a constantly open data stream between client and server, and even 2 clients, or peers if you will. Do the usual timekeepery wizardry to keep things in sync (something that piece of crap Skype doesn't even do!) and you are done.

      Peer2peer in web browser has been there for a couple years now at least, in fact likely longer. I'm sure I remember reading ages ago on here that some researchers made a darknet entirely within a web browser, no software or anything needing to be installed.
      I also don't think this was one using the Pepper API, which was a more recent development. Not sure what it used again.

      I just wonder how Google and their, uh, Dart was it, will go. (either that or Go)
      It sounds promising as a language from what I heard, but given it is Google, it will die this summer.
      Unless it is being used by a bajillion people, it gets cut.
      Google are as bad as the games industry right now trying to get the "CoD audience" and ruining entire game franchises in attempting to do so.
      In fact, Google are worse. They are outright killing things because they suck at advertising SOMEHOW, DESPITE HAVING A COMPANY BUILT ENTIRELY ON ADVERTISING.
      Hearing them cry over how iGoogle can't be monetized made me almost have a damn stroke at how stupid they are.
      The damn thing we all requested for over a year, the sidebar where the chat can go, has a HUGE space underneath it where ads could go. Do the same thing Gmail does as well with those tiny little ads at the topbar. PROBLEM SOLVED.
      Sorry for that tangent, Google annoy me more than Java, Oracle and Sun combined for being so stupid in the past 5 years. A company that used to be glorious has just died internally. It kinda sucks.

  23. What patches by ArrayIndexOutOfBound · · Score: 1

    Why do you keep referring to the latest release as a patch and a bugfix? The only change was in configuration - while before you could run unsigned applets, now you can only run signed ones. No patching / clever bugfixing was involved. And in response to commenter suggesting putting Java-in-browser out of misery, the last 'patch' was designed to do just that. The only way to decently run an applet is to have it signed by expensive code signing certs.

  24. Stahp it! Please, Stahp!!! by mark-t · · Score: 1

    These Java exploit announcements are becoming too frequent.... at some point it stops being news and starts being a waste of bandwidth.

  25. TeamViewer by Anonymous Coward · · Score: 1

    Boring, reliable, Teutonic C++ code. No installation required. Get rid of WebEx.

  26. NOT correct by Anonymous Coward · · Score: 0

    By means of Macros or templates, you could do the same in a "strongly typed" language.

    Yeah, Macros are good, provided you expand them on disk for inspection, debugging and easy tracing of compiler errors.

    1. Re:NOT correct by DarkOx · · Score: 1

      Yes and no. Macros certainly make it possible to define objects that can handle any number of data types as inputs, simple or otherwise.

      What they don't give you that run time duck-typing does is to do something like create an instance of class driver, Fred. Give Fred an argument MaryLoo, an instance of class truck. Later call MaryLoo.Park() and then pass Fred an instance of car, Gina.

      In a strongly typed language macros would make it possible to create both drivers and truck_drivers; but not both with the same runtime instance. Alternatively driver might be written to accept an instance of automobile; but then both car and truck need to be children of automobile. That probably is the case in any sensible object model dealing with cars and trucks but is not always the case.

      More complex situations often leave you facing two classes of objects that don't logically make sense to be derived from a common base class; yet they do share some common functions and properties and you do want to do the same operation on them. Duck-typing lets you decide this thing I have been passed is "enough like" whatever was expected to go on.

      An insurance company might insure residences, boats and cars. Maybe a program is being written to see if users qualify for a total value discount. Depending on what else the company's libraries do with this data it may or may not make sense for these three classes to roll up to some parent. They all have a .GetLastAppraisalAmt() function. You might want to pass an array of pointers to all the customer's owned assets; all the function needs to do is get a total, it does not care about anything else. It could just check that every object it's passed has .GetLastAppraisalAmt(); if it does, fine, otherwise raise an exception.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  27. So Niiice by Anonymous Coward · · Score: 0

    ..how you Java fanbois spin it now. "Our formerly major feature is now deprecated".

    The truth is, Java was a stinking hairball laced with the bullshit of McNealy from day one. Long on marketing, extremely short on reliability, security, efficiency. A cheap language for cheap people. A vehicle to sell RAM modules.

    Grownups use something else, not including C#.

    1. Re:So Niiice by ahabswhale · · Score: 1

      Like what? I'm curious what your superior, unflawed language of choice is.

      You are also clearly not a Java developer. I can state unequivocally that Java is very fast and reliable. I won't vouch for Java applets because like 99% of all Java developers, I write server-side Java. FYI...a good portion of the web runs on Java.

      --
      Are agnostics skeptical of unicorns too?
  28. Re:Shouldn't the OS prevent the worst of the damag by Anonymous Coward · · Score: 0

    It doesn't make much of a difference that the user isn't root/Administrator, or that the exploit fails to get root/Administrator.

    The applet running as the user outside of the sandbox gives:
    * access to that user's files
    * access to other machines on the network
    * persistence - install an executable into ~/.profile on Unix-based systems or HKCU/...../Run on Windows.

    The home directory is also where Firefox and Chrome store user extensions.

  29. Re:Shouldn't the OS prevent the worst of the damag by Anonymous Coward · · Score: 0

    I don't know if MS has changed it recently, but traditionally, all users run as a member of the Administrators group which has practically full access to everything (and can certainly escalate itself to get access it wants). Even when running as a member of Power Users (and I would think very few people run below this because they can't install anything), you can cause considerable damage.

  30. Java by Anonymous Coward · · Score: 0

    It's time to go back to real life!
    C/C++

  31. Why has this taken so long? by Anonymous Coward · · Score: 0

    Why has it taken so long for people to realize the java plugin is one of the biggest gateways to malware. I've seen more people get malware via the java updater than flash. There is no need for a java client side plugin. Java is good for the server side stuff. No one even uses it for client side anymore. Get rid of it. When was the last time any of you had a need for some client side java applet in your browser? Maybe for some old legacy enterprise junk.

  32. Re:Shouldn't the OS prevent the worst of the damag by Anonymous Coward · · Score: 0

    The reports make it out that somehow the Java vulnerability allow complete take over of the machine

    That does not happen. The browser runs with user rights which means it can do anything a user can do. Since you do not want a web site to read your local documents the browser does not offer this functionality in its javascript API; java itself however offers this as part of its standard API so it needs an additional sandbox when run in the browser. The exploits first bypass this sandbox and then disable it to run whatever malware they want.

    Difference:

    Sandboxed: can read/write user selected files (using the java file dialog) and connect to its originating server

    Not sandboxed: can read/write arbitrary files, start programs and connect to any server (basically limited to what the user can do)
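    The two modes the post contrasts come down to whether a SecurityManager is installed and what the policy grants. As an added illustration that is not from the thread, this small Java program attempts the same file read with and without the default SecurityManager; it assumes a Java 7/8 era JRE, the default java.policy with no extra grants, and a Unix path such as /etc/hosts.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.AccessControlException;

// Constructed demo: one read attempt outside and one inside the
// permission checks that the applet sandbox relies on. Assumes a
// Java 7/8 era JRE with the default security policy (no extra grants).
public class SandboxDemo {

    // Returns "read" if the file could be opened, "denied" if the
    // SecurityManager refused, or "io-error" for a missing file.
    static String tryRead(String path) {
        try (FileInputStream in = new FileInputStream(path)) {
            return "read";
        } catch (AccessControlException e) {
            // Raised by the FilePermission check inside FileInputStream
            return "denied";
        } catch (IOException e) {
            return "io-error";
        }
    }

    public static void main(String[] args) {
        // Any file outside this program's own codebase directory will do
        String path = args.length > 0 ? args[0] : "/etc/hosts";

        // No SecurityManager: plain user rights, the file is readable
        System.out.println("no sandbox : " + tryRead(path));

        // Install the default SecurityManager. The default policy grants
        // untrusted code only a handful of harmless permissions, so the
        // same read is refused with
        // "access denied (java.io.FilePermission /etc/hosts read)".
        System.setSecurityManager(new SecurityManager());
        System.out.println("sandboxed  : " + tryRead(path));
    }
}
```

    The second attempt reporting "denied" is the check a sandbox bypass has to get around before it can switch the manager off, which is why the post treats "disable the sandbox" as the step that turns an applet into ordinary user-level code.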

  33. Re:Shouldn't the OS prevent the worst of the damag by Anonymous Coward · · Score: 0

    I think the issue is that on single-user/family machines all the personal data is accessible to the user anyway. Malware can have itself start up when the user logs in and access address lists, obtain passwords and so on. For many users an infection of their user space will be indistinguishable from an infection of their OS, and as many won't understand the distinction even when it's explained to them it appears news media, including those focusing on IT, don't seem to bother to make it anymore. Sad, really.

    Other inaccuracies: Java Plugin != Java (as already pointed out), and Java is talked about as if only one implementation exists. The OMG Java is Bad type of "news" never seems to mention OpenJDK+Icedtea-plugin as an alternative. As a consequence I'm not sure how vulnerable that combination is (and I never went through the trouble to find out because the only applet important to me crashes Iceweasel when I use that anyway).

  34. Oracle thinks of it as an opportunity by amoeba1911 · · Score: 1

    to ask people to install ask.com toolbar when they carelessly go through the update. Every idiot I know has ask.com toolbar installed, they have no idea how they got it or what it does, and they don't understand that it redirects their searches to their own shitty web site. It's disgusting, and it's disgusting that Oracle benefits from this.

    1. Re:Oracle thinks of it as an opportunity by museumpeace · · Score: 1

      OK, I am an idiot. PLEASE show me how to dig that piece of crap out of my browser.

      --
      SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
    2. Re:Oracle thinks of it as an opportunity by gbjbaanb · · Score: 1

      Oracle tells you how (scroll down)

  35. funny, Norton just told me it was safe by museumpeace · · Score: 1
    They notified customers last night:

    Rest assured, because you have a Norton security software product installed on your computer, you’re protected against the Java bug (CVE-2013-0422), as long as you have not disabled the automatic updates feature. We also recommend that you apply Oracle’s recently released security patch and make sure you are running the most updated version of Java. Thank you for being a valued Norton customer.

    I am so glad I have protection.

    --
    SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
  36. BT90 by Anonymous Coward · · Score: 0

    Release it as OpenSource and let some smarter people do the job.
    They already f*cked up OpenOffice and MySQL so both had to be forked - resulting in LibreOffice and MariaDB.
    Not to mention this Oracle Vs Android thingy....

    How incompetent can a single company be?

  37. hackable equilibrium? by ILongForDarkness · · Score: 1

    My work has group policy that removed all Java from everyone's computers. We still didn't get it back so it seems that our IT is cautious enough that they didn't jump on the first patch they saw as an opportunity to give everyone their Java back.

    But the quickness of the exploit poses a question to my mind: how much can hackers exploit a system before people just stop using the system? Especially with things like programming languages/frameworks chances are there is an equivalent solution to your problem that runs on a different framework. So how vulnerable can something like Java be before everyone just stops using it to develop their software? I think there must be some sort of equilibrium point where you can hack the system but not so frequently that people completely give up on it.

  38. All these updates by Anonymous Coward · · Score: 0

    They're trying to figure out a better way to get that Ask toolbar installed. I know it.

  39. Ditch the plugin... by the.emmef · · Score: 1

    Please don't yell on Java but instead yell on the plugin builders and browsers' handling of plugins. Browser application/native plugins are obsolete and inherently unsafe. If a company cannot come up with a decent JavaScript/HTML5 site, preferrably working over SSL, the site is not trustworthy and should not be visited. Java is a very stable and excellent performing language for real applications and specifically server applications. Though Oracle is wokring hard to alienate the Java world...