Oracle Responds To Java Security Critics With Massive 50 Flaw Patch Update
darthcamaro writes "Oracle has been slammed a lot in recent months about its lackluster handling of Java security. Now Oracle is responding as strongly as it can with one of the largest Java security updates in history. 50 flaws in total with the vast majority carrying the highest-possible CVSS score of 10."
Now please start working on an ARM version for my Surface RT.
Fifty whole flaws... Wow... (Dripping sarcasm intended)
The knee-jerk reaction of getting the patches for Java out now following public criticism is not going to make up for their previous apparent disinterest in supporting the platform. The damage they have done to the reputation of Java is incalculable, and I for one as a C++ programmer thank them for it!
Supercop Oracle: I caught 50 powerful top grade thieves in my neighbourhood!! I am great!!!!
Ordinary cop: Why did you allow 50 scoundrels in the first place?
If you keep throwing chairs, one day you'll break windows....
I'm not sure how I feel about this;
1. Good. It's awesome that Oracle are finally taking notice of java security issues and doing something positive.
2. Bad. That's a lot of CVSS2.0 score 10 bugs they've been letting slide.
3. Confused. How many more are there?
Wait.. two months early. This still has to be a joke, right?
I know Oracle didn't write Java to begin with but they sure had a hard-on to acquire it, presumably to soak up profits by wedging themselves into yet more enterprise services. I'd like them to take ownership of this issue and really hammer out these nasty problems. I know it's just the client side JVM-plugin-whatever but Oracle's behavior isn't really making me want to go out and seek other Oracle products.
And fuck, if I can't escape this piece of software at work. I've got client applications, and web applications that we rely on that absolutely require the full fat Oracle JVM. I'd love to disable the plugin or do away with it altogether but I can't.
For that matter, deploying this supposedly enterprise piece of software is a massive pain in the ass. If you want to deploy it like usual (published through AD) you've got to open the installer EXE, go to your temp folder to copy out the .msi, then use an .msi editor to create an .msp file to disable the really annoying and awful Java auto-updater. (The auto-updater requires admin privs to install, and it will trigger on its own without user intervention. It's really annoying to end users to have a UAC prompt pop up randomly out of nowhere when they're working.)
Oh yeah, and if you run the exe manually to install? Make sure you uncheck the yahoo toolbar! And this is supposed to be business software?
I like the way it took a Federal agency (DHS) to recommend deinstalling Java before Oracle did anything.
I think the Fed recommendation stands. Stop using Java.
timothy fail English? That's unpossible!
We're required to maintain the 1.6 line and so have disabled the auto update, as it constantly tries to upgrade to 1.7. So, in order to get the patch, do we turn on update to install the update and turn it off immediately, or will it go straight to seven again, forcing me to uninstall and reinstall the updated version?
Didn't they sue Microsoft for copying Java, and then sued again because Microsoft were unable to produce security updates because of the first lawsuit?
Well the same thing should apply to them due to THEIR poor security track record.
It doesn't matter how many patches they make, they are completely ineffective because it requires user intervention to update, which most users don't understand. They also force third party products by default with security updates, which makes IT people not want to teach users to update.
Better to uninstall Java and be happy, unless you REALLY need it.
...150+ new security flaws added
Ask IBM.
Substantial portions (>80%) of Watson are written in Java.
The remainder is C++ and, of all things, Prolog.
File under 'M' for 'Manic ranting'
Would it kill you idiots to post a direct link to the update in a story that is about nothing *but* the update?
http://www.oracle.com/technetwork/java/javase/downloads/index.html
Does another patch change the fact that Java runs slower than new programming languages like Nimrod [nimrod-code.org], which let developers accomplish the same tasks in far less code?
There's a new latest greatest language every 6 months. Customers don't like to re-write their platforms every 6 months when language X goes out of favor and they can't hire people to maintain their code or get updates for the runtime / tools.
Do you think it's possible that Nimrod also has security flaws, but they haven't been exposed? Consider the usage of Java vs. Nimrod and therefore the interest of hackers in finding the security flaws.
There are probably 500 unaddressed.. you know...
Oracle's you know... rearranging the deck chairs on the Titanic. plugging a few of the small leaks here in there. Doesn't mean the ship is saved:)
Recall Cisco just released this big 2013 annual security report the other day, showing Java exploit as a #1 infection vector for malware.... :)
I like the *idea* of java.... but I don't like java.
It has been my experience, even way back when the JVM was owned by SUN, and when MS tried their crazy IE only "not really a real JVM but we say it is!" Bull--- that the JVM was a festering turd, that was slow, carried around a lot of baggage, and was a vector through which malicious programs could be executed in secret due to its bugs.
Granted, that is just an anecdote. So, here's some old, tinned bugs from days of yore... clicky.
As far as I can tell, Java has always been a very attractive target for malefactors who want to run malicious executable code on remote systems, because the innate abstraction provided by the JVM makes it an ideal incubator for that malware. As such, malefactors have consistently looked for, found, and exploited holes in Java to accomplish their nefarious tasks, despite the JVM dev team's best efforts.
In short, Java has always been a security risk. The question I have always asked myself is if the benefits of that security risk outweigh the benefits. So far, my answer has always been "no" when it comes to desktop computing. For the originally intended ecosystem that Java was made for (things like portable computers, set top boxes, and custom computing devices) Java is a godsend that makes development time get spent more efficiently. For a mostly monolithic desktop hardware space, Java doesn't make nearly as much sense, and carries with it a very large attack surface.
In short, I would rather do without your software, than expose myself to java's attack surface, if you refuse to write your software in a properly portable fashion, and choose to rely exclusively on the JVM.
If you need cross platform support, use cross platform libraries, and compile platform appropriate executables from your codebase. Maintaining platform agnosticism through writing exclusively portable code will force you to write better code anyway.
Leave Java in the ecosystem it belongs in: one off hardware implementations, novelty devices, and low power computing platforms. Bringing Java kicking and screaming to the desktop ecosystem makes it too big of a target for malefactors, and only exposes your own unwillingness to practice best practices when writing your software.
Wow! It shows how bad things are getting on the Java security front when even Oracle start taking notice of the problem!
The remainder is C++ and, of all things, Prolog.
Prolog is actually very appropriate.
I remember those halcyon days when Java had just emerged, acorn like if you will, from Oak. It promised a brave new world of write once, run anywhere programming that was to usher in a wonderful alternative to all that dangerous mucking about with C++ and flatten the disparate paradigms of software development from Microsoft, Apple and others. I went to trade shows and conferences with like minded souls all excited about this Next Big Thing. Hell, I even bought books and marvelled how easy it was to get Duke to cartwheel on any OS with a JVM.
Then it all went to shit with internecine wars and disparate implementations.
But it didn't stop there. It then carved out of the psyches of beleaguered programmers the world over a new level of hell just for itself.
Adieu. At least it was fun in the beginning.
"Wait. Something's happening. It's opening up! My God, it's full of apricots!"
I wonder how many are still open after this publicity stunt and how many they did patch badly (as before), but now the attackers know what to look at.
Let's face it: Java is a mess. Use in anything but protected environment where the Java code and runtime cannot be attacked is highly unprofessional and borders on gross negligence.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
My remark suggesting that I am surprised by their use of Prolog is not because I felt that the language choice was inappropriate... quite the opposite, in fact. My remark was more because I previously hadn't really heard of anything practical that used Prolog for quite a number of years (not since the 20th century, in fact).... and as far as I knew, it had long since seemed to slip into obscurity. I was just a bit surprised to read that parts of Watson had actually been developed with it.
File under 'M' for 'Manic ranting'
Ask IBM.
Substantial portions (>80%) of Watson are written in Java.
The remainder is C++ and, of all things, Prolog.
I did LISP and Prolog programming as a college research assistant in automatic and fault-tolerant programming techniques, back in the mid '80s. Both languages are awesome. A/C responder is correct, Prolog is appropriate for Watson.
It must have been something you assimilated. . . .
You'll find hundreds and hundreds of security patches with more being released every Tuesday. If you really want to see a leaky sieve of an OS look no farther than Windows.
And if IBM jumped off a bridge, would you do the same?
A lot of corporate software is written in technologies the company has a stake in, or because of skillset momentum. IBM is a very rigid place, and it's also huge. It can throw a lot of money at some projects, but that doesn't mean they're ideally designed. I'm surprised Watson's coccyx isn't written in COBOL...
--libman
unpatched hole for you to get screwed through.
It's so shot full of security problems that it's virtually a malware writing language. The promised code reuse. Code reuse? 30% of Java programmer time is spent maintaining legacy code because of changes in the language and libraries. Single framework. That's a laugh. It's so shot full of security holes it's virtually a malware writing language. Write once, run everywhere? What a laugh. 99.9% of the stuff on the web is Javascript. Performance? It stinks. Period. C++ is better and Linus Torvalds says "C++ is a horrible language." Java is C++--.
Poster said they don't know why anyone would use Java. I wasn't advocating it... I was just pointing out that they do, and if the poster does not know why, perhaps he should ask someone who does.
File under 'M' for 'Manic ranting'
I was specifically criticizing Java for things other than security.
First of all, it's not genuinely free software. A freer alternative implementation, Apache Harmony, was killed off by patents. Why marry a language when there are limits, both practical and theoretical, to what you can do with it? Some of Java's security problems are directly related to Java's relative closedness and bad will with the hacker community.
Secondly, it fails both as a high-productivity language and as a high-performance / systems language. People could always build better software more productively by using a scripting language like Python or Ruby, and then rewriting performance-critical modules in C. Unfortunately Ousterhout's Dichotomy never caught on in large bureaucracies, the excuse being that they wanted one language for a balance of productivity and performance, which, with enough statistical torture, Java could be shown to be. Until recently.
Many things have changed in the last decade to make real (compiled to machine code) programming languages competitive with bytecode VM's: better platform-independent build tools, faster compilers (plus network distributed compiling), sandboxing / OS-level virtualization, etc. We've had languages like D, Go, and now Rust that would offer better productivity than Java, and should in theory eventually come closer to the performance of C. (Haskell sucks.) And the language that in my opinion currently does the best job, both in terms of syntax and performance, is Nimrod.
--libman
50 makes ten more.....
Oracle is really doing its best to kill Java. For them to even *THINK* auto-uninstalling 1.6 is a good idea at this point in time is like the Titanic's crew chopping holes in their lifeboats upon seeing the iceberg...
How do you know Oracle wasn't working on the bugs before? They could simply be really slow. It wouldn't be the first time.
If you are installing Java 7, why would you need to keep 6? Do you have an example of something that works with 6 but not 7?
How is it different from IE8 requiring that you uninstall IE7?
Go green: turn off your refrigerator.
Look how many easily patched vulnerabilities I've been sitting on, and I did them all at once now that you're paying attention. Aren't I a big boy?
fix those vulnerabilities before someone installs a toolbar you don't want... oh wait. nevermind.
Because it's easier than brainfuck?
Good leaders run toward problems, bad leaders hide from them.
I like how they call them CPU fixes.
Keep in mind that stands for Cumulative Patch Update... although I can't deny they might like that confusion sometimes.
Nimrod is fucking ugly as shit. I'd rather use Java any day.
Are agnostics skeptical of unicorns too?
On what screwed up platform is this?
Seriously, I have 1.6.0_39 and 1.7.0_13 happily running together on all the platforms that I'm responsible for (Linux, Windows, UNIX of various flavors).
This patch was rather important in that there are some server side security issues being patched as well as browser plugin issues.
I'm seeing all of this hate, but you know what, I just don't get it. Software of any complexity has bugs. Microsoft used to be the champion of security exploits. Now it's Java. And lest anyone forget, there are myriads of PHP / Ruby / Python security bugs that allow systems to be exploited. I'm not even sure that there's a secure Ruby on Rails platform at this point, for example. I don't know for certain about Ruby, since the only Ruby platform I have right now is for Redmine.
I guess though everyone likes the Faux News mentality of computer security reporting. It garners page clicks, makes people feel important and is a lot easier than actually doing any work. It's like the hit piece someone at InfoWorld did on a Spring Framework bug that could possibly be exploited (albeit not very easily). The sensationalist piece completely overlooked the fact that the issue had been addressed over a year ago. The "journalist" at InfoWorld was too busy jumping on the "all things Java are evil and insecure" bandwagon to do the tiny bit of research needed to write intelligently about the problem . . .
Just like people are now doing about the current issue . . .
My favorite comment so far has been along the following lines
Sure, they may have fixed these security flaws, but there's no guarantee that this will fix future security flaws. It's better that you just go ahead and uninstall Java now.
Sure, [insert-least-favorite-software-of-the-day] may be patched now, but will it remain patched?
I thought at least professionals were a bit more intelligent than this. I guess not.
I hope you support all of the DHS protocols like frisking 90 year old ladies with colostomy bags at the airport.
Are agnostics skeptical of unicorns too?
Majority : noun : 3. a number or percentage equaling more than half of a total.
Of the 50 flaws on the list, 26 carry the CVSS 10.0 score, which is the lowest number that qualifies as a majority. The only way that qualifies as a "vast majority" is if one of the vulnerabilities caused "vast" to be set to null.
Right now I have some software that will not build in Java 7. The developers decided to use some Sun-proprietary APIs that no longer exist in 7. There were big warnings about this when the code was built using JRE/JDK 6, as well as warnings all over the Javadocs. However, these developers knew better. Now the code won't build in Java 7 until the dependency on these proprietary APIs is replaced. It will run just fine on Java 7, but you cannot do maintenance on the code using Java 7 until the code is fixed.
Java browser, eh?
Have you heard about SoylentNews?
I am an enormous tool, and should stop signing my posts if I'm not going to bother logging in.
Why? Because assholes like me can do... this.
--libman
You'd have to be a nimrod to use Nimrod?
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
The Book is wrong. Everywhere else 's means ownership, so fuck that stupid-ass rule.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
OpenJDK under the GPL ain't free enough for you? You suggest Harmony was 'freer', with reference to some obscure website that rejects the Apache license as well. Hmmm.
It stands for Critical Patch Update.
And Oracle seems to be gradually renaming it to Security Patch Update (SPU), which will inevitably cause confusion with their Patchset Update (PSU).
We write an applet based trading platform, and due to the API adding a method with a name we were already using, we had to re-engineer heaps of our code (along with other Java issues). For them to just totally discontinue Java 6 as soon as Java 7 came out (while it still had heaps of bugs) was a stupid mistake.
Didn't Microsoft do the same thing a couple of years ago... Waited until the government told us we shouldn't have Windows computers connected to the Internet before they finally fixed several major security holes in IE?
I am currently a systems architect, and work on making flexible systems. I know this is a bit far afield, but on the Windows 7 I'm working on, I have both JRE 6 and JRE 7 installed. I can convince my system to switch back and forth at will by fiddling with the Java Control Panels (for the browser) and some environment variables (PATH, JRE_HOME, JAVA_HOME) for the actual Java. This seems to satisfy the browsers, my IDEs, Tomcat, Glassfish, and some random desktop applications I have. I don't know how this would impact your system.
In fact, life on this particular machine is more complicated than that. It seems that even though I'm running a 64 bit system, at least 2 of my browsers are 32 bit. Thus, I have four JREs and two JDKs installed. Swapping around to the right one is a bit of a pain, but possible. I just have to find the right Java Control Panel, run it as Administrator, and I can switch things around.
However, at no point in all of these installs did the Java installer prompt me to uninstall a different version. True, I can no longer easily run multiple versions of JRE 6 or JRE 7 (without changing the target directory), but I normally don't do that. I used to do that with JRE 5.
Granted, doing all of this requires administrator privileges, and is much more cumbersome than it is on Linux, but it appears to be possible. Without knowing more about the particulars of your environment, it's hard to say why the Java installer is prompting you to uninstall JRE 6. Again, I've never seen that behavior, with the possible exception of installing on Linux via an RPM. I believe even in that environment you have the option of choosing which Java platform to use via the alternatives command. However, I tend to install Java by hand on Linux (for a small number of systems) and by custom script (for a large number of systems). I've found the alternatives system to be somewhat incomplete in maintaining multiple JDK/JRE combinations for development and testing.
Your mileage may vary of course. This just works for the systems I'm responsible for.
Oh, and as for hard-coding stuff. You have my condolences. I suggest finding the developer, and assigning him or her remedial system administrator / help desk duty for the rest of his / her career. I'm only being just a bit hyperbolic here . . .
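An added check to go with the side-by-side JRE setup described in this post (example code, not from any poster here): it lists every java.exe under the usual install roots, reports which one a plain `java` and JAVA_HOME actually resolve to, and flags installs below the 1.6.0_39 / 1.7.0_13 builds mentioned earlier in the thread. The install roots in $Roots are an assumption; adjust them for your site.

```powershell
# Added example: audit which of several installed JREs/JDKs is really active,
# and whether each one is at or above the patched builds quoted in the thread.
# Assumption: installs live under the default Program Files roots (32- and 64-bit).
$Roots   = @("$env:ProgramFiles\Java", "${env:ProgramFiles(x86)}\Java")
$Patched = @{ '1.6' = 39; '1.7' = 13 }   # 1.6.0_39 and 1.7.0_13 from the thread

function Get-JavaVersion([string]$JavaExe) {
    # 'java -version' writes to stderr; merge streams and parse e.g. version "1.7.0_13"
    $out = (& $JavaExe -version 2>&1) | Out-String
    if ($out -match 'version "(\d+\.\d+)\.\d+_(\d+)"') {
        return [pscustomobject]@{ Line = $Matches[1]; Update = [int]$Matches[2] }
    }
    return $null
}

function Test-Patched($Version) {
    # Unparseable or unknown lines (e.g. a leftover 1.5) count as NOT patched.
    if ($null -eq $Version -or -not $Patched.ContainsKey($Version.Line)) { return $false }
    return $Version.Update -ge $Patched[$Version.Line]
}

function Format-JavaVersion($Version) {
    if ($null -eq $Version) { return 'unknown' }
    return "$($Version.Line).0_$($Version.Update)"
}

# 1. Every java.exe under the install roots (covers 32/64-bit JREs and JDKs alike).
$installs = foreach ($root in $Roots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($dir in Get-ChildItem $root -Directory) {
        $exe = Join-Path $dir.FullName 'bin\java.exe'
        if (Test-Path $exe) {
            $v = Get-JavaVersion $exe
            [pscustomobject]@{
                Path    = $exe
                Version = Format-JavaVersion $v
                Patched = Test-Patched $v
            }
        }
    }
}
$installs | Format-Table -AutoSize

# 2. What a bare 'java' on PATH and JAVA_HOME actually point at; these decide what
#    Tomcat, the IDEs and desktop apps from the post really run.
$onPath = Get-Command java -ErrorAction SilentlyContinue
if ($onPath) {
    $v = Get-JavaVersion $onPath.Path
    "Active on PATH : $($onPath.Path) ($(Format-JavaVersion $v)) patched=$(Test-Patched $v)"
} else {
    'Active on PATH : none'
}
"JAVA_HOME      : $($env:JAVA_HOME)"
```

Run it once before and once after flipping the Control Panel or environment variables, so the switch you think you made is the one the tools actually see.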
Use in anything but protected environment
I realize you are using an idiomatic phrase, but I think you're using it wrong, and (based on context) just expressed the opposite of what you meant to express.
"The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
Obligatory-
http://www.youtube.com/watch?v=i2fhNVQPb5I
It's a perfectly cromulent word.
I think I use it right: If Java does the protection, then it is a protection environment. If there is a perimeter around it implemented by some other technology, then it is a protected environment. There are also trusted environments, and in those you rely on nothing bad happening, but do not necessarily have mechanisms to ensure it.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
This whole thing about Java being the issue annoys me - if you take a broader look at the whole ecosystem.
Take a look at no more than 2 weeks ago with CVE-2012-4414 for example...
This is a MySQL security bug where any authorised DB user can arbitrarily inject SQL in the binlog used for replication...
For those that don't know, Oracle has recently (over the past year) moved the majority of their bugs database internal only, so that inhibits discussions for a start, and on top of that they no longer publish test cases for fixes ... it looks like they might be going into an internal/tests directory but that isn't provided in the GPL tarball they provide.
However the curiousness doesn't stop there - if they are still writing test cases for code as opposed to just changing stuff willy-nilly, they don't seem to be writing them very well.
When the Percona guys were merging from the upstream code they used the test case that the MariaDB team put together for this CVE - since there is no test provided by Oracle as previously mentioned.
They naturally expected the test to be fine seeing as Oracle claimed the CVE was fixed in 5.5.29 but shock horror it failed.
They ended up merging the MariaDB fix instead.
Given that, what makes you think you know what the rest of the code is *really* like, and why that Java fix recently introduced a new bug, and so on...
Ah well, in the meantime FESCO has accepted the proposal to replace MySQL with MariaDB in Fedora 19, which is something that Oracle weren't too pleased with...
That Oracle response was prior to the FESCO vote by the way - time to get the popcorn methinks!
The Book is wrong. Everywhere else 's means ownership, so fuck that stupid-ass rule.
he's? she's?
Excuse me, wtf r u doin?
So, you've found and patched 50 critical security flaws with a single patch. What that says to me is that there is a failure to audit code for security on an epic scale within your company, and that I won't be trusting ANY software from you until it has been proven secure for several months/years in the marketplace.
With the advent of x86/x64 or ARM everywhere, it is probably easier to write portable native code (2 architectures) than cater to the many JVM versions out there anyhow.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
I kinda disagree. There aren't "myriads" of PHP (well not so much any more) / Ruby / Python security bugs in the core language implementations allowing systems to be exploited.
The common problems in PHP and Ruby these days are in things written IN those languages rather than the languages themselves. And in the Ruby world it is really only Rails that is having regular problems. Rails is a bit "special" like that. And generally the Python world seems relatively safe overall.
This is very different to Oracle/Sun's Java implementation where the core language/platform itself is the source of a lot of nasty problems. And like those other languages you still need to look out for the apps as well. Not a good look for a platform built around a security sandbox.
Java doesn't get to outdo Flash or PDFs as the number one malware vector for nothing.
At work because IT is outsourced. This lame big ass IT provider says it cannot update or stuff will break. They probably still did not spot that Java control panel thingy in Windows and have no idea about putting the right Java in the working path...
Sent tons of complaints to them, our "CSO" and management about security implications but get ignored. I have told my manager I refuse to take responsibility if I get owned, and covered my own ass by sending him an email about this, just to have it recorded. BTW, I am the only developer/tester of the company I work at, responsible for keeping an eye on outsourced code mucus and thus have no fellow geeks around to support me.
-sigh-
KERNEL PANIC -SIGFAULT AT ADDRESS #51A54D07
"Nimrod combines Lisp's power with Python's readability and C's performance."
if that is how they decide to advertise themselves.
and from the main page you should see that it's not a replacement for Java. for pascal - yes.
world was created 5 seconds before this post as it is.
The bugs fixed in the Oracle JRE are most probably also present (and have also been fixed) in the OpenJDK version, which is GPL-licensed. I don't know what all the Oracle bashing is all about. That's almost like blaming Red Hat every time a bug is found in a Linux device driver.
Java is a popular platform, and it is also a big platform. There will always be bugs, just like in every large piece of software. It has become a critical piece of infrastructure for many businesses. Being popular makes it a preferred target for attackers.
It is very cheap to put the blame on Oracle just at the time they're releasing bug fixes. But we shouldn't forget that they are not the only ones making profit from Java. And instead of crying for alternatives (which are probably less stable and have more undiscovered security holes), we shouldn't forget that most of Java is Open Source and that the Open Source community can actually work on fixing the problems.
You'll find hundreds and hundreds of security patches with more being released every Tuesday. If you really want to see a leaky sieve of an OS look no farther than Windows.
Patch Tuesday is not "every Tuesday". It's the second Tuesday of every month, i.e. 12 Tuesdays per year as opposed to 52 as you claim.
Patches are not just security patches, they also include stability patches, compatibility patches, language updates and more.
Comparing Java to a full operating system is a little disingenuous too.
If you must compare to something then you should compare Java to .NET Framework. But I wouldn't recommend you doing that if you like Java.
Java has consistently had many times more security problems than .NET Framework, even if you compare just the JRE with the *full* .NET Framework (which includes enterprise features comparable to what you get with *both* JSE + JEE).
Java SE 7 (released 2011-07-28): 88+50 (adding these latest vulns) = 168 vulnerabilities (source: http://secunia.com/advisories/product/37734/)
.NET 4 (released 2010-04-12): 31 vulnerabilities (source: http://secunia.com/advisories/product/29592/)
If you take the availability period into account (vulnerabilities do seem to be discovered continuously):
Java SE 7 has on average experienced 110 vulnerabilities per year. .NET Framework 4 has on average experienced 11 vulnerabilities per year.
That is ten times more vulnerabilities in a Java base class library which does not even cover the same functionality as the .NET Framework does.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
Does one of those patches s/GPL/BSD/g and release all the patents?
You are joking right? Sun open sourced Java under the GPL in 2006. Most Java bashers on slashdot seem to ignore that.
"I think this line is mostly filler"
Imagine how the platform would flourish once again if Google owned and developed Java.
1. Yes, 50 vulnerabilities were fixed but some were JavaFX, not the JRE.
2. And yes, a lot were 10s, but because Oracle refuses to give out complete information about the vulnerabilities. If it did, many would score lower.
It's bad, very bad, but not as bad as the summary portrays.
It is not quite like replacing your browser. Oracle decided to remove hundreds of APIs, rename hundreds and cause weird incompatibilities with even more. They have always had the mentality of "Build your app for Java 1.X, and upgrade your app to run on Java 1.x+1" Backward compatibility has not been in their dictionary. They even break compatibility between updates and sub-major versions.
It would be like if IE8 dropped support for the because
is better. Sure, that's fine for new sites/apps, but what about the hundreds of existing stuff out there that takes a LONG time to get an upgrade ("enterprise stuff") or stuff that wont get upgraded because the dev is no longer there, doesn't care, wont get paid to upgrade it.
Let's face it: C++ is a mess. Use in anything but protected environment where the C++ code and runtime cannot be attacked is highly unprofessional and borders on gross negligence.
See what I did there?
Every computing language has flaws. Why? Because as of this moment we have no way to test every single possible logical outcome of program execution. There is always some edge case that is missed, some bug that goes undetected, etc. People still find exploits in C libraries and they've been around for decades.
~X~
What APIs have been dropped? You know you are not supposed to use anything under "com.sun", right?
Go green: turn off your refrigerator.
Microsoft actually responded to recommendations from a more powerful yet crueler entity than the Department of Homeland Security.
Gartner.
If your children ever found out how lame you are, they'd murder you in your sleep
I would like to add, Watson ran on POWER during Jeopardy and hence runs on IBM's J9 JVM. I don't have any proof that it runs on other architectures, but I'm guessing it can.
Why is Oracle still pushing the shitty Ask.com toolbar with every single Java update? Ask.com (not to mention shitware toolbars in general) is something my mom used in the mid-2000s.
Stop using the browser plugin, not Java itself.
What is the Applet sandbox plugin if it isn't a piece of software written in ? This plugin is a relic of the dot com boom. It should have been made a separately downloadable and installable product a long time ago so it would not even get accidentally installed by most.
The problem has been the Applet system is not popular enough to generate enough attention to have a complete security audit/rewrite and historically it has been rammed down every JRE installer's throat (often without their knowledge). With no simple way to disable it and with it reactivating itself at every future update (yes, something has been done to address this only very recently).
As for problems with the Java "language" or the "JVM" I don't see it. Disconnect it from the browser and none of the remaining issues would warrant attention from technical forums.
I think unfortunately because of the way Java tries to brand itself as a single uniform environment many non-Java users and technical people who think they understand it really don't. They fail to separate the many facets of the platform from each other which results in comments like the GP has made.
Java brand != Java language != Java VM != Java applet plugin
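An added example, written for this page and not taken from any poster in the thread or from Oracle: a minimal JVM sandbox built from the standard SecurityManager and a custom Policy, to show that the sandbox the applet plugin relies on is a feature of the VM itself, not of the browser plugin. The class names, the temp-file prefix and the .bashrc target path are my own choices (the target need not exist; the check fires before the filesystem is touched). The policy grants only read access beneath java.io.tmpdir plus the permission to remove the manager again so the demo can clean up. It runs unchanged on JDK 8 to 17; JDK 18 through 23 need -Djava.security.manager=allow on the command line, and JDK 24 permanently disabled the SecurityManager (JEP 486).

```java
import java.io.File;
import java.io.FilePermission;
import java.io.IOException;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;

/**
 * Added demo (not from the thread): the Java sandbox is a JVM feature,
 * SecurityManager + Policy, independent of the browser applet plugin.
 * JDK 8-17 run it as is; JDK 18-23 need -Djava.security.manager=allow;
 * JDK 24 permanently disabled the SecurityManager.
 */
public class SandboxDemo {

    /** Grants read access below one directory, plus the right to remove the manager again. */
    static final class ReadOnlyDirPolicy extends Policy {
        private final FilePermission readBelowDir;
        private final Permission teardown = new RuntimePermission("setSecurityManager");

        ReadOnlyDirPolicy(File dir) {
            // "dir/-" is FilePermission syntax for "dir and everything beneath it, recursively".
            this.readBelowDir = new FilePermission(new File(dir, "-").getPath(), "read");
        }

        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            // Deny by default: anything not listed here fails with AccessControlException,
            // including things like reading system properties or opening sockets.
            return readBelowDir.implies(permission) || teardown.implies(permission);
        }
    }

    /** Runs a read-access check on the target and reports whether the policy allowed it. */
    static String probe(File target) {
        try {
            target.canRead(); // triggers SecurityManager.checkRead(path) before any I/O happens
            return "ALLOWED " + target;
        } catch (SecurityException e) { // AccessControlException is a SecurityException
            return "DENIED  " + target + " (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws IOException {
        // Do all setup that needs privileges BEFORE the manager is installed;
        // afterwards even System.getProperty("user.home") would be refused by this policy.
        File tmpDir = new File(System.getProperty("java.io.tmpdir"));
        File insideSandbox = File.createTempFile("sandbox-demo-", ".txt", tmpDir);
        // Hypothetical target outside the permitted directory; it does not have to exist.
        File outsideSandbox = new File(System.getProperty("user.home"), ".bashrc");

        Policy.setPolicy(new ReadOnlyDirPolicy(tmpDir));
        System.setSecurityManager(new SecurityManager());

        System.out.println(probe(insideSandbox));  // ALLOWED: under java.io.tmpdir
        System.out.println(probe(outsideSandbox)); // DENIED: no FilePermission for it

        // Tear down: only works because the policy grants RuntimePermission "setSecurityManager".
        System.setSecurityManager(null);
        insideSandbox.delete(); // would have been refused while the manager was active
    }
}
```

Compile and run it with javac SandboxDemo.java && java SandboxDemo (add -Djava.security.manager=allow on JDK 18 to 23). The applet plugin did exactly this kind of thing on behalf of untrusted code from a web page, but with the far larger default policy from the JRE's java.policy file and a great deal more JDK code reachable from the sandboxed side; the 2013 applet escapes were bugs in that reachable code and in the plugin, not in the language.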
A lot of federal agencies are going to what has become known as big fix. Either the department or DHS will require crap to get fixed right away. The good thing is that things will be fixed right away. The bad thing is that a lot will break. So while this is probably a good thing, I can imagine I'm going to get beat up soon. How fast can we fix the code? In some cases probably never, since the guys that wrote it are long gone now.
I'm quite sure they *were* working on them. But apparently rather slowly. Perhaps they didn't intend the fixes to appear until the next version of Java, so they wouldn't need to admit there ever were any problems.
I think we've pushed this "anyone can grow up to be president" thing too far.
You do not get it. My statement was clearly in relation to the advertised features that many of the not so competent developers take at face value. Merely mimicking a sentence structure does not give any level of truth to a statement, context matters very much. So what you did is a meaningless stunt.
"has flaws" is also a meaningless statement. Quantity and quality are essential for any meaningful evaluation. And here Java is straight in the "part of the problem, not part of the solution" category. Many people think they can develop in Java without really understanding what is going on under the hood. This is a serious fallacy: not only is that essential for developing any kind of secure software, it is also much, much harder and more complicated than in other languages. Understanding the Java security model and manager is a nightmare and not possible for most Java developers.
While I agree that C++ also is some kind of bad mess, it has several advantages that Java does not have: it caters to developers with higher levels of competence (because others cannot master its features due to bad convolution). It does not promise any "inherent security". It has far fewer libraries that are part of the core language. However, by now I believe C++ is better left unused. Do the time-critical parts in C, where you have a very high level of control (if you cannot figure out how to do basic OO in C, then please leave, the language is not for you), and the high-level stuff in a language like Python. This does not absolve you from thinking, planning and actually understanding what you are doing, but this model is very efficient and effective once mastered.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Nimrod has nothing in common with Pascal. Pascal is somewhat more verbose and bureaucratic than C, while Nimrod is in turn a lot less verbose than C. Nimrod has Python-like syntax, with typing and some special features, and compiles to C. It's similar to Shedskin, but is considerably further along. As (with some persuasion from yours truly, among others) Nimrod is now changing to a copyfree license, Shedskin's GPLv3-licensed compiler is toast.
Nimrod is an excellent replacement for Java in projects where Java was chosen as supposedly an ideal balance of performance (Node.JS / LuaJIT / etc too slow) and productivity (C/C++ too hard). Nimrod is definitely much easier than C/C++, and (at least IMHO) is easier than Java; and it already comes closer to the performance of C/C++ than Java, Go, Rust, or Dart. Nimrod also wastes a lot less memory than Java, so it could significantly reduce the "cloud" deployment costs of some applications.
Nimrod is not "build once, run anywhere", but then again really neither is Java; this has very little relevance these days, and absolutely no relevance for server-side code. The same Nimrod-generated C code can be compiled with any major C compiler, so you can always pick the best one, which gives it an advantage over languages married to LLVM or GCC. Very few projects require being executed by a VM, and most won't do better than compiled native code for deployment. I find that Nimrod daemons running in FreeBSD jails are an excellent combination of both safety and performance. Perhaps, with something like NaCl, Nimrod binaries could run in the browser as well.
--libman
You should get your eyes examined...
Or maybe you just like hearing yourself type; you'll be doing several times more typing to accomplish the same thing in Java as in Nimrod.
--libman
That list of accepted and rejected licenses demands perfection. My preference would have been to rank FLOSS license restrictiveness on a linear scale - with GPL being among the worst, MIT / ISC / CC0 being among the best, and many licenses falling in between. I would also rank projects by their historical karma - for example Lua would rank poorly (being a result of a coercively-funded government project), Go would rank better (being developed by a government-entangled corporation), and Nimrod would rank best (being a purely individualistic "grass-roots" endeavor).
As for copyfree.org being "obscure" - truth is often unpopular. The free software movement (itself a perfectly natural and inevitable market phenomenon) was hijacked early on by anti-capitalist fiends like Richard Stallman, and many projects were poisoned with viral restrictive licenses. The pervasiveness of that poison has gradually been declining in the last decade, but unfortunately most people only half-way understand the pragmatic reasons for why this is happening, and the moral reasons are only understood by a handful...
--libman
Many many people, not just ones with e-mail addresses ending in dot-gov, are entangled in the government. They benefit from its aggression, and shill in its interests. But there are degrees to evil... Not everything that any government says, does, or touches is automatically false. Even a stopped (typical analog) clock is right twice a day.
--libman