Slashdot Mirror


Oracle Responds To Java Security Critics With Massive 50 Flaw Patch Update

darthcamaro writes "Oracle has been slammed a lot in recent months about its lackluster handling of Java security. Now Oracle is responding as strongly as it can with one of the largest Java security updates in history. 50 flaws in total with the vast majority carrying the highest-possible CVSS score of 10."

4 of 270 comments

  1. Re:Java sucks. by mark-t · Score: 4, Interesting

    Ask IBM.

    Substantial portions (>80%) of Watson are written in Java.

    The remainder is C++ and, of all things, Prolog.

  2. *sigh*.... Java... by wierd_w · Score: 5, Interesting

    I like the *idea* of java.... but I don't like java.

    It has been my experience, even way back when the JVM was owned by SUN, and when MS tried their crazy IE-only "not really a real JVM but we say it is!" Bull--- that the JVM was a festering turd, that was slow, carried around a lot of baggage, and was a vector through which malicious programs could be executed in secret due to its bugs.

    Granted, that is just an anecdote. So, here's some old, tinned bugs from days of yore... clicky.

    As far as I can tell, Java has always been a very attractive target for malefactors who want to run malicious executable code on remote systems, because the innate abstraction provided by the JVM makes it an ideal incubator for that malware. As such, malefactors have consistently looked for, found, and exploited holes in Java to accomplish their nefarious tasks, despite the JVM dev team's best efforts.

    In short, Java has always been a security risk. The question I have always asked myself is if the benefits of that security risk outweigh the benefits. So far, my answer has always been "no" when it comes to desktop computing. For the originally intended ecosystem that Java was made for (things like portable computers, set top boxes, and custom computing devices), java is a godsend that makes development time get spent more efficiently. For a mostly monolithic desktop hardware space, java doesn't make nearly as much sense, and carries with it a very large attack surface.

    In short, I would rather do without your software, than expose myself to java's attack surface, if you refuse to write your software in a properly portable fashion, and choose to rely exclusively on the JVM.

    If you need cross platform support, use cross platform libraries, and compile platform appropriate executables from your codebase. Maintaining platform agnosticism through writing exclusively portable code will force you to write better code anyway.

    Leave Java in the ecosystem it belongs in: one-off hardware implementations, novelty devices, and low power computing platforms. Bringing java kicking and screaming to the desktop ecosystem makes it too big of a target for malefactors, and only exposes your own unwillingness to practice best practices when writing your software.

    1. Re:*sigh*.... Java... by ahabswhale · Score: 3, Interesting

      ROFL...are you fucking serious? You can find a lot more security holes in C and C++ than you can in Java. The ONLY reason you see all this shit about Java security is that Java can be run client-side via a simple download by your browser. There are very very few languages that allow this and I can guarantee you that any other ones are thoroughly explored for security holes by hackers. Ever heard of Flash? They've had many many security holes too but that's because they are a target. There are no safe fucking languages. Get that ridiculous idea out of your head. It's about the language's ecosystem and when that ecosystem ends up getting quietly downloaded by somebody's browser, it's gonna get fucking raped by every hacker worth a shit.

      I have to say that I'm pretty shocked about how utterly clueless the /. community is about this kind of technology. Sad stuff.

      --
      Are agnostics skeptical of unicorns too?
  3. Re:Confused. by DMUTPeregrine · Score: 3, Interesting

    So install a second browser, just for Java. Disable the plugin on your other browsers, and sandbox the browser with Java as well as you can.

    I use Chrome in a VM for Java (and some other probably insecure things, like viewing sites where I can't block ads.)

    --
    Not a sentence!