Slashdot Mirror


Oracle Responds To Java Security Critics With Massive 50 Flaw Patch Update

darthcamaro writes "Oracle has been slammed a lot in recent months about its lackluster handling of Java security. Now Oracle is responding as strongly as it can with one of the largest Java security updates in history: 50 flaws in total, with the vast majority carrying the highest-possible CVSS score of 10."

29 of 270 comments

  1. Too late by Anonymous Coward · · Score: 5, Insightful

    The knee-jerk reaction of getting the patches for Java out now following public criticism is not going to make up for their previous apparent disinterest in supporting the platform. The damage they have done to the reputation of Java is incalculable, and I for one as a C++ programmer thank them for it!

    1. Re:Too late by Maltheus · · Score: 5, Funny

      No doubt, this evens the scales after decades of buffer overrun exploits. Especially given the explosive popularity of applets.

    2. Re:Too late by sjames · · Score: 4, Insightful

      It is good that they released the patches, but since they waited until DHS actually suggested uninstalling it (and all the implications of that) to do so, it doesn't inspire much confidence. If they want to rehabilitate their reputation, they're going to have to be MUCH more proactive about security and it will take a while to convince people.

    3. Re:Too late by davester666 · · Score: 5, Funny

      Well, they could use the exploits in older versions of Java to update to the new version automatically...

      --
      Sleep your way to a whiter smile...date a dentist!
  2. Effectiveness of a cop... by jkrise · · Score: 5, Funny

    Supercop Oracle: I caught 50 powerful top grade thieves in my neighbourhood!! I am great!!!!

    Ordinary cop: Why did you allow 50 scoundrels in the first place?

    --
    If you keep throwing chairs, one day you'll break windows....
  3. Confused. by Anonymous Coward · · Score: 5, Insightful

    I'm not sure how I feel about this:

    1. Good. It's awesome that Oracle are finally taking notice of Java security issues and doing something positive.
    2. Bad. That's a lot of CVSS2.0 score 10 bugs they've been letting slide.
    3. Confused. How many more are there?

    1. Re:Confused. by _xeno_ · · Score: 5, Insightful

      3. Confused. How many more are there?

      I'm sure there are enough that I feel fairly confident in my advice to just not install Java unless you really, really need it. Which, unless you're a developer or a Minecraft addict, you really don't.

      So I have the JDK installed, but the plugin disabled. (Well, I have the 64-bit JDK installed and use 32-bit Firefox, which works well enough on that front.)

      --
      You are in a maze of twisty little relative jumps, all alike.
    2. Re:Confused. by DMUTPeregrine · · Score: 3, Interesting

      So install a second browser, just for Java. Disable the plugin on your other browsers, and sandbox the browser with Java as well as you can.

      I use Chrome in a VM for Java (and some other probably insecure things, like viewing sites where I can't block ads.)

      --
      Not a sentence!
  4. Clean up your shit, Oracle. by Anonymous Coward · · Score: 5, Informative

    I know Oracle didn't write Java to begin with, but they sure had a hard-on to acquire it, presumably to soak up profits by wedging themselves into yet more enterprise services. I'd like them to take ownership of this issue and really hammer out these nasty problems. I know it's just the client-side JVM-plugin-whatever, but Oracle's behavior isn't really making me want to go out and seek other Oracle products.

    And fuck, if I can't escape this piece of software at work. I've got client applications and web applications that we rely on that absolutely require the full-fat Oracle JVM. I'd love to disable the plugin or do away with it altogether, but I can't.

    For that matter, deploying this supposedly enterprise piece of software is a massive pain in the ass. If you want to deploy it like usual (published through AD), you've got to open the installer EXE, go to your temp folder to copy out the .msi, then use an .msi editor to create an .msp file to disable the really annoying and awful Java auto-updater. (The auto-updater requires admin privs to install, and it will trigger on its own without user intervention. It's really annoying to end users to have a UAC prompt pop up randomly out of nowhere when they're working.)

    Oh yeah, and if you run the EXE manually to install? Make sure you uncheck the Yahoo toolbar! And this is supposed to be business software?

    1. Re:Clean up your shit, Oracle. by fluffy99 · · Score: 4, Insightful

      I know Oracle didn't write Java to begin with, but they sure had a hard-on to acquire it, presumably to soak up profits by wedging themselves into yet more enterprise services. I'd like them to take ownership of this issue and really hammer out these nasty problems.

      Didn't they just do exactly that? Granted there are probably still lots of other unannounced issues, but this is a good step in the right direction.

    2. Re:Clean up your shit, Oracle. by phantomfive · · Score: 5, Insightful

      Oracle's behavior isn't really making me want to go out and seek other Oracle products. And fuck, if I can't escape this piece of software at work.

      Two good points, and the latter is why Oracle doesn't care about the former.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:Clean up your shit, Oracle. by aled · · Score: 3, Informative

      It isn't as widely known, but you can make a private Java install just by copying the JRE directory, for example if you want your application not to depend on the system version. It works OK in Linux and in Windows.

      --
      "I think this line is mostly filler"
  5. Re:Java sucks. by Dr.+Tom · · Score: 4, Insightful

    I like the way it took a Federal agency (DHS) to recommend deinstalling Java before Oracle did anything.
    I think the Fed recommendation stands. Stop using Java.

  6. Re:OK by farble1670 · · Score: 4, Informative

    Yeah, like Orrible's (and specifically the Java section) going to lift a finger to help Microsoft after the whole J++ fiasco

    1. that was not oracle, it was Sun Microsystems.
    2. it was 10 years ago. you think any of the same people are around, and have the same motivations?
    3. it wasn't a fiasco, it made sun $700 million. they were pretty happy about it.

  7. Re:Java sucks. by mark-t · · Score: 4, Interesting

    Ask IBM.

    Substantial portions (>80%) of Watson are written in Java.

    The remainder is C++ and, of all things, Prolog.

  8. And the update is here. by mhotchin · · Score: 5, Informative

    Would it kill you idiots to post a direct link to the update in a story that is about nothing *but* the update?
    http://www.oracle.com/technetwork/java/javase/downloads/index.html

  9. Re:Ooh goody... by spykemail · · Score: 4, Funny

    We apologize for the fault in the software platform. Those responsible have been sacked.
    Mynd you, m00se bites Kan be pretty nasti...
    We apologize again for the fault in the software platform. Those responsible for sacking the people who have just been sacked have been sacked.

  10. Re:Java sucks. by farble1670 · · Score: 3, Insightful

    Does another patch change the fact that Java runs slower than new programming languages like Nimrod [nimrod-code.org], which let developers accomplish the same tasks in far less code?

    there's a new latest greatest language every 6 months. customers don't like to re-write their platforms every 6 months when language X goes out of favor and they can't hire people to maintain their code or get updates for the runtime / tools.

    do you think it's possible that nimrod also has security flaws, but they haven't been exposed ... consider the usage of java vs. nimrod and therefore the interest of hackers in finding the security flaws?

  11. Where there are 50 found... by mysidia · · Score: 3, Insightful

    There are probably 500 unaddressed.. you know...

    Oracle's, you know... rearranging the deck chairs on the Titanic. Plugging a few of the small leaks here and there. Doesn't mean the ship is saved :)

    Recall Cisco just released this big 2013 annual security report the other day, showing Java exploits as the #1 infection vector for malware.... :)

  12. *sigh*.... Java... by wierd_w · · Score: 5, Interesting

    I like the *idea* of java.... but I don't like java.

    It has been my experience, even way back when the JVM was owned by SUN, and when MS tried their crazy IE-only "not really a real JVM but we say it is!" Bull---, that the JVM was a festering turd that was slow, carried around a lot of baggage, and was a vector through which malicious programs could be executed in secret due to its bugs.

    Granted, that is just an anecdote. So, here's some old, tinned bugs from days of yore... clicky.

    As far as I can tell, Java has always been a very attractive target for malefactors who want to run malicious executable code on remote systems, because the innate abstraction provided by the JVM makes it an ideal incubator for that malware. As such, malefactors have consistently looked for, found, and exploited holes in Java to accomplish their nefarious tasks, despite the JVM dev team's best efforts.

    In short, Java has always been a security risk. The question I have always asked myself is if the benefits of that security risk outweigh the benefits. So far, my answer has always been "no" when it comes to desktop computing. For the originally intended ecosystem that Java was made for (things like portable computers, set-top boxes, and custom computing devices), Java is a godsend that makes development time get spent more efficiently. For a mostly monolithic desktop hardware space, Java doesn't make nearly as much sense, and carries with it a very large attack surface.

    In short, I would rather do without your software than expose myself to Java's attack surface, if you refuse to write your software in a properly portable fashion and choose to rely exclusively on the JVM.

    If you need cross platform support, use cross platform libraries, and compile platform appropriate executables from your codebase. Maintaining platform agnosticism through writing exclusively portable code will force you to write better code anyway.

    Leave Java in the ecosystem it belongs in: one-off hardware implementations, novelty devices, and low-power computing platforms. Bringing Java kicking and screaming to the desktop ecosystem makes it too big of a target for malefactors, and only exposes your own unwillingness to practice best practices when writing your software.

    1. Re:*sigh*.... Java... by trims · · Score: 5, Insightful

      You forget the place that Java has had the most success: Enterprise computing.

      I'll agree that the sum total of the Java Plugin + JDK Libraries + JVM provides too much opportunity to attack on the desktop / web app space. There are simply too many flaws in the plugin and libraries. The JVM itself, though, is very solid (fewer than 10 major flaws over 15 years).

      However, Java as a middleware platform is simply far better than any of the alternatives, and that's where I expect it to remain. Insulated from the types of attacks that render Java dangerous on the desktop, middleware app servers play directly to Java's big strengths: speed, ease of development, and massive library support, plus a framework which helps discourage the types of coding flaws that hurt middleware computing the most. Java will likely remain king of middleware for a long time, and deservedly so.

      On the desktop or as a downloadable app, well, yes, Java is simply never going to measure up to the better cross-platform alternatives.

      -Erik

      --
      There are always four sides to every story: your side, their side, the truth, and what really happened.
    2. Re:*sigh*.... Java... by ahabswhale · · Score: 3, Interesting

      ROFL...are you fucking serious? You can find a lot more security holes in C and C++ than you can in Java. The ONLY reason you see all this shit about Java security is that Java can be run client-side via a simple download by your browser. There are very very few languages that allow this, and I can guarantee you that any other ones are thoroughly explored for security holes by hackers. Ever heard of Flash? They've had many many security holes too, but that's because they are a target. There are no safe fucking languages. Get that ridiculous idea out of your head. It's about the language's ecosystem, and when that ecosystem ends up getting quietly downloaded by somebody's browser, it's gonna get fucking raped by every hacker worth a shit.

      I have to say that I'm pretty shocked about how utterly clueless the /. community is about this kind of technology. Sad stuff.

      --
      Are agnostics skeptical of unicorns too?
  13. Re:OK by Bongoots · · Score: 5, Funny

    3. PROFIT!

  14. Re:Java sucks. by Anonymous Coward · · Score: 3, Informative

    The remainder is C++ and, of all things, Prolog.

    Prolog is actually very appropriate.

  15. They managed to let 50 critical flaws unpatched??? by gweihir · · Score: 3, Insightful

    I wonder how many are still open after this publicity stunt and how many they did patch badly (as before), but now the attackers know what to look at.

    Let's face it: Java is a mess. Use in anything but a protected environment where the Java code and runtime cannot be attacked is highly unprofessional and borders on gross negligence.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  16. Re:The stupidity hurts my head. by thetoastman · · Score: 4, Insightful

    On what screwed up platform is this?

    Seriously, I have 1.6.0_39 and 1.7.0_13 happily running together on all the platforms that I'm responsible for (Linux, Windows, UNIX of various flavors).

    This patch was rather important in that there are some server side security issues being patched as well as browser plugin issues.

    I'm seeing all of this hate, but you know what, I just don't get it. Software of any complexity has bugs. Microsoft used to be the champion of security exploits. Now it's Java. And lest anyone forget, there are myriads of PHP / Ruby / Python security bugs that allow systems to be exploited. I'm not even sure that there's a secure Ruby on Rails platform at this point, for example. I don't know for certain about Ruby, since the only Ruby platform I have right now is for Redmine.

    I guess though everyone likes the Faux News mentality of computer security reporting. It garners page clicks, makes people feel important and is a lot easier than actually doing any work. It's like the hit piece someone at InfoWorld did on a Spring Framework bug that could possibly be exploited (albeit not very easily). The sensationalist piece completely overlooked the fact that the issue had been addressed over a year ago. The "journalist" at InfoWorld was too busy jumping on the "all things Java are evil and insecure" bandwagon to do the tiny bit of research needed to write intelligently about the problem . . .

    Just like people are now doing about the current issue . . .

    My favorite comment so far has been along the following lines:

    Sure, they may have fixed these security flaws, but there's no guarantee that this will fix future security flaws. It's better that you just go ahead and uninstall Java now.

    Sure, [insert-least-favorite-software-of-the-day] may be patched now, but will it remain patched?

    I thought at least professionals were a bit more intelligent than this. I guess not.

  17. Re:first post! by Jorl17 · · Score: 5, Funny

    Java browser, eh?

    --
    Have you heard about SoylentNews?
  18. Re:OK by Joe+Tie. · · Score: 3, Insightful

    I agree with 1 and have no opinion on 3. But for the second? I've only worked in one major tech company in my life, but from what I've heard the attitude is pretty uniform through most of them. The people that last are usually company men to the core. Most of the people who stick around very long do it for the brand/name and drink the Kool-Aid mind, body and soul. I could see a holy war about something happening before they were even out of school pretty easily.

    --
    Everything will be taken away from you.
  19. It's not just Java... by JImbob0i0 · · Score: 3, Informative

    This whole thing about Java being the issue annoys me - if you take a broader look at the whole ecosystem.

    Take a look at no more than 2 weeks ago with CVE-2012-4414 for example...

    This is a MySQL security bug where any authorised DB user can arbitrarily inject SQL in the binlog used for replication...

    For those that don't know, Oracle has recently (over the past year) moved the majority of their bug database internal-only, so that inhibits discussions for a start, and on top of that they no longer publish test cases for fixes ... it looks like they might be going into an internal/tests directory, but that isn't provided in the GPL tarball they provide.

    However, the curiosity doesn't stop there - if they are still writing test cases for code as opposed to just changing stuff willy-nilly, they don't seem to be writing them very well.

    When the Percona guys were merging from the upstream code, they used the test case that the MariaDB team put together for this CVE - since there is no test provided by Oracle, as previously mentioned.

    They naturally expected the test to be fine, seeing as Oracle claimed the CVE was fixed in 5.5.29, but shock horror, it failed.

    They ended up merging the MariaDB fix instead.

    Given that, what makes you think the rest of the code is *really* like, and why that Java fix recently introduced a new bug, and so on...

    Ah well, in the meantime FESCO has accepted the proposal to replace MySQL with MariaDB in Fedora 19, which is something that Oracle weren't too pleased with...

    That Oracle response was prior to the FESCO vote by the way - time to get the popcorn methinks!