New Java 0-Day Vulnerability Being Exploited In the Wild
An anonymous reader writes "Here we go again. A new Java 0-day vulnerability is being exploited in the wild. If you use Java, you can either uninstall/disable the plugin to protect your computer or set your security settings to 'High' and attempt to avoid executing malicious applets. This latest flaw was first discovered by security firm FireEye, which says it has already been used 'to attack multiple customers.' The company has found that the flaw can be exploited successfully in browsers that have Java v1.6 Update 41 or Java v1.7 Update 15 installed, the latest versions of Oracle's plugin."
JAVA - Just Another Vulnerability Alert
...is busy colonizing Hawaii.
One Rich Asshole Called Larry Ellison
just set a team of 10-15 experienced programmers to review the code in a period of 3-4 months instead of just-wait-to-see-the-next-exploit-and-fix-just-that-rinse-and-repeat ?
p.s. I have disabled Java in my browser since ages. The only reason I still keep it installed is because of ps3mediaserver. I wish it wasn't written in Java so I could say goodbye to Java once and forever.
C is "secure" now? ...
Surprise, surprise indeed
Aberrations have appeared in my destiny prognostication engine!
Executing random C code from somewhere on the net in a Browser is even dumber than doing the same with Java. Java at least has a security model, even if it's broken anew every week, and has more holes than a sieve. C on the other hand has nothing. It really is more or less like a portable Assembly Language as it was developed for.
Yes, C is secure. You can however use C to write buggy software, for example a java virtual machine.
c++;
He probably means that you actually have to have a little knowledge to exploit C while Java is just one big sieve.
Yes, C is secure. You can however use C to write buggy software, for example a java virtual machine.
I think the people exploiting Java have a LONG list of vulnerabilities in queue. With each update of Java, fixing the last known holes, they just update their exploit code to utilize the next vulnerability in their queue. This could go on for a long, long time.
And where I work, we have to use Documentum Webtop which requires Java. Now they have us pushing Java updates all the time.
Oracle needs to pay out a bounty for Java vulnerabilities to collect as many as possible so the next fix(es) will be better.
The tipping point is the many, many, many devices that probably aren't running other anti-virus (smartphones and tablets).
--Aahzmandius
Unfortunately there is no "stupid" moderation. The issue is the Java sandbox which has the goal of letting you run untrusted code (e.g. applets) on your system without any worries. Unfortunately the attack surface of the sandbox is huge because there are so many different APIs that are usable and all it takes is a bug in one of them to give you an exploit.
Turn off Java in your browser and you'll be a happy camper. Stop spreading FUD. The Linux kernel still has exploits (http://www.zdnet.com/linux-kernel-exploit-gets-patched-7000011844/).
Oh, and I spent 10 years as a kernel developer in C and another 10 years as a Java developer so I guess I'm a Real Hipster Programmer.
Well, then you would both be wrong. C doesn't have a security model to exploit. The security model for loading untrusted code into your C application is "Don't do that" which isn't such a bad idea, really. However, if you remove the stupid idea of trying to run untrusted code in a sandbox within your application, Java is quite secure which is why people write server code in Java. No buffer overflows to start with (a classic exploit of server code written in C)
I think what he means is that C-security is solely dependent on your code, while Java-security is dependent on JVM security in addition to your code security. And the developer has no control over JVM security.
Java fails yet again, and really who is surprised. Java was and is a flawed language from the ground up and all of these exploits just help prove it. If you want a good secure system / language just look to C, it does everything you can think of or want, has little to no overhead and runs on almost every device in the world. Real programmers use C, hipster wannabes use Java.
The only failure I see here is your rather ignorant attitude that every language cannot be made just as vulnerable in the hands of the inexperienced.
Yes, C is secure. You can however use C to write buggy software, for example a java virtual machine.
The JVM is actually written in C++. Just sayin'
"Little does he know, but there is no 'I' in 'Idiot'!"
A few things are different:
1. People dislike Oracle as a company
2. The purposes/reasons for exploiting have shifted significantly
3. Sun was likely more friendly to people presenting information about bugs to be fixed.
And how frelling dare anyone out there make fun of Java after all she's been though!
Leave Java Alone!
Please...
Privacy is terrorism.
Yes, C is secure. You can however use C to write buggy software, for example a java virtual machine.
Ok explain why a simple string can buffer overflow? Maybe the latest Gnu C libraries have fixed that now, but damn that is bad as 10 years ago you could! The apis had to be practically rewritten to watch for these like these which explains why it is littered in secure versions of standard function calls.
The problem is you can't really write secure in C unless you know assembly. My simple "give me 2 numbers and I will add them" 10 line program will not look insecure but it is underneath after being compiled (this was 13 years ago I tried this). I know Theo from the OpenBSD tried making secure versions of standard ansi C functions to prevent this. Java at least tries and manages it. I can make the same argument that Java is secure. It is only the programmers who are not etc.
http://saveie6.com/
N.O.T. All software has vulnerabilities. No system is safe from hacking and attack, especially spear-phishing. So, it's news every time some dipswitch downloads pr0n and gets infected? Or opens an unsolicited email attachment and installs malware? Please ... post something that's actually news and stop the "bashing every company just because" merry-go-round. Who's next to be bashed incessantly?
Firefox now turns off the plug-in and you have to enable it when you visit a site that uses it. Each time BTW, it asks me every site, every time I open the browser.
Android doesn't permit Java in webpages at all, even though it uses Dalvik itself (a Java engine) internally.
In the wild, is that the same as in cyberspace?
Java fails yet again, and really who is surprised. Java was and is a flawed language from the ground up and all of these exploits just help prove it. If you want a good secure system / language just look to C, it does everything you can think of or want, has little to no overhead and runs on almost every device in the world. Real programmers use C, hipster wannabes use Java.
What do you think the JVM is written in?
Yeah, C and probably C++.
Grow a brain, you twerp.
I've heard it argued that Java is insecure because too much of it is written in C++, poor quality code no doubt. It would have been more secure if a core of commands was written in C++, and the rest was written in Java. Then, more effort could be put into making the core secure.
This and no other is the root from which a tyrant springs; when first he appears as a protector - Plato (423 to 327 BC)
I'm not a Java developer, but I do have a strong interest in engineering and reliability, and the reason for all these Java faults puzzles me. Could an experienced Java developer please explain (or at least suggest) why this particular virtual machine has suffered so many vulnerabilities?
In principle, a virtual machine is just the implementation of a specific FSM, very tightly constrained and therefore fairly easy to program for total correctness, unlike most other applications. Such correctness has clearly eluded the JVM. How come?
I agree but I'm a little confused if you're agreeing or disagreeing with me. C gives you the power to do what you want, Java on the other hand assumes.
He's not exactly disagreeing or agreeing with you, as you're so thoroughly confused that you manage to say things that aren't cleanly true or false.
C has no security model. At all. This lets you write things that are totally unsafe. For example, you couldn't have browser exploits with either Flash or Java or any other plugin if it wasn't for the NPAPI, which is a C interface! O! M! G!
Java does have a security model; it tries to segregate untrusted code away from trusted code and ensure that the untrusted code can only do very limited operations. This is hard to get right. (Doubly hard when you've got the plugin glue code in the mix; that just makes everything much more complex.) For most applications, this actually doesn't matter very much as they don't load code from untrusted sources at all; Java is doing just great at powering web application servers, and there are some wonderful libraries to help with this. Browser plugins though are a different beast; their whole point is to load untrusted code and execute it, and any mistake is a problem.
Right now, I recommend disabling the Java plugin in all browsers that you use, or even better removing the plugin entirely. If you must have it enabled (for some horrible corporate web application) then only turn it on when strictly necessary. As a bonus, you won't have to suffer from nasty slow Java-implemented ads. (That was why I originally turned it off in my systems; being defended against hacking was a side benefit.) Also, Java tends to look like ass in a browser these days.
"Little does he know, but there is no 'I' in 'Idiot'!"
Turn off Java in your browser and you'll be a happy camper.
It would be nice if we could have the JRE as a completely separate product from the plugin. I could happily live without the plugin (and do!) but the JRE itself is useful for other apps.
"Little does he know, but there is no 'I' in 'Idiot'!"
I would say discussion of if a Turing complete is secure or not is off base. You can express any computable algorithm and if you get it wrong it may or may not behave in undesired ways when presented with input you did not anticipate.
Now if you want to discuss topics if interpreters (byte code or otherwise) that enforce certain memory management contracts, so you don't have to express them as part of your program ultimately offer better security or just move the problems that might be a valid topic.
Java is not insecure; security is not even an attribute you could put a value on with regard to Java. The browser plugins that ship with the most popular interpreter and runtime implementation might be insecure. There may be bugs in the interpreter where it does not properly enforce contracts making otherwise correct programs under it vulnerable. One little mistake in a C/C++ program might result in the same thing though. The traditional argument is what's more likely to result in the best outcome: every programmer out there writes good code or a team of skilled programmers writes a universal memory manager, and set of libraries that are solid so other programmers don't have to get some of that hard stuff right?
I guess the issue is we are finding out more often than not even teams of very skilled developers are bound to slip here and there with something as large and complex as the Java runtime.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
For fuck's sake, can people please specify that the APPLET has vulnerabilities?
> Yes, C is secure.
The comment is nonsensical. Security is about vectors. The language itself, is really not "secure" because it has to operate within an environment. By integration, it's no more or less secure than the environment AND the program the language was used to write. You really don't understand the implications of the discussion if you think that comment was "excellent".
Please show your work eg: int foo(int x,y){ return x+y};
Hey KID! Yeah you, get the fuck off my lawn!
You know that just tells me that javac isn't self-hosting and they never bothered to bootstrap their own compiler. I wouldn't blame C for that.
Cwm, fjord-bank glyphs vext quiz
It is a poor worker who blames his tools. The language is not the problem, it is what you do with it but still...
YOUR PROGRAMMING TASK: To shoot yourself in the foot.
C: You shoot yourself in the foot.
C++: You accidentally create a dozen instances of yourself and shoot them all in the foot. Providing emergency medical assistance is impossible since you can't tell which are bitwise copies and which are just pointing at others and saying, "That's me, over there."
Perl: You grep through a list of your body parts, shooting the bits that look like feet. On the first try, you don't shoot anything, and realize that you're matching hashrefs instead of scalars. On the second try, you shoot off your big toe instead of the whole foot (shouldn't have used greedy matching in the regex). Finally, you shoot yourself in the foot, generalize your code to allow it to shoot anyone anywhere, and post it on CPAN as SUICIDE::LITE.
Python: You want to shoot the toes off your foot. You ask your foot to tell you about all of your toes, but to please pause for a while after each one so you can shoot it. After you shoot, your foot begins where it left off.
FORTRAN: You shoot yourself in each toe, iteratively, until you run out of toes, then you read in the next foot and repeat. If you run out of bullets, you continue with the attempts to shoot anyways because you have no exception-handling capability.
Pascal: The compiler won't let you shoot yourself in the foot.
Ada: After correctly packing your foot, you attempt to concurrently load the gun, pull the trigger, scream, and shoot yourself in the foot. When you try, however, you discover you can't because your foot is of the wrong type.
COBOL: Using a COLT 45 HANDGUN, AIM gun at LEG.FOOT, THEN place ARM.HAND.FINGER on HANDGUN.TRIGGER and SQUEEZE. THEN return HANDGUN to HOLSTER. CHECK whether shoelace needs to be re-tied.
LISP: You shoot yourself in the appendage which holds the gun with which you shoot yourself in the appendage which holds the gun with which you shoot yourself in the appendage which holds the gun with which you shoot yourself in the appendage which holds the gun with which you shoot yourself in the appendage which holds the gun with which you shoot yourself in the appendage which holds...
FORTH: Foot in yourself shoot.
BASIC: Shoot yourself in the foot with a water pistol. On large systems, continue until entire lower body is waterlogged.
Java: You find that Microsoft and Oracle have released incompatible class libraries both implementing Gun objects. You then find that although there are plenty of feet objects implemented in the past, you cannot get access to one. But seeing as Java is so cool, you don't care and go around shooting anything else you can find.
I'm pretty sure the semicolon should come before the closing curly brace...
The main difference between C and Java is that in C you code the bugs personally - in Java, that functionality is baked into the JVM.
Comes down to whose programmers you trust more - your own, or Oracle's?
EMail: 0110001101100010010000000110001101110010 0110000101111010011011100110000101110010 0010111001100011011011110110
No, honestly, writing evil code in C is easy. You can open files without restrictions, modify them without restrictions, and so on, all with the power of the running user. Executing untrusted C code is NOT SECURE.
These days it's about using as many different languages as possible, ideally in the wrong place. Big desktop application? JavaScript hosted on a remote server sounds ideal! Website to display a list of your mobile phone apps? Show off your 1337 Java skillz by making the whole thing a plugin! A quick script to verify the format of an email address? To the Assembler!
Please consider this account deleted, I just can't be bothered with the spam anymore.
Strings don't overflow in C, unless you use them wrong.
And you never know, there might be a vuln in the Java string library. Unless you've audited it, I wouldn't say there isn't, since it seems there are vulnerabilities everywhere else.
"First they came for the slanderers and i said nothing."
All the major browsers have click-to-play for plug-ins now, so even if you have it installed you should be safe from drive-by infections if you have it enabled.
Actually I don't know if IE10 supports click-to-play, but surfing the net with IE is like licking the toilet seat down the pub - inadvisable at best.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Nope, it's the damned games. Minecraft and Pogo and a shitload of other damned Java games have been released and become REAL popular which means a shitload of Java installs that can be pwned. It's a damned shame, I saw Java practically disappear from the non corporate desktop only to see Java all over the damned place now.
ACs don't waste your time replying, your posts are never seen by me.
It's a shame there isn't a really good open source alternative to Oracle's JVM that people could switch to. At least with the endless stream of Adobe Reader vulnerabilities you can just switch to Sumatra PDF or one of the many other free viewer applications.
As far as I can tell most of the free JVMs are either abandoned or don't run on Windows.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Or if you are on Vista or better just use any of the Chromium based browsers or IE as those automatically run in low rights mode and not administrator. Why oh why can't Mozilla support low rights mode when it's over 6 years old now is beyond me but the fact that FF runs with the same privilege as the user while the Chromium browsers don't was enough for me to replace Firefox with Comodo Dragon on all my installs, you should always use least privilege and FF just won't do that. Ironically the only "how to" on using LRM with FF actually undermines LRM until it's worthless, so if you use Java don't use Firefox, use Chrome, Dragon, SWIron, any of the Chromium based will give you better security.
ACs don't waste your time replying, your posts are never seen by me.
It would be nice if we could have the JRE as a completely separate product from the plugin. I could happily live without the plugin (and do!) but the JRE itself is useful for other apps.
After this horrible sequence of 0-day exploits, I've finally disabled the Java plugin in ALL my browsers. There you are, instructions for removal of the Sun (or IBM) Java browser plugin on Windows, without removing the JRE. :)
And who writes their whole program in using just their own code? We have massive C libraries because we cannot reinvent the wheel every time. And it isn't possible to exhaustively check the code in those libraries due to time constraints and sheer complexity.
I totally agree with it. Using plain C does not solve anything, does not make life easier, and does not provide anything to replace for example Java applet functionality.
The security setting for Java defaults to High anyway. You would have to either A) change your security settings specifically lower or B) specifically allow an untrusted applet to run for this to (sometimes) work. I'm starting to get tired of the anti-Java FUD, there are vulnerabilities found all the time in other languages/frameworks, how come all we seem to hear about is lame Java applet sandboxing issues?
Didn't realize I wasn't logged in when I made that post
The JVM might be wonderful but, empirically, the browser plugin is a pile of junk, at least in terms of code quality.
Could somebody, e.g. Apache, incubate a project to replace the Oracle Java web plugin? I don't use Windows but imagine if each company was willing to pay $2/user/year for a better plugin for their mission critical apps. The IcedTea plugin on Linux seems to be in a decent state these days, after quite a rough start - perhaps it could be a basis for a new Windows Java plugin.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
That's it. I'm done with Java. For good.
People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.
I've kept Java turned OFF on all of our computers for a long, long time. It's a pig. It hogs computer resource units. I have not once run into anything that requires it. Just say no to Java.
Yeah I noticed that right AFTER I hit submit. Yet another /. non-feature, even though I do understand why.
Hey KID! Yeah you, get the fuck off my lawn!
The point is that buffer overflows are an easy mistake to make. Using languages that prevent it is like using a seat belt.
Some browsers now have a white-list regarding the Java plugin (Chrome does it, not sure about Firefox), as it always should have been. (And it should be that way with Flash too.)
you must be trolling or you are clueless. C is secure ? you guy serious ?
The Linux kernel is written in C. I believe the BSDs are written in C. How much more secure can you get?
With C the vulnerability of your program to exploits or other bugs (an exploit is just a bug after all) is exactly what you wrote into it, nothing more nothing less.
However in Java land (and others) you are depending on a huge pile of abstractions underneath your code which may or may not be vulnerable/buggy. How would you know?
Do rethink your statement.
The JVM is actually written in C++. Just sayin'
That explains a lot...
The difference is that C CAN be secure if you code it right. In Java, even the most trivial thing you write remains dependent on the JVM to be actually secure.
That doesn't mean your C code WILL be secure, but if it's not it is your fault and entirely up to you to fix it.
Cars don't crash unless you drive them wrong...
with the COBOL plugin.
I don't know that I'd say inhumanly difficult, but it's fair to say it is challenging and failures are plenty.
Band Aids on bullet wounds friend, Band Aids on bullet wounds. what we NEED is for Java to die on the consumer desktop until oracle has enough sense to rewrite the thing from the ground up, looking at the OO.o source you can see Sun seriously sucked when it came to code for the desktop and the trouble Java is having now goes back to Sun and the trouble THEY had and the simple fact is ITS NOT NEEDED as you can do the same damned thing in Visual C++ as far as games go and not force home users to get stuck with Java.
Java has its place and that is the enterprise backend NOT the consumer desktop. When practically everybody and their dog and their dog's chewtoy has C++ runtimes already sticking with Java which has so many zero days is irresponsible and bad practice, I don't see how anybody could argue different. in the enterprise Java is too deeply used for anybody to change and from what I've been told its ability to handle so many users at once reliably makes the risk bearable and hey, I get that, I really do. But forcing consumers to install Java just to play a video game? bad form game devs, bad form.
ACs don't waste your time replying, your posts are never seen by me.
Hum... No, a simple string can not buffer overflow. You a word here or what?
Also, of course you must know how computers work to program in C. It's a shame that people think they don't need to learn that for coding in other languages (they do, but they'll build a lot of rope before they discover they are just hanging themselves).
Rethinking email
No computer is as restricted as a Turing machine. For one thing, a Turing machine doesn't do IO.
In fact, information security has no relevance for Turing machines, as they can't compromise any kind of information.
Rethinking email
This is just a pissing match on my language is better argument which is dumb. Who modded the grandparent to +5?
Whether your compiler is VM like Java or converts it to assembly is the fact that the programmer is not in control. It is not the programmers fault if he or she uses an api that does not handle safety of data types. Historically Java has been years ahead of C until the last decade where Theo had to write secure versions of simple data handling functions as a strong or data type can easily overflow by default and run malicious code. Even a hello world program can run malicious code when I did this 12 years ago! Why should this have been my fault?
That should be a strike against C and C++. I am not a professional programmer in these languages so I surely hope that is no longer the case. It is why Unix and Windows were so insecure against MacOS classic and VMS. Every datatype can overflow with stack smashes inside it. The ansi standard functions are not secure by default and each implementation had to rewrite these same things to securely check each data type at compile time.
http://saveie6.com/
Yes, yes. Panic! There's a Java 0day! Dear Lord forfend! Of course, as you read this you are probably running Windows, with tons of extensions and software. You're probably using Flash. You probably have a web browser - heck, obviously you have a web browser. Well, not to worry: After disabling Java you will be completely safe.
"No sane man will dance." -- Marcus Tullius Cicero
I was entertained that Larry Ellison attached crapware to their security updates, which have to be specifically turned off in the installation, and their stupid toolbar turns off popup windows, but that disables Oracle's Discoverer product, and it works differently than the IE popup blocker, by not looking for user configurable exceptions. So for pennies per user, Oracle collects from the toolbar makers for every installation. And they're alienating IT departments. I hate working with them-- they're more mafia-like every year. End of complaint.
Everything I've ever learned the hard way was based on a statistically invalid sample.
You're still relying on the C library to be secure. Many/most are not.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
A lot more secure. Linux and the BSDs have holes found in them all the time, along with everything else. Pascal would be a lot more secure than C.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Same reason Firefox doesn't support DHCP based WPAD despite having patches submitted for such support in 2006.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Your C code still relies on the standard library and your compiler to be secure.
Not a sentence!
It CAN (and usually does) rely on libc, but doesn't have to. The compiler mis-compiling the code is quite a different class of problem, but since you have the source, you can validate the results.
In the bad old days, I actually debugged a case where the compiler mis-compiled the code.
I have done projects that did NOT include libc.
The obvious question is how are you using your strings that makes it so difficult to avoid overflows? It's not hard once you know how to do it.
"First they came for the slanderers and i said nothing."
It is perfectly possible to use strings safely in C, but at the same time, there are functions in libc that invite disaster, in some cases with an engraved invitation and a bottle of champagne. Gets, for example, needs to go. So much so that I wouldn't mind its use being promoted from warning to error unless you use the switch --goatse-me.
Even if you use the right functions but screw up passing the allocated size to the functions, you can get in trouble, just like if you fiddle with the radio when you should be watching the road.
I never mentioned about the Linux kernel being non exploitable, but if it was written in Java it would be much more exploitable.
All this statement proves is that you aren't qualified to have an opinion on this subject. I brought up Linux kernel exploits because the Linux kernel is coded in C. The Java exploits that I have seen are all related to breakouts from the sandbox. The kernel and the Java sandbox are equivalent because both are supposed to be able to run untrusted code and keep that untrusted code from doing things it is not supposed to. If you wrote a POSIX compliant kernel using Java you would not use the sandbox to keep untrusted code from doing bad things and it would be about as likely to have exploits as a kernel coded in C. The problem with the sandbox is that the attack surface is just too large to be secured effectively.
Some languages, like PHP, have features that actively work against security. Other than the sandbox (don't use the sandbox to contain untrusted code) Java doesn't have many features like that. C does have features that have to be applied carefully or used carefully (unchecked array bounds, int->pointer conversions).
So I'll admit you're probably not a hipster, that wasn't fair to say but in the end I just find a good C programmer an invaluable addition to a team over any Java programmer.
You may as well say "good programmer" because lousy C programmers can make a mess incredibly quickly.
I never said a C programmer can't make a mess of code, I also never still never mentioned anything about the Java sandbox or the Linux kernel. I've also done enough Java programming to know I'm never going back to it. However you do bring up an interesting concept about writing a fully POSIX compliant kernel in Java, it would be interesting to see it actually being done. It would have to be Java from the very base of the system, including IDT and GDT table init. It would be interesting to benchmark against.
Yes, but how often do you screw up passing the allocated size? I'm not sure that happens often.
If it's something you are really having trouble with, you can declare a struct with the size and buffer together, then create wrapper functions around the standard library functions that use your struct. Then you only have to verify that your passing is correct within those wrapper functions, and not mess with the size anywhere else.
"First they came for the slanderers and i said nothing."
Really, I don't have a problem with it, however, the most common source of problems in general is probably the off by 1 thinko. Like forgetting to count the terminating null. Next up is probably cases where the programmer forgets that there are circumstances where the trailing null might NOT get written.
Next up is probably cases where the programmer forgets that there are circumstances where the trailing null might NOT get written.
Yeah, that one's really annoying. strcat() has a lot of special cases that are annoying as well. I usually encapsulate that one into a custom function where I only have to deal with all that once because it's so bad. Although it's not the most commonly used function.
"First they came for the slanderers and i said nothing."
I have always thought that in cases where n is exceeded, [n-1] should get the null terminator. I usually do that explicitly just to be safe. I don't like unterminated strings.
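The two habits discussed in the comments above (keeping the size and the buffer together in one struct behind wrapper functions, and always writing the terminator at [n-1]), as an added example that is not code from any poster in this thread. All names (sbuf, sbuf_init, sbuf_set, sbuf_append, copy_terminated, strncpy_unterminated) are hypothetical and the sample strings are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical type: the size travels with the buffer, so callers
 * never pass a length by hand after initialisation. */
typedef struct {
    char  *data;  /* caller-provided storage */
    size_t cap;   /* bytes in data, including room for the terminator */
    size_t len;   /* current string length, excluding the terminator */
} sbuf;

/* Bind storage to its size once. Returns 0, or -1 on bad arguments. */
int sbuf_init(sbuf *b, char *storage, size_t cap)
{
    if (b == NULL || storage == NULL || cap == 0)
        return -1;
    b->data = storage;
    b->cap = cap;
    b->len = 0;
    b->data[0] = '\0';
    return 0;
}

/* strcat replacement: appends as much of src as fits and always
 * terminates. Returns 0 if all of src fit, 1 if truncated, -1 on error. */
int sbuf_append(sbuf *b, const char *src)
{
    size_t room, n;
    int truncated = 0;

    if (b == NULL || b->data == NULL || src == NULL)
        return -1;
    room = b->cap - 1 - b->len;      /* invariant: len <= cap - 1 */
    n = strlen(src);
    if (n > room) {
        n = room;
        truncated = 1;
    }
    memmove(b->data + b->len, src, n);
    b->len += n;
    b->data[b->len] = '\0';          /* terminator is written on every path */
    return truncated;
}

/* strcpy replacement built on the same single size check. */
int sbuf_set(sbuf *b, const char *src)
{
    if (b == NULL || b->data == NULL || src == NULL)
        return -1;
    b->len = 0;
    b->data[0] = '\0';
    return sbuf_append(b, src);
}

/* Shows the pitfall: returns 1 if strncpy(dst, src, n) by itself leaves
 * dst with no terminator in its first n bytes, 0 if it terminates. */
int strncpy_unterminated(const char *src, size_t n)
{
    char tmp[64];

    if (src == NULL || n == 0 || n > sizeof tmp)
        return -1;
    memset(tmp, 'X', sizeof tmp);
    strncpy(tmp, src, n);
    return memchr(tmp, '\0', n) == NULL;
}

/* strncpy plus the explicit dst[n-1] terminator. Returns 1 if src was
 * truncated, 0 if it fit, -1 on bad arguments. */
int copy_terminated(char *dst, size_t n, const char *src)
{
    if (dst == NULL || src == NULL || n == 0)
        return -1;
    strncpy(dst, src, n);
    if (dst[n - 1] != '\0') {        /* src filled all n bytes */
        dst[n - 1] = '\0';
        return 1;
    }
    return 0;
}

int main(void)
{
    char storage[8];                 /* constructed sample sizes and inputs */
    char d[8];
    sbuf b;
    int r;

    sbuf_init(&b, storage, sizeof storage);
    sbuf_set(&b, "java");
    r = sbuf_append(&b, "plugin");
    printf("append truncated=%d -> \"%s\" (len %zu)\n", r, b.data, b.len);
    printf("strncpy alone unterminated: %d\n",
           strncpy_unterminated("12345678", sizeof d));
    r = copy_terminated(d, sizeof d, "12345678");
    printf("copy_terminated truncated=%d -> \"%s\"\n", r, d);
    return 0;
}
```

The return values let the caller distinguish a clean copy from a truncated one, which the standard functions do not report.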
agreed
"First they came for the slanderers and i said nothing."
I can answer this one: : Back in my rock and roll days a girl I lived with, I was a tall blond "party girl" type, y'know, the kind that likes to "play blonde".. and you'd never quite know if she was acting or not. One particularly hot set, one of the folks I was playing with had one of those headstock-less Steinberg guitars , where the tuning pegs are down by the body of the guitar.. She apparently did not notice, or at least claimed not to notice, and after the set, said for all to hear "Wow! The music was so good the top of the guitar fell off!!" ;-) ;-) ;-) The press folks just stared at each other,and so did anyone else with this weird look like I've never seen before.. more than your typical "here we go again".. Nobody's really sure if it was a blonde moment or a remark of pure genius.. as everybody STILL remembers that gig!!
I never said a C programmer can't make a mess of code, I also never still never mentioned anything about the Java sandbox or the Linux kernel.
No, what you said is:
I never mentioned about the Linux kernel being non exploitable, but if it was written in Java it would be much more exploitable.
The reason I mention the sandbox is because that is where the exploits are. Would you care to bring up another Java language feature that's a security hole?
I've also done enough Java programming to know I'm never going back to it.
You're welcome to use the tools you like. And you're welcome to criticize the tools I like, if your criticism is based on facts. All I ask is that you not spread falsehoods.
Recent builds (since around about JRE 1.7u11) add a checkbox in the Security tab in the Control Panel applet (control.exe C:\Windows\System32\javacpl.cpl) titled, "Enable web content in browser". Uncheck that and never see another Java applet again.
about:plugins in your browser's location bar will verify Java isn't there.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
This is an exceedingly small percentage of development.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
I am going to fucking kill Java! I destroyed Larry Ellison before and I will do it again! (throws chair across room) Posting again because I messed up the previous post, sent from a smartphone (my first /. post ever from one).
Ballmer? Is that you? :P
No colour or religion ever stopped the bullet from a gun
I know it's a joke, hence I made one of my own :P
No colour or religion ever stopped the bullet from a gun