Slashdot Mirror


Oracle Fixes 42 Security Vulnerabilities In Java

wiredmikey writes "Oracle released its quarterly Critical Patch Update (CPU) for April, which addressed a whopping 128 security issues across multiple product families. As part of its update, Oracle released a Java SE Critical Patch Update to plug 42 security holes in Java, 19 with a base CVE score of 10 (the highest you can go) and 39 related to the Java Web Start plugin which can be remotely exploited without authentication. According to security analyst Wade Williamson, organizations need to realize that Java will continue to pose a significant risk. 'The first step is for an organization to understand precisely where and why Java is needed,' Williamson wrote. 'Based on the rate of newly discovered vulnerabilities, security teams should assume that Java is and will continue to be vulnerable.' Organizations should take a long, hard look at Java and answer for themselves if it's worth it, Williamson added. Due to the threat posed by a successful attack, Oracle is strongly recommending that organizations apply the security fixes as soon as possible."

211 comments

  1. still with the java? by vswee · · Score: 0

    oracle should start a fresh new platform. java is making me dislike my bank

    1. Re:still with the java? by jtollefson · · Score: 2

      Why your bank? They're using Java because it isn't going anywhere soon. It's highly integrated all over the place and is leading the way as the language of choice for everything from big-data processing a'la MapReduce frameworks in Hadoop to Mom & Pop shops just looking for a new college grad to put together something for their needs.

      Dislike your bank because they're not treating you like their most important customer, not because they're using Java. =)

    2. Re:still with the java? by Anonymous Coward · · Score: 1, Informative

      It's highly integrated all over the place and is leading the way as the language of choice for everything from big-data processing a'la MapReduce frameworks in Hadoop to Mom & Pop shops just looking for a new college grad to put together something for their needs.

      Yes! COBOL all the way!

    3. Re:still with the java? by TrollstonButtersbean · · Score: 1

      What is 6 times ... ah .. nevermind.

    4. Re:still with the java? by stenvar · · Score: 1

      Java is "the language of choice" for programming in roughly the same way that the military is "the method of choice" for dealing with diplomatic problems.

    5. Re:still with the java? by siDDis · · Score: 2

      In Scandinavia we have to use a java applet called BankID for login to our bank account. This has for the past few months become REALLY frustrating for people who really don't know what Java is. Even technicians who have a basic understanding of what a computer is have problems keeping Java up to date (they don't know where to download it, and therefore accidentally download something they shouldn't) and all of them are infected with that Oracle search toolbar malware.

    6. Re:still with the java? by symbolset · · Score: 4, Insightful

      My teller offered me online banking once. But her monitor was tilted just enough that I could tell she was using IE6. "Um, no. Thanks. I'm good."

      --
      Help stamp out iliturcy.

    7. Re:still with the java? by dropadrop · · Score: 2

      In Scandinavia we have to use a java applet called BankID for login to our bank account. This has for the past few months become REALLY frustrating for people who really don't know what Java is. Even technicians who have a basic understanding of what a computer is have problems keeping Java up to date (they don't know where to download it, and therefore accidentally download something they shouldn't) and all of them are infected with that Oracle search toolbar malware.

      I'm in Scandinavia and don't need to use any java applets...

      Have you considered that there are tens of banks in Scandinavia, and only a handful require java support in browsers? I would be surprised if such banks did not exist outside Scandinavia too. Just switch to something else (at least for day to day banking if you can't move loans).

    8. Re:still with the java? by Anonymous Coward · · Score: 0

      Oh come on, you Scandies are smarter than Americans. Look at your educational system and universal health care. Even this dumb redneck programmer here (me) can figure out how to update java. Go to Google and type in "download java", install it. Ta da! You're done.

    9. Re:still with the java? by Anonymous Coward · · Score: 0

      As far as I can tell, BankID is a native application launched from your browser.

    10. Re:still with the java? by wmac1 · · Score: 0

      Is there ANY type of reasoning or reason in that statement?

    11. Re:still with the java? by allcoolnameswheretak · · Score: 2

      I'm getting tired of this Java bashing in the media due to security issues. Java isn't inherently more insecure than any other platform. On the contrary, it has a sophisticated, built-in security system that most other platforms lack. But of course there are bugs and holes, just like with any other software. The only reason why Java is being exploited and making headlines so much recently is because Java is so widely adopted now that it makes a big target. It's what hackers have their sights on at the moment, just like they had their sights on Flash or Acrobat Reader a while back. If enough people switched to a different platform because Java is so insecure, the only result would be that in a couple of years hackers would be targeting the new platform, because it's the new prime target. Then all of its security holes will gradually be uncovered and the switchers will be just as exposed or even more so than if they had stuck with Java in the first place.

    12. Re:still with the java? by Anonymous Coward · · Score: 0

      Java is the reason you dislike your bank?

    13. Re:still with the java? by Anonymous Coward · · Score: 0

      Your bank is using Java because they can get hordes of cheap, shit-quality programmers for that task.

    14. Re:still with the java? by Anonymous Coward · · Score: 1

      That will remove 42 exploits and add 17 new ones for a balance of 17243.

      And no, I am not joking but estimating.

    15. Re:still with the java? by Joce640k · · Score: 1

      Why your bank? They're using Java because it isn't going anywhere soon. It's highly integrated all over the place and is leading the way as the language of choice for everything

      Sure ... but is it necessary for me to install it in my machine just so I can log into their web site? (Thus exposing me to every other malicious site on the web)

      Same for all those government web sites, etc., that require Java. Not necessary just for a login.

      In reality I only access those web sites via IE and use Firefox for general surfing, but how many ordinary people do that?

      --
      No sig today...

    16. Re:still with the java? by joib · · Score: 1

      I'm in Scandinavia and don't need to use any java applets...

      FWIW, the only "major" bank in Scandinavia which requires java applets is AFAIK Danske Bank, and they are set to introduce a java-free banking site sometime this summer.

    17. Re:still with the java? by DrXym · · Score: 2

      I think it's a good reason to hate a bank. Most banking sites these days have seen the wisdom of using pure HTML, CSS and Javascript. I've seen sites which have used Java to fetch a certificate off the disk which is used in conjunction with authentication. Invariably this is a pain in the ass and immediately makes the site inconvenient to use from any platform / browser the bank hasn't "blessed" for that purpose and some banks will point blank refuse to work if your browser is "wrong".

      I don't blame Java per se - the bank used Java because it was the only way to achieve what they wanted to do. The problem is that what they want to do is stupid and there are alternatives which don't involve so much hassle, e.g. instead of issuing a cert, banks could use a hard token or post out a one time pad book, or employ several layers of security.

    18. Re:still with the java? by Mikkeles · · Score: 1

      What I find interesting is that Java security problems were almost a non-issue until Sun was bought by Oracle.

      --
      Great minds think alike; fools seldom differ.

    19. Re:still with the java? by danskal · · Score: 1

      I use NemId to login to my bank accounts - Nordea et al., as well as the tax authorities and any government website you choose to log in to.

      They all use Java, and I am fine with that.

    20. Re:still with the java? by aled · · Score: 1

      you mean in your country it is?

      --
      "I think this line is mostly filler"

    21. Re:still with the java? by chad_r · · Score: 1

      The only reason why Java is being exploited and making headlines so much recently is because Java is so widely adopted now that it makes a big target.

      But there's nothing wrong with examining whether Java in the browser should be widely adopted. After the last merry-go-round of critical updates I deleted the Java plugin and haven't noticed a difference. The only site I encountered since then that used any embedded Java was the Taiwan Ministry of Education using it for some unimportant news ticker (which sums up browser applets in general: a distant reminder of Geocities and Livejournal). Even before then, Firefox intermittently would disable Java plugins as being insecure, so Java applets haven't been a seamless experience for a while.

      I still have the JRE around on my work machine for some development tools that need it. But the usage is all local, so there is no urgent need to update. Plus, the update process has been broken in Windows 7. The update check and nag warning comes up for all users, but the installation can only be done by an admin account. Even as an admin, the update fails because it's expecting to download to a temp directory that doesn't exist. I deleted Java completely from my family computers, because I got tired of reassuring everyone that the constant update warnings weren't serious. Nobody has missed it.

    22. Re:still with the java? by Anonymous Coward · · Score: 0

      Well, as the other guy said, it is COBOL all over again.

    23. Re:still with the java? by allcoolnameswheretak · · Score: 1

      True. I suppose a third of the people with Java installed don't really need Java. Another third probably don't want or need the browser plugin. It should be an optional part of the installation. The final third are the professional or educated users who know what they are doing, probably need Java and are savvy enough to disable the browser plugin, if they don't need it.

      The main problem of IT security is always that most users just don't know better.

    24. Re:still with the java? by jones_supa · · Score: 1

      Java security problems have been brought up in a larger scale only in the past few months.

    25. Re:still with the java? by TapioNuut · · Score: 1

      When Danske Bank bought Finnish Sampo Pankki, they forced it (and its customers) to move to Danske Bank group's online banking software which pretty much sucked and supposedly still sucks. And requires Java.

      Sampo Pankki had one of the best online banking experiences in Finland, feature- and usability-wise. It did not require Java or other silliness from the client.

      IIRC the Danske Bank applet's client code had some obfuscation/encryption features in it but the author hadn't used them. So the code was easily opened and analyzed. One of the things they found out was that the Java software collected very detailed information from the client computer and user and sent it to the server. This was information which has nothing to do with banking.

      During the transition Danske Bank had a lot of problems not only in the web bank but in money transfers etc. The fiasco caused an outrage and they say even tens of thousands of customers left. This is not a small thing in a country of about 5.4 million people.

      I closed all my accounts with Sampo Pankki soon after the whole thing, mainly because of the crappy web bank, Java dependency and the privacy violations. Sadly though my new bank's web bank wasn't nearly as good as Sampo Pankki had before Danske crap. But it sure beats running some spyware Java applet while doing banking online...

      --
      Tapio 'itn' Nuutinen

  2. I only drink coffee by MarcAuslander · · Score: 0

    Removed java a while ago. I haven't found a site I cared about that needed it. We should all pressure any sites that still use it to get off it.

    1. Re:I only drink coffee by 0racle · · Score: 1

      Java is used for a lot more than just powering websites.

      --
      "I use a Mac because I'm just better than you are."

    2. Re:I only drink coffee by binarylarry · · Score: 5, Informative

      Few sites use Java applets (which is what you uninstalled).

      Far more sites use Java to power the site on the server side (Google, Amazon, Ebay, etc).

      --
      Mod me down, my New Earth Global Warmingist friends!

    3. Re:I only drink coffee by Freaky+Spook · · Score: 5, Interesting

      I need to use java interfaces every day. Cisco, EMC, Brocade, HP, IBM, Dell all use java for their management consoles, and I have to keep at least 6 different installers to be able to use them properly, as periodic updates to java tend to break access to them if the client hasn't been keeping up with their firmware updates (which is pretty much everyone).

      It can be frustrating when you need 3 different versions of java to complete one job.

    4. Re:I only drink coffee by __aawmso8327 · · Score: 2

      Write once, debug everywhere.

    5. Re:I only drink coffee by aztracker1 · · Score: 2

      Write once, run anywhere*

      * where available, void where prohibited, quantities limited, some restrictions may apply, batteries not included.

      --
      Michael J. Ryan - tracker1.info

    6. Re:I only drink coffee by VeryBest52 · · Score: 1

      Yep, +1 there, what's annoying is having to work with an old PIX firewall from a modern day machine running an up-to-date version of java. Java Web Start and Java Applets are the bane of my existence and I hope they burn in hell real soon. Then we talk about updates... Has anyone ever tried to update java without admin access on a Windows box? As often as they are rolling out updates we find ourselves spending 1/3rd of our weeks just keeping java up to date on everyone's machines.

    7. Re:I only drink coffee by jhoegl · · Score: 1, Funny

      Yeah!
      It's also used for terribly engineered front end software and to slow down the most powerful supercomputer to a crawl because the guys that used it were too lazy to learn C++ and proper coding.
      Oh... developed for Object Oriented Programming you say? Well hell yeah... it only takes 15 lines of code to say "Hello World!"
      WWWWEEEEEEEEEEEEEEE!!!!!

    8. Re:I only drink coffee by Anonymous Coward · · Score: 3, Informative

      it only takes 15 lines of code to say "Hello World!"

      lolwut?

      if you need 15 lines of java to do a 'hello world', then the problem is with the person in the mirror.

      for all its faults, the browser plugin being the most obvious, java for apps is freakin awesome. None of the obtuse BS of C and C++ but all the ability...not to mention all the free libs. Frankly, if it weren't for Java, I'd be sleeping on the streets.

    9. Re:I only drink coffee by Anonymous Coward · · Score: 0

      too lazy to learn C++ and proper coding.

      Hahaha. C++ is the worst of C and Java combined together into one gigantic unreadable, unmaintainable, untestable mess.

      Remind me how many different types of pointers C++ has nowadays?

    10. Re:I only drink coffee by eennaarbrak · · Score: 1

      That is rather curious. Java has always been backwards compatible - using the latest version should always work with older code (unless these libraries use proprietary extensions, in which case this is not a Java issue but a library issue). Care to share what type of problems you run into?

    11. Re:I only drink coffee by wmac1 · · Score: 1

      Oh boy....

      Have you heard about JEE?

      Besides could you give us your reasons why C++ would be a better choice?

    12. Re:I only drink coffee by sodul · · Score: 1

      One example: Groovy code compiled with JDK 6 will throw exceptions when running in JRE 7. It is indeed a design flaw in Groovy, not in Java:
      http://blog.proxerd.pl/article/how-to-fix-incompatibleclasschangeerror-for-your-groovy-projects-running-on-jdk7

    13. Re:I only drink coffee by kevingolding2001 · · Score: 4, Funny

      Write once, run away*

      * I can't take original credit for this. I read it somewhere and thought it was very funny.

    14. Re:I only drink coffee by Anonymous Coward · · Score: 0

      Yeah - Java Is The Language Of the Homeless !

    15. Re:I only drink coffee by Anonymous Coward · · Score: 0

      In the hands of an experienced and disciplined professional, the C++ compiler can generate extremely efficient and secure(*) code, while even the very best Java developer will be inhibited by

      - every object must be heap-allocated
      - there are only pointer (yeah, they call it "reference") arrays; no value arrays of objects
      - everything will be collected by GC, not when I the experienced pro want it to be collected.
      - the intrinsic un-realtimeness of the point before
      - the shitty ergonomics (freezes of the GUI) caused by the point before

      * that implies in my opinion to refrain from using "bare" pointers, including char*

      Here's a compiler which will spit out memory-safe C++:

      http://sourceforge.net/p/sappeurcompiler/code-0/HEAD/tree/trunk/doc/SAPPEUR.pdf?format=raw
      http://sourceforge.net/p/sappeurcompiler/code-0/HEAD/tree/trunk

    16. Re:I only drink coffee by wmac1 · · Score: 1

      In the hands of an experienced and disciplined professional, the C++ compiler can generate extremely efficient and secure(*) code, while even the very best Java developer will be inhibited by

      Like the developers working on browsers and operating systems? Extremely efficient and secure?

      Thank you!

    17. Re:I only drink coffee by david_thornley · · Score: 1

      If you're looking for a language that will always produce extremely efficient and secure code, well, I think you'll need to incorporate unicorn farts into the compiler and linker both. If you're looking for a language that can produce extremely efficient and secure code when written by a non-expert, that's maybe slightly more achievable. If you're looking for a language that can produce extremely efficient and secure code when written by experts (and this includes knowing which features of the language to use, and which to run screaming from), C++ will do very well.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes

    18. Re:I only drink coffee by Anonymous Coward · · Score: 0

      1. Groovy is a shit language. Use Scala, Clojure or JRuby.
      2. As you said it is a Groovy issue so,
      3. Your entire post is worthless and off-topic
      4. Go fuck yourself.

    19. Re:I only drink coffee by wmac1 · · Score: 1

      If you're looking for a language that can produce extremely efficient and secure code when written by experts (and this includes knowing which features of the language to use, and which to run screaming from), C++ will do very well.

      The thing is that even Java would do fine under those circumstances. I am not talking about browser plugins though.

      Coming from someone who has developed in both languages for decades.

  3. #1 web error by EmperorOfCanada · · Score: 3, Interesting

    What I have observed is that many corporate types adopted Java about 8-10 years ago and seem to be largely sticking with it. But what I don't see are any organizations now switching to Java. The very occasional organization also seems to be dropping Java. At this rate the corporate world will still be using Java for a long time but I don't think it is where the cool kids are. Interestingly there seems to be no one thing replacing Java. I see python definitely becoming the language of choice in certain limited areas such as science and hedge-funds. I see some people tossing their java web front ends and replacing it with an array of things even including PHP.

    So all in all where Java is it will probably stay and I doubt that these security concerns will damage that audience much. What reports like this will certainly do is to dissuade many potential adopters of Java based technologies.

    1. Re:#1 web error by binarylarry · · Score: 1

      Java "front ends" never really had much market share this side of the millennium.

      Java is an extremely common development technology to use for any medium to large web app though.

      --
      Mod me down, my New Earth Global Warmingist friends!

    2. Re:#1 web error by Anonymous Coward · · Score: 2, Interesting

      What reports like this will certainly do is to dissuade many potential adopters of Java based technologies.

      Which is a shame, because these vulnerabilities (which, for the most part, are either in the web plugin itself, or in aspects of the JVM that are only exploitable through the web plugin) have no bearing on Java's suitability for its most popular uses.

      The best move Oracle could make to rectify Java's public perception is to un-bundle the goddamn web plugin from the JRE. It's like a festering, oozing sore smack dab on the middle of the face of the platform.

      Make it optional, part of a separate download, and bury the link somewhere behind a registration wall on the support pages where only the most determined IT pinheads will ever find it.

    3. Re:#1 web error by Anonymous Coward · · Score: 4, Insightful

      Speaking as someone who does Release Engineering professionally, and thus tends to see all the technologies that a company uses in deploying modern systems, Java is still #1 by a long shot, and I continue to see new development done all the time.

      It's all middleware, though. And, frankly, for pretty much any reasonably scalable system which has some sort of a front end web-ish part, a middleware "business logic" part, and a DB backend, Java is not only the leader, but it's essentially one of two choices: .Net is the other.

      Standalone apps don't much exist in Java anymore (the few that do are mostly legacy). It's also almost completely disappeared as part of the Frontend portion of content delivery (i.e. not in the dynamic content being served to the end user, nor in the "web server" portion of the infrastructure).

      But in terms of middleware, well, only .Net is a serious competitor in terms of enterprise requirements. Java's got all the nice library and code support, plus plugins and stuff for all the build/deployment/test infrastructure. C++ doesn't even come close, and python/ruby/perl aren't even in the running. Now, there are architectures where there IS no middleware, and the frontend system actually is a python program which both serves content and has business logic in it, but I see them far less commonly, and they have serious scalability issues.

      And, frankly, the middleware tier is also the place which minimizes Java's deficiencies, and maximizes its strengths.

      As far as the future goes, I desperately wish Oracle would quit expanding the featureset of Java, and just spend all the time cleaning up the codebase. Java (the language) is more than feature-full at this time, and there's really very little need to keep adding stuff to the language. The codebase, on the other hand, needs at least a couple of years of full-on cleanup. The JVM itself is still pretty solid, but everything else is suffering from neglect pretty badly.

    4. Re:#1 web error by aztracker1 · · Score: 1

      As much as I honestly don't care for Java development, I have to agree.. giving me a browser plugin that the vast majority of sites don't legitimately use along with the runtime that's needed to make desktop/background apps run is nutty. At this point I'm avoiding Java apps altogether, since I just don't want to deal with the hassle.

      .Net and Java are old and busted, over-engineered slow, bulky crap these days... A lot of the dynamic stuff like Python and NodeJS get you where you're going, maybe a tiny bit slower in some cases, but much less development overhead.

      --
      Michael J. Ryan - tracker1.info

    5. Re:#1 web error by ADRA · · Score: 3, Interesting

      Trust me, as an implementor, there are plenty of new enterprises lining up moving to Java from C/C++/legacy. The alternatives are hodge podge languages which will most likely not work for supporting a large number of diverse product categories, or you go with C/C++ and pay a crap load more money for developers & more time spent. Or, you can go with .NET which is fine if you're an all MS shop (less and less) or you rely on Mono for your non-windows systems (tough sell).

      Where's the panacea of general programming environments where:
      1. You can integrate it with -practically anything- (whatever the customer's currently plugged into -- protocol/socket, old DB's, all those queue systems, email, batch tools, clustering(scale), etc..) with little development overhead
      2. Easy access to developers with varying degrees of cost / performance
      3. 100% support on mainstream deployment platforms of choice

      If you're not answering these three questions, most non-dev centric businesses won't be playing ball.

      "but I don't think it is where the cool kids are"
      Yes, there's a big difference between what some people want to develop in, and what people actually write useful code in. Joe rock-star could do all his work in Scala/Groovy/Ruby/Python/langoftheweek, but without super unsexy long term support from competent developers, that software will crumble and die with the company forced to move their platform to something more standard just to find people to keep it alive.

      --
      Bye!

    6. Re:#1 web error by hey · · Score: 1

      Java is the only choice for things like that. It is quite nice, actually.

    7. Re:#1 web error by Anonymous Coward · · Score: 0

      .Net and Java are old and busted, over-engineered slow, bulky crap these days... A lot of the dynamic stuff like Python and NodeJS get you where you're going, maybe a tiny bit slower in some cases, but much less development overhead.

      Java is generally faster in all cases. I'm no fan of the JVM, but I give respect where it's due.

      Your comment is really ignorant of factual knowledge. Python may be easier to program in (I hate Python, btw, I find its syntax annoying and much of the library unintuitive), but it doesn't yet even approach the performance of the JVM.

      http://benchmarksgame.alioth.debian.org/u64q/benchmark.php?test=all&lang=java&lang2=python3&data=u64q

    8. Re:#1 web error by Anonymous+Brave+Guy · · Score: 1

      giving me a browser plugin that the vast majority of sites don't legitimately use along with the runtime that's needed to make desktop/background apps run is nutty

      Unfortunately, that's not the situation for many people.

      In reality, a lot of very popular web sites and applications do run Java applets, even if you personally happen not to use any of them. Common examples in these kinds of discussions are a few major banks, some national government web sites, some teleconferencing/screen sharing tools widely used in businesses, a few games, etc.

      Meanwhile, many people at home have no use for Java for desktop/background applications at all. Relatively little end user software is actually written in Java these days, and Java's most popular use seems to be writing business middleware code.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.

    9. Re:#1 web error by Anonymous Coward · · Score: 1

      In other words, if you want to use mediocre and cheap developers, you take the Java route and then spend like mad for hardware. You will also spend like mad for all the bugfixing your mediocre developers require for the next five years.

      Or, you take a less-than popular route and hire top-class, expensive C++ software engineers, spend some more money upfront and then have very low hardware requirements and very moderate maintenance costs.

      But hell, why should I buy a Mercedes, if a FIAT can drive, too ?

    10. Re:#1 web error by Anonymous Coward · · Score: 0

      Sorry but the mere fact you branded Scala/Groovy/Ruby/Python as "languages of the week" shows your post is not worth reading...

    11. Re:#1 web error by Anonymous Coward · · Score: 0

      Java is the COBOL of the 21st century.

  4. Naive question by DoofusOfDeath · · Score: 5, Insightful

    What's the deal with people saying Java is a major source of insecurity?

    Does that mean compared to C++? Are they comparing (Java + all its libraries) to (C++ plus one instance of each library which is needed to match Java's standard libraries)? Insecurity of the JVM itself, compared to native object code?

    I honestly can't tell.

    1. Re:Naive question by Anonymous Coward · · Score: 0

      It does sound like an anti-Java marketing blitz, doesn't it.

    2. Re:Naive question by Anonymous Coward · · Score: 0

      The problem with Java/JVM/JRE is that _everybody_ uses the exact same broken code, and because Java is still largely proprietary in practice it takes forever to get it fixed, not to mention to be publicly disclosed. That leaves hackers a huge window to break stuff.

      Also, heap and buffer overflows aren't that common these days in widely used projects. Most of the idiot programmers don't C anymore. They moved on to Java, or even C++.

      And the bugs which allow hackers to steal your social security or bank account number are just as common in Java as everywhere else, sadly.

    3. Re:Naive question by aztracker1 · · Score: 1

      I thought it was all the abstracted interfaces and "Enterprise" grade design patterns that make software harder to maintain.

      --
      Michael J. Ryan - tracker1.info

    4. Re:Naive question by Anonymous Coward · · Score: 4, Informative

      What's the deal with people saying Java is a major source of insecurity?

      Does that mean compared to C++? Are they comparing (Java + all its libraries) to (C++ plus one instance of each library which is needed to match Java's standard libraries)? Insecurity of the JVM itself, compared to native object code?

      I honestly can't tell.

      Really, none of the above. Of those, "Insecurity of the JVM itself" is closest to the truth.

      The big problem with Java is the browser plugin.

      For the most part, these vulnerabilities (I'm generalizing) are in the parts of the JVM that are used by the Java browser plugin, or in the plugin itself.

      It's actually one of the great ironies of Java. The Java language, and the JVM, were actually pretty well designed with regards to security; things like strong typing and garbage-collected memory management go a long way toward preventing ordinary bugs from becoming security issues. Unfortunately, long ago, Sun figured Java was so safe that there would be no risk with running Java code ("applets") off the Internet, right in your browser. So they built a sandbox into the JVM, and created the Java applet embedding browser plugin that depended on that sandbox to prevent applets from harming your computer.

      And in doing that, they overreached, especially as they began adding features* that made the sandboxing of code from the Web harder and harder to enforce.

      Get rid of the browser plugin, and Java is no worse than any other language/platform. Probably better than some.

      C++ doesn't have this problem, because there is no equivalent browser plugin that allows random bits of C++ code from the web to get onto your computer.

      * I have heard that JVM support for dynamic languages in the version 7 JVM is a big reason for the growth in security vulnerabilities. I'm not educated enough to say whether this is true or nonsense, but it seems plausible.

    5. Re:Naive question by Anonymous Coward · · Score: 0

      If by "bad programmers" you mean Sun and Oracle, then yes, I agree.

    6. Re:Naive question by Anonymous Coward · · Score: 0

      What's the deal with people saying Java is a major source of insecurity?

      Does that mean compared to C++? Are they comparing (Java + all its libraries) to (C++ plus one instance of each library which is needed to match Java's standard libraries)? Insecurity of the JVM itself, compared to native object code?

      I honestly can't tell.

      Generally, they're talking about "having a Java plug-in in your web-browser" versus "not having a Java plug-in in your web-browser". Insecurity in the Java web plugin that lets websites deliver Java code to your browser that executes on your computer. (They can break out of the sandbox and run code that does more than it should be able to.)

    7. Re:Naive question by VortexCortex · · Score: 2

      What's the deal with people saying Java is a major source of insecurity?

      Does that mean compared to C++? Are they comparing (Java + all its libraries) to (C++ plus one instance of each library which is needed to match Java's standard libraries)? Insecurity of the JVM itself, compared to native object code?

      I honestly can't tell.

      Yes. The design of the stack-based language traded speed for size. When run as an interpreted language pure Java is very secure. However, now that it has JIT compilation you're basically just taking data, flagging that as code, then running it. That's what's inherently insecure. Not only do you have to worry about defects in the applications and library code, but also the virtual machine itself, which lowers the bar for malicious data to get itself marked as code, and executed. Combine that with the fact that in order to call an implementation "Java" it must have all those bells and whistles, PLUS backwards compatibility for deprecated features, AND a significantly huge section of "all its libraries", anything with the "Java" name attached is synonymous with Exploitable -- Anything with an attack surface that wide is. That Java is deployed on powerful well-connected hardware as well as on end user machines through client side browser plugins makes it a perfect environment for anyone getting into malware development, the largely non-patched state of things and the fact that older (unpatched) versions are still sitting on your hard drive after a new update, waiting to be exploited by any malware that specifically targets them (check your installed program list and see), means that Java is considered "a major source of insecurity" by security experts worldwide, yours truly included.

      You and I know that a language isn't just its implementation, however, with Java: It is. That's a requirement of Oracle's trademark license. Which is why Oracle sued over Android (which uses the language Java, but not the implementation) -- So, when they say "Java", it's not the syntax we're talking, it's "Java" as defined by its owner.

      I loved Java once. Java COULD have been an amazing lightweight sandbox for application development, but it isn't. Java COULD have been the One Runtime to Rule them all if it wasn't so fracking complex, and native cross platform application development frameworks didn't exist (and work better). What is Java really though? Java is a way to make your application cross platform without releasing the source code... If you release the source code then Java's benefit is its unified API -- Which other cross platform toolchains provide. When I tally things up, including the massive source of exploits, extreme slowness (due to emulated floats -- not even using the FPU), Java just doesn't make sense for me. The advice in the submission is sound. Figure out if Java is worth it, look at the other solutions, and see if it's really the best way forward, all things considered, including security.

      Also Note: monocultures become extinct IRL when a single vulnerability wipes out the species, it's not just Java that is punished for dragging along unneeded complexity and unused features, it's a dumb design that is punished by the nature of the universe itself time and again throughout history. The efficiency requirements of life (less energy to maintain a less complex system) and competition combat this in life forms... Hell, Sex was invented as a better alternative to doing shit like Java does.

    8. Re:Naive question by Anonymous Coward · · Score: 0

      If you really have to ask...

      I recommend you uninstall your C++ browser plugin ASAP, and reinstall the machine from read-only media.

    9. Re:Naive question by Anonymous Coward · · Score: 0

      Good answer.

      So if C++ is so much better (and can automatically avoid security problems !!!), why do the browsers developed with C++ have so many security problems? Or the operating systems or hundreds of other non-Java software?

    10. Re:Naive question by DoofusOfDeath · · Score: 1

      Don't get stars in your eyes just based on the company name.

    11. Re:Naive question by Anonymous Coward · · Score: 0

      The difference is no-one ever claimed C++ was secure.

    12. Re:Naive question by Anonymous Coward · · Score: 2, Insightful

      There was ActiveX, which was a fancy name for "let's download DLLs from websites and execute them in the browser process". We all know that bombed massively, especially because a rogue website could launch (e.g.) HP's DLLs inside their HTML code. They would then proceed to exploit the buffer overflows in the HP DLLs.

      ActiveX was a security nightmare based on downloaded C++ DLLs. You see, mankind enumerates all possible ways of crap until it decides to limit itself to the less dangerous crap (JS).

    13. Re:Naive question by Anonymous Coward · · Score: 0

      When I started my programming Java was the new thing and it was designed to be extra secure... but it turns out that this was BS and it had many flaws... but really is this any more unsafe than using other products (that allow remote control or full control of the machine)? And if you are trying to integrate Java with other systems, you can have some real fun... http://en.wikipedia.org/wiki/Criticism_of_Java

      When Oracle took over from Sun, they didn't seem to acknowledge or address security issues, for a long time. So in the last year or so (in my work as an IT admin) I've replaced the service that needed Java and have taken Java off the machines... so glad to get rid of the update popup box that needed admin rights and I've had a lot less problems with the machines (virus and malware). I must admit, I don't know if this is related but it seems suspicious that machines with Java installed were the first to get bugged out. This was all from innocent web surfing (supposedly legitimate sites that may have been compromised).

      I never investigated bugs, I just remove the machine from the network and re-image... saving hours of scanning and research. After all, once a machine has been compromised, you can't really know it's been cleaned properly.

      Moral of the story: Only have programming environments that you really need, and keep them updated with the latest security patches.

    14. Re:Naive question by Anonymous Coward · · Score: 0

      Java's "strong" typing sucks ass. It is a shitty, brain-dead system.

      Also Java is forever vulnerable to integer overflow attacks because Java completely ignores the problem
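
      The integer overflow point above, as an added example that is not part of the original post: Java int arithmetic wraps silently, so an unchecked `offset + len <= buf.length` test accepts a pair it should reject, while Math.addExact (Java 8 and later) or widening to long catches it. The buffer, the input values and the check itself are constructed for illustration, not taken from any real Java library.

```java
// Added example: silent int wraparound defeating a length check in Java,
// beside two checked alternatives. Buffer and inputs are constructed.
public class OverflowCheck {
    // Constructed 64-byte buffer standing in for a parser's input buffer.
    static final byte[] BUF = new byte[64];

    // Unchecked: Java int addition wraps on overflow, so offset + len can
    // become negative and the comparison against BUF.length still succeeds.
    static boolean uncheckedInRange(int offset, int len) {
        return offset >= 0 && len >= 0 && offset + len <= BUF.length;
    }

    // Checked: Math.addExact throws ArithmeticException on overflow instead
    // of wrapping, so an absurd (offset, len) pair is rejected.
    static boolean checkedInRange(int offset, int len) {
        try {
            return offset >= 0 && len >= 0 && Math.addExact(offset, len) <= BUF.length;
        } catch (ArithmeticException e) {
            return false;
        }
    }

    // Equivalent check without the exception path: add in long arithmetic,
    // where the sum of two ints cannot overflow.
    static boolean widenedInRange(int offset, int len) {
        return offset >= 0 && len >= 0 && (long) offset + (long) len <= BUF.length;
    }

    public static void main(String[] args) {
        int offset = 16;
        // offset + len exceeds Integer.MAX_VALUE and wraps to a negative int.
        int len = Integer.MAX_VALUE - 8;
        System.out.println("unchecked accepts: " + uncheckedInRange(offset, len));
        System.out.println("addExact accepts:  " + checkedInRange(offset, len));
        System.out.println("widened accepts:   " + widenedInRange(offset, len));
        // Java's array bounds checks still stop an out-of-bounds memory
        // access (a later System.arraycopy would throw), so the consequence
        // of the unchecked path is a bypassed limit, i.e. a logic flaw,
        // rather than the memory corruption the same bug causes in C.
    }
}
```

      The realistic failure mode is a size or length limit that a parser believes it enforced; the long-widening variant is the usual choice when both operands are ints and the exception path is unwanted.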

    15. Re:Naive question by david_thornley · · Score: 1

      From where I was watching, it looked like the browser plugin was what made Java popular. Back then, if you wanted to do anything complicated client-side on the web, you wrote a Java applet. After that, I started seeing magazine articles about server-side Java, since people had all these web guys who knew Java, and that's where it developed to its present roles.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  5. Repeat after me by Anonymous Coward · · Score: 0

    It's not "Java" it's "Java browser plugin". Nothing to see, move on.

    Organizations should take any long or hard looks, since there isn't really any choice when it comes to Java. You're either running Java, or you're running Windows. No Java, no Linux on the server side. Sorry to break it, oops.

    1. Re:Repeat after me by viperidaenz · · Score: 5, Insightful

      yeah, it should read: 3 Java security vulnerabilities (2 are client only) and 39 Java Web Start vulnerabilities fixed.

    2. Re:Repeat after me by MareLooke · · Score: 1

      Yeah, but that doesn't make for such an impressive OP... Spreading FUD makes for better headlines you know...

  6. Oh come on... by Zephiris · · Score: 4

    It's been worrying me that the tagline "News for nerds, stuff that matters" has been removed from Slashdot (except in the source code, but gets replaced on any/all page loads), but this story is coming behind both TFA and the actual patches being available for two full days prior.

    It's no "Preskill mocks Stephen Hawking" quote from 2012, like the other article, but maybe this could've ended up -slightly- higher priority given that it fixes 1-2 remote unauthenticated exploits in Java, and IIRC 3 in Oracle DB.

    --

    "A Goddess rarely smiles for she is forced by others to be an island unto herself." - Zephiris
    1. Re:Oh come on... by VortexCortex · · Score: 1

      It's been worrying me that the tagline "News for nerds, stuff that matters" has been removed from Slashdot (except in the source code, but gets replaced on any/all page loads), but this story is coming behind both TFA and the actual patches being available for two full days prior.

      It's no "Preskill mocks Stephen Hawking" quote from 2012, like the other article, but maybe this could've ended up -slightly- higher priority given that it fixes 1-2 remote unauthenticated exploits in Java, and IIRC 3 in Oracle DB.

      Nerds submit the news here. This is the stuff they think matters. If it's not prioritized the way you like, then promote the things you like and firehose the other submissions down. Perhaps there are just more nerds that don't give a frack about Java vulns than you think. E.g: None of my 8 home Linux boxes, or the 20 I manage for my day job have that pox installed -- Then again, the only "Enterprise" things I do are related to science fiction. Guess I'm not nerd enough if I'm using Xen VMs to virtualize right on the metal instead of that slow, non FPU supporting, software VM: Java. Love ya, Gramps, but I don't share your beliefs (as should be expected).

    2. Re:Oh come on... by Anonymous Coward · · Score: 0

      It's been over a year since I have had any machine run Java. The last one I pulled it off was a server when I decommissioned the last support tool that we were using that required it (and yes, it using Java was one of the main reasons to give that tool the arse).

  7. So 10,000+ to go by Anonymous Coward · · Score: 0

    In 15 years Java might be safe. Although still incredibly out of date for anything useful to the browser.

  8. You're using it wrong by viperidaenz · · Score: 4, Insightful

    Java isn't evil, Browser plugins are.
    Leave Java on the server side and be done with it.

    1. Re:You're using it wrong by StormReaver · · Score: 5, Insightful

      Leave Java on the server side and be done with it.

      Or learn to use Java properly on the client side, which means stop using it as a browser plugin. Java makes an excellent desktop application development platform, but an absolutely lousy browser plugin.

    2. Re:You're using it wrong by viperidaenz · · Score: 4, Informative

      Yes. That's exactly what I'm doing at my current job. Java back end, Java thick client.

    3. Re:You're using it wrong by stenvar · · Score: 2

      Java makes an excellent desktop application development platform, but an absolutely lousy browser plugin.

      You may like Java as a developer, but Java fails to integrate properly with any of the desktops; Java desktop apps are a nightmare.

    4. Re:You're using it wrong by Anonymous Coward · · Score: 0

      Double yes to this. IMMHO Java is an awesome language for developing stand-alone apps.

      There are many excellent options such as packaging jars as exe's etc etc so it gets my vote.

    5. Re:You're using it wrong by dropadrop · · Score: 2

      Java makes an excellent desktop application development platform, but an absolutely lousy browser plugin.

      You may like Java as a developer, but Java fails to integrate properly with any of the desktops; Java desktop apps are a nightmare.

      I've seen a lot of nice Java desktop apps and a lot of bad ones.

    6. Re:You're using it wrong by Anonymous Coward · · Score: 2

      Java makes an excellent* desktop application.

      * Excellent is defined here as "slow, ugly and memory hungry."

    7. Re:You're using it wrong by Ash-Fox · · Score: 1

      Or learn to use Java properly on the client side, which means stop using it as a browser plugin.

      So, how do I use the virtual machine remote management interface that is only available in java on a webpage?

      --
      Change is certain; progress is not obligatory.
    8. Re:You're using it wrong by stenvar · · Score: 2

      Whether they are "nice" or not in and of themselves isn't the point. They fail to integrate with the desktop, they don't behave like native apps, and they don't look like native apps either.

    9. Re:You're using it wrong by sproketboy · · Score: 1

      Citation? I thought not.

    10. Re:You're using it wrong by dropadrop · · Score: 1

      Whether they are "nice" or not in and of themselves isn't the point. They fail to integrate with the desktop, they don't behave like native apps, and they don't look like native apps either.

      Maybe that depends on the desktop? Could it actually be that some (read whatever you are using) desktops are seriously limiting how different kinds of applications can be integrated degrading the user experience? Bashing the apps might be the wrong way around, as the problem is on the desktop environment.

    11. Re:You're using it wrong by Bill_the_Engineer · · Score: 1

      GUI toolkits that promise cross-platform compatibility stick to the lowest common denominator of native features and then build on it. Java does a pretty good job of integrating with most desktops without the burden of cross compiling for every single target environment. Qt and Gtk applications do not look native on all desktops either.

      The main factor affecting desktop integration is the amount of effort a developer will put into programming the GUI. This can be said for all libraries.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    12. Re:You're using it wrong by Anonymous Coward · · Score: 0

      Whether they are "nice" or not in and of themselves isn't the point. They fail to integrate with the desktop, they don't behave like native apps, and they don't look like native apps either.

      Whether they integrate with the desktop or not depends on how much effort the developer put into it. A Java app can look, feel, and work just like a native app if the developers put forth the effort.

      You only notice it's Java when they don't. When they do, you don't notice and you assume they're native code.

      The worst you could truthfully say is that Java enables lazy UX and quick-and-dirty cross-platform ports.

    13. Re:You're using it wrong by pne · · Score: 1

      Java makes an excellent* desktop application.

      * Excellent is defined here as "slow, ugly and memory hungry."

      Reminds me of this joke:

      "Knock, knock"

      "Who's there?"

      ...

      ...

      ...

      ...

      "Java."

      --
      Esli epei etot cumprenan, shris soa Sfaha.
    14. Re:You're using it wrong by stenvar · · Score: 1

      Citation? I thought not.

      Better than a citation: just download desktop Java apps and run them on OS X or Gnome or KDE.

    15. Re:You're using it wrong by stenvar · · Score: 1

      It's not the apps that I bash, it's the Java platform: it set out to deliver a great cross platform experience and it failed, because what it attempted to do is impossible. The only way you can get a good experience on each platform is to customize your app for each platform.

    16. Re:You're using it wrong by sproketboy · · Score: 0

      Something like jshot http://jshot.info/ you mean? Works great for me on Mac and Windoze. I don't know or care about the .02% of Linux garbage. Maybe if the Linux clowns could get their act together. .....

    17. Re:You're using it wrong by asola · · Score: 1

      Absolutely agree. It is possible to write excellent Java desktop applications especially if you use an RCP platform like the Netbeans RCP or Eclipse RCP.

      It is even possible to make them good looking with modern Swing look & feels like JGoodies.

    18. Re:You're using it wrong by Anonymous Coward · · Score: 0

      230 downloads on CNET and no reviews.

      One review on Softonic: http://jshot.en.softonic.com/opinion/does-its-job-but-no-way-is-it-worth-it-355248

      It doesn't even come with a standard installer.

      Yup, that about sums up the success of Java-based desktop apps.

    19. Re:You're using it wrong by Anonymous Coward · · Score: 0

      FYI there is such a thing in Java called look and feel which tries to render all the widgets to look like native OS widgets based on the OS on which the JVM is running.

    20. Re:You're using it wrong by StormReaver · · Score: 1

      * Excellent is defined here as "slow, ugly and memory hungry."

      Java was very slow until Project Mustang, at which time it became very fast for most uses. Two excellent examples are JTable and the printing system. I've populated JTables with a few hundred thousand rows (typically seven or eight columns wide) in the blink of an eye, with scrolling being just as responsive as with just a few dozen rows. And printing, which was completely unusable prior to Mustang, became as fast as anything else. A bug in my program caused my print loop to never exit, a situation that occurred to me immediately after I started the program. I killed the program immediately, but it had already generated a dozen pages and delivered them to CUPS in that time.

      Ugly is an entirely subjective term, so I'm not going to debate it here. My customers, however, are uniformly complimentary on the look and feel of my user interfaces.

      Some of the computers my Java desktop software runs on had, until just recently, 512MB of RAM and were running XP. My software started immediately, and caused no more noticeable paging than was already happening. It ran continuously every day from the start of business until the close of business, causing no issues beyond Windows' normal problems.

      It's understandable why these Java memes survive beyond their useful lifespans, as Java performance really sucked for a long time, but Sun did an absolutely fantastic job during Project Mustang. Most of these memes continue solely on their own inertia, despite no longer being based on reality.

    21. Re:You're using it wrong by Anonymous Coward · · Score: 0

      With JavaFX2 java in the browser is again a viable solution.

      Java's browser plugin has very few real exploits in the wild.

    22. Re:You're using it wrong by Anonymous Coward · · Score: 0

      Whether they are "nice" or not in and of themselves isn't the point. They fail to integrate with the desktop, they don't behave like native apps, and they don't look like native apps either.

      I find Eclipse works perfectly adequately. It looks as much like a native app as anything else, and I don't see any way in which it fails to integrate with my desktop where I can't also easily complain about a dozen native apps that have the same issue. It's much better in both respects than, say, Photoshop.

      And if you don't like Eclipse's approach, you could look at stuff implemented using other toolkits. There's a Java binding for QT that has gained some traction lately, and a Java GNOME binding, if that's your preferred environment. I haven't tried either of them, but my bet is they produce applications that are indistinguishable from native applications using those toolkits.

      Just because you presumably don't like AWT or SWING doesn't make Java a failure -- you're not forced to use those libraries.

  9. Re:v1.6 is forgotten but most use that by viperidaenz · · Score: 3, Informative

    What are you smoking? 1.6 update 45, released a few days ago contains all these fixes.

  10. ORACLE FIXED SOMETHING?! by CheshireDragon · · Score: 1

    Reminds me of my dad always breaking shit when he tried to fix it. Then he actually fixed something and we flipped our shit!

    --
    "That's right...I said it."
    1. Re:ORACLE FIXED SOMETHING?! by Anonymous Coward · · Score: 0

      How do you know that Oracle actually fixed something, and didn't break 10 other things in the process?

    2. Re:ORACLE FIXED SOMETHING?! by Anonymous Coward · · Score: 0

      If they only broke 10 other things this time around then I would say things are looking up.

  11. Fix the model. Chicken wire isn't watertight by raymorris · · Score: 2

    With the rate of Java exploits exceeding one per day, it seems clear the problem is bigger than the specific exploits they are fixing. The DESIGN that allows for hundreds of vulnerabilities is seriously flawed and THAT is what they should fix.

    It really looks like someone trying to use chicken wire fencing to build a dam, and they keep patching each little hole. Instead, they need to ditch the porous chicken wire and use something watertight for the barrier between VM and system.

    1. Re:Fix the model. Chicken wire isn't watertight by Earthquake+Retrofit · · Score: 1

      We don't read about this many security problems with other general purpose languages. If GCC needed patches every month I sure wouldn't be inclined to use it. Why does Java need to be patched so often? What is so different that it makes it so bad? Is it because it's interpreted rather than compiled? Why does that matter? I'm amazed Java has been such a mess for so long.

      --
      Fifty years of Yippie! 1968-2018
    2. Re:Fix the model. Chicken wire isn't watertight by lister+king+of+smeg · · Score: 1, Informative

      GCC may not be patched that often but your OS is. Java is not just a language, it is a VM that the compiled Java code runs in, a JIT compiler that compiles the Java code, a language and a web plug-in, all collectively referred to as Java. Java's big problem is it is used in unsafe ways (via web plug-in). The main security problem is that the Java web plug-in grabs arbitrary code and runs it in the same VM as Java apps and it can be abused to take control. You would never run just any random binary you found on the Internet but you do anytime a page has Java on it.

      --
      ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
  12. And this is where Oracle is failing... by Anonymous Coward · · Score: 0

    Oracle really needs to stop working on new features for Java. It is a sufficiently advanced language at this point, and pretty much all the new features I see people whining for are to satisfy some pedantic desire to make Java the UberLanguage that does absolutely everything in any way possible.

    Instead, Oracle really needs to just say: NO MORE FEATURES. The language is complete (or at least for a decade). All efforts should be placed on fixing the problems in the implementations right now.

    1. Re:And this is where Oracle is failing... by Anonymous Coward · · Score: 0

      Nope. Languages need to keep up with the times, or they become an albatross.

    2. Re:And this is where Oracle is failing... by Anonymous Coward · · Score: 0

      No, they don't.

      C (as a language) has hardly changed over 40+ years.

      C++ isn't much different after standardization.

      And the list goes on and on. The vast majority of languages very rarely change features after an initial infant lifecycle. Once a decade is probably sufficient.

      And, the purpose of a language isn't to be the end-all-be-all for everyone. Languages do best when fulfilling a specific niche (which may be fairly broad). Because, in any language, there are inherent compromises. Trying to be an UberLanguage magnifies these compromises into downright terrors.

      Don't confuse libraries with the core language grammar and feature set.

    3. Re:And this is where Oracle is failing... by stenvar · · Score: 2

      Java language evolution has been cosmetic, not substantive; Sun and Oracle have refused to fix things at the VM level. As a result, Java has fallen behind more and more over the years.

    4. Re:And this is where Oracle is failing... by symbolset · · Score: 5, Insightful

      Languages need to keep up with the times, or they become an albatross.

      Unless through being steeped in the art and basic principles and with an eye toward the future the authors built their language in such a way that it could be timeless art that stood for all time, like for example Brian Kernighan and Dennis Ritchie's "C".

      Go ahead and learn ALGOL, FORTRAN, BASIC, SNOBOL, APL, ADA, brainfuck, R, LISP and dozens of others like I did if that's your nerd thing. It's fun. After you've done that you'll come to the same conclusion I did: programming languages are syntactic sugar. They are constructs for interpreting your ideas into references to libraries that instantiate the desired result in predictable ways.

      C is. It stands like the Oedipus trilogy as a distillation of all prior art and a foundation of all subsequent art. It is beautiful and timeless in the same way. Learn this one thing and all else becomes easy. Unfortunately, like the Tau, it is not possible to really understand C until you don't need to do so any more. When you have learned enough about C to know why it is a fool's game you will have become ready to launch your own inferior language.

      --
      Help stamp out iliturcy.
    5. Re:And this is where Oracle is failing... by Anonymous+Brave+Guy · · Score: 1

      C was a great language for its time, but from a security point of view it is still a nightmare. Unfortunately, whatever theoretical equivalence they might have, in practice different programming languages are not just syntactic sugar.

      C is the language that introduced many of us to terms like "buffer overrun" and "access violation" and "null pointer dereference" and "off by one error". These are kinds of programmer error that everyone makes sometimes if they have the chance, even world class programmers who write core OS and networking tools we all rely on every day, and of course most programmers aren't world class and make far, far more mistakes if you give them the opportunity to do so.

      C also has very little expressive power, in the sense of letting programmers implement the concepts they need concisely and elegantly, and it hardly has a type system worth mentioning at all. Both of these things are also severe disadvantages when it comes to writing robust, secure code.

      If you really think that C is the pinnacle of programming language design and that all these more modern languages are inferior, you might like to consider the sage advice Kipling almost gave: "If you can keep your head when all about you are losing theirs... they probably know something you don't."

      Or it's too early in the morning, my sense of humour hasn't finished booting, and your post really was intended as a troll, in which case you have succeeded gloriously and I tip my virtual hat to you...

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    6. Re:And this is where Oracle is failing... by sproketboy · · Score: 1

      Nice troll.

    7. Re:And this is where Oracle is failing... by symbolset · · Score: 3, Interesting

      C doesn't have safety belts and airbags, that's your complaint? They gave you the framework to create those things if you need them. If you can't be bothered to check your work and your inputs, to consider pathological cases and data, no linguistic tool is going to make your work stable and secure.

      Languages are syntactic sugar. When you have implemented the basic stacks of OO, heap, stack, garbage collection, array transforms, list and set processing, the dually-linked-list-dancing-btree-with-bucket-hash, the things that other languages give as algorithms in C then you know you can implement them as C libraries properly once and be done with them. Things like inheritance, soft-typing and operator overloading are a distraction and a menace to predictability, readability and debugging. When you encounter a new problem with no lib you can just write an algorithm that can transform the datastructure in the desired way, make it a lib and call it. The usages of the various languages add nothing but orientation hurdles to get the C programmer into the language developer's state of mind. The states of mind of language developers can be sometimes interesting, but sometimes they are mad. This is not high art. This is fingerpainting. There is a guy here on /. (not me) who designs sorting algorithms that dynamically optimize on processor cache size, in 1KB of code and competes with the world's best. There is another who designed a procedurally generated FPS with unlimited terrain in 4KB. THAT is high art. Once you have mastered the use of your programming tools, you can begin to explore what art can be made with them.

      Admittedly some languages have some rapid development potentials and usages where the programmer need not know his programming art, but that is "tools for fools", not real work. Even at their most obtuse, these are almost always implemented in C. Windows is almost entirely C, as is Linux, BSD, of course Unix, every game engine and of course all of the libraries and drivers. It is all C. Even the C++ compilers are more than 90% C.

      Other languages, like LOGO, are for children who can't be bothered to learn their Wirth before they make the turtle draw.

      --
      Help stamp out iliturcy.
    8. Re:And this is where Oracle is failing... by Anonymous Coward · · Score: 0

      Java was shit long before Oracle bought it.

    9. Re:And this is where Oracle is failing... by stenvar · · Score: 1

      No, just truth.

    10. Re:And this is where Oracle is failing... by Anonymous Coward · · Score: 0

      Yeah, languages should be extended by all sorts of fancy crap, so that there will be a constant inflow of new exploits for Chinese intelligence to exploit. Makes sense for me, sitting in Chengdu, currently downloading the latest Rivet Joint software package from a server in Atlanta.

    11. Re:And this is where Oracle is failing... by Endlisnis · · Score: 1

      Yeah, C is great, and timeless; as long as by "timeless" you mean, "has gone through 4 different versions". Haven't you heard about C89, C99 and C11?

    12. Re:And this is where Oracle is failing... by Anonymous+Brave+Guy · · Score: 2

      C doesn't have safety belts and airbags, that's your complaint?

      Your car analogy is poor. You're talking about whether the language is good for safety, and safety belts and airbags save lives.

      If you can't be bothered to check your work and your inputs, to consider pathological cases and data, no linguistic tool is going to make your work stable and secure.

      That's an absolute argument in a relative world.

      I don't need to check that I'm not dereferencing a NULL pointer everywhere if my programming language's type system means there is no NULL value in that context. The entire class of mistakes is removed.

      I don't need to check for an off-by-one error updating a loop counter if I'm using a loop control structure in my programming language that has no explicit counter at all. The entire class of mistakes is removed.

      No human programmer is perfect, no matter how good or experienced they are. I make mistakes. You make mistakes. Every single programmer reading these posts makes mistakes. The only way to remove a class of errors with close to 100% reliability is to use tools and processes that remove the possibility of the human error in the first place.

      If my tools do that for me in some cases, it leaves me that much longer to think about the other ones, and makes it that much clearer for my peer reviewers to check that I got the logic right when I do. It's not as if I have somehow mysteriously lost all my defensive programming skills by using a more powerful language instead of C! I'll just be using those skills to better effect, because I can concentrate on the harder problems and trust that the easy ones are already solved.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
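The two "entire class of mistakes is removed" points in the post above, as an added example in C++ (this is not code from the thread or from any poster; the lookup table, the function names and the sample values are constructed for illustration). The raw-pointer lookup leaves the null check to every caller, while the `std::optional` version makes absence part of the return type; the explicit-counter loop carries a hand-written bound that can be off by one, while the range-for loop has no counter to get wrong. The counter loop uses `at()` so that a wrong bound is a caught exception rather than a silent read past the end.

```cpp
#include <cstddef>
#include <iostream>
#include <map>
#include <optional>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed lookup table (illustration only, not from the thread).
static const std::map<std::string, int> kPorts = {{"ssh", 22}, {"https", 443}};

// C-style API: a null pointer means "not found". Nothing in the type forces the
// caller to check before dereferencing, so the check is easy to forget.
const int* findPortRaw(const std::string& name) {
    auto it = kPorts.find(name);
    return it == kPorts.end() ? nullptr : &it->second;
}

// std::optional version: the "no value" case is part of the type, so the
// caller has to handle it (value_or, has_value, ...) to get at the int.
std::optional<int> findPort(const std::string& name) {
    auto it = kPorts.find(name);
    if (it == kPorts.end()) return std::nullopt;
    return it->second;
}

int portOrDefault(const std::string& name, int fallback) {
    return findPort(name).value_or(fallback);
}

// Explicit-counter loop: the bound `count` is supplied by hand, which is where
// the classic off-by-one lives. at() turns a bad bound into std::out_of_range.
long sumWithCounter(const std::vector<int>& v, std::size_t count) {
    long total = 0;
    for (std::size_t i = 0; i < count; ++i) total += v.at(i);
    return total;
}

// Range-for loop: no counter and no bound, so this class of mistake cannot occur.
long sumRangeFor(const std::vector<int>& v) {
    long total = 0;
    for (int x : v) total += x;
    return total;
}

// Reports whether the counter loop would have read past the end for `count`.
bool counterLoopOverruns(const std::vector<int>& v, std::size_t count) {
    try {
        sumWithCounter(v, count);
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}

int main() {
    std::vector<int> v{1, 2, 3, 4};
    std::cout << "range-for sum: " << sumRangeFor(v) << '\n';
    std::cout << "counter bound 5 overruns: " << counterLoopOverruns(v, 5) << '\n';
    std::cout << "ftp port: " << portOrDefault("ftp", 21) << '\n';
    return 0;
}
```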
    13. Re:And this is where Oracle is failing... by sproketboy · · Score: 1

      Citation? I thought not. Try harder.

    14. Re:And this is where Oracle is failing... by WhatAreYouDoingHere · · Score: 1

      This is not high art. This is fingerpainting.

      In the case of assembly, I think it's more like pointillism than finger-painting. :-)

      --
      "What are you doing here, Elijah?"
    15. Re:And this is where Oracle is failing... by Anonymous Coward · · Score: 0

      Nope. Languages need to keep up with the times, or they become an albatross.

      An albatross is actually good luck to a sailor--until you kill it.

      http://en.wikipedia.org/wiki/Albatross_%28metaphor%29

    16. Re:And this is where Oracle is failing... by david_thornley · · Score: 1

      C doesn't have safety belts and airbags, that's your complaint?

      More like its lack of ABS, traction control, air and fuel filters, visibility, windshield, etc. Sure, you can write your own, but it's always going to be clumsy and error-prone. Sure, you can check some stuff beforehand, but there's a lot of things (like when to free memory) that's Turing-undecidable at writing or even compile time. Garbage collection or std::shared_ptr are nice, easy-to-use ways of solving that problem in ways that are not tricky to use (well, there are some circumstances where std::shared_ptr gets tricky, but nowhere near as bad as any C counterpart).

      Languages are syntactic sugar. When you have implemented the basic stacks of OO, heap, stack, garbage collection, array transforms, list and set processing, the dually-linked-list-dancing-btree-with-bucket-hash, the things that other languages give as algorithms in C then you know you can implement them as C libraries properly once and be done with them. Things like inheritance, soft-typing and operator overloading are a distraction and a menace to predictability, readability and debugging.

      Sounds like you've never bothered to learn anything other than C well. Sorting in C and C++ is available in the standard libraries, but qsort() and std::sort aren't exactly the same thing. qsort() requires at least one separate function to be defined, and requires that you pass in assorted pointers correctly. At that time, it will do a lot of indirect memory references and function calls, which can cost performance and even cause cache misses. With C++, you can define the comparison function in a natural place (either in the class definition or the std::sort invocation itself, frequently), and the compiler can inline what it sees fit. C++ sorting is easier to use and much harder to get wrong.

      As far as your complaints about inheritance and such, you need to consider programmer competence. If you gave me my choice of knives and swords and put me up against an unarmed martial artist, you would observe that weapons are useless using that reasoning. We're talking about a C programmer who can be trusted with stdio.h, and knows when and how to use the str* and strn* functions. Somebody who knows C++ that well is not going to screw up inheritance and operator overloading in that way. I don't know what "soft-typing" is, but C's type system is about the softest around.

      C is a very good language for some purposes, but it's really hard to make it secure. There's many more pathological cases to consider than in most more modern languages, and the incessant attention to detail that this requires can lead to making much larger-scale errors. A C programmer has to be very careful to avoid buffer overflows, while a C++ or Java programmer can generally avoid them with a few intelligent practices.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
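The qsort-versus-std::sort and buffer-overflow points made in the post above, as an added C++ example (not code from the thread or from any poster; the `Item` record, the function names and the sample data are constructed for illustration). `qsort` needs a separate comparator taking untyped pointers and casts that nobody checks, while `std::sort` takes a typed lambda the compiler can inline; the fixed-buffer copy has to carry the length check a C programmer must never forget, while `std::string` has no fixed buffer to overflow.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

// Plain-old-data record (constructed for the example) so it is safe to qsort.
struct Item { int id; int weight; };

// qsort comparator: a free function over void pointers. The casts are unchecked;
// using it on the wrong element type compiles without complaint.
static int compareWeightC(const void* a, const void* b) {
    int wa = static_cast<const Item*>(a)->weight;
    int wb = static_cast<const Item*>(b)->weight;
    return (wa > wb) - (wa < wb);   // avoids the overflow of "wa - wb"
}

// Sort by weight with qsort and return the ids in sorted order.
std::vector<int> sortedIdsWithQsort(std::vector<Item> items) {
    std::qsort(items.data(), items.size(), sizeof(Item), compareWeightC);
    std::vector<int> ids;
    for (const Item& it : items) ids.push_back(it.id);
    return ids;
}

// Same thing with std::sort: the comparator is typed, lives next to the call,
// and can be inlined, so no indirect call per comparison.
std::vector<int> sortedIdsWithStdSort(std::vector<Item> items) {
    std::sort(items.begin(), items.end(),
              [](const Item& a, const Item& b) { return a.weight < b.weight; });
    std::vector<int> ids;
    for (const Item& it : items) ids.push_back(it.id);
    return ids;
}

// C-style copy into a caller-supplied fixed buffer. Without the length check
// this is a textbook overflow; with it, an oversized input is simply refused.
bool copyNameC(char* dst, std::size_t dstSize, const char* src) {
    std::size_t len = std::strlen(src);
    if (len >= dstSize) return false;   // leave room for the terminator
    std::memcpy(dst, src, len + 1);
    return true;
}

// Exercises copyNameC against a 16-byte field so callers need not manage a raw buffer.
bool storeInSmallField(const char* src) {
    char field[16];
    return copyNameC(field, sizeof field, src);
}

// C++ side: std::string owns and grows its storage, so there is no buffer size
// to check and nothing to overflow; the "field" is whatever length the input has.
std::string storeName(const std::string& src) {
    std::string field;
    field += src;
    return field;
}

int main() {
    std::vector<Item> items{{1, 30}, {2, 10}, {3, 20}};
    for (int id : sortedIdsWithStdSort(items)) std::cout << id << ' ';
    std::cout << '\n';
    std::cout << "long name fits in 16 bytes: "
              << storeInSmallField("a-name-that-is-far-too-long") << '\n';
    return 0;
}
```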
    17. Re:And this is where Oracle is failing... by Anonymous Coward · · Score: 0

      Too bad Java suffers from null pointers. Yes, Java has pointers; "references" came from marketing because they were aiming for the mediocre programmer who is frightened by a simple concept. But they are pointers that you can't do arithmetic on. At least the JLS refers to them properly, as pointers.

    18. Re:And this is where Oracle is failing... by Anonymous+Brave+Guy · · Score: 1

      Too bad Java suffers from null pointers.

      Yes, it is. In that respect, Java has a design almost as unfortunate as C and C++.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  13. Most biased summary, ever. by Anonymous Coward · · Score: 1

    Oracle has been releasing scheduled security updates for years now, as has virtually every other software vendor in the world. Java is no less secure than any other software product. If anything, it is far more secure than alternative programming languages and VMs.

    When Oracle fails to patch known vulnerabilities, they get nailed for it (rightfully so). But then when they actually *do* patch known vulnerabilities, Slashdot nails them *anyway*. That's just biased!

    1. Re:Most biased summary, ever. by gbjbaanb · · Score: 2

      the point is that they just patched 39 vulnerabilities that were not known about last week... how many are still in there that we just haven't discovered yet? That's why we criticise them, because they've found so many vulns, there's a good chance there's a load more waiting to be discovered.

    2. Re:Most biased summary, ever. by Anonymous Coward · · Score: 1

      It is far less secure as has been repeatedly proven.

  14. Douglas Adams proved right again! by Anonymous Coward · · Score: 0

    See, Oracle releasing patches for 42 vulnerabilities in one shot just confirms that.... Java has the permanence of a kid's tree house.

  15. What "Java Web Start plugin"? by Grim+Leaper · · Score: 1

    I thought Web Start was invoked through file associations for JNLP files, not through the Java plugin. In other words, you could disable the plugin entirely and still be vulnerable to JWS exploits. Is that the case?

  16. Ask by andrewa · · Score: 4, Insightful

    Yet still they are trying to sneak the "Ask" toolbar in there.....

    --
    :(){ :|:& };:
    1. Re:Ask by SeaFox · · Score: 3, Informative

      I've decided that must be the only reason they haven't created an auto-update system for Java. I mean, my AV software can update its own definitions, my web browser can update itself, yet I still have to click the stupid message every time Oracle farts.

      My mom has been complaining about it too. The frequency of these updates is encouraging people to ignore them or turn them off, like the classic boy who cried "Wolf!".

      If the Java system could update itself they'd lose the opportunity to trick people into not unchecking the Ask Toolbar, McAfee Security Scan, etc. shovel-ware. And as people get frustrated with the constant updates they get sloppier about what they're clicking as they go through them.

    2. Re:Ask by aled · · Score: 1

      java does auto update for years now on Windows. what is your point?

      --
      "I think this line is mostly filler"
    3. Re:Ask by Anonymous Coward · · Score: 0

      Auto update as in it updates itself without user intervention.

      Sure they have an update service taking space in your RAM but you still have to click through dialog boxes and hope you don't forget to uncheck that annoying Ask toolbar.

      It is not as bad as Comodo's security suite which tries to install spyware (Chrome). Pretty funny and sad that a tool that is partly anti-spyware recommends you install spyware.

    4. Re:Ask by Anonymous Coward · · Score: 0

      My whole operating system updates everything daily. The only nuisance is the casual reboot required after kernel upgrades. A whole fucking operating system. But Java can't do that on Windows.

    5. Re:Ask by SeaFox · · Score: 1

      java does auto update for years now on Windows. what is your point?

      No it doesn't.

      It checks for available updates on its own.
      It can even download update installer executables on its own.
      It does not actually update anything on the computer until you manually click "Install", etc.

      If Java needs updating this often it should be able to do it silently the same way Chrome and Firefox update themselves.

  17. Great. Headaches ahead. by mindwhip · · Score: 3, Funny

    Every time they release one of these my company's IT department insists on the new version being mandatory and installs it on every PC without any testing.

    This then breaks one (or more) of our externally provided and supported, business critical, small user base, Java client/server systems. After a few days of frantic phone calls and manual un-installs of the new Java version (which have to be done by IT support remoting into PCs due to security lockdown, after senior signoff, and which we have to keep doing to combat the overnight updates) we end up with an emergency change to install a very alpha version of the client/server system.

    The updated client is normally so full of bugs that it gets several further emergency updates over the next 3 months and is just about stable and almost bug free in time for Oracle to release another patch...

    --
    [The Universe] has gone offline.
    1. Re:Great. Headaches ahead. by arkhan_jg · · Score: 1

      And what are IT supposed to do? Leave a known vulnerable version with dozens of critical flaws - including the HIGHLY exploitable browser plugin - on business critical PCs across the org, including the business critical ones of that small group?

      Whose neck would it be if those machines got remote rooted by some Chinese hacker driveby? I'm betting not yours.

      Perhaps a dialog with IT where you don't install the browser plugin at least, and firewall the group off from the rest of the network in exchange for a tested, custom (i.e. slower) rollout for your setup. It wouldn't hurt if your department volunteered to cough up the cash to pay for the extra engineer time required...

      Or you could start evaluating alternative platforms for your business critical software that don't have more holes than my colander?

      --
      Remember kids, it's all fun and games until someone commits wholesale galactic genocide.
    2. Re:Great. Headaches ahead. by Anonymous Coward · · Score: 0

      I have NEVER had a Java update (even a major version) break any of my code.

      You guys must employ API monkeys and not programmers.

    3. Re:Great. Headaches ahead. by Anonymous Coward · · Score: 0

      Good for you.
      Of course it is not very easy to break "hello world" copied from a book.

    4. Re:Great. Headaches ahead. by Anonymous Coward · · Score: 0

      Keep telling yourself it is Java update breaking your code and not your lack of skill.

      Hundreds of thousands of lines of code written in Java since Java 1.4 and never had any update break code.

      Never had code break in Ruby or Python either, except when they purposefully made breaking changes and advertised them well in advance (i.e. Python 3 and Ruby 1.9).

      Shitty API monkey simply doesn't know he is shitty.

  18. Warning: ask.com toolbar by icknay · · Score: 5, Informative

    Suppose that when you first run the Java installer, it asks you if you want to install the ask.com toolbar; naturally you select the No Ask.com Malware button, and everything installs nicely. Now later on, for each security update that comes along, there's a nice Install Important Update button .. and what do you suppose that does? It installs the Ask.com toolbar! I know Oracle is supposed to be aggressive with their practices, but I cannot believe they abuse security updates this way to get a few pennies out of Ask.com which is basically a search-result-spam engine.

    The reason you have not heard about this more, is that Macs and Firefox/Chrome (not sure about IE) resist the Ask.com installer, so you just don't see it, but the crappy Oracle behavior is in fact going on each time. The result is that naive users are getting this toxic thing installed and it really messes up their whole internet experience.

    Hey Oracle: you're pissing away tons of Java goodwill in exchange for pennies from the Ask.com spammers. Who the heck thought that was a good trade? Like what techie who learns of this behavior is ever going to install Java anywhere? Aren't you trying to make JavaFX into a real client thing?

    See http://www.zdnet.com/a-close-look-at-how-oracle-installs-deceptive-software-with-java-updates-7000010038/ for lots of details on how the Ask.com installer tries to trick the users and hide itself. It's kind of an interesting arms race between the spamming toolbar and the browser vendors.

    1. Re:Warning: ask.com toolbar by Anonymous Coward · · Score: 0

      + This

      As an enterprise java developer for almost 8 years (shit, time flies) I honestly like the ecosystem and the language is good enough, I suppose.
      But Oracle's antics with the ask.com toolbar almost make me ashamed I use Java. I recently needed to uninstall the ask.com toolbar for the 3rd time from my dad's PC because he kept missing the ask.com option in the update installer (which of course defaults to yes), and the only reason he had Java in the first place was because of a tool I installed for him...
      I know that right after the Sun takeover Oracle said they were looking into how to "monetize" Java, but they must've picked the sleaziest way to do this (honestly, I didn't think there was a way to monetize it).

      Anyways, there's a petition out there to put pressure on Oracle for removing the Ask.com cancer from Java, supported by Joshua Bloch, but the response has been pretty underwhelming imo.
      If you care about this, please take a minute to sign it:
      http://www.change.org/petitions/oracle-corporation-stop-bundling-ask-toolbar-with-the-java-installer

    2. Re:Warning: ask.com toolbar by Anonymous Coward · · Score: 0

      ask.com deal was penned by the cash-strapped Sun back in the day, not Oracle. Oracle acquired this contract with the rest of Sun, and I trust they'll eventually get rid of it; ask.com is paying 'em, but while it must've been significant coin for Sun, I'm sure it's peanuts for Oracle.

    3. Re:Warning: ask.com toolbar by sproketboy · · Score: 1

      What about Flash? That installs a google toolbar and McAfee and doesn't even give me a choice. Where's the rage? I guess cause it's a google toolbar it's OK then?

    4. Re:Warning: ask.com toolbar by KevReedUK · · Score: 1

      I may be missing something here, but last time I checked, if you download the offline installer, it doesn't bundle, or even offer, the Ask.com tool-bar (certainly not if you are installing it silently). Furthermore, you can disable automatic updates via a command-line switch / post-install registry change so that it doesn't automatically prompt you to download the next update as a web-based installer and run the risk of forgetting to un-tick the Ask.com tool-bar option.

      Surely those of us in business / enterprise environments are using this and are capable of keeping up-to-date with new releases without trusting your update mechanism to a third party? And that's not to mention preventing calls because end-users can't install an update that has automatically downloaded itself and prompted them to run it due to not having admin rights (you are locking your users down, aren't you?!?). Add to this, manually deploying updates rather than leaving yourself in the hands of Oracle means you can test first to make sure the new release doesn't break anything (you are doing this too, right?).

      About the only people this would affect are home users who, at the end of the day, will just accept whatever is shovelled at them and may un-install the tool-bar later if it bothers them that much. Consequently, the damage to good-will exists only in the heads of those like us who actually know what goes on under the hood and give a damn about it. Personally, I know what's going on, but as I can avoid it with trivial amounts of effort, I don't really care. Yes, as a business practice, I find it somewhat distasteful, but at least they give you the option to say no. I, for one, am not about to lose any sleep over it! I can understand why they do it. It'll either be a contractual obligation that they inherited when they acquired JAVA via SUN, or it could be a way of getting (I won't sully the word earning) a few extra pennies wherever they can. The end result is an easily-avoidable minor annoyance, so in real terms it's of far less concern to me than a lot of other things that are going on in the industry.

      --
      Just my $0.03 (At current exchange rates, my £0.02 is worth more than your $0.02)
    5. Re:Warning: ask.com toolbar by Anonymous Coward · · Score: 0

      No one is talking about flash, we're talking about Java. You ass.

    6. Re:Warning: ask.com toolbar by Anonymous Coward · · Score: 0

      Unless you're running a really shitty install of Lynx or something, you can unselect McAfee and the toolbars before you download the update. That or you're really impatient/getting it via a third party.

    7. Re:Warning: ask.com toolbar by Anonymous Coward · · Score: 0

      You trust Oracle?

      WTF?

  19. Can say the same for by Anonymous Coward · · Score: 0

    According to security analyst Wade Williamson, organizations need to realize that the web browser will continue to pose a significant risk. 'The first step is for an organization to understand precisely where and why a web browser is needed,' Williamson wrote. 'Based on the rate of newly discovered vulnerabilities, security teams should assume that the web browser is and will continue to be vulnerable.' Organizations should take a long, hard look at web browsers and answer for themselves if it's worth it, Williamson added.

  20. Jackie Robinson and the answer to the question. by Anonymous Coward · · Score: 0

    It's all coming together. You'll see. What I don't know; but it's all coming together.

  21. These are NOT JAVA vulnerabilities by coder111 · · Score: 5, Informative

    These are java APPLET or BROWSER PLUGIN vulnerabilities. Completely different thing.

    Slashdot should stop with this misinformation. Java the LANGUAGE is OK. Java Virtual Machine is OK. Servers using Java as server-side language are OK. Java desktop applications are OK.

    Java the BROWSER PLUGIN is vulnerable. But Java Browser plugin should never have happened in the first place and should be killed with fire.

    So stop with the whole bashing of Java in general. Java is a very good and mature language, with the fastest JVM on planet today, lots of open source 3rd party libraries, servers, frameworks and tools. It's very very good for server-side development.

    --Coder

    1. Re:These are NOT JAVA vulnerabilities by Anonymous Coward · · Score: 0

      with the fastest JVM on planet today

      Of course they have the fastest JVM - that's like saying Ferrari makes the fastest Enzo. What you mean is just "VM" or even "byte-code interpreter".

    2. Re:These are NOT JAVA vulnerabilities by Anonymous Coward · · Score: 0

      Yeah, it is, actually. Bro.

    3. Re:These are NOT JAVA vulnerabilities by gbjbaanb · · Score: 1

      are you sure about that? Check where the vulnerabilities were found. How many were in the plugin, how many in the JVM?

      The fact that the code that executes in the plugin is Java code that runs in a JVM sandbox seems to have passed you by. Of course the plugin is a good attack vector as it's so readily accessible, but there's nothing stopping the same attack code from running in your desktop or server programs; it's just harder (but not impossible) for the attacker to get their code there.

      So, no, Java is not somehow totally secure and it's all the fault of the plugin.

    4. Re:These are NOT JAVA vulnerabilities by Anonymous Coward · · Score: 0

      It's very very good for server-side development
      Java is good for anything that requires interoperable communication between objects, processes, nodes, hardware.

      I noticed on here it's all about language show-boating lately. And the majority of /. users are C/C++ folks (though likely moved on to Python), whereas most of the Java guys moved to Stack Overflow.

    5. Re:These are NOT JAVA vulnerabilities by Anonymous Coward · · Score: 0

      The JVM isn't really a byte-code interpreter and hasn't been for over 10 years.

    6. Re:These are NOT JAVA vulnerabilities by Anonymous Coward · · Score: 0

      there's nothing stopping the same attack code from running in your desktop or server programs; it's just harder (but not impossible) for the attacker to get their code there

      Desktop/server applications don't generally make any particular security claims, so it would be hard to violate their security requirements. Or looked at another way, if an attacker can use these exploits on a desktop or server, they could just run the code that they'd want to use the exploit to run anyway.

      The plugin might not be the cause of the fault, but it's the only part of Java that makes any security guarantees, so it's the only part that's exploitable.

  22. Oh yeah by symbolset · · Score: 1

    It's also used for Minecraft. And that's why I make my son boot from a fresh network image each day. He's too young to understand why enabling his Minecraft habit is a bad thing, so I do what I must.

    --
    Help stamp out iliturcy.
    1. Re:Oh yeah by dimeglio · · Score: 1

      You sadistic dad :) Just apply the patch. Make your son happy.

      --
      Views expressed do not necessarily reflect those of the author.
    2. Re:Oh yeah by Anonymous Coward · · Score: 1

      It's also used for Minecraft. And that's why I make my son boot from a fresh network image each day. He's too young to understand why enabling his Minecraft habit is a bad thing, so I do what I must.

      First let me say I read your post about C - and I cannot at all believe someone as smart as you could be so misinformed about Java as to waste so much time, energy, and money as that.

      Buy your kid a computer that was made anytime in the last 5 years, one with a 64 bit CPU that can run 64 bit software. Problem solved.

      There have been, including today's TWO JRE exploits, a total of THREE java exploits since 2008, and exactly ZERO are remotely exploitable.

      The only possible way Java is insecure is if you disallow him access to 64 bit hardware and force the 32 bit JRE with the browser plugin on him.
      Once you install a 64 bit OS, you install only the 64 bit Java JRE. There is no browser plugin at all in the package and it does not even touch a browser. This includes the ask toolbar.

      Only someone still running the old 32 bit JRE is forced into the browser plugin and has to deal with 50+ exploits a month that are all remotely exploitable.

      Oh, and the 64 bit JRE will stop Minecraft from crashing daily as well.

      Depending how young is young, I can understand you might not want to spend much money on a separate computer here, but even a used computer (as long as it is 64 bit) would be a massive upgrade and improvement in security to what you claim you currently are doing!

    3. Re:Oh yeah by Anonymous Coward · · Score: 0

      Sweet merciful crap. Are you serious? Just uninstall the browser plugin, which is not needed for Minecraft and is where all the vulnerabilities are, and let your kid enjoy himself.

    4. Re:Oh yeah by bhspencer · · Score: 1

      Are you running Minecraft as an applet in the Java browser plugin? If not, you are not exposing yourself to any of the vulnerabilities that have recently been described regarding Java. The problem is with the browser plugin, not with Java or the JVM.

  23. I wouldn't 'Ask' by GerryHattrick · · Score: 1

    I really would tell all my country-cousins to update their Java, but I couldn't rely on them to untick the 'Make Ask my default homepage, and add the toolbar' box. That sort of inertia-sell to the ignorant inspires no confidence at all.

  24. Oh please by symbolset · · Score: 1

    Kids these days.

    --
    Help stamp out iliturcy.
  25. Balanced? by Racerdude · · Score: 4, Insightful

    "Organizations should to take a long, hard look at Java and answer for themselves if it's worth it, Williamson added." This doesn't sound very balanced. It sounds like he has some sort of ulterior motive.

  26. Infinity minus 42 by Anonymous Coward · · Score: 0

    Infinity minus 42...

    is still infinite.

    1. Re:Infinity minus 42 by Anonymous Coward · · Score: 0

      Infinity is not a number

  27. 42? by Vlijmen+Fileer · · Score: 1

    That sounds pretty final to me :)

  28. NOT correct by Anonymous Coward · · Score: 0

    With a C++ program it is up to me, the programmer, to make sure there are no exploits. With Java, I am forced to expose myself to all the exploits that come rolled into the enormous platform (JVM, standard library and so on).

    With Javascript, I have several alternatives.

    With Sappeur (take that with a grain of salt, it's from myself), I have a reasonable chance to fix issues, as the compiler is rather small (12kloc). Unlike Java, which is a massive piece of code.

    And yeah, Sappeur delivers the same security assurances as Java at almost the same efficiency and real-timeness as C++:

    http://sourceforge.net/p/sappeurcompiler/code-0/HEAD/tree/trunk/doc/SAPPEUR.pdf

    http://sourceforge.net/p/sappeurcompiler/code-0/HEAD/tree/trunk/doc

    http://sourceforge.net/p/sappeurcompiler/code-0/HEAD/tree/trunk/

    1. Re:NOT correct by DrXym · · Score: 4, Insightful

      With a C++ program it is up to me, the programmer to make sure there are no exploits.

      Which is why of course all those ActiveX controls running in IE, mostly written in C++ were so immune to exploitation. The security exceeded everybody's wildest expectations.

    2. Re:NOT correct by Eraesr · · Score: 1

      With a C++ program it is up to me, the programmer to make sure there are no exploits.

      Guess how many programmers are adequately up to that task... And when I say "many", I actually mean "few".

    3. Re:NOT correct by Anonymous Coward · · Score: 0

      ActiveX controls are vulnerable no matter what language they're written in. The problem is the ActiveX design, not the language.

    4. Re:NOT correct by Anonymous Coward · · Score: 0

      The change to C++ that was called C++98 was so great that all that came before and all that came after that was designed before has no bearing on the language.

    5. Re:NOT correct by david_thornley · · Score: 1

      Also, in C++, I'm constrained by the libraries I have to use. Much of the stuff that's in Java standard libraries just isn't in C++ standard libraries (although C++11 improved that a lot, and Boost is very useful for what it covers). It's a lot easier to write secure code in C++ than in C, but (as a C++ fan) I'm not at all convinced it has advantages over Java.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  29. Did you C the light? by Viol8 · · Score: 1

    Sorry, bad pun :o)

    But I agree, K&R really nailed it with C. Sophisticated enough to do any major task required of it - e.g. the Linux kernel - but simple enough for a beginner to write basic apps in even if he doesn't quite understand, for example, the subtle difference between pointers and arrays yet.

    Sure, it's not the best language now for a lot of things, but as a general purpose language that will let you program virtually anything it can't be beaten.

    1. Re:Did you C the light? by Anonymous Coward · · Score: 0

      Heh. I have heard it said, "C gives you all the speed and power of assembler, with the ease of use of assembler."

  30. Yes, it's an industry-wide problem by Anonymous+Brave+Guy · · Score: 2

    I agree wholeheartedly. Almost the entire software development industry is rotten, and Java is just an easy target to pick on because of the browser plug-in vulnerabilities.

    Certainly security is a difficult thing to get right, but that's no excuse for using tools and techniques that are horribly inadequate for writing secure code. Take a look at how many critical vulnerabilities get patched in every major browser in a year and you see they're no shining beacons of security virtue either. A substantial proportion of our core infrastructure is still written in error-prone, bug-friendly languages like C and C++, which looking objectively from the outside is just crazy.

    Unfortunately, it's an institutional malaise, something that is hard for any individual actor in the system to fix. Most development projects simply can't afford to just give up on languages and run-time platforms with vast ecosystems surrounding them that dramatically increase productivity or they'll put themselves at a significant competitive disadvantage. That will continue until someone's "better alternative" language/platform also comes with the same kind of ecosystem.

    Realistically, we'll probably have to put up with this sort of nonsense until either the general public start wising up to how much security failures really cost and vote with their wallets, or governments step in and regulate to force the issue, or some project starts eating everyone's lunch because it really does offer such an improvement that using it is a compelling advantage and it can bootstrap its own ecosystem. And it's not as if any of those options doesn't have problems of its own...

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    1. Re:Yes, it's an industry-wide problem by Joce640k · · Score: 4, Interesting

      A substantial proportion of our core infrastructure is still written in error-prone, bug-friendly languages like C and C++

      A good programmer can write secure code with C++.

      A good programmer cannot write secure code with Java - he's at the mercy of the JVM.

      Java was sold to the world as a secure platform and has completely failed to deliver. Only a handful of websites need it (usually unnecessarily, and mostly for basic things like authentication) yet the huge all-singing-and-dancing API exposes you on every single web site that you visit. Does anybody really need all those Java multimedia APIs, etc.?

      It's become a cancer on the computing world, it needs:

      a) To be removed (recommended).
      b) To be reduced - bank logins only need a subset of Java 1.1.

      (PS: You can still use it for back-end work if you want, but keep it out of the browsers...)

      --
      No sig today...
    2. Re:Yes, it's an industry-wide problem by gbjbaanb · · Score: 0

      security is not about the language, it's about how you approach the problem, and frankly I'd rather have a "bug friendly" language like C and C++ so that I know I have to take care, than one that claims to be so perfect I can knock out any old crap and not consider the implications of what I'm doing.

      Consider that the JVM is written in C/C++ and you'll understand why your statement is so stupid.

    3. Re:Yes, it's an industry-wide problem by darjen · · Score: 4, Insightful

      How many good programmers actually exist who are capable of writing secure code in C++? And out of them, how many will still make simple errors like an occasional buffer overrun? Even if you're a "good" programmer there will be lapses in judgement or things that are just overlooked.

      I do largely agree with your comment about keeping it out of the browsers though.

    4. Re:Yes, it's an industry-wide problem by Anonymous+Brave+Guy · · Score: 2

      Well, I don't accept your premise about good programmers writing secure C++ code. The evidence just doesn't support your position: there are plenty of vulnerabilities found in software written in C++, just like every other language in widespread industrial use today. Often they just come in the form of library vulnerabilities that your unsuspecting C++ programmer linked into his application, but they're still out of his control unless he wants to rewrite his security library, which I hope we would all agree is a Really Bad Idea(TM) if he's not genuinely a security expert himself.

      But even if we grant your premise for the sake of argument, how is someone supposed to write secure C++ and then run it in someone else's browser accessed over the web without posing a security risk to the remote user? You're comparing apples to oranges.

      For a long time, there was a real need for things that browsers couldn't do natively and that meant plug-ins like Java or Flash. Of course that also meant the security risks that came with them, but who was offering a better option at the time? As new technologies mature, the use cases that made plug-ins helpful may be better served in other ways. However, it's unrealistic to expect everyone who was using those technologies to drop them and rewrite everything overnight, and many of the newer technologies are objectively not as good at getting useful things done as Java or Flash yet.

      Apple tried your just-bin-it approach with Flash on their mobile devices, and all that happened was that when you visit popular sites on your more-expensive-than-a-laptop iPad you see messages saying content isn't available for your device, while competitors pitch products with slogans like "See the whole web!" What do you think would happen if we somehow magically made the Java plug-in disappear tomorrow?

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    5. Re:Yes, it's an industry-wide problem by Anonymous Coward · · Score: 0

      A good programmer can write secure code with C++.

      A good programmer cannot write secure code with Java - he's at the mercy of the JVM.

      If you write a program in C++ and happen to write a buffer overflow, this quite easily can allow a remote exploit. The Java JVM protects against this kind of error, which makes the JVM more secure when the JVM itself has no bugs.

      Then, the JVM bugs. What kinds of remote exploits exist when you don't allow executing arbitrary code (applets, etc.)? Say you have a server program written in Java, and the outside communication happens using ordinary sockets. Does the JVM have a bad implementation of sockets that has security holes? I have not heard of such a thing. And even the C++ programmer is at the mercy of the library he uses; it's not really any different, except that Java is better protected against programmer mistakes.

      The Java applets are bad, but that's a feature not even supported by C++, so the languages are not comparable in that sense. And with HTML5, perhaps the Java applets can be gotten rid of.

    6. Re:Yes, it's an industry-wide problem by Joce640k · · Score: 1

      How many good programmers actually exist who are capable of writing secure code in C++? And out of them, how many will still make simple errors like an occasional buffer overrun? Even if you're a "good" programmer there will be lapses in judgement or things that are just overlooked.

      If you're using std::vector then buffer overruns can't happen. Same for std::string, etc.

      (nb. Modern C++ compilers enable range checking on operator[] by default...)

      If you're using smart pointers then all pointers will either be valid or null (they also make garbage collection moot - two birds with one stone).

      If you're not doing those two things in a security sensitive app. then you're doing it wrong.

      Done right, C++ can be every bit as easy/safe as Java is claimed to be.

      --
      No sig today...
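      The two claims argued back and forth above (that the JVM's bounds checks stop a bad length from becoming a memory corruption, and that std::vector/std::string plus smart pointers give C++ the same property) can both be shown in a few lines. The block below is an added example, not code from any poster in this thread. The one-byte-length wire format, the Session type and the function names are constructed for the example. Note that the checked access shown here is std::vector::at(), whose std::out_of_range check is part of the standard library contract; operator[] is not checked in an ordinary release build, so a parser that wants the guarantee has to ask for it.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Constructed wire format for this example (not a real protocol): one
// length byte followed by that many bytes of field data. The length byte
// comes from the peer, so it may claim more bytes than were actually sent.
using Bytes = std::vector<std::uint8_t>;

// Checked parser. Every index goes through std::vector::at(), which throws
// std::out_of_range for any index >= size(). A lying length byte therefore
// produces an exception, not a read past the end of the buffer.
std::string parse_field(const Bytes& msg) {
    const std::size_t len = msg.at(0);                   // throws on an empty message
    std::string out;
    out.reserve(len);
    for (std::size_t i = 0; i < len; ++i) {
        out.push_back(static_cast<char>(msg.at(1 + i)));  // throws if len overstates the data
    }
    return out;
}

// Boolean wrapper so the caller handles the malformed case explicitly
// instead of letting the exception propagate.
bool parse_field_safe(const Bytes& msg, std::string& out) {
    try {
        out = parse_field(msg);
        return true;
    } catch (const std::out_of_range&) {
        out.clear();
        return false;
    }
}

// Smart-pointer half of the claim. A std::unique_ptr either owns a live
// object or is null: moving from it or resetting it leaves nullptr behind,
// so there is never a dangling raw pointer for later code to dereference.
struct Session {
    std::string user;   // hypothetical session state
};

std::unique_ptr<Session> open_session(const std::string& user) {
    return std::make_unique<Session>(Session{user});
}

// Transfers ownership; the source pointer becomes null.
std::unique_ptr<Session> take_over(std::unique_ptr<Session>& from) {
    return std::move(from);
}

bool is_live(const std::unique_ptr<Session>& p) { return p != nullptr; }

// Walks the ownership lifecycle and returns true only if every intermediate
// state is the one described in the thread: valid or null, never dangling.
bool ownership_invariants_hold() {
    std::unique_ptr<Session> a = open_session("alice");
    if (!is_live(a)) return false;
    std::unique_ptr<Session> b = take_over(a);      // a is now null, b owns the object
    if (is_live(a) || !is_live(b) || b->user != "alice") return false;
    b.reset();                                      // Session destroyed here, synchronously
    return !is_live(b);
}
```

      With a well-formed message such as `{3, 'a', 'b', 'c'}` the parser returns "abc"; with `{10, 'a', 'b'}` the third at() call throws and parse_field_safe reports failure without touching memory outside the vector. The same structure works for any length-prefixed field as long as every index is routed through a checked accessor.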
    7. Re:Yes, it's an industry-wide problem by Joce640k · · Score: 1

      how is someone supposed to write secure C++ and then run it in someone else's browser accessed over the web without posing a security risk to the remote user?

      Why is that ever necessary?

      The whole premise of foreign code having direct access to my machine seems broken to me.

      --
      No sig today...
    8. Re:Yes, it's an industry-wide problem by Joce640k · · Score: 1

      If you write a program in C++ and happen to write a buffer overflow, this quite easily can allow a remote exploit. The Java JVM protects against this kind of errors

      Maybe you could try using std::vector/std::string instead of C arrays...

      --
      No sig today...
    9. Re:Yes, it's an industry-wide problem by Anonymous+Brave+Guy · · Score: 1

      The whole premise of foreign code having direct access to my machine seems broken to me.

      I agree entirely. That's why there's a need for technologies that can run remote code in a sandbox with limited access to the host system, which is exactly why tools like Flash and Java applets have been useful.

      The danger comes when the code in the sandbox isn't quite as isolated as it's supposed to be, as we see all too often. On the other hand, not having a sandbox at all doesn't so much solve the problem as remove the entire possibility of running remote code on a local host, which is a useful thing to do.

      In time, JavaScript and HTML5 may effectively offer a similar generic sandbox that can do much the same things instead. No doubt there will be some security issues there too. For now, however, we're not there yet.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  31. In Java by Anonymous Coward · · Score: 0

    Oracle Fixes 42 Security Vulnerabilities

  32. "Oracle is strongly recommending"... by Anonymous Coward · · Score: 1

    1.... that organizations apply the security fixes as soon as possible

    2.... that you install the Ask Toolbar

    And here goes the credibility of Oracle.

  33. His 15 minutes of fame? by Anonymous Coward · · Score: 0

    That's a really poorly written article, bad security analysis overall. I doubt Wade Williamson really knows what he's talking about because he ended up pointing at every possible kind of Java application, talking a lot about the JVM and barely mentioning the actual vectors: the applets. Does he even comprehend that, in order to deliver malicious code through an applet or even through a WebStart application, the attacker needs to gain access to the web server and also needs to be able to change the files on the server?

    Oh well, he reached his objectives, didn't he? His name is on SlashDot and his article saw a considerable amount of traffic, right?

  34. NOT by Anonymous Coward · · Score: 0

    Java could never replace either C or C++. That's because

    + Stack allocation of objects
    + Object Arrays (as opposed to object reference arrays)
    + Object Aggregation (one adjacent region of memory containing several objects inside another class)
    + Destructors/free() which operate synchronously

    is simply non-existent in Java. Of course you can inject caffeine and sugar into a weak sports horse and let it plough through sand. That works. But you WILL NEED a Farm Horse if you want to plow arable fields with some heavy mud.

    You won't see the difference in micro-benchmarks, but you will definitely see it in real-world programs which often contain massively complex data structures.

    Here's an attempt by myself to fix the security issues of C++ while retaining efficiency and real-timeness:

    http://sourceforge.net/p/sappeurcompiler/code-0/HEAD/tree/trunk/doc/SAPPEUR.pdf?format=raw

    http://sourceforge.net/p/sappeurcompiler/code-0/HEAD/tree/trunk/

    1. Re:NOT by Anonymous Coward · · Score: 0

      Short-lived objects (i.e. only created and used inside a single method) are now stack based.

      Arrays hold references to objects not the object itself. I bet you think Java is pass by reference huh?

      Java is much better in terms of performance in long running programs. It is short-lived programs where it is slow. Java compiles to native code at runtime with information static compilers will NEVER have. Before you say "compilation takes time" you should view it in a profiler; it normally takes 0.00001 seconds to compile a class at runtime.

      Dumbass.

    2. Re:NOT by Anonymous Coward · · Score: 0

      In C++ you can have arrays of objects, which means 250 objects of 8 bytes each will take 250*8 bytes and nothing more (on the heap you will need an additional 24 bytes for the entire array for heap management; on the stack nothing). Each access will directly go into the object, not first into the reference array and then from there into the object. Java will require at least 250*(8+8) bytes (probably 8+16 or so) and two memory accesses instead of one.

      Please show me how you can allocate a value array in Java on the stack. I bet you will initialize it by the new operator for each element.

      I see that they have now added something EXPERIMENTAL to automagically try to detect when they can do stack allocation:
      http://www.stefankrause.net/wp/?p=64
      Very pathetic to do that instead of adding proper syntax to the language itself.

      Now, look at this and continue your name-calling:

      http://benchmarksgame.alioth.debian.org/u64q/benchmark.php?test=all&lang=java&lang2=gpp&data=u64q
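      The four C++ properties listed at the top of this sub-thread (stack allocation, arrays of objects rather than of references, aggregation of one object inside another, and destructors that run synchronously) can each be checked directly in code. The block below is an added example written for this page, not code from any poster here. The Sample and Packet types, the 250-element array and the KeyBuffer type are constructed for the example; the destructor example shows why synchronous destruction matters for a defender, namely that key material is wiped at a known point rather than whenever a collector gets around to it.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Constructed example type: two 32-bit fields, 8 bytes, no hidden header.
struct Sample {
    std::uint32_t id;
    std::uint32_t value;
};

// Object arrays: an array of 250 Samples is exactly 250 * sizeof(Sample)
// bytes of contiguous storage, with no per-element reference or object header.
static_assert(sizeof(Sample[250]) == 250 * sizeof(Sample),
              "an array of objects is one contiguous region");

// Object aggregation: a Packet holds its Samples inline, so the whole thing is
// a single region of memory rather than a holder plus separately allocated members.
struct Packet {
    Sample header;
    Sample body[3];
};
static_assert(sizeof(Packet) == 4 * sizeof(Sample),
              "aggregated members live inside the enclosing object");

// Distance in bytes between two adjacent array elements: one object width,
// which is what makes a single memory access per element possible.
std::size_t element_stride() {
    Sample arr[2] = {};
    return static_cast<std::size_t>(
        reinterpret_cast<const char*>(&arr[1]) - reinterpret_cast<const char*>(&arr[0]));
}

// Stack allocation of a value array: no `new` per element, and direct
// indexing into each object rather than through a reference table.
std::uint64_t sum_values(std::size_t n) {
    Sample arr[250] = {};          // lives in this function's stack frame
    if (n > 250) n = 250;          // clamp to the array size
    for (std::size_t i = 0; i < n; ++i) {
        arr[i].id = static_cast<std::uint32_t>(i);
        arr[i].value = static_cast<std::uint32_t>(i * 2);
    }
    std::uint64_t total = 0;
    for (std::size_t i = 0; i < n; ++i) total += arr[i].value;
    return total;                  // arr is released when the frame is popped
}

// Synchronous destruction: the destructor runs at the closing brace of the
// scope that owns the object, so a secret can be wiped at a known point.
static int g_wipes = 0;

struct KeyBuffer {
    unsigned char key[32];
    KeyBuffer() { std::memset(key, 0xAB, sizeof key); }   // placeholder key material
    ~KeyBuffer() {
        volatile unsigned char* p = key;   // volatile keeps the wipe from being optimised away
        for (std::size_t i = 0; i < sizeof key; ++i) p[i] = 0;
        ++g_wipes;
    }
};

// Returns how many KeyBuffers were wiped by the time the inner scope closed:
// exactly one, and it happened before the function continued.
int wipes_during_scope() {
    const int before = g_wipes;
    {
        KeyBuffer k;                       // stack allocated
        (void)k.key[0];                    // the key would be used here
    }                                      // ~KeyBuffer() has already run
    return g_wipes - before;
}
```

      The static_asserts hold for these particular types because they contain no padding; a type with mixed field sizes can carry padding bytes, but the array is still one contiguous region of sizeof(T) strides. wipes_during_scope() returning 1 is the point of the destructor example: the wipe is ordered before the next statement, which a finalizer-based language cannot promise.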

    3. Re:NOT by Anonymous Coward · · Score: 0

      You are seriously a dumbass.

      Since at least Java 7.0 short lived objects are automatically created in the method's stack frame.

      Try to keep up

  35. DROBO WARNING!!!!!! by Holi · · Score: 1

    If you install this on your Mac and you are using a Drobo iSCSI device, then you are no longer using your iSCSI device. This Java update breaks Drobo's iSCSI initiator.

    --
    Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
  36. Re:#1 web solution by Anonymous Coward · · Score: 0

    Where's the panacea of general programming environments where:
    1. You can integrate it with -practically anything- (whatever the customer's currently plugged into -- protocol/socket, old DBs, all those queue systems, email, batch tools, clustering (scale), etc.) with little development overhead
    2. Easy access to developers with varying degrees of cost / performance
    3. 100% support on mainstream deployment platforms of choice

    If you're not answering these three questions, most non-dev centric businesses won't be playing ball.

    All right then. Perl it is.

  37. Re:#1 web solution by marcosdumay · · Score: 1

    Yeah, Perl and Python nowadays. Ruby is getting there, and JavaScript entered the run lately, but it's nearer the starting point than that goal. And of course, there are the JVM alternatives that can use any Java lib, but also share its vulnerabilities. And also, that's just one kind of development shop. Other kinds may be best served with something more powerful like Haskell, or nearer to the metal, like C.

    Now, if "Easy access to developers with varying degrees of cost / performance" means "We'll hire incompetent programmers and don't want them to destroy everything", Java seems to be the only option.

  38. Out of how many? 42? 420? 69105? 10^42?

  39. The Question by petteyg359 · · Score: 1

    Damnit. If they've fixed 42, that means they've found the question, and now the universe is just going to turn into a new confusing and illogical mess.