Oracle Fixes 42 Security Vulnerabilities In Java

wiredmikey writes "Oracle released its quarterly Critical Patch Update (CPU) for April, which addressed a whopping 128 security issues across multiple product families. As part of its update, Oracle released a Java SE Critical Patch Update to plug 42 security holes in Java, 19 with base CVE score of 10 (the highest you can go) and 39 related to the Java Web Start plugin which can be remotely exploited without authentication. According to security analyst Wade Williamson, organizations need to realize that Java will continue to pose a significant risk. 'The first step is for an organization to understand precisely where and why Java is needed,' Williamson wrote. 'Based on the rate of newly discovered vulnerabilities, security teams should assume that Java is and will continue to be vulnerable.' Organizations should to take a long, hard look at Java and answer for themselves if it's worth it, Williamson added. Due to the threat posed by a successful attack, Oracle is strongly recommending that organizations apply the security fixes as soon as possible."

#1 web error

[EmperorOfCanada]

What I have observed is that many corporate types adopted Java about 8-10 years ago and seem to be largely sticking with it. But what I don't see are any organizations now switching to Java. The very occasional organization also seems to be dropping Java. At this rate the corporate world will still be using Java for a long time but I don't think it is where the cool kids are. Interestingly there seems to be no one thing replacing Java. I see python definitely becoming the language of choice in certain limited areas such as science and hedge-funds. I see some people tossing their java web front ends and replacing it with an array of things even including PHP.

So all in all where Java is it will probably stay and I doubt that these security concerns will damage that audience much. What reports like this will certainly do is to dissuade many potential adopters of Java based technologies.

Re:#1 web error

What reports like this will certainly do is to dissuade many potential adopters of Java based technologies.

Which is a shame, because these vulnerabilities (which, for the most part, are either in the web plugin itself, or in aspects of the JVM that are only exploitable through the web plugin) have no bearing on Java's suitability for its most popular uses.

The best move Oracle could make to rectify Java's public perception is to un-bundle the goddamn web plugin from the JRE. It's like a festering, oozing sore smack dab on the middle of the face of the platform.

Make it optional, part of a separate download, and bury the link somewhere behind a registration wall on the support pages where only the most determined IT pinheads will ever find it.

Re:#1 web error

[ADRA]

Trust me, as an implementor, there are plenty of new enterprises lining up moving to Java from C/C++/legacy. The alternatives are hodge podge languages which will most likely not work for supporting large number of diverse product categories, or you go with C/C++ and pay a crap load more money for developers & more time spent. Or, you can go with .NET which is fine if you're an all MS shop (less and less) or you rely on Mono for your non-windows systems (tough sell).

Where's the panacea of general programming environments where:
1. You can integrate it with -practically anything- (whatever the customer's currently plugged into -- protocol/socket, old DB's, all those queue systems, email, batch tools, clustering(scale), etc..) with little development overhead
2. Easy access to developers with varying degrees of cost / performance
3. 100% support on mainstream deployment platforms of choice

If you're not answering these three questions, most non-dev centric businesses won't be playing ball.

"but I don't think it is where the cool kids are"
Yes, there's a big difference between what some people want to develop in, and what people actually write useful code in. Joe rock-star could do all his work in Scala/Groovy/Ruby/Python/langoftheweek, but without super unsexy long term support from competent developers, that software will crumble and die with the company forced to move their platform to something more standard just to find people to keep it alive.

Re:I only drink coffee

[Freaky+Spook]

I need to use java interfaces every day, Cisco, EMC, Brocade, HP, IBM, Dell all use java for their management consoles, and I have to keep at list 6 different installers to be able to use them properly as periodic updates to java tend to break access to them if the client hasn't been keeping up with their firmware updates(which is pretty much everyone)

It can be frustrating when you need 3 different versions of java to complete one job.

Re:Yes, it's an industry-wide problem

[Joce640k]

A substantial proportion of our core infrastructure is still written in error-prone, bug-friendly languages like C and C++

A good programmer can write secure code with C++.

A good programmer cannot write secure code with Java - he's at the mercy of the JVM.

Java was sold to the world as a secure platform and has completely failed to deliver. Only a handful of websites need it (usually unnecessarily, and mostly for basic things like authentication) yet the huge all-singing-and-dancing API exposes you on every single web site that you visit. Does anybody really need all those Java multimedia APIs, etc.?

It's become a cancer on the computing world, it needs:

a) To be removed (recommended).
b) To be reduced - bank logins only need a subset of Java 1.1.

(PS: You can still use it for back-end work if you want, but keep it out of the browsers...)

Re:And this is where Oracle is failing...

[symbolset]

C doesn't have safety belts and airbags, that's your complaint? They gave you the framework to create those things if you need them. If you can't be bothered to check your work and your inputs, to consider pathological cases and data, no linguistic tool is going to make your work stable and secure.

Languages are syntactic sugar. When you have implemented the basic stacks of OO, heap, stack, garbage collection, array transforms, list and set processing, the dually-linked-list-dancing-btree-with-bucket-hash, the things that other languages give as algorithms in C then you know you can implement them as C libraries properly once and be done with them. Things like inheritance, soft-typing and operator overloading are a distraction and a menace to predictability, readability and debugging. When you encounter a new problem with no lib you can just write an algorithm that can transform the datastructure in the desired way, make it a lib and call it. The usages of the various languages add nothing but orientation hurdles to get the C programmer into the language developer's state of mind. The states of mind of language developers can be sometimes interesting, but sometimes they are mad. This is not high art. This is fingerpainting. There is a guy here on /. (not me) who designs sorting algorithms that dynamically optimize on processor cache size, in 1KB of code and competes with the world's best. There is another who designed a procedurally generated FPS with unlimited terrain in 4KB. THAT is high art. Once you have mastered the use of your programming tools, you can begin to explore what art can be made with them.

Admittedly some languages have some rapid development potentials and usages where the programmer need not know his programming art, but that is "tools for fools", not real work. Even at their most obtuse, these are almost always implemented in C. Windows is almost entirely C, as is Linux, BSD, of course Unix, every game engine and of course all of the libraries and drivers. It is all C. Even the C++ compilers are more than 90% C.

Other languages, like LOGO, are for children who can't be bothered to learn their Wirth before they make the turtle draw.