Slashdot Mirror

← Back to Stories (view on slashdot.org)

Oracle Fixes 42 Security Vulnerabilities In Java

Posted by samzenpus on from the patching-things-up dept.

wiredmikey writes "Oracle released its quarterly Critical Patch Update (CPU) for April, which addressed a whopping 128 security issues across multiple product families. As part of its update, Oracle released a Java SE Critical Patch Update to plug 42 security holes in Java, 19 with base CVE score of 10 (the highest you can go) and 39 related to the Java Web Start plugin which can be remotely exploited without authentication. According to security analyst Wade Williamson, organizations need to realize that Java will continue to pose a significant risk. 'The first step is for an organization to understand precisely where and why Java is needed,' Williamson wrote. 'Based on the rate of newly discovered vulnerabilities, security teams should assume that Java is and will continue to be vulnerable.' Organizations should to take a long, hard look at Java and answer for themselves if it's worth it, Williamson added. Due to the threat posed by a successful attack, Oracle is strongly recommending that organizations apply the security fixes as soon as possible."

2 of 211 comments (clear)

  1. Re:I only drink coffee by Freaky+Spook · · Score: 5, Interesting

    I need to use java interfaces every day, Cisco, EMC, Brocade, HP, IBM, Dell all use java for their management consoles, and I have to keep at list 6 different installers to be able to use them properly as periodic updates to java tend to break access to them if the client hasn't been keeping up with their firmware updates(which is pretty much everyone)

    It can be frustrating when you need 3 different versions of java to complete one job.

  2. Re:Yes, it's an industry-wide problem by Joce640k · · Score: 4, Interesting

    A substantial proportion of our core infrastructure is still written in error-prone, bug-friendly languages like C and C++

    A good programmer can write secure code with C++.

    A good programmer cannot write secure code with Java - he's at the mercy of the JVM.

    Java was sold to the world as a secure platform and has completely failed to deliver. Only a handful of websites need it (usually unnecessarily, and mostly for basic things like authentication) yet the huge all-singing-and-dancing API exposes you on every single web site that you visit. Does anybody really need all those Java multimedia APIs, etc.?

    It's become a cancer on the computing world, it needs:

    a) To be removed (recommended).
    b) To be reduced - bank logins only need a subset of Java 1.1.

    (PS: You can still use it for back-end work if you want, but keep it out of the browsers...)

    --
    No sig today...