Oracle Fixes 42 Security Vulnerabilities In Java
wiredmikey writes "Oracle released its quarterly Critical Patch Update (CPU) for April, which addressed a whopping 128 security issues across multiple product families. As part of its update, Oracle released a Java SE Critical Patch Update to plug 42 security holes in Java, 19 with base CVE score of 10 (the highest you can go) and 39 related to the Java Web Start plugin which can be remotely exploited without authentication. According to security analyst Wade Williamson, organizations need to realize that Java will continue to pose a significant risk. 'The first step is for an organization to understand precisely where and why Java is needed,' Williamson wrote. 'Based on the rate of newly discovered vulnerabilities, security teams should assume that Java is and will continue to be vulnerable.' Organizations should take a long, hard look at Java and answer for themselves if it's worth it, Williamson added. Due to the threat posed by a successful attack, Oracle is strongly recommending that organizations apply the security fixes as soon as possible."
Java is used for a lot more than just powering websites.
"I use a Mac because I'm just better than you are."
Why your bank? They're using Java because it isn't going anywhere soon. It's highly integrated all over the place and is leading the way as the language of choice for everything from big-data processing à la MapReduce frameworks in Hadoop to Mom & Pop shops just looking for a new college grad to put together something for their needs.
Dislike your bank because they're not treating you like their most important customer, not because they're using Java. =)
Few sites use Java applets (which is what you uninstalled).
Far more sites use Java to power the site on the server side (Google, Amazon, Ebay, etc).
Mod me down, my New Earth Global Warmingist friends!
What I have observed is that many corporate types adopted Java about 8-10 years ago and seem to be largely sticking with it. But what I don't see are any organizations now switching to Java. The very occasional organization also seems to be dropping Java. At this rate the corporate world will still be using Java for a long time but I don't think it is where the cool kids are. Interestingly there seems to be no one thing replacing Java. I see python definitely becoming the language of choice in certain limited areas such as science and hedge-funds. I see some people tossing their java web front ends and replacing it with an array of things even including PHP.
So all in all where Java is it will probably stay and I doubt that these security concerns will damage that audience much. What reports like this will certainly do is to dissuade many potential adopters of Java based technologies.
I need to use Java interfaces every day. Cisco, EMC, Brocade, HP, IBM, Dell all use Java for their management consoles, and I have to keep at least 6 different installers to be able to use them properly, as periodic updates to Java tend to break access to them if the client hasn't been keeping up with their firmware updates (which is pretty much everyone).
It can be frustrating when you need 3 different versions of java to complete one job.
It's highly integrated all over the place and is leading the way as the language of choice for everything from big-data processing à la MapReduce frameworks in Hadoop to Mom & Pop shops just looking for a new college grad to put together something for their needs.
Yes! COBOL all the way!
What's the deal with people saying Java is a major source of insecurity?
Does that mean compared to C++? Are they comparing (Java + all its libraries) to (C++ plus one instance of each library which is needed to match Java's standard libraries)? Insecurity of the JVM itself, compared to native object code?
I honestly can't tell.
It's been worrying me that the tagline "News for nerds, stuff that matters" has been removed from Slashdot (except in the source code, but gets replaced on any/all page loads), but this story is coming behind both TFA and the actual patches being available for two full days prior.
It's no "Preskill mocks Stephen Hawking" quote from 2012, like the other article, but maybe this could've ended up -slightly- higher priority given that it fixes 1-2 remote unauthenticated exploits in Java, and IIRC 3 in Oracle DB.
"A Goddess rarely smiles for she is forced by others to be an island unto herself." - Zephiris
What is 6 times ... ah .. nevermind.
Java isn't evil, Browser plugins are.
Leave Java on the server side and be done with it.
Write once, debug everywhere.
Write once, run anywhere*
* where available, void where prohibited, quantities limited, some restrictions may apply, batteries not included.
Michael J. Ryan - tracker1.info
What are you smoking? 1.6 update 45, released a few days ago contains all these fixes.
yeah, it should read: 3 Java security vulnerabilities (2 are client only) and 39 Java Web Start vulnerabilities fixed.
Reminds me of my dad always breaking shit when he tried to fix it. Then he actually fixed something and we flipped our shit!
"That's right...I said it."
Yep, +1 there, what's annoying is having to work with an old pix firewall from a modern day machine running an up-to-date version of java. Java Web Start and Java Applets are the bane of my existence and I hope they burn in hell real soon. Then we talk about updates...Has anyone ever tried to update java without admin access on a Windows box? As often as they are rolling out updates we find ourselves spending 1/3rd of our weeks just keeping java up to date on everyone's machines.
TheVeryBest
With the rate of Java exploits exceeding one per day, it seems clear the problem is bigger than the specific exploits they are fixing. The DESIGN that allows for hundreds of vulnerabilities is seriously flawed and THAT is what they should fix.
It really looks like someone trying to use chicken wire fencing to build a dam, and they keep patching each little hole. Instead, they need to ditch the porous chicken wire and use something watertight for the barrier between VM and system.
Oracle has been releasing scheduled security updates for years now, as has virtually every other software vendor in the world. Java is no less secure than any other software product. If anything, it is far more secure than alternative programming languages and VMs.
When Oracle fails to patch known vulnerabilities, they get nailed for it (rightfully so). But then when they actually *do* patch known vulnerabilities, Slashdot nails them *anyway*. That's just biased!
Yeah!
It's also used for terribly engineered front end software and to slow down the most powerful supercomputer to a crawl because the guys that used it were too lazy to learn C++ and proper coding.
Oh... developed for Object Oriented Programming you say? Well hell yeah... it only takes 15 lines of code to say "Hello World!"
WWWWEEEEEEEEEEEEEEE!!!!!
I thought Web Start was invoked through file associations for JNLP files, not through the Java plugin. In other words, you could disable the plugin entirely and still be vulnerable to JWS exploits. Is that the case?
Yet still they are trying to sneak the "Ask" toolbar in there.....
it only takes 15 lines of code to say "Hello World!"
lolwut?
if you need 15 lines of java to do a 'hello world', then the problem is with the person in the mirror.
for all its faults, the browser plugin being the most obvious, java for apps is freakin awesome. None of the obtuse BS of C and C++ but all the ability...not to mention all the free libs. Frankly, if it weren't for Java, I'd be sleeping on the streets.
Every time they release one of these my company's IT department insists on the new version being mandatory and installs it on every PC without any testing.
This then breaks one (or more) of our externally provided and supported, business critical, small user base, Java client/server systems. After a few days of frantic phone calls and manual un-installs of the new Java version (which have to be done by IT support remoting into PCs, due to security lockdown, after senior signoff, and which we have to keep doing to combat the overnight updates) we end up with an emergency change to install a very alpha version of the client/server system.
The updated client is normally so full of bugs that it gets several further emergency updates over the next 3 months and is just about stable and almost bug free in time for Oracle to release another patch...
[The Universe] has gone offline.
The reason you have not heard about this more, is that Macs and Firefox/Chrome (not sure about IE) resist the Ask.com installer, so you just don't see it, but the crappy Oracle behavior is in fact going on each time. The result is that naive users are getting this toxic thing installed and it really messes up their whole internet experience.
Hey Oracle: you're pissing away tons of Java goodwill in exchange for pennies from the Ask.com spammers. Who the heck thought that was a good trade? Like what techie who learns of this behavior is ever going to install Java anywhere? Aren't you trying to make JavaFX into a real client thing?
See http://www.zdnet.com/a-close-look-at-how-oracle-installs-deceptive-software-with-java-updates-7000010038/ for lots of details on how the Ask.com installer tries to trick the users and hide itself. It's kind of interesting arms race between the spamming toolbar and the browser vendors.
Java is "the language of choice" for programming in roughly the same way that the military is "the method of choice" for dealing with diplomatic problems.
Java language evolution has been cosmetic, not substantive; Sun and Oracle have refused to fix things at the VM level. As a result, Java has fallen behind more and more over the years.
In Scandinavia we have to use a Java applet called BankID for login to our bank account. This has for the past few months become REALLY frustrating for people who really don't know what Java is. Even technicians who have a basic understanding of what a computer is have problems keeping Java up to date (they don't know where to download it, and therefore accidentally download something they shouldn't) and all of them are infected with that Oracle search toolbar malware.
My teller offered me online banking once. But her monitor was tilted just enough that I could tell she was using IE6. "Um, no. Thanks. I'm good."
Help stamp out iliturcy.
These are java APPLET or BROWSER PLUGIN vulnerabilities. Completely different thing.
Slashdot should stop with this misinformation. Java the LANGUAGE is OK. Java Virtual Machine is OK. Servers using Java as server-side language are OK. Java desktop applications are OK.
Java the BROWSER PLUGIN is vulnerable. But Java Browser plugin should never have happened in the first place and should be killed with fire.
So stop with the whole bashing of Java in general. Java is a very good and mature language, with the fastest JVM on the planet today, lots of open source 3rd party libraries, servers, frameworks and tools. It's very very good for server-side development.
--Coder
It's also used for Minecraft. And that's why I make my son boot from a fresh network image each day. He's too young to understand why enabling his Minecraft habit is a bad thing, so I do what I must.
I really would tell all my country-cousins to update their Java, but I couldn't rely on them to untick the 'Make Ask my default homepage, and add the toolbar' box. That sort of inertia-sell to the ignorant inspires no confidence at all.
Kids these days.
In Scandinavia we have to use a Java applet called BankID for login to our bank account. This has for the past few months become REALLY frustrating for people who really don't know what Java is. Even technicians who have a basic understanding of what a computer is have problems keeping Java up to date (they don't know where to download it, and therefore accidentally download something they shouldn't) and all of them are infected with that Oracle search toolbar malware.
I'm in Scandinavia and don't need to use any java applets...
Have you considered that there are tens of banks in Scandinavia, and only a handful require java support in browsers? I would be surprised if such banks did not exist outside Scandinavia too. Just switch to something else (at least for day to day banking if you can't move loans).
"Organizations should take a long, hard look at Java and answer for themselves if it's worth it, Williamson added." This doesn't sound very balanced. It sounds like he has some sort of ulterior motive.
Languages need to keep up with the times, or they become an albatross.
Unless through being steeped in the art and basic principles and with an eye toward the future the authors built their language in such a way that it could be timeless art that stood for all time, like for example Brian Kernighan and Dennis Ritchie's "C".
Go ahead and learn ALGOL, FORTRAN, BASIC, SNOBOL, APL, ADA, brainfuck, R, LISP and dozens of others like I did if that's your nerd thing. It's fun. After you've done that you'll come to the same conclusion I did: programming languages are syntactic sugar. They are constructs for interpreting your ideas into references to libraries that instantiate the desired result in predictable ways.
C is. It stands like the Oedipus trilogy as a distillation of all prior art and a foundation of all subsequent art. It is beautiful and timeless in the same way. Learn this one thing and all else becomes easy. Unfortunately, like the Tau, it is not possible to really understand C until you don't need to do so any more. When you have learned enough about C to know why it is a fool's game you will have become ready to launch your own inferior language.
That is rather curious. Java has always been backwards compatible - using the latest version should always work with older code (unless these libraries use proprietary extensions, in which case this is not a Java issue but a library issue). Care to share what type of problems you run into?
Oh boy....
Have you heard about JEE?
Besides could you give us your reasons why C++ would be a better choice?
Yeah, but that doesn't make for such an impressive OP... Spreading FUD makes for better headlines you know...
One example: Groovy code compiled with JDK 6 will throw exceptions when running in JRE 7. It is indeed a design flaw in Groovy, not in Java:
http://blog.proxerd.pl/article/how-to-fix-incompatibleclasschangeerror-for-your-groovy-projects-running-on-jdk7
I'm getting tired of this Java bashing in the media due to security issues. Java isn't inherently more insecure than any other platform. On the contrary, it has a sophisticated, built-in security system that most other platforms lack. But of course there are bugs and holes, just like with any other software. The only reason why Java is being exploited and making headlines so much recently is because Java is so widely adopted now that it makes a big target. It's what hackers have their sights on at the moment, just like they had their sights on Flash or Acrobat Reader a while back. If enough people switched to a different platform because Java is so insecure, the only result would be that in a couple of years hackers would be targeting the new platform, because it's the new prime target. Then all of its security holes will gradually be uncovered and the switchers will be just as exposed or even more so than if they had stuck with Java in the first place.
That sounds pretty final to me :)
That will remove 42 exploits and add 17 new ones for a balance of 17243.
And no, I am not joking but estimating.
Write once, run away*
* I can't take original credit for this. I read it somewhere and thought it was very funny.
Sorry, bad pun :o)
But I agree, K&R really nailed it with C. Sophisticated enough to do any major task required of it - e.g. the Linux kernel - but simple enough for a beginner to write basic apps in even if he doesn't quite understand for example the subtle difference between pointers and arrays yet.
Sure it's not the best language now for a lot of things, but as a general purpose language that will let you program virtually anything it can't be beaten.
I agree wholeheartedly. Almost the entire software development industry is rotten, and Java is just an easy target to pick on because of the browser plug-in vulnerabilities.
Certainly security is a difficult thing to get right, but that's no excuse for using tools and techniques that are horribly inadequate for writing secure code. Take a look at how many critical vulnerabilities get patched in every major browser in a year and you see they're no shining beacons of security virtue either. A substantial proportion of our core infrastructure is still written in error-prone, bug-friendly languages like C and C++, which looking objectively from the outside is just crazy.
Unfortunately, it's an institutional malaise, something that is hard for any individual actor in the system to fix. Most development projects simply can't afford to just give up on languages and run-time platforms with vast ecosystems surrounding them that dramatically increase productivity or they'll put themselves at a significant competitive disadvantage. That will continue until someone's "better alternative" language/platform also comes with the same kind of ecosystem.
Realistically, we'll probably have to put up with this sort of nonsense until either the general public start wising up to how much security failures really cost and vote with their wallets, or governments step in and regulate to force the issue, or some project starts eating everyone's lunch because it really does offer such an improvement that using it is a compelling advantage and it can bootstrap its own ecosystem. And it's not as if any of those options doesn't have problems of its own...
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
C was a great language for its time, but from a security point of view it is still a nightmare. Unfortunately, whatever theoretical equivalence they might have, in practice different programming languages are not just syntactic sugar.
C is the language that introduced many of us to terms like "buffer overrun" and "access violation" and "null pointer dereference" and "off by one error". These are kinds of programmer error that everyone makes sometimes if they have the chance, even world class programmers who write core OS and networking tools we all rely on every day, and of course most programmers aren't world class and make far, far more mistakes if you give them the opportunity to do so.
C also has very little expressive power, in the sense of letting programmers implement the concepts they need concisely and elegantly, and it hardly has a type system worth mentioning at all. Both of these things are also severe disadvantages when it comes to writing robust, secure code.
If you really think that C is the pinnacle of programming language design and that all these more modern languages are inferior, you might like to consider the sage advice Kipling almost gave: "If you can keep your head when all about you are losing theirs... they probably know something you don't."
Or it's too early in the morning, my sense of humour hasn't finished booting, and your post really was intended as a troll, in which case you have succeeded gloriously and I tip my virtual hat to you...
Why your bank? They're using Java because it isn't going anywhere soon. It's highly integrated all over the place and is leading the way as the language of choice for everything
Sure ... but is it necessary for me to install it in my machine just so I can log into their web site? (Thus exposing me to every other malicious site on the web)
Same for all those government web sites, etc., that require Java. Not necessary just for a login.
In reality I only access those web sites via IE and use Firefox for general surfing, but how many ordinary people do that?
No sig today...
Nice troll.
C doesn't have safety belts and airbags, that's your complaint? They gave you the framework to create those things if you need them. If you can't be bothered to check your work and your inputs, to consider pathological cases and data, no linguistic tool is going to make your work stable and secure.
Languages are syntactic sugar. When you have implemented the basic stacks of OO, heap, stack, garbage collection, array transforms, list and set processing, the dually-linked-list-dancing-btree-with-bucket-hash, the things that other languages give as algorithms in C then you know you can implement them as C libraries properly once and be done with them. Things like inheritance, soft-typing and operator overloading are a distraction and a menace to predictability, readability and debugging. When you encounter a new problem with no lib you can just write an algorithm that can transform the datastructure in the desired way, make it a lib and call it. The usages of the various languages add nothing but orientation hurdles to get the C programmer into the language developer's state of mind. The states of mind of language developers can be sometimes interesting, but sometimes they are mad. This is not high art. This is fingerpainting. There is a guy here on /. (not me) who designs sorting algorithms that dynamically optimize on processor cache size, in 1KB of code and competes with the world's best. There is another who designed a procedurally generated FPS with unlimited terrain in 4KB. THAT is high art. Once you have mastered the use of your programming tools, you can begin to explore what art can be made with them.
Admittedly some languages have some rapid development potentials and usages where the programmer need not know his programming art, but that is "tools for fools", not real work. Even at their most obtuse, these are almost always implemented in C. Windows is almost entirely C, as is Linux, BSD, of course Unix, every game engine and of course all of the libraries and drivers. It is all C. Even the C++ compilers are more than 90% C.
Other languages, like LOGO, are for children who can't be bothered to learn their Wirth before they make the turtle draw.
FWIW, the only "major" bank in Scandinavia which requires java applets is AFAIK Danske Bank, and they are set to introduce a java-free banking site sometime this summer.
With a C++ program it is up to me, the programmer to make sure there are no exploits.
Which is why of course all those ActiveX controls running in IE, mostly written in C++ were so immune to exploitation. The security exceeded everybody's wildest expectations.
I don't blame Java per se - the bank used Java because it was the only way to achieve what they wanted to do. The problem is that what they want to do is stupid and there are alternatives which don't involve so much hassle. e.g. instead of issuing a cert, banks could use a hard token or post out a one time pad book, or employ several layers security.
What I find interesting is that Java security problems were almost a non-issue until Sun was bought by Oracle.
Great minds think alike; fools seldom differ.
I use NemId to login to my bank accounts - Nordea et al., as well as the tax authorities and any government website you choose to log in to.
They all use Java, and I am fine with that.
No, just truth.
With a C++ program it is up to me, the programmer to make sure there are no exploits.
Guess how many programmers are adequately up to that task... And when I say "many", I actually mean "few".
you mean in your country it is?
"I think this line is mostly filler"
1.... that organizations apply the security fixes as soon as possible
2.... that you install the Ask Toolbar
And here goes the credibility of Oracle.
The only reason why Java is being exploited and making headlines so much recently is because Java is so widely adopted now that it makes a big target.
But there's nothing wrong with examining whether Java in the browser should be widely adopted. After the last merry-go-round of critical updates I deleted the Java plugin and haven't noticed a difference. The only site I encountered since then that used any embedded Java was the Taiwan Ministry of Education using it for some unimportant news ticker (which sums up browser applets in general: a distant reminder of Geocities and Livejournal). Even before then, Firefox intermittently would disable Java plugins as being insecure, so Java applets haven't been a seamless experience for a while.
I still have the JRE around on my work machine for some development tools that need it. But the usage is all local, so there is no urgent need to update. Plus, the update process has been broken in Windows 7. The update check and nag warning comes up for all users, but the installation can only be done by an admin account. Even as an admin, the update fails because it's expecting to download to a temp directory that doesn't exist. I deleted Java completely from my family computers, because I got tired of reassuring everyone that the constant update warnings weren't serious. Nobody has missed it.
Yeah, C is great, and timeless; as long as by "timeless" you mean, "has gone through 4 different versions". Haven't you heard about C89, C99 and C11?
C doesn't have safety belts and airbags, that's your complaint?
Your car analogy is poor. You're talking about whether the language is good for safety, and safety belts and airbags save lives.
If you can't be bothered to check your work and your inputs, to consider pathological cases and data, no linguistic tool is going to make your work stable and secure.
That's an absolute argument in a relative world.
I don't need to check that I'm not dereferencing a NULL pointer everywhere if my programming language's type system means there is no NULL value in that context. The entire class of mistakes is removed.
I don't need to check for an off-by-one error updating a loop counter if I'm using a loop control structure in my programming language that has no explicit counter at all. The entire class of mistakes is removed.
No human programmer is perfect, no matter how good or experienced they are. I make mistakes. You make mistakes. Every single programmer reading these posts makes mistakes. The only way to remove a class of errors with close to 100% reliability is to use tools and processes that remove the possibility of the human error in the first place.
If my tools do that for me in some cases, it leaves me that much longer to think about the other ones, and makes it that much clearer for my peer reviewers to check that I got the logic right when I do. It's not as if I have somehow mysteriously lost all my defensive programming skills by using a more powerful language instead of C! I'll just be using those skills to better effect, because I can concentrate on the harder problems and trust that the easy ones are already solved.
True. I suppose a third of the people with Java installed don't really need Java. Another third probably don't want or need the browser plugin. It should be an optional part of the installation. The final third are the professional or educated users who know what they are doing, probably need Java and are savvy enough to disable the browser plugin, if they don't need it.
The main problem of IT security is always that most users just don't know better.
In the hands of an experienced and disciplined professional, the C++ compiler can generate extremely efficient and secure(*) code, while even the very best Java developer will be inhibited by
Like the developers working on browsers and operating systems? Extremely efficient and secure?
Thank you!
Java security problems have been brought up in a larger scale only in the past few months.
If you install this on your Mac and you are using a Drobo iscsi device, then you are no longer using your iscsi device. This java update breaks Drobo's iscsi initiator.
Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
Citation? I thought not. Try harder.
Yeah, Perl and Python nowadays. Ruby is getting there, and Javascript entered the run lately, but it's nearer the starting point than that goal. And of course, there are the JVM alternatives that can use any Java lib, but also share its vulnerabilities. And also, that's just one kind of development shop. Other kinds may be best served with something more powerful like Haskell, or nearer to the metal, like C.
Now, if "Easy access to developers with varying degrees of cost / performance" means "We'll hire incompetent programmers and don't want them to destroy everything", Java seems to be the only option.
Rethinking email
This is not high art. This is fingerpainting.
In the case of assembly, I think it's more like pointillism than finger-painting. :-)
"What are you doing here, Elijah?"
When Danske Bank bought Finnish Sampo Pankki, they forced it (and its customers) to move to Danske Bank group's online banking software which pretty much sucked and supposedly still sucks. And requires Java.
Sampo Pankki had one of the best online banking experience in Finland, feature- and usability-wise. It did not require Java or other sillyness from the client.
IIRC the Danske Bank applet's client code had some obfuscation/encryption features in it but the author hadn't used them. So the code was easily opened and analyzed. One of the things they found out was that the Java software collected very detailed information from the client computer and user and sent it to the server. This was information which has nothing to do with banking.
During the transition Danske Bank had a lot of problems not only in the web bank but in money transfers etc. The fiasco caused an outrage and they say even tens of thousands of customers left. This is not a small thing in a country of about 5.4 million people.
I closed all my accounts with Sampo Pankki soon after the whole thing, mainly because of the crappy web bank, Java dependency and the privacy violations. Sadly though my new bank's web bank wasn't nearly as good as Sampo Pankki had before Danske crap. But it sure beats running some spyware Java applet while doing banking online...
Tapio 'itn' Nuutinen
Out of how many? 42? 420? 69105? 10^42?
Also, in C++, I'm also constrained by the libraries I have to use. Much of the stuff that's in Java standard libraries just isn't in C++ standard libraries (although C++11 improved that a lot, and Boost is very useful for what it covers). It's a lot easier to write secure code in C++ than in C, but (as a C++ fan) I'm not at all convinced it has advantages over Java.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
If you're looking for a language that will always produce extremely efficient and secure code, well, I think you'll need to incorporate unicorn farts into the compiler and linker both. If you're looking for a language that can produce extremely efficient and secure code when written by a non-expert, that's maybe slightly more achievable. If you're looking for a language that can produce extremely efficient and secure code when written by experts (and this includes knowing which features of the language to use, and which to run screaming from), C++ will do very well.
More like its lack of ABS, traction control, air and fuel filters, visibility, windshield, etc. Sure, you can write your own, but it's always going to be clumsy and error-prone. Sure, you can check some stuff beforehand, but there's a lot of things (like when to free memory) that's Turing-undecidable at writing or even compile time. Garbage collection or std::shared_ptr are nice, easy-to-use ways of solving that problem in ways that are not tricky to use (well, there are some circumstances where std::shared_ptr gets tricky, but nowhere near as bad as any C counterpart).
Sounds like you've never bothered to learn anything other than C well. Sorting in C and C++ is available in the standard libraries, but qsort() and std::sort aren't exactly the same thing. qsort() requires at least one separate function to be defined, and requires that you pass in assorted pointers correctly. At that time, it will do a lot of indirect memory references and function calls, which can cost performance and even cause cache misses. With C++, you can define the comparison function in a natural place (either in the class definition or the std::sort invocation itself, frequently), and the compiler can inline what it sees fit. C++ sorting is easier to use and much harder to get wrong.
As far as your complaints about inheritance and such, you need to consider programmer competence. If you gave me my choice of knives and swords and put me up against an unarmed martial artist, you would observe that weapons are useless using that reasoning. We're talking about a C programmer who can be trusted with stdio.h, and knows when and how to use the str* and strn* functions. Somebody who knows C++ that well is not going to screw up inheritance and operator overloading in that way. I don't know what "soft-typing" is, but C's type system is about the softest around.
C is a very good language for some purposes, but it's really hard to make it secure. There's many more pathological cases to consider than in most more modern languages, and the incessant attention to detail that this requires can lead to making much larger-scale errors. A C programmer has to be very careful to avoid buffer overflows, while a C++ or Java programmer can generally avoid them with a few intelligent practices.
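The two posts above (the one arguing that a type system or loop construct removes whole classes of mistakes, and this one on buffer overflows in C versus C++) make their point in words only. Here is the same argument in code, as an added example that is not from this thread or from any poster: the C idiom and the C++ idiom side by side for three error classes (buffer overrun, off-by-one loop bound, unchecked null). It assumes a C++17 compiler for std::optional; all function names are mine.

```cpp
// Added example, not from the thread. Each pair shows the C-style version,
// where the programmer must remember a check, and the C++ version, where the
// language removes the opportunity to forget it.
#include <cstring>
#include <optional>
#include <stdexcept>
#include <string>
#include <vector>

// C idiom: caller supplies a fixed buffer and its size. The "if" below is the
// line a careful C programmer has to write, correctly, every single time.
// Returns false (copying nothing) when the input would not fit.
bool c_style_copy(char *dst, std::size_t dst_size, const char *src) {
    std::size_t n = std::strlen(src);
    if (n + 1 > dst_size) return false;   // forget this -> buffer overrun
    std::memcpy(dst, src, n + 1);
    return true;
}

// C++ idiom: std::string owns and grows its own storage, so there is no
// separate size for the programmer to get wrong.
std::string cpp_style_copy(const std::string &src) { return src; }

// Off-by-one: the classic C bound "i <= n" reads one element past the end.
// With vector::at() the mistake becomes an exception instead of a silent
// out-of-bounds read. (The bound is deliberately wrong here.)
int sum_indexed_checked(const std::vector<int> &v) {
    int total = 0;
    for (std::size_t i = 0; i <= v.size(); ++i)  // deliberate off-by-one
        total += v.at(i);                         // throws std::out_of_range
    return total;
}

// Range-for has no counter at all, so that class of mistake cannot occur.
int sum_range_for(const std::vector<int> &v) {
    int total = 0;
    for (int x : v) total += x;
    return total;
}

// Null: instead of returning a pointer that may be null and hoping every
// caller checks it, return std::optional so "absent" is part of the type and
// the caller cannot dereference without acknowledging it.
std::optional<int> find_first_negative(const std::vector<int> &v) {
    for (int x : v) if (x < 0) return x;
    return std::nullopt;
}

// Helper that reports whether the off-by-one above is caught rather than
// silently reading past the end.
bool off_by_one_is_caught(const std::vector<int> &v) {
    try {
        sum_indexed_checked(v);
        return false;
    } catch (const std::out_of_range &) {
        return true;
    }
}
```

The C-style function is not wrong; it is merely one forgotten line away from being wrong, which is the whole of the argument above. The C++ versions do not make the programmer smarter, they just leave nothing for that particular mistake to attach to.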
If you're looking for a language that can produce extremely efficient and secure code when written by experts (and this includes knowing which features of the language to use, and which to run screaming from), C++ will do very well.
The thing is that even Java would do fine under those circumstances. I am not talking about browser plugins though.
Coming from someone who has developed in both languages for decades.
Damnit. If they've fixed 42, that means they've found the question, and now the universe is just going to turn into a new confusing and illogical mess.
Too bad Java suffers from null pointers.
Yes, it is. In that respect, Java has a design almost as unfortunate as C and C++.