Slashdot Mirror
Oracle Fixes 42 Security Vulnerabilities In Java
wiredmikey writes "Oracle released its quarterly Critical Patch Update (CPU) for April, which addressed a whopping 128 security issues across multiple product families. As part of its update, Oracle released a Java SE Critical Patch Update to plug 42 security holes in Java, 19 with base CVE score of 10 (the highest you can go) and 39 related to the Java Web Start plugin which can be remotely exploited without authentication. According to security analyst Wade Williamson, organizations need to realize that Java will continue to pose a significant risk. 'The first step is for an organization to understand precisely where and why Java is needed,' Williamson wrote. 'Based on the rate of newly discovered vulnerabilities, security teams should assume that Java is and will continue to be vulnerable.' Organizations should to take a long, hard look at Java and answer for themselves if it's worth it, Williamson added. Due to the threat posed by a successful attack, Oracle is strongly recommending that organizations apply the security fixes as soon as possible."
Why your bank? They're using Java because it isn't going anywhere soon. It's highly integrated all over the place and is leading the way as the language of choice for everything from big-data processing a'la MapReduce frameworks in Hadoop to Mom & Pop shops just looking for a new college grad to put together something for their needs.
Dislike your bank because they're not treating you like their most important customer, not because they're using Java. =)
Few sites use Java applets (which is what you uninstalled).
Far more sites use Java to power the site on the server side (Google, Amazon, Ebay, etc).
Mod me down, my New Earth Global Warmingist friends!
What I have observed is that many corporate types adopted Java about 8-10 years ago and seem to be largely sticking with it. But what I don't see are any organizations now switching to Java. The very occasional organization also seems to be dropping Java. At this rate the corporate world will still be using Java for a long time but I don't think it is where the cool kids are. Interestingly there seems to be no one thing replacing Java. I see python definitely becoming the language of choice in certain limited areas such as science and hedge-funds. I see some people tossing their java web front ends and replacing it with an array of things even including PHP.
So all in all where Java is it will probably stay and I doubt that these security concerns will damage that audience much. What reports like this will certainly do is to dissuade many potential adopters of Java based technologies.
I need to use java interfaces every day, Cisco, EMC, Brocade, HP, IBM, Dell all use java for their management consoles, and I have to keep at list 6 different installers to be able to use them properly as periodic updates to java tend to break access to them if the client hasn't been keeping up with their firmware updates(which is pretty much everyone)
It can be frustrating when you need 3 different versions of java to complete one job.
What's the deal with people saying Java is a major source of insecurity?
Does that mean compared to C++? Are they comparing (Java + all its libraries) to (C++ plus one instance of each library which is needed to match Java's standard libraries)? Insecurity of the JVM itself, compared to native object code?
I honestly can't tell.
It's been worrying me that the tagline "News for nerds, stuff that matters" has been removed from Slashdot (except in the source code, but gets replaced on any/all page loads), but this story is coming behind both TFA and the actual patches being available for two full days prior.
It's no "Preskill mocks Stephen Hawking" quote from 2012, like the other article, but maybe this could've ended up -slightly- higher priority given that it fixes 1-2 remote unauthenticated exploits in Java, and IIRC 3 in Oracle DB.
"A Goddess rarely smiles for she is forced by others to be an island unto herself." - Zephiris
Java isn't evil, Browser plugins are.
Leave Java on the server side and be done with it.
Write once, debug everywhere.
Write once, run anywhere*
* where available, void where prohibited, quantities limited, some restrictions may apply, batteries not included.
Michael J. Ryan - tracker1.info
What are you smoking? 1.6 update 45, released a few days ago contains all these fixes.
yeah, it should read: 3 Java security vulnerabilities (2 are client only) and 39 Java Web Start vulnerabilities fixed.
With tje taste of Java exploits exceeding one per day, it seems clear the problem is bigger than the specific exploits they are fixing. The DESIGN that allows for hundreds of vulnerabilities is seriously flawed and THAT is what they should fix.
It really looks like someone trying to use chicken wire fencing to build a dam, and they keep patching each little hole. Instead, they need to ditch the porous chicken wire and use something watertight for the barrier between VM and system.
Yet still they are trying to sneak the "Ask" toolbar in there.....
it only take 15 lines of code to say "Hello World!"
lolwut?
if you need 15 lines of java to do a 'hello world', then the problem is with the person in the mirror.
for all its faults, the browser plugin being the most obvious, java for apps is freakin awesome. None of the obtuse BS of C and C++ but all the ability...not to mention all the free libs. Frankly, if it weren't for Java, I'd be sleeping on the streets.
Every time they release one of these my companies IT department insists on the new version being mandatory and installs it on every PC without any testing.
This then breaks one (or more) of our externally provided and supported, business critical, small user base, Java client/server systems. After a few days of frantic phone calls and manual un-installs of the new Java version (which have to be done by IT support due to security lockdown remoting into PCs, after senior signoff) we have to keep doing to combat the overnight updates) we end up with an emergency change to install a very alpha version of the client/server system.
The updated client is normally so full of bugs that it gets several further emergency updates over the next 3 months and is just about stable and almost bug free in time for Oracle to release another patch...
[The Universe] has gone offline.
The reason you have not heard about this more, is that Macs and Firefox/Chrome (not sure about IE) resist the Ask.com installer, so you just don't see it, but the crappy Oracle behavior is in fact going on each time. The result is that naive users are getting this toxic thing installed and it really messes up their whole internet experience.
Hey Oracle: you're pissing away tons of Java goodwill in exchange for pennies form the Ask.com spammers. Who on the heck thought that was a good trade? Like what techie who learns of this behavior is ever going to install Java anywhere? Aren't you trying to make JavaFX into a real client thing?
See http://www.zdnet.com/a-close-look-at-how-oracle-installs-deceptive-software-with-java-updates-7000010038/ for lots of details on how the Ask.com installer tries to trick the users and hide itself. It's kind of interesting arms race between the spamming toolbar and the browser vendors.
Java language evolution has been cosmetic, not substantive; Sun and Oracle have refused to fix things at the VM level. As a result, Java has fallen behind more and more over the years.
In Scandinavia we have to use a java applet called BankID for login to our bank account. This has for the past few months become REALLY frustrating for people who really don't know what Java is. Even technicians who has a basic understanding of what a computer is, has problems keeping Java up to date(they don't know where to download it, and therefore accidentally download something they shouldn't) and all the them are infected with that Oracle search toolbar malware.
My teller offered me online banking once. But her monitor was tilted just enough that I could tell she was using IE6. "Um, no. Thanks. I'm good."
Help stamp out iliturcy.
These are java APPLET or BROWSER PLUGIN vulnerabilities. Completely different thing.
Slashdot should stop with this misinformation. Java the LANGUAGE is OK. Java Virtual Machine is OK. Servers using Java as server-side language are OK. Java desktop applications are OK.
Java the BROWSER PLUGIN is vulnerable. But Java Browser plugin should never have happened in the first place and should be killed with fire.
So stop with the whole bashing of Java in general. Java is a very good and mature language, with the fastest JVM on planet today, lots of open source 3rd party libraries, servers, frameworks and tools. It's very very good for server-side development.
--Coder
In Scandinavia we have to use a java applet called BankID for login to our bank account. This has for the past few months become REALLY frustrating for people who really don't know what Java is. Even technicians who has a basic understanding of what a computer is, has problems keeping Java up to date(they don't know where to download it, and therefore accidentally download something they shouldn't) and all the them are infected with that Oracle search toolbar malware.
I'm in Scandinavia and don't need to use any java applets...
Have you considered that there are tens of banks in Scandinavia, and only a handful require java support in browsers? I would be surprised if such banks did not exist outside Scandinavia too. Just switch to something else (at least for day to day banking if you can't move loans).
"Organizations should to take a long, hard look at Java and answer for themselves if it's worth it, Williamson added.". This doesn't sound very balanced. It sounds like he has some sort of ulterior motive
Languages need to keep up with the times, or they become an albatross.
Unless through being steeped in the art and basic principles and with an eye toward the future the authors built their language in such a way that it could be timeless art that stood for all time, like for example Brian Kernighan and Dennis Ritchie's "C".
Go ahead and learn ALGOL, FORTRAN, BASIC, SNOBOL, APL, ADA, brainfuck, R, LISP and dozens of others like I did if that's your nerd thing. It's fun. After you've done that you'll come to the same conclusion I did: programming languages are syntactic sugar. They are constructs for interpreting your ideas into references to libraries that instantiate the desired result in predictable ways.
C is. It stands like the Oedipus trilogy as a distillation of all prior art and a foundation of all subsequent art. It is beautiful and timeless in the same way. Learn this one thing and all else becomes easy. Unfortunately, like the Tau, it is not possible to really understand C until you don't need to do so any more. When you have learned enough about C to know why it is a fool's game you will have become ready to launch your own inferior language.
Help stamp out iliturcy.
I'm getting tired of this Java bashing in the media due to security issues. Java isn't inherently more insecure than any other platform. On the contrary, it has a sophisticated, built-in security system that most other platforms lack. But of course there are bugs and holes, just like with any other software. The only reason why Java is being exploited and making headlines so much recently is because Java is so widely adopted now that it makes a big target. It's what hackers have their sights on at the moment, just like they had their sights on Flash or Acrobat Reader a while back. If enough people switched to a different platform because Java is so insecure, the only result would be that in a couple of years hackers would be targeting the new platform, because it's the new prime target. Then all of its security holes will gradually be uncovered and the switchers will be just as exposed or even more so than if they had sticked with Java in the first place.
Write once, run away*
* I can't take original credit for this. I read it somewhere and thought it was very funny.
I agree wholeheartedly. Almost the entire software development industry is rotten, and Java is just an easy target to pick on because of the browser plug-in vulnerabilities.
Certainly security is a difficult thing to get right, but that's no excuse for using tools and techniques that are horribly inadequate for writing secure code. Take a look at how many critical vulnerabilities get patched in every major browser in a year and you see they're no shining beacons of security virtue either. A substantial proportion of our core infrastructure is still written in error-prone, bug-friendly languages like C and C++, which looking objectively from the outside is just crazy.
Unfortunately, it's an institutional malaise, something that is hard for any individual actor in the system to fix. Most development projects simply can't afford to just give up on languages and run-time platforms with vast ecosystems surrounding them that dramatically increase productivity or they'll put themselves at a significant competitive disadvantage. That will continue until someone's "better alternative" language/platform also comes with the same kind of ecosystem.
Realistically, we'll probably have to put up with this sort of nonsense until either the general public start wising up to how much security failures really cost and vote with their wallets, or governments step in and regulate to force the issue, or some project starts eating everyone's lunch because it really does offer such an improvement that using it is a compelling advantage and it can bootstrap its own ecosystem. And it's not as if any of those options doesn't have problems of its own...
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
C doesn't have safety belts and airbags, that's your complaint? They gave you the framework to create those things if you need them. If you can't be bothered to check your work and your inputs, to consider pathological cases and data, no linguistic tool is going to make your work stable and secure.
Languages are syntactic sugar. When you have implemented the basic stacks of OO, heap, stack, garbage collection, array transforms, list and set processing, the dually-linked-list-dancing-btree-with-bucket-hash, the things that other languages give as algorithms in C then you know you can implement them as C libraries properly once and be done with them. Things like inheritance, soft-typing and operator overloading are a distraction and a menace to predictability, readability and debugging. When you encounter a new problem with no lib you can just write an algorithm that can transform the datastructure in the desired way, make it a lib and call it. The usages of the various languages add nothing but orientation hurdles to get the C programmer into the language developer's state of mind. The states of mind of language developers can be sometimes interesting, but sometimes they are mad. This is not high art. This is fingerpainting. There is a guy here on /. (not me) who designs sorting algorithms that dynamically optimize on processor cache size, in 1KB of code and competes with the world's best. There is another who designed a procedurally generated FPS with unlimited terrain in 4KB. THAT is high art. Once you have mastered the use of your programming tools, you can begin to explore what art can be made with them.
Admittedly some languages have some rapid development potentials and usages where the programmer need not know his programming art, but that is "tools for fools", not real work. Even at their most obtuse, these are almost always implemented in C. Windows is almost entirely C, as is Linux, BSD, of course Unix, every game engine and of course all of the libraries and drivers. It is all C. Even the C++ compilers are more than 90% C.
Other languages, like LOGO, are for children who can't be bothered to learn their Wirth before they make the turtle draw.
Help stamp out iliturcy.
With a C++ program it is up to me, the programmer to make sure there are no exploits.
Which is why of course all those ActiveX controls running in IE, mostly written in C++ were so immune to exploitation. The security exceeded everybody's wildest expectations.
I don't blame Java per se - the bank used Java because it was the only way to achieve what they wanted to do. The problem is that what they want to do is stupid and there are alternatives which don't involve so much hassle. e.g. instead of issuing a cert, banks could use a hard token or post out a one time pad book, or employ several layers security.
the point is that they just patched 39 vulnerabilities that were not know about last week... how many are still in there that we just haven't discovered yet? That's why we criticise them, because they've found so many vulns, there's a good chance there's a load more waiting to be discovered.
C doesn't have safety belts and airbags, that's your complaint?
Your car analogy is poor. You're talking about whether the language is good for safety, and safety belts and airbags save lives.
If you can't be bothered to check your work and your inputs, to consider pathological cases and data, no linguistic tool is going to make your work stable and secure.
That's an absolute argument in a relative world.
I don't need to check that I'm not dereferencing a NULL pointer everywhere if my programming language's type system means there is no NULL value in that context. The entire class of mistakes is removed.
I don't need to check for an off-by-one error updating a loop counter if I'm using a loop control structure in my programming language that has no explicit counter at all. The entire class of mistakes is removed.
No human programmer is perfect, no matter how good or experienced they are. I make mistakes. You make mistakes. Every single programmer reading these posts makes mistakes. The only way to remove a class of errors with close to 100% reliability is to use tools and processes that remove the possibility of the human error in the first place.
If my tools do that for me in some cases, it leaves me that much longer to think about the other ones, and makes it that much clearer for my peer reviewers to check that I got the logic right when I do. It's not as if I have somehow mysteriously lost all my defensive programming skills by using a more powerful language instead of C! I'll just be using those skills to better effect, because I can concentrate on the harder problems and trust that the easy ones are already solved.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.