Slashdot Mirror


Oracle Fixes 42 Security Vulnerabilities In Java

wiredmikey writes "Oracle released its quarterly Critical Patch Update (CPU) for April, which addressed a whopping 128 security issues across multiple product families. As part of its update, Oracle released a Java SE Critical Patch Update to plug 42 security holes in Java, 19 with base CVE score of 10 (the highest you can go) and 39 related to the Java Web Start plugin which can be remotely exploited without authentication. According to security analyst Wade Williamson, organizations need to realize that Java will continue to pose a significant risk. 'The first step is for an organization to understand precisely where and why Java is needed,' Williamson wrote. 'Based on the rate of newly discovered vulnerabilities, security teams should assume that Java is and will continue to be vulnerable.' Organizations should take a long, hard look at Java and answer for themselves if it's worth it, Williamson added. Due to the threat posed by a successful attack, Oracle is strongly recommending that organizations apply the security fixes as soon as possible."

20 of 211 comments

  1. Re:I only drink coffee by binarylarry · Score: 5, Informative

    Few sites use Java applets (which is what you uninstalled).

    Far more sites use Java to power the site on the server side (Google, Amazon, Ebay, etc).

    --
    Mod me down, my New Earth Global Warmingist friends!
  2. Re:I only drink coffee by Freaky+Spook · Score: 5, Interesting

    I need to use java interfaces every day, Cisco, EMC, Brocade, HP, IBM, Dell all use java for their management consoles, and I have to keep at least 6 different installers to be able to use them properly as periodic updates to java tend to break access to them if the client hasn't been keeping up with their firmware updates (which is pretty much everyone).

    It can be frustrating when you need 3 different versions of java to complete one job.

  3. Naive question by DoofusOfDeath · Score: 5, Insightful

    What's the deal with people saying Java is a major source of insecurity?

    Does that mean compared to C++? Are they comparing (Java + all its libraries) to (C++ plus one instance of each library which is needed to match Java's standard libraries)? Insecurity of the JVM itself, compared to native object code?

    I honestly can't tell.

    1. Re:Naive question by Anonymous Coward · Score: 4, Informative

      What's the deal with people saying Java is a major source of insecurity?

      Does that mean compared to C++? Are they comparing (Java + all its libraries) to (C++ plus one instance of each library which is needed to match Java's standard libraries)? Insecurity of the JVM itself, compared to native object code?

      I honestly can't tell.

      Really, none of the above. Of those, "Insecurity of the JVM itself" is closest to the truth.

      The big problem with Java is the browser plugin.

      For the most part, these vulnerabilities (I'm generalizing) are in the parts of the JVM that are used by the Java browser plugin, or in the plugin itself.

      It's actually one of the great ironies of Java. The Java language, and the JVM, were actually pretty well designed with regards to security; things like strong typing and garbage-collected memory management go a long way toward preventing ordinary bugs from becoming security issues. Unfortunately, long ago, Sun figured Java was so safe that there would be no risk with running Java code ("applets") off the Internet, right in your browser. So they built in a sandbox into the JVM, and created the Java applet embedding browser plugin that depended on that sandbox to prevent applets from harming your computer.

      And in doing that, they overreached, especially as they began adding features* that made the sandboxing of code from the Web harder and harder to enforce.

      Get rid of the browser plugin, and Java is no worse than any other language/platform. Probably better than some.

      C++ doesn't have this problem, because there is no equivalent browser plugin that allows random bits of C++ code from the web to get onto your computer.

      * I have heard that JVM support for dynamic languages in the version 7 JVM is a big reason for the growth in security vulnerabilities. I'm not educated enough to say whether this is true or nonsense, but it seems plausible.

  4. Oh come on... by Zephiris · Score: 4

    It's been worrying me that the tagline "News for nerds, stuff that matters" has been removed from Slashdot (except in the source code, but gets replaced on any/all page loads), but this story is coming behind both TFA and the actual patches being available for two full days prior.

    It's no "Preskill mocks Stephen Hawking" quote from 2012, like the other article, but maybe this could've ended up -slightly- higher priority given that it fixes 1-2 remote unauthenticated exploits in Java, and IIRC 3 in Oracle DB.

    --

    "A Goddess rarely smiles for she is forced by others to be an island unto herself." - Zephiris
  5. You're using it wrong by viperidaenz · Score: 4, Insightful

    Java isn't evil, Browser plugins are.
    Leave Java on the server side and be done with it.

    1. Re:You're using it wrong by StormReaver · Score: 5, Insightful

      Leave Java on the server side and be done with it.

      Or learn to use Java properly on the client side, which means stop using it as a browser plugin. Java makes an excellent desktop application development platform, but an absolutely lousy browser plugin.

    2. Re:You're using it wrong by viperidaenz · Score: 4, Informative

      Yes. That's exactly what I'm doing at my current job. Java back end, Java thick client.

  6. Re:#1 web error by Anonymous Coward · Score: 4, Insightful

    Speaking as someone who does Release Engineering professionally, and thus tends to see all the technologies that a company uses in deploying modern systems, Java is still #1 by a long shot, and I continue to see new development done all the time.

    It's all middleware, though. And, frankly, for pretty much any reasonably scalable system which has some sort of a front end web-ish part, a middleware "business logic" part, and a DB backend, Java is not only the leader, but it's essentially one of two choices: .Net is the other.

    Standalone apps don't much exist in Java anymore (the few that do are mostly legacy). It's also almost completely disappeared as part of the Frontend portion of content delivery (i.e. not in the dynamic content being served to the end user, nor in the "web server" portion of the infrastructure).

    But in terms of middleware, well, only .Net is a serious competitor in terms of enterprise requirements. Java's got all the nice library and code support, plus plugins and stuff for all the build/deployment/test infrastructure. C++ doesn't even come close, and python/ruby/perl aren't even in the running. Now, there are architectures where there IS no middleware, and the frontend system actually is a python program which both serves content and has business logic in it, but I see them far less commonly, and they have serious scalability issues.

    And, frankly, the middleware tier is also the place which minimizes Java's deficiencies, and maximizes its strengths.

    As far as the future goes, I desperately wish Oracle would quit expanding the featureset of Java, and just spend all the time cleaning up the codebase. Java (the language) is more than feature-full at this time, and there's really very little need to keep adding stuff to the language. The codebase, on the other hand, needs at least a couple of years of full-on cleanup. The JVM itself is still pretty solid, but everything else is suffering from neglect pretty badly.

  7. Re:Repeat after me by viperidaenz · Score: 5, Insightful

    yeah, it should read: 3 Java security vulnerabilities (2 are client only) and 39 Java Web Start vulnerabilities fixed.
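    The summary and the comment above both split the 42 fixes by component (plugin / Java Web Start versus the rest) and by severity (CVSS base score 10, remotely exploitable without authentication). The script below is an added example, not code from the thread or from Oracle: it parses a CONSTRUCTED risk-matrix export in that shape (placeholder ids, not real CVE numbers) and answers the question a server-side Java team actually has after a CPU lands, namely which entries still apply once the browser plugin and Web Start are out of the picture, and in what order to patch them. The `CLIENT_ONLY_COMPONENTS` set and the row format are assumptions made for this example.

```python
"""Triage a CPU-style Java risk matrix for an estate that runs Java server-side only.

Added example; the rows and component names below are constructed sample data in
the shape of a Critical Patch Update risk-matrix export, not Oracle's own data.
"""
from __future__ import annotations

from dataclasses import dataclass

# Subcomponents reachable only through the browser plugin / Java Web Start.
# Assumption for this example: a real triage would take this from the vendor's
# per-entry notes rather than from a fixed set of names.
CLIENT_ONLY_COMPONENTS = {"Deployment", "Java Web Start", "Plugin", "Applet"}


@dataclass(frozen=True)
class Entry:
    ident: str            # placeholder id, not a real CVE number
    component: str        # affected subcomponent
    cvss: float           # CVSS base score
    remote_no_auth: bool  # exploitable remotely without authentication


# Constructed sample rows: id | component | CVSS base | remote without auth
SAMPLE_MATRIX = """
# id      | component      | cvss | remote-no-auth
VULN-01 | Deployment     | 10.0 | yes
VULN-02 | Java Web Start | 10.0 | yes
VULN-03 | Plugin         |  9.3 | yes
VULN-04 | JAX-WS         |  7.5 | yes
VULN-05 | Hotspot        | 10.0 | yes
VULN-06 | JSSE           |  4.3 | no
VULN-07 | Networking     |  5.0 | no
"""


def parse_matrix(text: str) -> list[Entry]:
    """Parse pipe-separated rows; blank lines and '#' comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 4:
            raise ValueError(f"malformed row: {raw!r}")
        ident, component, cvss, remote = fields
        entries.append(Entry(ident, component, float(cvss), remote.lower() == "yes"))
    return entries


def is_client_only(entry: Entry) -> bool:
    """True when the bug lives in code only the plugin / Web Start path exercises."""
    return entry.component in CLIENT_ONLY_COMPONENTS


def summarize(entries: list[Entry]) -> dict[str, int]:
    """The headline numbers a CPU summary quotes, computed from the rows."""
    return {
        "total": len(entries),
        "cvss_10": sum(1 for e in entries if e.cvss >= 10.0),
        "remote_no_auth": sum(1 for e in entries if e.remote_no_auth),
        "client_only": sum(1 for e in entries if is_client_only(e)),
    }


def triage(entries: list[Entry], server_only: bool = True) -> tuple[list[Entry], list[Entry]]:
    """Split rows into (applicable, deferred).

    With server_only=True the plugin / Web Start rows are deferred because that
    code path is not reachable on a headless JRE; they still matter on any
    workstation with the plugin installed, hence server_only=False keeps them.
    Applicable rows are ordered remote-unauthenticated first, then by CVSS.
    """
    if server_only:
        applicable = [e for e in entries if not is_client_only(e)]
        deferred = [e for e in entries if is_client_only(e)]
    else:
        applicable, deferred = list(entries), []
    applicable.sort(key=lambda e: (not e.remote_no_auth, -e.cvss, e.ident))
    return applicable, deferred


if __name__ == "__main__":
    rows = parse_matrix(SAMPLE_MATRIX)
    print(summarize(rows))
    todo, later = triage(rows)
    for e in todo:
        print(f"PATCH  {e.ident:8} {e.component:15} cvss={e.cvss:4} remote={e.remote_no_auth}")
    for e in later:
        print(f"DEFER  {e.ident:8} {e.component:15} (client-only component)")
```

    The point the sample makes is the one the comment makes: a "Web Start" headline count does not tell you whether your servers are exposed, because a CVSS 10 entry in a core component (the constructed `Hotspot` row) survives the client-only filter and goes to the top of the list, while three top-scored entries drop out entirely on a headless JRE.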

  8. Ask by andrewa · Score: 4, Insightful

    Yet still they are trying to sneak the "Ask" toolbar in there.....

    --
    :(){ :|:& };:
  9. Warning: ask.com toolbar by icknay · Score: 5, Informative

    Suppose that when you first run the java installer, it asks you if you want to install the ask.com toolbar, naturally you select No Ask.com Malware button, and everything installs nicely. Now later on, for each security update that comes along, there's a nice Install Important Update button .. and what do you suppose that does? It installs the Ask.com toolbar! I know Oracle is supposed to be aggressive with their practices, but I cannot believe they abuse security updates this way to get a few pennies out of Ask.com which is basically a search-result-spam engine.

    The reason you have not heard about this more, is that Macs and Firefox/Chrome (not sure about IE) resist the Ask.com installer, so you just don't see it, but the crappy Oracle behavior is in fact going on each time. The result is that naive users are getting this toxic thing installed and it really messes up their whole internet experience.

    Hey Oracle: you're pissing away tons of Java goodwill in exchange for pennies from the Ask.com spammers. Who the heck thought that was a good trade? Like what techie who learns of this behavior is ever going to install Java anywhere? Aren't you trying to make JavaFX into a real client thing?

    See http://www.zdnet.com/a-close-look-at-how-oracle-installs-deceptive-software-with-java-updates-7000010038/ for lots of details on how the Ask.com installer tries to trick the users and hide itself. It's kind of an interesting arms race between the spamming toolbar and the browser vendors.

  10. Re:still with the java? by symbolset · Score: 4, Insightful

    My teller offered me online banking once. But her monitor was tilted just enough that I could tell she was using IE6. "Um, no. Thanks. I'm good."

    --
    Help stamp out iliturcy.
  11. These are NOT JAVA vulnerabilities by coder111 · Score: 5, Informative

    These are java APPLET or BROWSER PLUGIN vulnerabilities. Completely different thing.

    Slashdot should stop with this misinformation. Java the LANGUAGE is OK. Java Virtual Machine is OK. Servers using Java as server-side language are OK. Java desktop applications are OK.

    Java the BROWSER PLUGIN is vulnerable. But Java Browser plugin should never have happened in the first place and should be killed with fire.

    So stop with the whole bashing of Java in general. Java is a very good and mature language, with the fastest JVM on planet today, lots of open source 3rd party libraries, servers, frameworks and tools. It's very very good for server-side development.

    --Coder

  12. Balanced? by Racerdude · Score: 4, Insightful

    "Organizations should take a long, hard look at Java and answer for themselves if it's worth it, Williamson added." This doesn't sound very balanced. It sounds like he has some sort of ulterior motive.

  13. Re:And this is where Oracle is failing... by symbolset · Score: 5, Insightful

    Languages need to keep up with the times, or they become an albatross.

    Unless through being steeped in the art and basic principles and with an eye toward the future the authors built their language in such a way that it could be timeless art that stood for all time, like for example Brian Kernighan and Dennis Ritchie's "C".

    Go ahead and learn ALGOL, FORTRAN, BASIC, SNOBOL, APL, ADA, brainfuck, R, LISP and dozens of others like I did if that's your nerd thing. It's fun. After you've done that you'll come to the same conclusion I did: programming languages are syntactic sugar. They are constructs for interpreting your ideas into references to libraries that instantiate the desired result in predictable ways.

    C is. It stands like the Oedipus trilogy as a distillation of all prior art and a foundation of all subsequent art. It is beautiful and timeless in the same way. Learn this one thing and all else becomes easy. Unfortunately, like the Tao, it is not possible to really understand C until you don't need to do so any more. When you have learned enough about C to know why it is a fool's game you will have become ready to launch your own inferior language.

    --
    Help stamp out iliturcy.
  14. Re:I only drink coffee by kevingolding2001 · Score: 4, Funny

    Write once, run away*

    * I can't take original credit for this. I read it somewhere and thought it was very funny.

  15. Re:Yes, it's an industry-wide problem by Joce640k · Score: 4, Interesting

    A substantial proportion of our core infrastructure is still written in error-prone, bug-friendly languages like C and C++

    A good programmer can write secure code with C++.

    A good programmer cannot write secure code with Java - he's at the mercy of the JVM.

    Java was sold to the world as a secure platform and has completely failed to deliver. Only a handful of websites need it (usually unnecessarily, and mostly for basic things like authentication) yet the huge all-singing-and-dancing API exposes you on every single web site that you visit. Does anybody really need all those Java multimedia APIs, etc.?

    It's become a cancer on the computing world, it needs:

    a) To be removed (recommended).
    b) To be reduced - bank logins only need a subset of Java 1.1.

    (PS: You can still use it for back-end work if you want, but keep it out of the browsers...)

    --
    No sig today...
  16. Re:NOT correct by DrXym · Score: 4, Insightful

    With a C++ program it is up to me, the programmer to make sure there are no exploits.

    Which is why of course all those ActiveX controls running in IE, mostly written in C++ were so immune to exploitation. The security exceeded everybody's wildest expectations.

  17. Re:Yes, it's an industry-wide problem by darjen · Score: 4, Insightful

    How many good programmers actually exist who are capable of writing secure code in C++? And out of them, how many will still make simple errors like an occasional buffer overrun? Even if you're a "good" programmer there will be lapses in judgement or things that are just overlooked.

    I do largely agree with your comment about keeping it out of the browsers though.