Oracle Promises Patches Next Week For 36 Exploits In Latest Java

An anonymous reader writes "Oracle is posting patches for all its products next Tuesday, which include 36 exploits for Java alone and over 140 for all Oracle products currently supported, included over 80 that require no authentication to execute.These patches look to be critical for any administrator. Java 6 users who use equipment or programs that rely on older versions are SOL unless they sign up for a very expensive support contract, as these patches are for Java 7 only."

again?

Java, one of the worst things to happen to computing, ever.

Re:again?

[Selur]

it's only bad if you believe in secure computing and thought java was secure to begin with ;)

Re:again?

[Urkki]

Java, one of the worst things to happen to computing, ever.

Nah, I doubt anything would be much better, if they were in position Java is now. If it were native code, anybody without the sources would be screwed, now only anybody with Java6 requirement and no sources to fix it is screwed (but they were the moment their software got tied to specific JRE6 version). If it were .net instead of Java, when do you think MS would get around to patching Linux versions? If it were some scripting language... ok, it couldn't be: duck typing is too fragile, performance is problem, no serious contenders for many (not most, but many) Java use cases.

In absence of Java, maybe something really better would exist now, but I very much doubt it. It's a paradoxical package deal.
 

Re:again?

*Javascript.

Java applets are way nicer than Javascript "apps": they're easier to program, they have a decent set of libraries, they're more fluid, and they have a more consistent UI. The only problem here is that a dying Sun and then Oracle left Java to rot, while the hundreds of bugs found in DHTML+Javascript over the last decade have been fixed at a pace steady enough to please people.

You want to know why there's a reduction in PC sales? Because Google+Apple have won the war of turning the PC into a lowest common denominator web browsing platform, even while more native platform specific software - in the form of "apps" - has been written than ever before, just not for Windows. Even Oracle doesn't seem to like the idea of Java on the desktop, hence meaningless changes to make it harder to run (e.g. requiring purchase of security certs now even though that does nothign to improve security). Because Oracle also wants you to keep everything in the "cloud", as that means someone somewhere purchasing its database engine.

Don't be fooled by the propaganda of salesmen.

Re:again?

[myowntrueself]

Java, one of the worst things to happen to computing, ever.

Unless you make/sell RAM.

Re:again?

Who knew anyone could make a bytecode interpreter even more bloated than Emacs?

Re:again?

[Richard_at_work]

Its amazing how Java went from being the favoured child here on Slashdot to something generally reviled and hated over the past decade.

Re:again?

Its amazing how Java went from being the favoured child here on Slashdot to something generally reviled and hated over the past decade.

Why? Do you just assume that slashdotters are incapable to change their point of view given more information?
Perhaps Java has gotten worse over the years? More bloat and more security holes compared to when it started out.

Re:again?

JavaScript is the new darling.

Re:again?

[Mashiki]

Java could have been fixed when they found out that their sandbox execution back in the early 2000's had so many holes that it made a sieve look like a glass. And by fix, I mean nuke it from orbit and rebuild it from the ground up instead of issuing bandage after bandage, on something they knew was already a mess.

Re:again?

[Sesostris+III]

Its amazing how Java went from being the favoured child here on Slashdot to something generally reviled and hated over the past decade.

I don't think this is unique to Java; the same thing has happened here with Ubuntu/Canonical. Love can easily turn to hate whereas indifference rarely does.

Concerning Java, I don't think it is Java per se that is the cause of the 'hatred', it is more (1) the insecurity of the browser plug-in, (2) the attempt to install the ask.com toolbar when installing the JRE and (3) a general distrust of Oracle.

I don't have a problem with any of these. For #1 this can be disabled, for #2 I just download the JDK .tar.gz for Linux and just unpack it to install, and for #3 there is always OpenJDK in the background to keep Oracle on the straight an narrow.

The only real alternative to Java is .NET, which for me (using Linux) would mean using Mono. Interestingly, open-source Mono seems to generate more hatred here on Slashdot than the closed-source and proprietary .NET does.

Re:again?

[IamTheRealMike]

A lot of people can't/won't distinguish between "Java sandboxing isn't good", "Java the language isn't good" and "Java the platform isn't good".

Java sandboxing is clearly not good enough for real world use and most browser makers have realised this and disabled it. On the other hand, it's only in very recent times that browsers got sandboxes and some common ones like Firefox still don't. That fact was exploited recently to de-anonymize Tor users. So it's not like Java is alone here. Pretty much every attempt to sandbox malicious code has failed badly.

Java the language is mediocre at best, though its strength is not to be fun or pleasant but good for large projects with large teams. Lots of people try to build enormous codebases in PHP, JavaScript or Python which are dramatically worse for the task, so apparently that message hasn't really got through (unfortunately by the time a project notices this it's usually too late to switch to anything else).

Java the platform has got a lot better in recent years. The worst excesses of the "enterprise Java" world, with its ridiculously over-engineered libraries and XML config files everywhere, have largely been left behind. There are now quite a lot of slick and modern frameworks. The JVM has come to support other languages much better in recent years and there are now quite a few very cool and interesting languages like Scala, Ceylon or Kotlin targeting the JVM that have really good Java interop, so you have access to lots of libraries. There's an apt-get style dependency management system and central repository so depending on those libraries is a breeze, and Java IDEs (IntelliJ in particular) finally became really fast and slick. Also, JavaFX is turning into a really nice replacement for Swing, so your Java GUIs can finally feel modern and fit in natively amazingly well. JavaFX can be OpenGL/DX accelerated when the hardware supports it so you can get a consistent 60fps, it's got a great animation framework, a nice GUI builder tool, lots of visual effects along with the basics like charting components. And even an embedded WebKit if you want that. I've been playing with JFX in the Java 8 previews and it's really quite impressive.

Re:again?

[war4peace]

Because Oracle got it, and Oracle is evil, therefore now Jave MUST be evil too.

Re:again?

[Joce640k]

Its amazing how Java went from being the favoured child here on Slashdot to something generally reviled and hated over the past decade.

Why? Changing your mind when presented with strong evidence is a sign of intelligence.

You should only be "amazed" when this doesn't happen (ie. religion, politics...)

Re:again?

Java, one of the worst things to happen to computing, ever.

Unless you make/sell RAM.

Large hard drives are another culprit. Without a shitload of storage space to write bloatware, code would have to be efficient, as it used to be due to system restrictions.

A single install of the most popular PDF reading program will likely be larger in size than the entire collection of PDFs a person might ever view in their lifetime.

That's fucking ridiculous.

Re:again?

[Kjella]

It's more of a "there and back again" story really. Ten years ago RMS published his Java Trap and the open source community was rather weary of making anything depending on a JRE blob. In 2006 Sun announced they'd open source Java and all hearts rejoiced. Except it took a really long time, here's an article on how it might finish in 2008.

Perhaps of biggest imporance is that Java ME never got freed, Sun and later Oracle always wanted a fee if you wanted to put it on your mobile phone. Then Sun got bought by Oracle in 2009, and where Sun had been admicable about the existance of Android Oracle instead chose to sue Google in 2010, claiming patent violations and copyright to the APIs. Particularly the latter is anathema in the open source community.

Due to Android being a runaway success driving Java ME out of the market and Oracle fighting it all the way in court they got branded with "stopped innovating, started suing" and the divide between Oracle with OpenOffice and the open source community with LibreOffice didn't help either. Whatever Sun and Java might have been, a friend bought out by your enemy is now your enemy.

Not that this is what's bothered the rest of the world though. For them it's all the constant critical security exploits which has turned Java into the security bad boy. It used to be ActiveX, it used to be Flash but these days the #1 security advice seems to be "disable Java". They should have just pulled support for applets because it's tar and feathering the whole brand, even for software that doesn't suffer from remote exploits.

Re:again?

[Urkki]

Java could have been fixed when they found out that their sandbox execution back in the early 2000's had so many holes that it made a sieve look like a glass. And by fix, I mean nuke it from orbit and rebuild it from the ground up instead of issuing bandage after bandage, on something they knew was already a mess.

Coulda Woulda Shoulda...

It's interesting how technical debt has interest, sometimes so high you can only keep doing the equivalent of "pressing more money" and see where that takes you (as if everybody didn't know).

Re: again?

There are lots of alternatives from FreePascal to Perl. Or Sappeur. SUN have played the sales whore instead of doing proper engineering. They nicely fit into Oracle.

Re: again?

JS is an untyped crapola. But that doesn't mean Java is good.It's merely a bit better. Go for Pascal, Ada, Sappeur and even FORTRAN if you want engineering-quality instead of "lastest and greatest brainfart of random hipster"

Re: again?

You are referring to Adobe who are very likely in the pay of the intel overlords, so that they have an avenue into your computer in case they don't have a windows or linux exploit for a certain time frame.

Re: again?

oracle products are indeed evil, as you can shoot down the ora listener by merely telneting into it and then typing some random characters. At least that was the state of affairs in 1998. I bet they got only superficially better.

Larry is a commerce whore.

Re: again?

I have a CS degree and about 15 years of developer experience. I designed a language myself (Sappeur). From my P.O.V. Java has not been much more than a Sales Tool for SUN. Nothing in Java is brilliant or elegant.

Rather it is clunky, energy-wasting, RAM-devouring, non-realtime-capable, overly complex and thereby a massive security risk.

I hope Oracle will "defend" Java and all the assorted patents with fervour, so that the world can move on. So that Java can die a proper death in a corporate graveyard.

Pascal, Ada, Fortran - take these any time over this creation of commerical-men.

Re: again?

I have seriosu doubts whether there will ever be a high-performance and secure implementation of a JVM. Java itself is systematically inefficient and they need to do massively complex buttfucks to make it fast. Complexity normally equates to insecurity in computer science.

Re:again?

[drinkypoo]

Its amazing how Java went from being the favoured child here on Slashdot to something generally reviled and hated over the past decade.

Having actually been here for the last decade, I don't know what you're on about. Java has never been the favorite son of Slashdot. There has always been a massive contingent that holds that Java is slow and stupid. Sure, there's always been a group that opposes it, but it's always been smaller. Where do you think you are, anyway?

Re:again?

It's because Java has become extremely popular as a language, and the generally prevailing opinion on Slashdot is that only hip things are cool.

There's also a HUGE amount of misunderstanding about what's exactly "insecure" about Java. This is to the point that a "security expert" told me he was nervous about Java code written by internal developers because Java isn't "secure". For code written by internal developers running outside a browser, that's like saying "C++ isn't secure". This was the opinion of someone hired at a Fortune 100 company as the security expert holding high level security certifications. Now, I'm not terribly impressed with either of those things, but it goes to show the level to which the missinformation has risen.

There's a big difference between Java the language, Java the runtime environment, and Java the browser plugin designed to run untrusted code in a sandbox environment. Only the last one isn't secure, and for the most part people have abandoned these apps long ago (with sadly some exceptions). Java the browser plugin is about as insecure as Flash is/was (which is pretty damn insecure), though Flash was/is far more popular and hard to get rid of than Java ever was.

Java the runtime environment, and Java the language are about as secure as any other runtime environment. If you trust the person who wrote the code to not do nasty things, it's secure. We could have a discussion about whether Java is more secure than C++ because of the inability to perform buffer exploits in Java, or if it's more secure than PHP because PHP is..... well broken. But that's at least something that's debatable.

Personally, I think the big thing that's changed on Slashdot over the last 10 years is that it's gotten far dumber and more reactionary. I see more inflated article, more inflamatory responses, less intelligent criticism, and less facts than I ever have. About 3 years ago I decided it'd gotten bad enough that it wasn't even worth logging in and posting anymore.

Re:again?

That is really what is going on. The poor security is just an excuse. Is Java really less secure now that Oracle is doing massive security updates than when Sun had it and rarely did security updates?

Re:again?

[blippo]

I actually do like Java - the lanugage. It is very stringent and well defined and not sprinkled with random syntactic sugar. Quite the opposite to PHP actually.
The core libraries are mostly nice, except some pre 1.2 crap and some outdated javax junk.

Some of the 'code bloat' has been fixed, and more is fixed in the coming versions, so that's getting better.

A lot of 'code bloat' is actually culturally inherited 'architecture bloat' since IBM decided to market a servlet container + transaction manager as a e-commerce platform, and puked out the worst programming model ever. Enterprise Java was then abused by thousands of programmers and attracted hoards of useless "architects" and consultants that built "enterprise" applications and sprinkled them with billions of lines of xml configuration.

However, the jvm is still unbelievably slow to start. As it's rather fast while actually running, it seem to me that it should be possible to fix with some reasonable effort, like not loading every class in the known universe during startup for instance, and not jit-ing unless the program has been running for a while.

Java is also confusing from a user perspective since Sun messed up with executable jars, which could have been fixed by just using a separate suffix, like jxe . which even looks cool. Some more polish on the look-and-feel, and perhaps a better looking default font, and then it's done :-)

Re:again?

[Billly+Gates]

Java could have been fixed when they found out that their sandbox execution back in the early 2000's had so many holes that it made a sieve look like a glass. And by fix, I mean nuke it from orbit and rebuild it from the ground up instead of issuing bandage after bandage, on something they knew was already a mess.

Coulda Woulda Shoulda...

It's interesting how technical debt has interest, sometimes so high you can only keep doing the equivalent of "pressing more money" and see where that takes you (as if everybody didn't know).

As the saying goes money talks shit walks. It is more true in business than anywhere else. Technical debt means nothing. Financial debt and costs mean everything. If it costs money to fix the answer will always be NO even with long term financial benefits.

Some people tend to leave IT and go into management or other technical but not computer fields like statistics for reasons like these that drive people up the wall.

Re: again?

try ibm jvm

Re:again?

[blippo]

Spot-on about java.

Regarding Slashdot, I think that Slashdot just reflects the state of affairs in software development (or the world) in general. Younger generations appear clueless, since they don't know certain obvious things. They will therefore reinvent a lot of wheels, and while doing that, inventing a few new things, some other things just like before but a bit different, while all the time making some old stuff irrelevant.

It is to expect, but It might get worse. I'm a bit worried that a lot of young people don't seem to be able to read, as in "read a lot of text, fast". One indication is that a lot of new projects have video introductions and video tutorials instead of text documents.

I mean, why watch a 40 minute long video to figure out if a toolkit might be of use or not, instead of skimming through a few documents for 2 minutes.
But then, It's clearly is a huge effort for many to read a long document - maybe they can't skim or speed read and they need to subvocalize but a lot people don't like to read long texts.

If it's "quicker" to watch a video then less is learned since it's not as efficient as speed reading. Maybe the youtube generation have learned to skim through videos quickly but I doubt it.

Also, the universities are not exactly excelling at producing good developers ( the trade , not researchers ) . Further, very little seems to be focused on "modern history" other than unproductive academical anecdotes. I think that schools should stay away from teaching "products" but maybe there is value in exploring historic and existing products and ideas. There are some giant's shoulders to stand on, or at least code monkey shoulders, actually, but it's hard to know since some of the knowledge is stored in long boring texts, and most just exists in wetware outside academia.

I mean, no one would have been using PHP (or creating PHP) if they had paid a minimum of attention to what's been happening the last 30 years.

Re: again?

...says someone who knows nothing about JavaScript.

Re:again?

I'm just trying to understand how PHP could even remotely enter this conversation. We're talking about Java, right?

Don't get pissed-off at the popularity PHP has acquired just because your generation dropped the ball in making Java a non-Darvocet circumstance to get going on servers as well as development environments.

Re: again?

[Lisias]

I have a CS degree and about 15 years of developer experience. I designed a language myself (Sappeur). From my P.O.V. Java has not been much more than a Sales Tool for SUN. Nothing in Java is brilliant or elegant.

Rather it is clunky, energy-wasting, RAM-devouring, non-realtime-capable, overly complex and thereby a massive security risk.

I hope Oracle will "defend" Java and all the assorted patents with fervour, so that the world can move on. So that Java can die a proper death in a corporate graveyard.

Pascal, Ada, Fortran - take these any time over this creation of commerical-men.

And I have 20 years of development experience, had implemented a couple of compilers and my own operating system. I'm not impressed. Neither particularly proud, as some of my acquaintances managed to accomplish even more.

Java is not the best thing under the Sun (pun really intended), but is far from being the worst.

All the vices attributed to Java are, in fact, programmer's vices. I managed to lower the memory consumption from most java programs with simple measures that, guess what, are not taken by the programmers using Ruby or any other hype language of the moment (most of them with the same "flaws" you attribute to Java).

In the aftermath, the real problem is bad choices: use the right tool to the right job - there's no good hammer when what you have in hands are screws.

Re:again?

[Lisias]

I'm just trying to understand how PHP could even remotely enter this conversation. We're talking about Java, right?

No. We're talking about security flaws wrongly pinpointed to be inherent to Java. Had you read TFA? It's short! ;-)

Don't get pissed-off at the popularity PHP has acquired just because your generation dropped the ball in making Java a non-Darvocet circumstance to get going on servers as well as development environments.

You have a point, however. In the 90's, Java was to much of a burden to the hardware of the time. Man, running NetBeans with 64 or even 128Mb of RAM was a pain in the ass.

It took almost 10 years to computers had enough memory to allow Java to be really feasible.

Re:again?

[atomicxblue]

I'm a Linux user, so it's back to that status for me after they ended support.

Re:again?

I don't remember there being a lot of Java love.
Maybe from some folks, but they were fucking morons.

Re:again?

[hibiki_r]

The platform still has some glaring holes for languages other than Java. For instance, the call stack is still represented in a C style stack, with a depth that is insufficient for functional programming. In Scala, for instance, we have people explicitly using trampolines and such to avoid running out of stack.

Re:again?

Its amazing how Java went from being the favoured child here on Slashdot to something generally reviled and hated over the past decade.

Java was loved here on Slashdot? I've seen little evidence of it. Typically Java's not nearly as loved as C++, Javascript, PHP, or just about anything else you can imagine. Slashdot commentators were pushing 1990's Java benchmarks to compare to 2010 benchmarks of other languages, look and feel complaints, gripes about being wordy, scoffs at the idea of using it for web programming, complaining about this and that, and generally keeping the Java FUD alive.

You'll have to work a bit harder to get me to believe that Java was loved on Slashdot.

Re:again?

No. We're talking about security flaws wrongly pinpointed to be inherent to Java. Had you read TFA? It's short! ;-)

...now we are, sure.

In the 90's, Java was to much of a burden to the hardware of the time. Man, running NetBeans with 64 or even 128Mb of RAM was a pain in the ass.

It took almost 10 years to computers had enough memory to allow Java to be really feasible.

Depending on who you speak to, one might argue that it's still too much of a burden to use it. In the shop I work, we opted to use an entire VM using XP for development with Eclipse. Setting up the VM required about 1-2 gigabytes and running the VM required about 2-4 gigabytes of RAM. This was after making sure that the Eclipse installation had all the respective JAR files properly configured along with the Subclipse crap configured within the C: drive folders... That took a long time to figure out how to do, too, because of how everything is deployed with our stages (and since we're using Tomcat as a wrapper to Apache).

Long story short, it's been a nightmare. Hell, the main application we support and use all this shit for never has any enhancements that are less than one gigabyte and almost all of those require their own Redhat VM servers just to deploy.

Java is a nightmare to setup. It's a nightmare to develop with. It's a nightmare to version control. It's a nightmare to test... You get the point.

Re:again?

[Lisias]

We have different experiences on Java, as it appears.

On my shop, what's was a HELL was bad programmers doing bad code, and yet worst decisions. Some SOB thought to be a good idea, for example, to use JBOSS just for the sake of it - and we endup with Faces Controllers using REMOTE Services as glorified DAOs. God damned dumbass. =/

I gone mad, got rid of JBOSS and some (WTF?) Spring client classes - made some glue code to emulate some key functionalities (realizing how to handle transactions on Faces was tricky, but now that it's done, it's trivial), and our memory and processor consumption drop to less than half! The response time dropped to almost one tenth of the original code when testing on localhost.

Some key features from Java were crucial to the success of this task. Of course that on C++ and others strong typed languages I would manage to do the same, but Java + Eclipse + J2SE was enough for our needs. I didn't had any trouble setting up Eclipse on my Win 7 64 VM however. I did it in half a hour, I think... Setting up the various JBOSS runtimes on my workplaces was more troublesome.

(In time, in our shop we do also development using C++ using Visual Studio 2011 and believe, this beast uses even more memory than Eclipse - and it's not half the good!)

I understand that Eclipse is a hungry memory eater - but every other (good) IDE was also. Some bad ones too (as Visual Studio). I don't see this as a problem with Java or Eclipse, but as the way we do things now.

By the way, get rid of your 32 bits boxes for Java development. I think that a lot of the trouble you have is WinXP's fault. My life became better when I dumped 32 bits VMs and migrated my development box to a 64 bit Win box.

Who needs

Native code now

Discontinuing Java - what will it take?

nt

Re:Discontinuing Java - what will it take?

Magnets?

Re:Discontinuing Java - what will it take?

Flash is more fun.

Re:Discontinuing Java - what will it take?

Let's all go back to using BCPL O-code!

Re:Discontinuing Java - what will it take?

[myowntrueself]

Magnets?

How do they work?

concerning is ...

[Selur]

that of the 36 Java related bugs, "34 of them (are) exploitable remotely without authentication".

"Java 6 users who use equipment or programs that rely on older versions are SOL unless they sign up for a very expensive support contract, as these patches are for Java 7 only."
+
"Oracle Java JDK and JRE, versions 5.0u55 and earlier, 6u65 and earlier, 7u45 and earlier"
-> Muhahahaha,...

Re:concerning is ...

programs that rely on older versions

Any Java program that wont run on a new JVM is already questionable - even breaking language changes will not affect compiled bytecode. You might however need more RAM (or most likely less) since Java 7 changes implementation details of substring to fix some memory leaks.

Re:concerning is ...

[mrmeval]

ADP forces the use of an ancient and bug infested version of java for it's timecard application. We've been infected SO MANY times they finally decided to setup a dedicated PC that has no other access.

This of course removes all the benefit of having web acdess to time card entry, eats up time employees could be working but the gossip and knife fights are good entertainment.

Re:concerning is ...

[drinkypoo]

Any Java program that wont run on a new JVM is already questionable

Yeah, the majority of big Java programs ship with a JRE specifically because switching to a new one may well break something. That doesn't really detract from your statement, but most big Java programs are questionable. Or perhaps the question is why anyone thinks Java is a good idea to begin with.

Re:concerning is ...

No more concerning than usual.

"Exploitable remotely without authentication" doesn't mean "install Java, get remotely pwnd", it's just a common classification for all bugs exploitable via the Java plugin in this case. There's also a question of what attacker can achieve by succesful exploit: from crashing plugin thru reading data he shouldn't be able to and to privilege escalation and arbitrary code execution.

For example, a bug in HTML renderer that crashes your browser, or bug in DNS server that makes it slow to a crawl on an incorrect request would be "exploitable remotely without authentication" as well.

Re:concerning is ...

To clarify, it's not "meh, it's nothing!", it's "not enough data, but likely just keep that Java browser plugin disabled and you're safe".

Re:concerning is ...

[TubeSteak]

We've been infected SO MANY times they finally decided to setup a dedicated PC that has no other access.

I cringe whenever I see a Point of Sale or other commercial system being used to browse the web.

If you can't afford a separate computer for looking stuff up, you certainly can't afford the pain from getting your crown jewels pwned..

Re:concerning is ...

[gbjbaanb]

a load of bollocks. This "its only the plugin, everything else about Java is completely secure, don't worry" is just sticking your head in the sand.

There are loads of programs that are exploitable, and they get fixed - no-one says "its fine" with them, why would any part of Java be different. If there is an exploit, and you have a java app that connects to the internet or otherwise is accessible, then its a potential exploit waiting to happen.

That the plugin is a bad idea, and that it allows these exploits to be abused with almost trivial effort does not mean everything else is somehow magically 100% secure. Stop spreading that dangerous FUD. Someone might believe you, not bother patching and end up as part of a botnet.

Java is insecure, get it patched, keep it patched. (just like everything else).

Re:concerning is ...

FUD - you keep using that word, I don't think it means what you think it means. FUD stands for "Fear, Uncertainity and Doubt", and this is much more applicable to what you try to achieve with your posts.

I'm trying to find where I said "Ha-ha, you don't need any patches, ever, trust me!" and can't find that - I guess it was just a strawman that your irrational hate spawned. I only said that these vulnerabilities won't likely affect you if you don't run untrusted code.

Mind posting some links about so widely exploited Java platform specific insecurities being used to pwn Java-using software? You know, like, "send this specially crafted packet - get full access to any program using java.net.ServerSocket" or something, not "Run some program you downloaded from Internet - get pwnd" or "Use string concatenation to build queries - get your DB dumped".

You're no more and no less secure than when you use any other third party libraries. You should apply security updates, true, just like you would update OpenSSL or Qt or .NET frameworks or libc or libstdc++ or any other component on your system. You're less likely to introduce your own insecurities when writing in Java, as compared to plain old C or C++.

Stop spreading FUD, indeed.

Re:concerning is ...

Incorrect! ADP provides an option to use either Java or the HTML version of the website. I regularly use the HTML version. If you mistakenly opted for the Java version, remove their cookie and they'll pop up the question to you again. Be careful to choose HTML this time :)

Re:concerning is ...

From your perspective it may be a lot of bollocks, but I have always had the Java browser plug-in turned off, so for me it's still relevant.
Of course it's bad that the plug-in is such a pile of crap. Yes.
But when I as a consumer have to make decisions about what software to keep installed on my computer, I have to go by some kind of prognosis about how weak a piece of software is likely to be. If all the plug-in exploits that we've seen would have been general Java exploits, I would have completely de-installed Java along with every program that needs it. Which would have been necessary, but terrible, as I have good reasons to want to use these programs in the first place. But as it turns out, you can just turn off the plug-in and you will likely be just fine.
And yes, one should always keep software up-to-date and I don't think anyone could interpret GP's post as suggesting that you don't need to. Rather, the way I, as would any sensible person, read GP's comment was as saying ‘installing Java won't get your computer owned’ and that much is true. Just turn the plug-in off.

Re:concerning is ...

[blippo]

Running an old C or C++ program with newer libs isn't exactly without risks either. Even if the abi is the same, the behaviour might have changed, unintentionally most of the times.

It's more a question of what you can manage to test and support. Large applications are more expensive to test, so you are reluctant to upgrade infrastructure components. (Be it Windows versions, JRE:s, dll:s, database servers, etc)

Re:concerning is ...

Well, Java 6 was released 7 years ago, and had it's end of live extended twice. Java 7 is now three years old, so there's been plenty of time to move, especially for a platform that provides full forwards compatibility (provided you didn't write something explicitly to prevent it).

Re:concerning is ...

Poor programming and maintenance is the fault of the programmer. Same thing happens with all your .NET garbage, you end up having to install 10 different versions of .NET framework just to get some applications to run. Bundling the JRE is usually done to absolutely minimize the support calls. The days of new java versions breaking applications have been gone for many many years now. Deprecation happens for years before removal. If you're running an app that's 10 years old -- well... who's fault is that?

Re:concerning is ...

To consider any system secure is really is time to just uninstall Oracle Java entirely. Use another vendor if you must.

Re:concerning is ...

[drinkypoo]

If you're running an app that's 10 years old -- well... who's fault is that?

If you're running an app that's ten years old, you must be on Windows. Or using Open Source.

Wimpy

I will gladly patch you Tuesday for an exploit today.

Oh No Not Java!

I use Java for everything! I'm so screwed.............

Re:Oh No Not Java!

[smittyoneeach]

You'll just have to switch over to XML.

Re:Oh No Not Java!

But I use Java to process XML! Shiiiiiiiiiit.

Re:Oh No Not Java!

[smittyoneeach]

Let it go. Just use pure XML plus XSLT to get everything done.
In your mind. No binaries. Just think it into being.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Patch has leaked early

The patch in full

#!/bin/sh
if [ -e /usr/bin/apt ]; then
apt-get purge sun-java6-jre
elif [ -e /usr/bin/rpm ]; then
rpm -e jre-7u7-linux-x64
fi

# Fix bug #5826106: make sure it's fully patched
rm -f $(which java)

exit 0

Java 6 on Mac

"Java 6 users who use equipment or programs that rely on older versions are SOL unless they sign up for a very expensive support contract, as these patches are for Java 7 only."

Anyone know if that includes Java for Mac OS X? I know Apple rolls Java 6 on Mac, and receives those updates (source) as part of their contract with Oracle.

Re: Java 6 on Mac

Not anymore. These days Java are treated as a virus on OS X.

Re: Java 6 on Mac

[IamTheRealMike]

Mac browsers (Chrome, Safari, Firefox) don't run Java applets automatically anyway, so it doesn't matter what version of Java you have installed. Remember these exploits are all getting in because you run malicious code inside a sandbox and the sandbox fails. Don't download and run malicious code and you're OK.

Re: Java 6 on Mac

[multimediavt]

Mac browsers (Chrome, Safari, Firefox) don't run Java applets automatically anyway, so it doesn't matter what version of Java you have installed. Remember these exploits are all getting in because you run malicious code inside a sandbox and the sandbox fails. Don't download and run malicious code and you're OK.

Depends on what version of the OS and Java you are running and whether the user has already acknowledged the site as "safe". Weather.gov uses a mix of Java and other tech to display satellite and radar loops, for instance. The local radar loops (Base and Composite) are Java and after one acknowledgement will load without user intervention another time.

Why doubt something better would exist?

Sun was very much responding to a need when they started developing Java all those years ago. Other groups largely left them to it as Sun was a company with an excellent reputation. Things would have been just fine but for one most unfortunate event.

Oracle bought Java.

We suddenly switch from famous to infamous. As far as I'm concerned, Java died on that day, and I've been far more interested in freer languages since then. I feel for those that continue to endure Java due to corporate inflexibility.

Re:Why doubt something better would exist?

[Urkki]

What is telling is, JRE installer from Oracle keeps pushing ask.com toolbar (borderline malware) with underhanded tactics (check box checked by default, re-checked for updates, and hidden behind changing install directory from default). Business is business, sure, and I wouldn't want something this dirty anywhere near my business...

Re:Why doubt something better would exist?

I wouldn't want something this dirty anywhere near my business...

Better never take a shit; it's only a taint away from your business.

Re:Why doubt something better would exist?

[IamTheRealMike]

Sun did that for years, that's hardly something new Oracle brought in. It's because Sun, despite their excellent engineering reputation, never figured out how to make money off Java. Lots of other companies did but Sun didn't. So they ended up resorting to pushing crapware through the Windows installer in a desperate attempt to monetize. Oracle merely continued that awful tradition.

The good news is that ever since Java has been open source, distributing it in other ways is possible and with Java 8 they're changing the license on the Oracle packagings of it so you can cut it down to size for your specific app. It's getting a lot close to just being a big runtime library than an entire parallel OS which it was trying to be in previous years.

As to whether Java is secure or not, I don't think we should be too hard on the Oracle/Sun developers here. Every attempt to do mobile code has turned into a security nightmare. Not just Java, ActiveX and Flash, but web browsers routinely patch exploits in their core rendering or JavaScript engines, and that's HTML5 - a vastly simpler and more crippled platform than even the most basic core Java system provides. In fact browser developers have given up trying to make renderers secure which is why they're all heavily sandboxed, it's inevitable people will find ways to exploit the mobile code aspects of the rendering engines. Even then, Chrome sandbox escapes still get found from time to time.

I don't think we should read these stories as "Java sucks". Programs written in Java or any other modern managed language are still much more secure than code written in C++. There are no stack or heap overflows to worry about, no double frees. These stories are not about how easy it is to write secure code in any given language or platform. Instead we should understand these stories as "sandboxing malicious code is incredibly hard". Java hurts from it more because Java was a lot more ambitious than other attempts.

Re:Why doubt something better would exist?

This seems like revisionist or at least incorrect history. I've owned and managed Sun products and worked in Java as well a very long time.

Sun had a reputation for solid, but overpriced hardware even from the beginning. After the late 90s and early 2000s as Linux on the server to catch up to Solaris and at least an improved Linux desktop, Sun really was in trouble. They didn't do very much to justify the prices of their hardware vs. cheaper PC server hardware that could run Linux, and buying Sun just for the OS wasn't getting you much either other than perhaps a vendor backed nix.

On the Java end, the need they were responding to was a somewhat of a perfect storm for them, but it wasn't a computing need so much as something that came as a result of better products killing themselves. At the time, there were many tools and languages that allowed you to write cross-platform code. Most of them had more mature, better IDEs than Java, and usually they were also faster. Lucky for Sun, there were a few major issues:

1. Some of the vendors of related languages were too greedy and the markets too fragmented. The most obvious example is Smalltalk, which in many ways is still arguably better than Java, and at the time was far superior technically.

2. Nerds. Lisp had been around a long time, but wasn't "cool" and had a huge, unwelcoming, and unforgiving nerd culture. It didn't help that there were powerful IDEs that were completely inaccessible to your average garbage business programmer.

3. Promises by some of the front-runners based on nonsense or promising too much. COBOL is one example.

4. Lots of C-style programmers that weren't getting stuff done fast enough and lacked the skills and tools to write cross-platform code.

5. RAD/Microsoft. People wanted a response to things like Visual Basic as the Java market started to develop more. No reason another language, especially Smalltalk couldn't be the answer, but greed + nerd culture really screwed that one up.

6. Boredom and lack of silver bullets (see #3), so the search for another. Fortran and others didn't really do much to make people fall in love long-term.

So Sun came in, over promised, delivered something that didn't perform, but hey you could learn it in a few hours if you knew a C-style language and you didn't have to pay at least to get started. I used the first few versions of Java (of course Java 7 and the JVM today) and they really really sucked. It was actually a miracle anything ran, especially when people "tried" (operative word) to write GUI apps with it. One only need look at the earlier Sun namespaces and of course previous versions of Java to see what a terrible mess Sun inflicted on the world all these years. Meanwhile various Lisps and Smalltalks still have great standard libraries with code now several decades old that still put Java to shame.

Interesting aside: there were studies and data collected for years and an overwhelming majority of Java systems that Sun and others pushed on large contracts to replace Lisp, Smalltalk, Fortran, and other older systems failed miserably. There's many prominent examples in the case of Smalltalk in particular and those same systems often still haven't been replaced after many tries in some cases. Such is the tech world.

Anyway, Java already was DOA long before Oracle. It took insane sums of money, various acquisitions (ex: hotspot), and a lot of talent to make Java even something 1/2 of what was promised, fast, and usable. It still has plenty of issues today. Sun was always very greedy but smarter about it and at least liked to pretend they were doing something good. The upside was that they at least had interesting if not non-practical visions of computing. Oracle is just boring and greedy. As far as I'm concerned, I'm happy Sun is gone and I will be even happier if Oracle is gone too. It's a shame either company was able to take so much money from the IT world. They deserve to rot together. I hope they join the various greedy Smalltalk vendors they replaced.

Re:Why doubt something better would exist?

[Joce640k]

Programs written in Java or any other modern managed language are still much more secure than code written in C++. There are no stack or heap overflows to worry about, no double frees.

You're thinking of C, not C++.

(Trouble is, so are many people who put "C++" on their resumes...)

The problem with Java is that the exploits are in Oracle's hands, not ours. We can't fix them even if we know what they are...

The other problem with Java is that if I install the runtime on my machine to run a little corporate desktop app it also ends up in the web browser, exposed to every single web page I visit. In what universe was that a good idea?

Re:Why doubt something better would exist?

[RabidReindeer]

Programs written in Java or any other modern managed language are still much more secure than code written in C++. There are no stack or heap overflows to worry about, no double frees.

You're thinking of C, not C++.

(Trouble is, so are many people who put "C++" on their resumes...)

The problem with Java is that the exploits are in Oracle's hands, not ours. We can't fix them even if we know what they are...

The other problem with Java is that if I install the runtime on my machine to run a little corporate desktop app it also ends up in the web browser, exposed to every single web page I visit. In what universe was that a good idea?

WHERE did you get the idea that C++ is more immune to memory leaks or buffer overflows than C? C++ adds to the basic C memory management services and memory organization, but it still retains the original C ones. And adds an additional way to leak memory - undisposed objects.

I think that the stock JVM's ability to auto-activate itself in browsers in something that varies by machine and by browser, but if it is enabled, there are ways to switch it off.

Re:Why doubt something better would exist?

[ThePhilips]

...are still much more secure than code written in C++. There are no stack or heap overflows to worry about, no double frees.

Ah, here we go again: poorly written C++ is worse than poorly written Java.

Coming from network daemons, frankly, I see more often how Java developers manage to fsck-up the most trivial things. All in the name of the "proper design" and "{buzzwords du jour}" and stuff. Where in C++ I needed one routine for which one code review session was enough to harden it, Java people created instead a net of 12 classes for the task. And there is no end to bugs in this convoluted mess.

In the end, I still blame Java itself. The standard library, though swelling in some parts, in many parts remained very very spartan. I've seen lots of stupid reimplementations in the C/C++ - and I tend to remove them and replace with standard functions. But with Java way too often I get back responses like "there is no standard function for it" or "standard function is way too slow". And more code gets written, causing more code to be written to organize the previously written code. And then even more code is written to organize now this code. And it goes on. End result is, a supposedly simple application, linking three 3rd party libraries, has 250 classes and requires minimum 15 threads and 16GB RAM. And that, before you count the requirements of the 3rd party libraries.

What I'm getting at, is that image of "poorly written Java application" is wrong. It probably doesn't have stack overflows, but sure like hell it has RAM and thread abuse. And blanket exception handling. And vast unparsable nets of objects delegating everything to some other objects making finding what is responsible for what virtually impossible. Making fixing the problems virtually impossible.

Re:Why doubt something better would exist?

[darkHanzz]

WHERE did you get the idea that C++ is more immune to memory leaks or buffer overflows than C? C++ adds to the basic C memory management services and memory organization, but it still retains the original C ones. And adds an additional way to leak memory - undisposed objects.

Probably from experience: Consistent use of stl memory classes (shared_ptr and unique_ptr) and containers (mostly std::vector) make it very hard to shoot yourself in the foot. Adhere to "Raw pointers don't transfer livetime from function to function" if you use raw pointers. These things are really easily spotted by code-review.

Re:Why doubt something better would exist?

[ChunderDownunder]

The problem with Java is that the exploits are in Oracle's hands, not ours. We can't fix them even if we know what they are...

Only if you use Oracle's binaries. linux distros switched to openJDK years ago, whose source is available under the GPL.

Re:Why doubt something better would exist?

It only happens on windows, likely their costly enterprise software package wont have it (yes oracle sells Java licenses with better tooling) and rumor has it that they can't get rid of the ask toolbar until a contract signed between Sun and ask.com runs out. Also they are not alone, "free" windows software is a breeding ground for toolbars, limited time free test installations, etc. among other software the flash installer also pulls in crap ware and Adope isn't exactly hurting for money either. In other words the software culture on windows sucks and almost everything free comes with strings attached.

Re:Why doubt something better would exist?

WHERE did you get the idea that C++ is more immune to memory leaks or buffer overflows than C? C++ adds to the basic C memory management services and memory organization, but it still retains the original C ones.

You are supposed to use stringstream and string in C++, you are supposed to use std::vector for growing data arrays, you are supposed to use std::shared_ptr or std:unique_ptr. The C standard library has always been a bad joke, every operation to manipulate buffers or strings needed at least 5 lines of bloat checking array size and data length to make sure that you did not corrupt your memory. The newer C standards now include alternative string and memory manipulation functions that will check several of these problems for you - to the detraction of C purists who loudly complain that these functions bloat C and make their bug riddled programs 5 micro seconds slower (note to flammers: not every fucking piece of a C program is in the middle of a performance critical loop).

So yes C++ is not more immune if you continue to use the old C style string and memory handling methods and avoid C++ features (a.k.a writing C with classes). It is more secure once you actually use what the language has to offer and avoid the replaced features.

Re:Why doubt something better would exist?

[IamTheRealMike]

You can get bad programmers in any language. That doesn't tell you much. The problem with C/C++ is that even extremely good programmers in these languages still write code that is exploitable from time to time. Things like over-engineering or memory bloat can be trained out of people. Some kinds of buffer overflows too. But if one class in your program is bloated and overly verbose, your app will still work. If one class in your C++ program incorrectly uses scanf or starts a thread with a pointer to something on the stack, that can result in your company getting hacked and massive damage beig inflicted.

Re:Why doubt something better would exist?

[IamTheRealMike]

You're thinking of C, not C++.

(Trouble is, so are many people who put "C++" on their resumes...)

No, I'm not. I'm quite fluent in C++ thanks and know how to use the STL. Yes, well written C++ is much better than your typical C app. Unfortunately, even codebases like WebKit that are worked on primarily by experienced, well paid engineers from places like Apple and Google routinely contain exploits in them that would have been avoided by the use of managed languages (not that I think WebKit should be written in Java).

The problem with Java is that the exploits are in Oracle's hands, not ours. We can't fix them even if we know what they are...

I think you missed the memo about Java going open source.

The other problem with Java is that if I install the runtime on my machine to run a little corporate desktop app it also ends up in the web browser, exposed to every single web page I visit. In what universe was that a good idea?

Not so long ago this was considered entirely unremarkable. Browser plugins were a very common and widely used idea, not just Java but Flash, QuickTime, ActiveX, Shockwave (aka Macromedia Director) and so on.

The cost of exposing surface area to malicious code was massively underestimated by practically the entire computing industry, for over a decade. Organized crime has repeatedly exploited that fact and now people are much more realistic about the difficulty of handling malicious code or data: the world learned the hard way that there are lots of ingenious ways to take control of a program that's handling malicious input, especially when those programs are written in unsafe languages!

Re:Why doubt something better would exist?

Yes you are one of those irrational haters. We laugh at you as we take your job.

Re:Why doubt something better would exist?

The STL is the steaming pile of shit that made other languages like Java more competitive when it comes to speed and features.

Re:Why doubt something better would exist?

[gbjbaanb]

as opposed to Java where even if you are the perfect programmer, your code is still insecure, which until Oracle decides to release some patches, can result in your company getting hacked and massive damage being inflicted.

Mind you, if you're running Java code at a company, you've already inflicted massive damage. I would welcome my new hacker overlords if they could rid me of the Enterprise Java code my company insists on using.

Anyway, you're thinking of C. No-one writing C++ uses scanf or any of the other C runtime calls, not for a decade or so.

Re:Why doubt something better would exist?

Programs written in Java or any other modern managed language are still much more secure than code written in C++. There are no stack or heap overflows to worry about, no double frees.

You're thinking of C, not C++.

No, he was thinking of C++.

If you go back to when Java was first released, the main corporate application programming language was C++. (There were other business logic languages that ran on big iron, but for most applications it was C++. C was reserved for operating systems, generally speaking.)

As Guy Steele, a big-time Lisp guy who designed Scheme and also co-wrote the Java spec, once remarked:

And you're right: we were not out to win over the Lisp programmers; we were after the C++ programmers. We managed to drag a lot of them about halfway to Lisp. Aren't you happy?

http://people.csail.mit.edu/gregs/ll1-discuss-archive-html/msg04045.html

While many people may not like Java the language, I think the biggest thing it did was break the "deadlock" of C/C++ in the corporate world. Certainly the the sysadmin morlocks used things Perl, but those folks didn't count: "real" application needed a compile language. Java gave a decent third option, and once you have a third option, a fourth and fifth one don't look unreasonable, which I think is why the rise of Python and all the other dynamic languages were helped to achieve mainstreaming by Java IMHO.

Re:Why doubt something better would exist?

[fnj]

Agreed. Ignorant fools who have no idea about smart pointers and containers should shut their traps rather than pontificate about C++, since they know nothing about its first principles. They probably also think you have to use *scanf in C++.

Re:Why doubt something better would exist?

Ignorant twit.

Re:Why doubt something better would exist?

[IamTheRealMike]

No, you haven't understood what these vulnerabilities are about. They're all issues that affect you if you download and run malicious Java programs from the internet, which describes applets that are often disabled in the browser anyway. Not "any Java program that talks to the network is remotely exploitable". So if you aren't a malicious programmer then your code is still secure.

As I said above, I'm thinking of C++. You'll find a lot of C++ programs that use unsafe calls, but even if they are STL only, you can still easily do things like use after free and other bugs.

Re:Why doubt something better would exist?

[VortexCortex]

Programs written in Java or any other modern managed language are still much more secure than code written in C++. There are no stack or heap overflows to worry about, no double frees.

Well, in C I replaced malloc with my GC allocator, and free is now optional -- it can decrement a ref count to automatically free at zero, but mark/sweep is used to bust reference chains anyway; The GC runs on free after a customizable percent (12.5% default) of total program memory has been freed, or instead of failing from a malloc (before requesting more system RAM -- The system GC is a slower kernel call, so it's last ditch effort). In C++ I overloaded the allocator interface to wrapp this GC, and RAII handles the free()s; Also gave it a slab sub-allocator for various smaller step sizes so it acts like a pooling OBCache too. Best part is I can allocate from global or thread local GC, and even tell the GC mark/sweep not to run at all unless out of memory -- only do the refcounted reclaimation, which is O(1). That way, unlike with Java, I don't have to preallocate everything, create and maintain my own caches, to fight the GC when I'm trying to do something that requires realtime performance -- It won't just up and decide to chug in the middle of an animation, level, etc., because I lost a reference to something in another thread. Java's GC is dumb, literally, it's a loose cannon that heeds nobody.

Your argument that Java code is more secure is unfounded. Java compiles bytecode into machine code -- It marks that data as code, then runs it. If you have a program that is marking data as code and executing it, then you have a vital component needed to create the exploits with. Now you just have to arrange for some of your data to get mixed in with that data before it's routinely marked code and executed. A purely interpreted system could be far more secure, but that's not what Java does.

Nope, instead Java brings a huge attack surface to the table for every program -- Not just the stuff you're using, like in C or C++, etc. Given you can classload dynamically to pull in the kitchen sink after getting just an Applet level exploit going, the whole Java API is exposed for exploitation. Java also makes software firewalling programs a PITA. Say you grant a C program access to the web through the firewall, but other C programs you don't -- Neat, eh? You have to tell your OS firewall to let Java access the web or other features, and so all Java programs then can do those things. Yes, Java has a security manager, but that's emulated security -- it doesn't have hardware enforced barriers for protections like the OS does. It's like putting rats in charge of cheese: If the user mode VM is compromised, then Java's user mode security manager is too; Not true with C or C++, the user mode process can be compromised while not compromising the OS (that requires privilege escalation). Java's updater clutters your drive with every past version -- so it doesn't matter if you get the updates, exploits can specifically target your old version Java's updater leaves installed. (Protip: Now go to add/remove or programs/features and uninstall all your damn past versions of Java @ 100MB a pop).

Java Sucks. The language is meh (so Android's not too bad), but the VM and API and platform suck -- even the sophomoric stack-based VM design is sucky. It could have been a tight little platform abstraction layer VM that has programs distributed in cross platform bytecode but compiled into machine code ONCE, on install... but it isn't. It could have been a lean mean embeddable language great for use in webpages because it could offer only the resources the browser pulls in and/or provides... but it isn't. Any move towards these ends now is too little too late. Now we have GC in compiled languages. We have FLOSS libraries for whatever feature we need. We have abstraction layers for cross platform compiled code -- We can compile our code on the few platforms we need to. Java is Android's programming l

Re:Why doubt something better would exist?

[RabidReindeer]

This particular "ignorant fool" was one of the first commercial vendors of C++.

Just because some people may use certain features that make C++ safer doesn't mean that it is safer. Plenty of people think they're so clever that they can invent their own "more efficient/better" systems. And use scanf, for that matter.

I'm not generally of that ilk myself, but STL did make me itch. The worst features of programming and mathematics combined into one.

Re:Why doubt something better would exist?

[steelfood]

Sun, despite their excellent engineering reputation, never figured out how to make money off Java. Lots of other companies did but Sun didn't.

That pretty much sums up Sun in a nutshell. Brilliant engineers, but couldn't make money if their life depended on it.

web browsers routinely patch exploits in their core rendering or JavaScript engines, and that's HTML5

Ever since the NSA scandal broke, I've been suspecting that the complexity of HTML5 was an attempt to keep browsers insecure.

we should understand these stories as "sandboxing malicious code is incredibly hard".

Implementing a "write once, work anywhere" language is hard. Hell, implementing a write once, work once language is hard enough. To have it not just work anywhere, but work well everywhere, is an engineering nightmare.

Re: Why doubt something better would exist?

Realmike is totally right. These vulnerabilities are only issues in the browsers running applets. This is clearly MS FUD again. Patch build #51 is a security patch that has been in the works for months. Our company has been working with Oracle support to get any applets or other browser-based code to work with signed certs. This is going to be an issue for all bowsers when running code.... Not just Java.
We have discovered that Microsoft has created their own proprietary format for security certificates and these will only work "self-signing" on MS server with only IE browsers. They are locking out every other product. Public certs from a good source has made everything work perfectly... We have been ready for this security patch for over a month now.
        I have worked with both Oracle and java before the purchase and I am a big proponent of open source - I still don't like how Oracle assumes ownership, but we have received our own patch for java through Oracle support and everything rocks. I have developed systems in COBOL, C, C++ , java, SAS, PHP, and even that VB crap in the 90's. Java has been the best between different platforms by far, but it is only one tool of many. This posting is just flame bait, like arguing whether a screw driver is better than a hammer. Given a choice today, I would use PHP,MariaDB, and Python, but in a big enterprise, I would use Oracle and their version of java anyday. I also have a great appreciation for what Google is doing with their java base as well. It's all winning from my perspective and java will always be better than VB,C#, or any other proprietary language.

Re:Why doubt something better would exist?

I don't remember any java update including crap-ware until oracle.

Why doesn't oracle get around to an auto-updater that runs as a service? The reason is that you can't update using a service and also get users to accept a EULA for ask.com or whatever. It's not automatic if you have to issue that popup window. Oracle gets paid for each unchecked accept so they issue as many as they can. Rather than keep things as secure as possible, they are more interested in the payout for bundling.

Do you think they bought java with good intentions (from the perspective of the end users)? It's oracle - regarding motive, need more be said?

Hell, even adobe got around to auto updates.

Re:Why doubt something better would exist?

Should you be trusting auto updates that much?

Adobe had one of their code signing certs stolen last year, not used for Flash though, IIRC. Also, Adobe's updater helpfully installed McAfee's crap last time it updated - without any visible way to opt-out.

Opera had their auto-update serving Opera-signed malware last year - just for few hours, thankfully, but just think about this.

Do you really trust them not to send you malware, or at least crapware as an update, or at least update that'll brick your auto-updated PC?

Re:Why doubt something better would exist?

The other problem with Java is that if I install the runtime on my machine to run a little corporate desktop app it also ends up in the web browser, exposed to every single web page I visit. In what universe was that a good idea?

This is not entirely true. The JRE itself does not need to be installed to be useable.

You can copy the JRE folder to a machine and manually create the environment variables (JAVA_HOME) and whatever other links you want *without* any browser plugin being installed. As someone else pointed out in an earlier comment, many Java SE apps bundle their own JRE to avoid the need for the user to install Java themselves.

The JRE inself it quite a good platform to develop on top of. Not using Java SE because the avoidable browser plugin has problems seems a bit drastic.

Re:Why doubt something better would exist?

[Joce640k]

Is that still allowed? It started out as recommended practice but I thought they changed the license. Maybe it's just me.

OTOH, do people actually do that? Most of the Java apps I've seen just say "Install Java!!"

Re:Why doubt something better would exist?

[Joce640k]

Agreed. Ignorant fools who have no idea about smart pointers and containers should shut their traps rather than pontificate about C++, since they know nothing about its first principles.

Yep. I don't recall the last time I did manual memory management in C++ or had a buffer overflow. C++ pointers are either valid or NULL, just like Java. std::vector has had range checking for operator[] turned on by default for quite a few years. C++ done properly has just as much memory safety and automatic memory management as Java without all the downsides of a garbage collector.

Re:Why doubt something better would exist?

I'm not generally of that ilk myself, but STL did make me itch.

I had an STD that did that.

Re:Why doubt something better would exist?

[aled]

If you download the installer from the developers site it doesn't. Or use the tar.gz version for just uncompress in a directory with no installer at all.

Re:Why doubt something better would exist?

[aled]

Truly. There was real need for a portable, high level and safer (really) language. YMMV but I remember doing C with embedded SQL that was a pain, non-portable between platforms, compilers nor databases, debugger-less, etc. Lots of pain. The same program in Java would be a breeze. No pointers, no hand memory allocation, portable binaries, even the database drivers are portable.
There are lots of applications that are better suited for Java than C or even C++.

right up the ass like the flash plugin

enjoy

Re:right up the ass like the flash plugin

Tell me about my polyps.

Lunar power

[smittyoneeach]

It's all moonshine these days.

Re:Oracle and Java What the hell happened?

. My memory is going now, but I seem to remember that in the 1990s all of the code for an early web CGI Oracle interface, including user validation would fit on a floppy.

What's a "floppy"?

only secure personal data is off line and off site

? so the notion of storing (big (farce)) data about ALL of us on (easy to) open servers was already technically & ethically obsolete? are we daft? free the innocent stem cells. never a better time to consider ourselves in relation to our mom based new clear options...

ASK

[Arith]

How about that vulnerability where they package crap with the install? I had to clear a few spyware incursions on my father's machine resulting from the crap they stowed in the install including the ask toolbar. I don't care how many actual bugs there are. If you try to slide this shit by regular users like this, I just have zero respect for companies who do that.

Re:ASK

Uncheck the box, fucking cretin. Nobody wants your whining about obvious shit.

Re:ASK

[Arith]

Alright, I'll feed a little. Too bad.

Re:ASK

[fnj]

What is wrong with that AC pest anyway?

Re:Oracle and Java What the hell happened?

What's a "floppy"?

There are several meanings, both you'd understand if you were older.

Re:Oracle and Java What the hell happened?

In the Oracle world, patching does not affect version numbers. A different version means different or new functionality, even if it is the last part of the version.
Based on the version, you cannot determine if it is patched or not.

Re:Oracle and Java What the hell happened?

My memory is going now, but I seem to remember that in the 1990s all of the code for an early web CGI Oracle interface, including user validation would fit on a floppy.

You should try writing a plugin for Atlassian Bamboo. Here's the ~120MB worth of dependencies you'll take on:

/javax/activation/activation/1.1.1/activation-1.1.1.jar
/javax/jms/jms/1.1/jms-1.1.jar
/javax/transaction/jta/1.0.1B/jta-1.0.1B.jar
/javax/mail/mail/1.4.1/mail-1.4.1.jar
/javax/servlet/servlet-api/2.3/servlet-api-2.3.jar
/javax/xml/stream/stax-api/1.0-2/stax-api-1.0-2.jar
/org/acegisecurity/acegi-security/1.0.4/acegi-security-1.0.4.jar
/org/apache/activemq/activemq-core/5.6.0/activemq-core-5.6.0.jar
/org/apache/activemq/activemq-pool/5.6.0/activemq-pool-5.6.0.jar
/org/apache/activemq/protobuf/activemq-protobuf/1.1/activemq-protobuf-1.1.jar
/org/apache/activemq/activemq-ra/5.6.0/activemq-ra-5.6.0.jar
/com/atlassian/activeobjects/activeobjects-spi/0.19.11.bamboo.4/activeobjects-spi-0.19.11.bamboo.4.jar
/org/sonatype/aether/aether-api/1.13.1/aether-api-1.13.1.jar
/org/sonatype/aether/aether-connector-wagon/1.13.1/aether-connector-wagon-1.13.1.jar
/org/sonatype/aether/aether-spi/1.13.1/aether-spi-1.13.1.jar
/org/sonatype/aether/aether-util/1.13.1/aether-util-1.13.1.jar
/com/atlassian/analytics/analytics-api/2.29/analytics-api-2.29.jar
/com/intellij/annotations/6.0.5/annotations-6.0.5.jar
/org/apache/ant/ant/1.8.4/ant-1.8.4.jar
/org/apache/ant/ant-launcher/1.8.4/ant-launcher-1.8.4.jar
/antlr/antlr/2.7.7/antlr-2.7.7.jar
/org/antlr/antlr-runtime/3.4/antlr-runtime-3.4.jar
/aopalliance/aopalliance/1.0/aopalliance-1.0.jar
/com/atlassian/applinks/applinks-api/4.0.5/applinks-api-4.0.5.jar
/com/atlassian/applinks/applinks-host/4.0.5/applinks-host-4.0.5.jar
/com/atlassian/applinks/applinks-spi/4.0.5/applinks-spi-4.0.5.jar
/com/atlassian/annotations/atlassian-annotations/0.4/atlassian-annotations-0.4.jar
/com/atlassian/aws/atlassian-aws/1.0.45/atlassian-aws-1.0.45.jar
/com/atlassian/bamboo/atlassian-bamboo-agent-bootstrap/5.2/atlassian-bamboo-agent-bootstrap-5.2.jar
/com/atlassian/bamboo/atlassian-bamboo-agent-classserver/5.2/atlassian-bamboo-agent-classserver-5.2.jar
/com/atlassian/bamboo/atlassian-bamboo-agent-core/5.2/atlassian-bamboo-agent-core-5.2.jar
/com/atlassian/bamboo/atlassian-bamboo-agent-elastic/5.2/atlassian-bamboo-agent-elastic-5.2.jar
/com/atlassian/bamboo/atlassian-bamboo-agent-elastic-server/5.2/atlassian-bamboo-agent-elastic-server-5.2.jar
/com/atlassian/bamboo/atlassian-bamboo-agent-elastic-shared/5.2/atlassian-bamboo-agent-elastic-shared-5.2.jar
/com/atlassian/bamboo/atlassian-bamboo-agent-local/5.2/atlassian-bamboo-agent-local-5.2.jar
/com/atlassian/bamboo/atlassian-bamboo-agent-remote/5.2/atlassian-bamboo-agent-remote-5.2.jar
/com/atlassian/bamboo/atlassian-bamboo-api/5.2/atlassian-bamboo-api-5.2.jar
/com/atlassian/bamboo/atlassian-bamboo-api-agent-bootstrap/5.2/atlassian-bamboo-api-agent-bootstrap-5.2.jar
/com/atlassian/bamboo/atlassian-bamboo-charts/5.2/atlassian-bamboo-charts-5.2.jar

Re:Oracle and Java What the hell happened?

> several
> both

Choose one.

Re:Oracle and Java What the hell happened?

[tenco]

What's a "floppy"?

Less than you can download in a second.

Re:Oracle and Java What the hell happened?

http://xkcd.com/1070/

Re:Oracle and Java What the hell happened?

[c0lo]

What's a "floppy"?

Less than you can download in a second.

Something that took a day to download in the mid '90 over a dialup connection (if it stayed connected that long).

it would be good if....

[3seas]

web developers provided alternative site access without JAVA.
Why? Simply because JAVA is a product designed to always have things that need patched.
Its not safe, and never will be.

Re:it would be good if....

[iggymanz]

you think any other language framework also does not have horrendous security issues?

Try a source with some authority

http://www.oxforddictionaries.com/definition/english/several

Re:Try a source with some authority

[davester666]

sorry, but on slashdot, xkcd is canonical.

Don't you know?

Don't you know that Java is an exploit by itself, exploited by Oracle?

Locale bloat in iostream

[tepples]

You are supposed to use stringstream and string in C++

I have discovered that with GNU libstdc++, instantiation of ostringstream automatically brings the date, time, and money formatting libraries into a statically linked Hello World program that doesn't even print a date, time, or money object. This causes the executable to be a quarter megabyte in size, compared to the C equivalent that's smaller than 6K. Why does this happen?

Re:Locale bloat in iostream

[Joce640k]

Why does this happen?

I dunno, mine doesn't do it.

Try asking the people who maintain that particular compiler...

The managed language itself has exploits

[tepples]

Unfortunately, even codebases like WebKit that are worked on primarily by experienced, well paid engineers from places like Apple and Google routinely contain exploits in them that would have been avoided by the use of managed languages

How would the use of managed languages save the user from exploits when the managed language itself has exploits?

Re:The managed language itself has exploits

[IamTheRealMike]

Because most of these exploits being fixed are not remotely exploitable unless you deliberately download and run malicious Java code. If you write a JavaScript engine in Java, then you can't have use-after-free exploits in your JavaScript engine, to give an example of once recent Chrome vulnerability. You could have other ways bad JavaScript can escape the interpreter, but memory management or overflow errors won't be amongst them.

Re:The managed language itself has exploits

[tepples]

Because most of these exploits being fixed are not remotely exploitable unless you deliberately download and run malicious Java code.

How would an end user know whether or not a particular piece of Java code is malicious?

Bloat everywhere

[multimediavt]

Oracle and Java exploits - An anecdote:- A couple of weeks ago I tried to log into my superannuation account, the browser fired back an authentication error, so I notified the company (MLC) who asked me to send them as many technical details as I could. After a little bit of looking around, I noted that the Oracle Access Management system that gave me the error code was was at version (11.1.1.5.0). Oracle's currently version was 11.1.2.1.0. Not too surprising, a supplier that had not patched to the current version.

What did surprise me was that Oracle's Identity Management Patch Set that was available for the version displayed was >2GB - A compressed Java application and framework for a database authentication application that was over 2 Gigabytes in size .

It has been a few years since I wrote any Oracle stuff, but that is ridiculous, what the hell have web based script kiddy/Java type developers been up to. Admittedly I started with Oracle in the Stone Age (V3) and actually shipped an application that used V4. By V6 the C interface which included all the necessary external validation code was small enough to be easily understood and modifiable by a single programmer. My memory is going now, but I seem to remember that in the 1990s all of the code for an early web CGI Oracle interface, including user validation would fit on a floppy.

Why are/were you surprised at the size of the package? I, and many other /.ers remember days when a 30 MB (no kids, that's not a typo) hard disk held dozens of applications, the GUI-based OS, and all our data files. Somewhere along the line APIs, OS frameworks and data files got less compact and then grew as the size of hard drives grew. More features, larger frameworks to accommodate those features and WHAM! you have a 2GB patch set. Sure, I still grumble when I see how big a small application (from a raw code standpoint) turns into a rather large binary, but if the features are needed then we have to just grit our teeth and accept that the underpinnings of those features in the APIs are asymmetric to the amount of text to implement them in the function call. Times they are ever a changin'.

Re:Oracle and Java What the hell happened?

[Rich0]

In the Oracle world, patching does not affect version numbers. A different version means different or new functionality, even if it is the last part of the version.
Based on the version, you cannot determine if it is patched or not.

Makes sense - if they wanted to actually show patch level they'd need a more complex version numbering scheme. Just how much information do you think can really be communicated in 5 separate version numbers?

In related news...

[gmuslera]

All those having internet facing java services had remote vulnerabilities known by oracle and the NSA for months (at least if Oracle does the same as Microsoft, something very probable if not worse), and if your internal network had some value for the NSA or people working for it, it is already backdoored.

Oracle

I keep thinking that Sun Microsystems makes Java. Some old programs complain when they detect Oracle Java instead of Sun Java on my computer. Somebody needs to update those old programs.

Identifying malicious code first

[tepples]

Don't download and run malicious code and you're OK.

This is true but not very helpful. How should the end user identify malicious code before downloading and running it?

Re:Identifying malicious code first

[Keybounce]

How should the end user identify malicious code before downloading and running it?

Easy. Load it into a sandboxed simulator, and see what it does. It can't escape the sandbox, right?

Oh, right.

Re:GC Standard Support

C17 and C++17

Hello, Android?

[Max+Threshold]

Android developers are forced to use Java 6. I don't know if I should be more pissed at Oracle or Google right now...

Re:Hello, Android?

I thought Android developers are forced to use Java language to write programs using Android platform SDKs, which will be compiled with JDK6 (also, don't they support JDK7 lately?) and run on Dalvik VM later.

I don't think Android developers should be steaming that much over vulnerabilities in Oracle JRE 6, especially when those vulnerabilities require you to download and execute malicious Java code on your machine first.

Re:Hello, Android?

[TheSunborn]

No we are not. We are just forced to set eclipse to generate code which is compatible with Java 6. But there is absolutely no reason to use java 6, just because you do Android development.

Re:Hello, Android?

[Max+Threshold]

Not really. Most of this answer is still true: http://stackoverflow.com/a/13550632/1953590 Android 4.4+ fully supports Java 7, but that's what, about 1% of the device market right now?

Java = backdoor by design

Java exists ENTIRELY to compromise the security of computers that are stupid to use the dreadful language. It was always just another NSA initiative to back the hacking of remote computers far more likely. No aspect of Java as a computer language was ever more useful than pre-existing solutions. A bit of a clue here. And a lesson to NEVER accept gifts from US companies or institutes with any form of link to the US government.

Today, Java is a constant stream of 'fixes' that seek to 'address' a constant stream of zero day exploits. You'll notice, surprise surprise, that across time Java becomes provably LESS secure. Only a few days ago, the extremist zionist owned Yahoo (proud to be the face of Israeli atrocities against its neighbours), purposely injected Java malware onto TWO MILLION PLUS non-American machines that connected to Yahoo servers. This malware immediately began assisting criminal enterprises for the usual cyber-crime gangs in Israel and Ukraine territories.

The criminal use of Java is a side-effect of its NSA engineered purposes. Too many NSA linked agents have connections to the criminal gangs in Israel (and from there to the ex-Soviet States) and are constantly leaking details of the back-doors engineered into Java.

Oracle will NEVER EVER stop compromising their software on behalf of the NSA, as is the situation with Google and Microsoft as well. Sadly, while most people could choose to ignore the NSA side of things, the fact that NSA people are frequently best buds with the cyber-criminals, and ensure the back-doors are used to do the most sickening damage to computers of ordinary users, means that every computer user is going to continue to be massively inconvenienced.
   

Re:Oracle and Java What the hell happened?

> what the hell have web based script kiddy/Java type developers been up to

This is inherent in most "object oriented" worlds. They provide layer after layer of customized libraries, creating towering hierarchies of subtly different, or duplicated, libraries at different levels of the run-time interpretation that *select* the particular Java library to apply. Unfortunately, the owners of the other members of the tower don't necessarily incllude consistent and compatible versions of even core functions, so you wind up replicating the whole thing into *your* library just to ensure compatiblity.

And yes, it's bloated and nasty, It's what you get with deliberately overlapping function names.

The Google method ended Sun's dominance.

[Futurepower(R)]

"It's a shame either company was able to take so much money from the IT world."

Sun depended on IT departments being ignorant. When Google showed everyone that reliability could be achieved with below-consumer-quality hardware by using software that adjusted for failures, Sun began its long, slow decline.

Ok, so 36 problems with Java

[viperidaenz]

34 of those don't require authentication.
That's for the "Java" product group, containing the following products
Java SE
Java SE Embedded
JavaFX
JRockit
What I want to know, is how many are related to the JRE and how many to the Java browser plugin, Webstart and other components.

Oracle is "Unbreakable"

Uncle Larry obviously has better things to do with his cash than invest sufficient money to improve the security of his own products. Exotic carbon fiber yachts don't grow on trees.

Java really does suck though

I take a more pragmatic approach. Hate it? Absolutely. For good reasons, and everybody knows they exist.

However, I do need it on occasion. Just disable it in your primary browser, and only use your like 3rd browser choice for Java applications.

Since those aren't random pages, but well known choices, you have the perfect use case for white listing.

The rest will sort itself out. If Java finds itself needing a white list as a best practices recommendation, then coders will respond and not choose it as a development platform.

That seems like a pretty honest response too.

Hey, all you microsofts oracles apples ibms google

Stop coming up with brand new (redundant) languages and extensions to your bloated APIs. First, test and audit the crap out of your code and fix all your @#$ing bugs. Security and reliability matters.

Harder is better (thats what she said...)

[TiggertheMad]

You are hitting on something important here: No language is going to prevent a coder from doing blitheringly stupid things. But on the whole, C++ has a much higher bar to entry, and I will generalize here, in saying that your average C++ dev is probably going to code circles around the average Java mook.

I grew up writing C++ and ASM, and I now professional work with managed code so I have seen both sides of the street. Managed code makes a lot of things much simpler, and if you are skilled, it makes it faster to accomplish some tasks. This simplicity also makes it possible for idiots to do things that they have no understanding of. Don't believe me? Go look at the quality of code produced professional visual basic coder (even more 'dumbed down' than most managed code) and compare it to the output of C++ dev.

C++ is a better language because it requires a more skilled dev to use.

Re:Oracle and Java What the hell happened?

Oracle and Java exploits - An anecdote:-

A couple of weeks ago I tried to log into my superannuation account, the browser fired back an authentication error, so I notified the company (MLC) who asked me to send them as many technical details as I could. After a little bit of looking around, I noted that the Oracle Access Management system that gave me the error code was was at version (11.1.1.5.0). Oracle's currently version was 11.1.2.1.0. Not too surprising, a supplier that had not patched to the current version.

What did surprise me was that Oracle's Identity Management Patch Set that was available for the version displayed was >2GB - A compressed Java application and framework for a database authentication application that was over 2 Gigabytes in size .

That's normal, because the package you looked at a) is not a patch, but the full version and b) it's for the full security suite (it includes also other products).

How many require the plugin?

[dkf]

Like many people, I have Java installed but don't have the browser plugin enabled. This means that the remote-exploitable attack surface is zero; if you don't provide a route for the attacker to get to anything vulnerable, you're totally defended from that whole class of attacks. With applications where you've already installed them locally and which don't download extra code from random locations, the nature of these issues is entirely different. (Any language which it is impossible to deliberately write an insecure program in is a language that's been castrated to the point where you can't write an interesting program at all.)

So, what about the problems in Java that are not part of the plugin? Those are the ones which it is important to know about, but TFA was extremely light on detail.

The fix - real fix this time?

[ebvwfbw]

Anyone know if this is yet another band-aid patch or are they really fixing the underlying problem? This is why we continue to see patch after patch after patch after patch.. well you get the idea. Turns admins into firemen trying to patch all of the vulnerable machines. Even for my personal machines it's really, really, really old. Glad I'm not an admin. Wonder if Ellison is sorry he bought SUN yet.