Slashdot Mirror


Oracle Promises Patches Next Week For 36 Exploits In Latest Java

An anonymous reader writes "Oracle is posting patches for all its products next Tuesday, which include 36 exploits for Java alone and over 140 for all Oracle products currently supported, including over 80 that require no authentication to execute. These patches look to be critical for any administrator. Java 6 users who use equipment or programs that rely on older versions are SOL unless they sign up for a very expensive support contract, as these patches are for Java 7 only."

20 of 154 comments

  1. concerning is ... by Selur · · Score: 3, Interesting

    that of the 36 Java related bugs, "34 of them (are) exploitable remotely without authentication".

    "Java 6 users who use equipment or programs that rely on older versions are SOL unless they sign up for a very expensive support contract, as these patches are for Java 7 only."
    +
    "Oracle Java JDK and JRE, versions 5.0u55 and earlier, 6u65 and earlier, 7u45 and earlier"
    -> Muhahahaha,...
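As an added example (not part of the thread, and not Oracle's tooling), a small Python checker that classifies a Java version string against the ranges quoted above and flags which of those ranges have a public fix at all; the version strings and the sample `java -version` output are constructed.

```python
import re

# Constructed from the ranges quoted above: the highest update level of each
# major version the advisory lists as affected (5.0u55, 6u65, 7u45 "and earlier").
AFFECTED_MAX_UPDATE = {5: 55, 6: 65, 7: 45}
# Per the summary the fixes ship for Java 7 only; older majors need a paid
# support contract, so no public fixed build exists for them.
PUBLICLY_PATCHED_MAJORS = {7}
# Accepts "1.7.0_45" (java -version), "7u45" (Oracle download naming),
# "5.0u55", "1.6.0_65" and a bare major such as "7".
_VERSION_RE = re.compile(r"^(?:1\.)?(\d+)(?:\.\d+)?(?:[_u](\d+))?")

def parse_java_version(text):
    """Return (major, update) for the common Java version spellings."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Java version: %r" % text)
    update = int(m.group(2)) if m.group(2) else 0
    return int(m.group(1)), update

def version_from_java_output(output):
    """Pull the quoted version out of `java -version` output (printed on stderr)."""
    m = re.search(r'version "([^"]+)"', output)
    if not m:
        raise ValueError("no version line in java -version output")
    return m.group(1)

def assess(text):
    """Classify a version string against the ranges the advisory names."""
    major, update = parse_java_version(text)
    if major not in AFFECTED_MAX_UPDATE:
        return "unknown"  # outside the listed majors; check it separately
    if update > AFFECTED_MAX_UPDATE[major]:
        return "not-affected"
    if major in PUBLICLY_PATCHED_MAJORS:
        return "vulnerable-patch-available"
    return "vulnerable-no-public-patch"

# Constructed sample of what `java -version 2>&1` prints for a 7u45 JRE.
SAMPLE_OUTPUT = ('java version "1.7.0_45"\n'
                 'Java(TM) SE Runtime Environment (build 1.7.0_45-b18)\n')

if __name__ == "__main__":
    for v in (version_from_java_output(SAMPLE_OUTPUT), "7u51", "1.6.0_65", "1.8.0"):
        print(v, "->", assess(v))
```

Feed it the output of `java -version 2>&1` from each host in an inventory to separate machines that can simply update from those that are stuck on a Java 6 dependency with no public fix.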

    1. Re:concerning is ... by mrmeval · · Score: 3, Insightful

      ADP forces the use of an ancient and bug-infested version of Java for its timecard application. We've been infected SO MANY times they finally decided to set up a dedicated PC that has no other access.

      This of course removes all the benefit of having web access to time card entry and eats up time employees could be working, but the gossip and knife fights are good entertainment.

      --
      I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
    2. Re:concerning is ... by drinkypoo · · Score: 2

      Any Java program that won't run on a new JVM is already questionable

      Yeah, the majority of big Java programs ship with a JRE specifically because switching to a new one may well break something. That doesn't really detract from your statement, but most big Java programs are questionable. Or perhaps the question is why anyone thinks Java is a good idea to begin with.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:concerning is ... by TubeSteak · · Score: 2

      We've been infected SO MANY times they finally decided to set up a dedicated PC that has no other access.

      I cringe whenever I see a Point of Sale or other commercial system being used to browse the web.

      If you can't afford a separate computer for looking stuff up, you certainly can't afford the pain from getting your crown jewels pwned.

      --
      [Fuck Beta]
      o0t!
  2. Re:again? by Urkki · · Score: 3, Insightful

    Java, one of the worst things to happen to computing, ever.

    Nah, I doubt anything would be much better if it were in the position Java is in now. If it were native code, anybody without the sources would be screwed; now only anybody with a Java 6 requirement and no sources to fix it is screwed (but they were the moment their software got tied to a specific JRE 6 version). If it were .NET instead of Java, when do you think MS would get around to patching Linux versions? If it were some scripting language... ok, it couldn't be: duck typing is too fragile, performance is a problem, and there are no serious contenders for many (not most, but many) Java use cases.

    In the absence of Java, maybe something really better would exist now, but I very much doubt it. It's a paradoxical package deal.

  3. Comment removed by account_deleted · · Score: 3, Interesting

    Comment removed based on user account deletion

  4. Why doubt something better would exist? by Anonymous Coward · · Score: 3, Insightful

    Sun was very much responding to a need when they started developing Java all those years ago. Other groups largely left them to it as Sun was a company with an excellent reputation. Things would have been just fine but for one most unfortunate event.

    Oracle bought Java.

    We suddenly switch from famous to infamous. As far as I'm concerned, Java died on that day, and I've been far more interested in freer languages since then. I feel for those that continue to endure Java due to corporate inflexibility.

    1. Re:Why doubt something better would exist? by Urkki · · Score: 5, Insightful

      What is telling is that the JRE installer from Oracle keeps pushing the ask.com toolbar (borderline malware) with underhanded tactics (check box checked by default, re-checked for updates, and hidden behind changing the install directory from the default). Business is business, sure, and I wouldn't want something this dirty anywhere near my business...

    2. Re:Why doubt something better would exist? by IamTheRealMike · · Score: 5, Insightful

      Sun did that for years, that's hardly something new Oracle brought in. It's because Sun, despite their excellent engineering reputation, never figured out how to make money off Java. Lots of other companies did but Sun didn't. So they ended up resorting to pushing crapware through the Windows installer in a desperate attempt to monetize. Oracle merely continued that awful tradition.

      The good news is that ever since Java has been open source, distributing it in other ways is possible, and with Java 8 they're changing the license on the Oracle packagings of it so you can cut it down to size for your specific app. It's getting a lot closer to just being a big runtime library than the entire parallel OS it was trying to be in previous years.

      As to whether Java is secure or not, I don't think we should be too hard on the Oracle/Sun developers here. Every attempt to do mobile code has turned into a security nightmare. Not just Java, ActiveX and Flash, but web browsers routinely patch exploits in their core rendering or JavaScript engines, and that's HTML5 - a vastly simpler and more crippled platform than even the most basic core Java system provides. In fact browser developers have given up trying to make renderers secure which is why they're all heavily sandboxed, it's inevitable people will find ways to exploit the mobile code aspects of the rendering engines. Even then, Chrome sandbox escapes still get found from time to time.

      I don't think we should read these stories as "Java sucks". Programs written in Java or any other modern managed language are still much more secure than code written in C++. There are no stack or heap overflows to worry about, no double frees. These stories are not about how easy it is to write secure code in any given language or platform. Instead we should understand these stories as "sandboxing malicious code is incredibly hard". Java hurts from it more because Java was a lot more ambitious than other attempts.

    3. Re:Why doubt something better would exist? by RabidReindeer · · Score: 2

      Programs written in Java or any other modern managed language are still much more secure than code written in C++. There are no stack or heap overflows to worry about, no double frees.

      You're thinking of C, not C++.

      (Trouble is, so are many people who put "C++" on their resumes...)

      The problem with Java is that the exploits are in Oracle's hands, not ours. We can't fix them even if we know what they are...

      The other problem with Java is that if I install the runtime on my machine to run a little corporate desktop app it also ends up in the web browser, exposed to every single web page I visit. In what universe was that a good idea?

      WHERE did you get the idea that C++ is more immune to memory leaks or buffer overflows than C? C++ adds to the basic C memory management services and memory organization, but it still retains the original C ones. And adds an additional way to leak memory - undisposed objects.

      I think that the stock JVM's ability to auto-activate itself in browsers is something that varies by machine and by browser, but if it is enabled, there are ways to switch it off.

    4. Re:Why doubt something better would exist? by ChunderDownunder · · Score: 2

      The problem with Java is that the exploits are in Oracle's hands, not ours. We can't fix them even if we know what they are...

      Only if you use Oracle's binaries. Linux distros switched to OpenJDK years ago, whose source is available under the GPL.

    5. Re:Why doubt something better would exist? by IamTheRealMike · · Score: 2

      No, you haven't understood what these vulnerabilities are about. They're all issues that affect you if you download and run malicious Java programs from the internet, which describes applets that are often disabled in the browser anyway. Not "any Java program that talks to the network is remotely exploitable". So if you aren't a malicious programmer then your code is still secure.

      As I said above, I'm thinking of C++. You'll find a lot of C++ programs that use unsafe calls, but even if they are STL only, you can still easily do things like use after free and other bugs.

    6. Re:Why doubt something better would exist? by RabidReindeer · · Score: 3, Informative

      This particular "ignorant fool" was one of the first commercial vendors of C++.

      Just because some people may use certain features that make C++ safer doesn't mean that it is safer. Plenty of people think they're so clever that they can invent their own "more efficient/better" systems. And use scanf, for that matter.

      I'm not generally of that ilk myself, but STL did make me itch. The worst features of programming and mathematics combined into one.

  5. Re:again? by Richard_at_work · · Score: 2

    It's amazing how Java went from being the favoured child here on Slashdot to something generally reviled and hated over the past decade.

  6. Re: Java 6 on Mac by IamTheRealMike · · Score: 2

    Mac browsers (Chrome, Safari, Firefox) don't run Java applets automatically anyway, so it doesn't matter what version of Java you have installed. Remember these exploits are all getting in because you run malicious code inside a sandbox and the sandbox fails. Don't download and run malicious code and you're OK.

  7. Re:again? by Sesostris+III · · Score: 5, Insightful

    It's amazing how Java went from being the favoured child here on Slashdot to something generally reviled and hated over the past decade.

    I don't think this is unique to Java; the same thing has happened here with Ubuntu/Canonical. Love can easily turn to hate whereas indifference rarely does.

    Concerning Java, I don't think it is Java per se that is the cause of the 'hatred', it is more (1) the insecurity of the browser plug-in, (2) the attempt to install the ask.com toolbar when installing the JRE and (3) a general distrust of Oracle.

    I don't have a problem with any of these. For #1 this can be disabled, for #2 I just download the JDK .tar.gz for Linux and just unpack it to install, and for #3 there is always OpenJDK in the background to keep Oracle on the straight and narrow.

    The only real alternative to Java is .NET, which for me (using Linux) would mean using Mono. Interestingly, open-source Mono seems to generate more hatred here on Slashdot than the closed-source and proprietary .NET does.

    --
    You never know what is enough unless you know what is more than enough. - Blake
  8. Re:again? by Joce640k · · Score: 2

    It's amazing how Java went from being the favoured child here on Slashdot to something generally reviled and hated over the past decade.

    Why? Changing your mind when presented with strong evidence is a sign of intelligence.

    You should only be "amazed" when this doesn't happen (i.e. religion, politics...)

    --
    No sig today...
  9. Re:again? by Kjella · · Score: 2

    It's more of a "there and back again" story really. Ten years ago RMS published his Java Trap and the open source community was rather wary of making anything depending on a JRE blob. In 2006 Sun announced they'd open source Java and all hearts rejoiced. Except it took a really long time; here's an article on how it might finish in 2008.

    Perhaps of biggest importance is that Java ME never got freed; Sun and later Oracle always wanted a fee if you wanted to put it on your mobile phone. Then Sun got bought by Oracle in 2009, and where Sun had been amicable about the existence of Android, Oracle instead chose to sue Google in 2010, claiming patent violations and copyright to the APIs. Particularly the latter is anathema in the open source community.

    Due to Android being a runaway success driving Java ME out of the market and Oracle fighting it all the way in court they got branded with "stopped innovating, started suing" and the divide between Oracle with OpenOffice and the open source community with LibreOffice didn't help either. Whatever Sun and Java might have been, a friend bought out by your enemy is now your enemy.

    Not that this is what's bothered the rest of the world though. For them it's all the constant critical security exploits which have turned Java into the security bad boy. It used to be ActiveX, it used to be Flash, but these days the #1 security advice seems to be "disable Java". They should have just pulled support for applets because it's tar and feathering the whole brand, even for software that doesn't suffer from remote exploits.

    --
    Live today, because you never know what tomorrow brings
  10. Re:again? by drinkypoo · · Score: 2

    It's amazing how Java went from being the favoured child here on Slashdot to something generally reviled and hated over the past decade.

    Having actually been here for the last decade, I don't know what you're on about. Java has never been the favorite son of Slashdot. There has always been a massive contingent that holds that Java is slow and stupid. Sure, there's always been a group that opposes it, but it's always been smaller. Where do you think you are, anyway?

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  11. Hello, Android? by Max+Threshold · · Score: 2

    Android developers are forced to use Java 6. I don't know if I should be more pissed at Oracle or Google right now...