Oracle Promises Patches Next Week For 36 Exploits In Latest Java

An anonymous reader writes "Oracle is posting patches for all its products next Tuesday, which include 36 exploits for Java alone and over 140 for all Oracle products currently supported, included over 80 that require no authentication to execute.These patches look to be critical for any administrator. Java 6 users who use equipment or programs that rely on older versions are SOL unless they sign up for a very expensive support contract, as these patches are for Java 7 only."

Re:Why doubt something better would exist?

[Urkki]

What is telling is, JRE installer from Oracle keeps pushing ask.com toolbar (borderline malware) with underhanded tactics (check box checked by default, re-checked for updates, and hidden behind changing install directory from default). Business is business, sure, and I wouldn't want something this dirty anywhere near my business...

Re:Why doubt something better would exist?

[IamTheRealMike]

Sun did that for years, that's hardly something new Oracle brought in. It's because Sun, despite their excellent engineering reputation, never figured out how to make money off Java. Lots of other companies did but Sun didn't. So they ended up resorting to pushing crapware through the Windows installer in a desperate attempt to monetize. Oracle merely continued that awful tradition.

The good news is that ever since Java has been open source, distributing it in other ways is possible and with Java 8 they're changing the license on the Oracle packagings of it so you can cut it down to size for your specific app. It's getting a lot close to just being a big runtime library than an entire parallel OS which it was trying to be in previous years.

As to whether Java is secure or not, I don't think we should be too hard on the Oracle/Sun developers here. Every attempt to do mobile code has turned into a security nightmare. Not just Java, ActiveX and Flash, but web browsers routinely patch exploits in their core rendering or JavaScript engines, and that's HTML5 - a vastly simpler and more crippled platform than even the most basic core Java system provides. In fact browser developers have given up trying to make renderers secure which is why they're all heavily sandboxed, it's inevitable people will find ways to exploit the mobile code aspects of the rendering engines. Even then, Chrome sandbox escapes still get found from time to time.

I don't think we should read these stories as "Java sucks". Programs written in Java or any other modern managed language are still much more secure than code written in C++. There are no stack or heap overflows to worry about, no double frees. These stories are not about how easy it is to write secure code in any given language or platform. Instead we should understand these stories as "sandboxing malicious code is incredibly hard". Java hurts from it more because Java was a lot more ambitious than other attempts.

Re:again?

[Sesostris+III]

Its amazing how Java went from being the favoured child here on Slashdot to something generally reviled and hated over the past decade.

I don't think this is unique to Java; the same thing has happened here with Ubuntu/Canonical. Love can easily turn to hate whereas indifference rarely does.

Concerning Java, I don't think it is Java per se that is the cause of the 'hatred', it is more (1) the insecurity of the browser plug-in, (2) the attempt to install the ask.com toolbar when installing the JRE and (3) a general distrust of Oracle.

I don't have a problem with any of these. For #1 this can be disabled, for #2 I just download the JDK .tar.gz for Linux and just unpack it to install, and for #3 there is always OpenJDK in the background to keep Oracle on the straight an narrow.

The only real alternative to Java is .NET, which for me (using Linux) would mean using Mono. Interestingly, open-source Mono seems to generate more hatred here on Slashdot than the closed-source and proprietary .NET does.