Slashdot Mirror


Oracle Releases Massive Security Update

wiredmikey writes Oracle has pushed out a massive security update, including critical fixes for Java SE and the Oracle Sun Systems Products Suite. Overall, the update contains nearly 170 new security vulnerability fixes, including 36 for Oracle Fusion Middleware. Twenty-eight of these may be remotely exploitable without authentication and can possibly be exploited over a network without the need for a username and password.

79 comments

  1. No secure download by buchner.johannes · · Score: 5, Informative

    There is still no way of authenticating Java downloads? Either a download through HTTPS or a hash fingerprint of the file, accessible via HTTPS? This used to exist up until ~2 years ago, but now it is all insecure (the download can include drive-by malware).

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    1. Re:No secure download by Anonymous Coward · · Score: 0

      Nah, just secure your download by using TOR.

    2. Re:No secure download by Wootery · · Score: 4, Insightful

      the download can include drive-by malware

      Can? If memory serves, you have to opt out of McAfee in the Java installer.

    3. Re:No secure download by Anonymous Coward · · Score: 2, Informative

      For Standard Edition JDK or JRE:

      http://www.oracle.com/technetwork/java/javase/downloads/index.html

      click which package you want to download, and then on the download page click the checksum link

      https://www.oracle.com/webfolder/s/digest/8u31checksum.html

      There's no bundleware like the Ask toolbar with the java installer from Oracle's website.

    4. Re:No secure download by Wootery · · Score: 2

      Just so I know, you are kidding, right?

    5. Re:No secure download by hawguy · · Score: 2

      For Standard Edition JDK or JRE:

      http://www.oracle.com/technetwork/java/javase/downloads/index.html

      click which package you want to download, and then on the download page click the checksum link

      https://www.oracle.com/webfolder/s/digest/8u31checksum.html

      There's no bundleware like the Ask toolbar with the java installer from Oracle's website.

      A simple checksum stored with the binary is not a means of authentication; it's only a means to validate that there was no file corruption on download (since an attacker can update the checksum(s) at the same time he modifies the binary). Something like a cryptographic signature would be needed for authentication (with a validated means of public key distribution).

      Since the download link does not use SSL, even if you trust that no one has corrupted Oracle's repository, you have no assurance that the file you download hasn't been modified in-transit using a man-in-the-middle attack.

    6. Re:No secure download by Anonymous Coward · · Score: 2, Informative

      Um, the checksum is the binary's MD5 hash. It's not "stored" with the binary. The hashes are listed in that second link I provided, which is an SSL page. To verify the binary's integrity, run an MD5 sum generator on the binary and compare the hash you get with the hash listed on the SSL page. If they match, you got a good download. If they don't, then you got a bad download and you shouldn't install it.
      Geez, I can't believe this has to be explained on Slashdot.

    7. Re:No secure download by Anonymous Coward · · Score: 0

      The Windows installer is cryptographically signed by Oracle. Don't know about the others.

    8. Re:No secure download by Atzanteol · · Score: 1

      Mod up!

      --
      "Ignorance more frequently begets confidence than does knowledge"

      - Charles Darwin
    9. Re:No secure download by hawguy · · Score: 3, Informative

      Um, the checksum is the binary's MD5 hash. It's not "stored" with the binary. The hashes are listed in that second link I provided, which is an SSL page. To verify the binary's integrity, run a md5 sum generator on the binary and compare the hash you get with the hash listed on the SSL page.

      That would be more meaningful if the link to the MD5 checksums was not on the same non-SSL page as the link to the binaries, so is subject to manipulation -- an attacker can make it point anywhere they want, and unless a user "knows" that the checksum page is supposed to be SSL, they'd never know (yes, you gave the SSL page, but how do I know that you're not an attacker and that you gave me a fake page that you happened to upload to an Oracle server?). Likewise, if someone can alter the binary on the repo, who is to say that they can't alter the checksum file as well?

      There's one well-established method to validate downloads, and that is to use a cryptographic signature (with a well-protected private key; the signature should be generated on a completely offline computer).

      MD5 verification may be "good enough" for most uses, but it's very weak authentication.

      If they match, you got a good download. If they don't, then you got a bad download and you shouldn't install it.
      Geez, I can't believe this has to be explained on Slashdot.

      You seem to be confusing download verification with authentication -- they are different concepts.
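
      The distinction hawguy draws above (transit-integrity check versus authentication of the publisher) is easy to see in code. The following is an added example, not code from Oracle or from any poster: the "installers" are constructed byte strings, the function names are ours, and the signing key is a deliberately tiny textbook-RSA toy built from public Mersenne primes so that the script runs offline. It uses SHA-256 rather than the MD5 digests the thread mentions, since MD5 collisions are practical today. The three functions model three situations: the digest arriving over the same untrusted channel as the binary, a digest pinned out of band, and a vendor signature that an attacker cannot regenerate without the private key.

```python
"""Three download-verification models, side by side.

Added example (not Oracle's code, not any poster's).  Sample data is
constructed; the RSA key is a toy with public primes, usable only to
show the trust relationship.  Real verification uses gpg/minisign/
Authenticode, never hand-rolled RSA without padding.
"""
import hashlib

# Constructed sample downloads (not real Oracle artifacts).
GENUINE_INSTALLER = b"JRE installer bytes (constructed sample)"
TAMPERED_INSTALLER = GENUINE_INSTALLER + b"\x90\x90 dropped-in payload"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Model 1: digest page reachable from the same plain-HTTP download page.
# Whoever can rewrite the binary in transit can rewrite the digest too,
# so a match only says the bytes arrived as the attacker sent them.
def verify_same_channel(installer: bytes, digest_from_page: str) -> bool:
    return sha256_hex(installer) == digest_from_page


# Model 2: digest pinned out of band (HTTPS page reached by typing the
# URL, or a value recorded from an earlier trusted download).  Catches a
# modified binary; does not catch an attacker who controls the HTTPS page.
def verify_pinned_digest(installer: bytes, pinned_digest: str) -> bool:
    return sha256_hex(installer) == pinned_digest


# Model 3: a signature.  Toy textbook RSA over SHA-256, no padding.
# The primes are public Mersenne numbers, so this key is worthless as a
# real key; it exists only so the script runs without external tooling.
P = 2**521 - 1                      # Mersenne prime M521 (toy, public)
Q = 2**607 - 1                      # Mersenne prime M607 (toy, public)
N = P * Q
E = 65537
_D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: lives on the offline signer


def sign(data: bytes, d: int = _D) -> int:
    """What the vendor does once, on the offline signing host."""
    m = int.from_bytes(hashlib.sha256(data).digest(), "big")  # 256 bits < N
    return pow(m, d, N)


def verify_signature(installer: bytes, signature: int) -> bool:
    """What the user does with only the public key (N, E)."""
    m = int.from_bytes(hashlib.sha256(installer).digest(), "big")
    return pow(signature, E, N) == m


def attacker_scenario() -> dict:
    """Attacker swaps the binary and every digest they can reach, but has no private key."""
    attacker_digest = sha256_hex(TAMPERED_INSTALLER)          # what they publish
    pinned = sha256_hex(GENUINE_INSTALLER)                    # fetched earlier, out of band
    vendor_sig = sign(GENUINE_INSTALLER)                      # shipped next to the binary
    m_tampered = int.from_bytes(hashlib.sha256(TAMPERED_INSTALLER).digest(), "big")
    forged_sig = pow(m_tampered, 3, N)                        # guessed exponent, no real d
    return {
        "same_channel_digest": verify_same_channel(TAMPERED_INSTALLER, attacker_digest),
        "pinned_digest": verify_pinned_digest(TAMPERED_INSTALLER, pinned),
        "vendor_signature": verify_signature(TAMPERED_INSTALLER, vendor_sig),
        "forged_signature": verify_signature(TAMPERED_INSTALLER, forged_sig),
        "genuine_signature": verify_signature(GENUINE_INSTALLER, vendor_sig),
    }


if __name__ == "__main__":
    for model, accepted in attacker_scenario().items():
        print(f"{model:20s} accepts tampered download: {accepted}")
```

Only the first model accepts the tampered installer; the pinned digest and both signature checks reject it, and the vendor signature still verifies the genuine file. The practical reading is the one hawguy gives: a digest is a transit-integrity check whose value depends entirely on where you got the digest, while a signature binds the file to a key whose distribution you verified separately.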

    10. Re:No secure download by hawguy · · Score: 1

      The Windows installer is cryptographically signed by Oracle. Don't know about the others.

      That sounds promising, though I don't see a signature in the rpm download, just sha1/md5 checksums.

    11. Re:No secure download by Anonymous Coward · · Score: 0

      Bullshit. The rulers of Oracle are Republicans so they require you to have JavaScript running in your browser in order to be allowed to remove these security problems. The Republicans hate us and want us dead. To work around this Republican-created problem, you can use this command line option with wget:

      wget --header "Cookie: oraclelicense=accept-securebackup-cookie;isuckrepublicandicks" http://download.oracle.com/otn-pub/java/jdk/8u25-b17/jre-8u25-linux-x64.rpm

      They hate us.

    12. Re:No secure download by Anonymous Coward · · Score: 0

      There is still no way of authenticating Java downloads?

      If it tries to sneak in the ask.com toolbar then you know it's authentic.

    13. Re:No secure download by Anonymous Coward · · Score: 0

      Technetwork is for developers. Sometimes Java versions are prereleased there before they are ready for the general public. Using those versions can cause problems. It certainly has been a headache for the Java project I've been lightly involved with. Today that isn't a problem. Both versions are the same revision.

    14. Re:No secure download by JazzXP · · Score: 2

      Close, Ask.com toolbar. Why Oracle need to do that is beyond me....

    15. Re:No secure download by kelemvor4 · · Score: 1

      Just so I know, you are kidding, right?

      Didn't you hear? TOR protects you from everything. It's even more effective than Trojan condoms at preventing STDs and unwanted pregnancy.

    16. Re:No secure download by Anonymous Coward · · Score: 0

      $$$$$$$$

    17. Re:No secure download by Anonymous Coward · · Score: 0

      Excuse me, but the correct term is 'rethuglican.' If you're going to defend the People's Republic from these capitalist scum, you must use the proper terms.

    18. Re:No secure download by Anonymous Coward · · Score: 0

      > There's one well-established method to validate downloads, and that is to use a cryptographic signature (with a well protected private key, the signature should be generated on a completely offline computer.

      You mean like the ones Red Hat *used* to use for public source RPMs, but stopped publishing and handed off instead to the Mickey Mouse security of git.centos.org? "Oh, yeah, we have an SSL key so we're secure, du-huh-du-du-huh! And you can tell our actual build tags because the log messages say 'import', so you know it's for real and for true from Red Hat, yuppers!"

      You may as well tape your car door shut with duct tape. That system is not only not secure, it cannot *be* secured. Red Hat should never have hired anyone from a team that let such a stupid idea show up, not when "git tags" were built into git precisely to support robust GPG signatures. But*no-o-o-o*, we're too clever to use tags, we'll invent our *own* shell script based hackaround because we're smarter than anyone else who's ever worked with source control! Our website is secure because we're *s-o-o-o smart!!!*.

      Anyone stupid enough to pull a stunt like that should not have their website considered secure, for *anything*. This is one of the strongest reasons that I've refused the CentOS 7 update, the source repository cannot possibly be considered secure.

    19. Re:No secure download by Anonymous Coward · · Score: 0

      McAfee is Flash Player. :(

    20. Re:No secure download by PhunkySchtuff · · Score: 2

      Whilst a non-HTTPS download can totally include drive-by malware, what's even worse is Oracle's insistence on bundling the Ask toolbar with the PC version of the JRE, with it selected by default in the installer.

    21. Re:No secure download by Anonymous Coward · · Score: 0

      Not to mention you can generate MD5 collisions on your home computer pretty quickly. MD5 is *not* good enough.

    22. Re:No secure download by monkeyzoo · · Score: 1

      For the JRE, you can get it directly via a valid SSL download here:
      https://www.java.com/en/downlo...

      For the JDK, I will try your method.
      Thanks for the tip about the checksum!

    23. Re:No secure download by PincushionMan · · Score: 1

      Other workarounds:
      Use ninite, and you will get the latest 32 bit and 64 bit JREs. Run the installer again and it updates again. No spyware pushed by updates. Also does more than Java.

      If you prefer, you can install the JRE the normal way, and then in the Java Control Panel (start / type 'java' / click on 'Configure Java', or click the java icon in the control panel), go to advanced, scroll to the bottom, and check the last checkbox Suppress sponsor offers when installing or updating Java. All fixed, and you can use the standard java update method. Wish I could make a .reg for this, and push it out with GP or as a login script.

    24. Re:No secure download by PincushionMan · · Score: 1

      Ah, I found it. It is in the registry:

      Windows Registry Editor Version 5.00

      [HKEY_CURRENT_USER\Software\AppDataLow\Software\JavaSoft\DeploymentProperties]
      "install.disable.sponsor.offers"="true"

    25. Re:No secure download by PincushionMan · · Score: 1

      This is infuriating. You can change the registry value above - doesn't work, and the program resets it for you. Digging around on the filesystem, I found this gem:
      C:\Users\USERNAME\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
      It has the same entries as in the registry. However, changing those also has no effect on the checkbox, either. In fact, when you reload that registry key and file, those settings will automatically change back to false. I'm baffled.

      The only way that seems to be available is the Config Java advanced checkbox. Nothing else appears to work. MS must cache something somewhere with the LocalLow directory or AppDataLow registry entries. This was attempted on Windows 7 & 8 64 bit.

    26. Re:No secure download by Anonymous Coward · · Score: 0

      North Korea is calling and wants you to head back home.

  2. In other news... by Anonymous Coward · · Score: 0

    In other news, dogs bark and water is wet.

    Film at 11.

  3. Have they fixed their installer? by Anonymous Coward · · Score: 0

    Or does it still fail to use UAC properly on Windows if your day-to-day login account is non-admin?

  4. But Java... by Anonymous Coward · · Score: 0

    Java doesn't have security holes like C or C++ .... or so I was told.

    Then again, I haven't seen too many security patches for gcc or libstdc++ or glibc

    1. Re:But Java... by Anonymous Coward · · Score: 1

      Those languages strongly encourage you to produce your own security holes.

    2. Re:But Java... by niftymitch · · Score: 1

      Those languages strongly encourage you to produce your own security holes.

      This is sage... No language can protect from a stupid programmer.

      Of interest, the security model and features in Java, as far as I can tell, have foundational problems. The sandbox is not as well built as it might be, and parts of the security model are unverified and ill understood.

      It is a notable language. It is not magically secure... The moderately recent enhancements to the VM to permit other languages to use the VM are interesting.

      Oracle has used Java for a long time and, before they picked off Sun, depended on a very old and outdated version of Java to run many Oracle tools in a browser. This left such a bad impression on me that I have been unwilling to look and see if it is still necessary to use Java 4.5 or whatever it was...

      In the intervening years I would hope that Oracle fixed this now that they own both parts. Not owning a dependency is like having a pebble in your shoe, painful and crippling. Being an optimist, I hope this was the reason for getting Sun... I hope they acted on it.

      --
      Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
    3. Re:But Java... by peppepz · · Score: 1

      Then again, I haven't seen too many security patches for gcc or libstdc++ or glibc

      Then have a closer look.

    4. Re:But Java... by petermgreen · · Score: 2

      Java protects against some of the common screwups that lead to security holes in C (and to a lesser extent C++) programs. It simply won't let you do things like read/write beyond the end/before the start of an array, perform an unprotected typecast between two object types or use memory that you have already freed. However there are many other classes of security hole it doesn't help with.

      Java sees lots of security patches for a couple of reasons

      1: Java provides sandboxing features intended to allow safe running of untrusted code. Unfortunately such sandboxes seem to be very difficult to get right (whether it's java applets, flash or javascript in browsers).
      2: Java provides a massive standard library. It's virtually an OS within an OS and that means lots of code to be potentially vulnerable (especially in light of point 1)

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    5. Re:But Java... by IamTheRealMike · · Score: 1

      Java doesn't have security holes like C or C++ .... or so I was told.

      Then again, I haven't seen too many security patches for gcc or libstdc++ or glibc

      You're comparing apples and oranges. The "remotely exploitable bugs" in this Java update, like all the others, are assuming you download and run malicious code in the sandbox. GCC and glibc don't have protecting you from malicious code as a goal, in fact Linux typically requires all software to be installed as root no matter what. Obviously if you never even try, you cannot fail.

      The interesting story here is not so much that sandboxes have holes (look at the Chrome release notes to see how many security holes are fixed in every update), but rather that the sandbox makers seem to be currently outrunning the sandbox breakers. In 2014 Java had security holes, but no zero days at all - all the exploits were found by whitehat auditors. Same thing for Chrome: people found bugs, but they were found by the good guys.

      I'm not sure if this means the industry is finally turning a corner on sandboxing of mobile code or not, but it's an interesting trend.

    6. Re:But Java... by PrimaryConsult · · Score: 1

      in fact Linux typically requires all software to be installed as root no matter what

      Technically yes, running "make install", using a package manager or installing an rpm/deb almost certainly requires root/sudo. However, there is nothing stopping you from keeping it all within your home directory (provided the /home filesystem has space and isn't set to noexec), many cases only requiring a wrapper script to modify LD_LIBRARY_PATH. A good example of a complex program which works this way would be apache directory studio, you just untar and launch the executable.

  5. Job security... by __aaclcg7560 · · Score: 1

    As a security remediation specialist, I'll look forward to seeing the Nessus scan spreadsheet that identifies the systems that have a Java vulnerability that wasn't automatically updated. Last time I only had 3,600 systems to fix over a six week period. Thanks, Oracle!

    1. Re:Job security... by Anonymous Coward · · Score: 0

      Yeah, I hate their default update policy:

      Typically, you will be notified of an update within a month of its release. However, if an update is considered critical, you will be notified within a week of its release.

      Notice that those are averages. It is possible to go almost two months and just over a week, respectively, before the update checker tells you it is available. Otherwise, you have to do the whole process manually.

    2. Re:Job security... by armanox · · Score: 1

      You'll have to wait for us to add that to the Nessus plugins! I'm looking forward to all the tickets coming in tomorrow (We need package xxx from Oracle for Nessus plugins...)!

      --
      I'm starting to think GNU is the problem with "GNU/Linux" these days.
  6. lol, Java by Anonymous Coward · · Score: 0

    Seriously, Java was supposed to be secure and cross-platform, yet in reality it is less secure and less portable than well written C or C++ code. Good job?!

    1. Re:lol, Java by MightyMartian · · Score: 2

      And what percentage of C/C++ code is well written?

      Or, to put it another way, is there any evidence that Java applications are LESS secure, on average, than C/C++ applications?

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    2. Re:lol, Java by StikyPad · · Score: 1

      I mean, when you qualify your comparisons by using ambiguous, ill-defined phrases like "well written," you can say anything. Novels are less interesting than a well written comic. Rules are less useful than a well written law.

      Java is generally going to require less effort to port unless you're using platform-specific libraries, and that's easy to avoid since so much is included in the JDK.

      As for the security of that code, everything may be within your control in C, but that doesn't come without some cost -- namely requiring deep knowledge of everything that's within your control to avoid creating your own security holes. And if you're using third party libraries (which is typical) then you're sacrificing some degree of control anyway. This is especially true if they're closed-source libraries, but even with open source, many people just trust that someone else has reviewed the code.

    3. Re:lol, Java by Tablizer · · Score: 1

      Java was supposed to be secure and cross-platform yet...

      I wonder what percent of typical security flaws are caused by language-specific features versus poor design decisions and human error (such as passing the wrong variable). I suspect most are the latter.

    4. Re:lol, Java by toonces33 · · Score: 1

      Java isn't at all immune to the 3rd party library issue and in fact the Java world seems to have it far worse when you start developing complex applications.

      What I find even more appalling is the fact that projects that use maven seem to want to hoover down half of the internet, and you have to trust that the bundles/jars it is pulling down are all of decent quality, and that the repository has not in fact been compromised.

    5. Re:lol, Java by Anonymous Coward · · Score: 0

      The buggy parts where most of the fixes go are on the parts of Java implemented in C++.
      It's faster to learn and easier to write well written Java than well written C or C++.
      You can easily write portable, threaded, Java GUI applications without requiring any dependencies/libraries except the JVM. The same can't be said for C and C++. None of the Java code needs to be platform dependent, unlike the C/C++ code, and Java IDEs detect far more potential issues.

      Good job? Yes.

    6. Re:lol, Java by epyT-R · · Score: 1

      A large percentage works just fine even with holes, and with greater performance and less overhead. The supposed claim to fame for java was that, while slower and resource intensive, it prevented programmers from writing exploitable code. Today, we know it's possible to make a shitpile with any tool, leaving java and other runtimes to sacrifice much of the potential for lean, high performance software for small gains in security (the latter with a growing list of caveats). I'm not a fan of such mediocrity but it has become the norm these days. It also doesn't help that java comes with a browser plugin that opens a complete runtime environment to drivebys. Microsoft abandoned activex for this reason.

    7. Re:lol, Java by peppepz · · Score: 1

      A large percentage works just fine even with holes, and with greater performance and less overhead.

      You need benchmarks to prove such blanket statements. In my experience, Java code usually isn't far from C++ performance and it's actually faster when we're talking about high level "glue" code. It vastly outperforms C in string handling, because C's standard string routines are awful not only to the programmer, but to the processor, too. And then again, for maximum performance there's FORTRAN.

      Today, we know it's possible to make a shitpile with any tool, leaving java and other runtimes to sacrifice much of the potential for lean, high performance software for small gains in security (the latter with a growing list of caveats).

      Do you know any example of stack smashing, buffer overflows, invalid pointer dereference, malloc failures, code overwriting done by a program written in pure Java? They're the stuff that hackers love. They happen automatically in C: any code you write causes them by default, and you need to be very clever, to have complete information about the machine state after every instruction (which is usually impossible), to have platform-specific tool support (relro, noexecstack, ASLR, ...) in order to avoid or prevent them. In Java, they just don't happen, barring bugs in the JVM, which are akin to bugs in the runtime library of any compiled language of your choice. If this isn't an improvement...

      It also doesn't help that java comes with a browser plugin that opens a complete runtime environment to drivebys. Microsoft abandoned activex for this reason.

      To be honest, the runtime environment for applets was supposed to be restricted (it's not the same runtime environment that Java applications see). It's the same mechanism that post-HTML5 Javascript has, except that at least we can disable (or better delete) the awful Java plugin, while we can't do the same for the browsers' Javascript support.

    8. Re:lol, Java by epyT-R · · Score: 1

      Obviously, the efficiency of the C lib functions will vary by hardware and by author competence, but there's no way virtualized code could run faster and with less CPU and RAM overhead than well written (or compiler generated) native code on given hardware.

      An interesting bench done with 7 year old software and hardware (perhaps things are better today?).
      http://zi.fi/shootout/

      While it's gotten a lot better since the 90s, ~35-50% slower is still significant (assuming you discount the 'compiled away' situations). The strings bench is near the bottom. Unfortunately, he did not measure memory footprint or calling overhead. This is too bad because this is another area where managed runtimes come up short.

      For example, the installer for freespace2 SCP is Java based, and it takes 50MB of RAM on startup, and grows from there as it downloads files from the network. I use tinywall on my windows box, and currently that's sitting at over 100 MB, for something that just inserts rules into the system firewall based on PID/name. That's nuts for such simple programs.

      Most managed programs call out to C libraries through shims when speed is needed because the vm carries too much overhead, even when the executable is targeted for specific hardware. For example, modern game engines do this a lot. The fact that virtualized logic can touch unmanaged space breaks the security model, making it pointless to expect any additional security from the virtualization.

      stack smashing, buffer overflows, invalid pointer dereference, malloc failures, code overwriting done by a program written in pure Java?

      Properly written C does not cause those. Buggy C certainly does, just like buggy VMs. The fact that Oracle has been patching Java exploits for years suggests its security isn't much better than a typical unmanaged C++ program, at least as far as the user's concerned.

      I mentioned the UI/system integration before. For me this is reason enough to avoid managed/interpreted runtime programs unless I have no choice. The shimming and overhead is prone to breakage and there're usually native alternatives that behave better.

  7. Solaris by Anonymous Coward · · Score: 1

    Looking forward to when I migrate the last Solaris 10 server over to Solaris 11 (or 12?) and get a real package manager.

    1. Re:Solaris by armanox · · Score: 2

      I think the pkg command was the single greatest change in Solaris 11.

      --
      I'm starting to think GNU is the problem with "GNU/Linux" these days.
    2. Re:Solaris by NatasRevol · · Score: 2

      Does it balance against all the horrible command changes? Like changing IP/hostname/DNS?

      --
      There are two types of people in the world: Those who crave closure
    3. Re:Solaris by StillAnonymous · · Score: 1

      ipadm is pretty good once you get used to it.

      I still don't care for the move of nearly everything in /etc into the SMF though. That's just annoying to modify, and I don't see any added benefit to it.

    4. Re:Solaris by NatasRevol · · Score: 1

      ipadm doesn't do DNS.

      SMF does, and it's obnoxiously bad for just setting DNS.
      http://docs.oracle.com/cd/E238...

      --
      There are two types of people in the world: Those who crave closure
  8. Hackers must be salivating... by bogaboga · · Score: 1

    This [massive] update will surely provide fertile playground for those hacker boys.

    I can almost guarantee that we will be asking ourselves whether Oracle did anything useful with this update within a year.

  9. Which "those" are "these"? by jtara · · Score: 4, Funny

    "Twenty-eight of these may be remotely exploitable without authentication and can possibly be exploited over a network without the need for a username and password."

    Which?

    The original bugs, or the new security fixes?

    1. Re:Which "those" are "these"? by stoborrobots · · Score: 1

      Also, for a tech site, this lack of comprehension is offensive:

      may be remotely exploitable without authentication and can possibly be exploited over a network without the need for a username and password

      The two halves of this sentence say exactly the same thing, but present it as two statements.

    2. Re:Which "those" are "these"? by Anonymous Coward · · Score: 0

      Also, for a tech site, this lack of comprehension is offensive:

      may be remotely exploitable without authentication and can possibly be exploited over a network without the need for a username and password

      The two halves of this sentence say exactly the same thing, but present it as two statements.

      being slashdot, I'm not surprised to see someone like yourself who complains about reading comprehension while missing the point themselves.

      he is asking if the exploits are on the old java code, or if these patches are adding 28 new remotely exploitable holes.

      in other words, it's a funny joke because of course you wouldn't want to add more holes, right?

      let me know if I can explain other paragraphs to you, ok?

    3. Re:Which "those" are "these"? by Anonymous Coward · · Score: 0

      let me know if I can explain other paragraphs to you, ok?

      Only once you've learned what the word "also" means.

    4. Re:Which "those" are "these"? by Anonymous Coward · · Score: 0

      Actually, they don't say the same thing. Many remote vulnerabilities can be for back-end processes that first require you to have an authenticated user session; some are remote vulnerabilities that can be exploited without having to be authenticated first, hence the "no username and password required".

    5. Re:Which "those" are "these"? by Anonymous Coward · · Score: 0

      I will split the sentence into two parts, to make it easier to see:

      remotely exploitable without authentication

      and

      exploited over a network without the need for a username and password

      The parts "remotely exploitable" and "exploited over a network" are the same thing.

      The parts "without authentication" and "without the need for a username and password" are also the same thing.

      Do you see now?
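
      The disagreement in this subthread is about what "remotely exploitable" and "without authentication" each add. They are separate metrics: at the time of this thread Oracle's Critical Patch Update risk matrices scored each CVE with CVSS 2.0, where Access Vector (AV) says whether the bug is reachable over the network and Authentication (Au) says whether an attacker needs an account first, and the two vary independently. The script below is an added example, not code from Oracle's advisory or from any poster: it parses CVSS 2.0 base vectors, computes the base score from the published v2 formula, and flags the AV:N plus Au:N combination that Oracle's wording describes. The vector strings are constructed for illustration and do not describe any particular CVE in this update.

```python
"""Reading 'remotely exploitable without authentication' off a CVSS 2.0 vector.

Added example, not from Oracle's advisory or any poster.  Sample vectors
are constructed and correspond to no specific CVE.
"""
import math

# CVSS 2.0 base-metric weights (CVSS v2 guide, base equation).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # Access Vector: Local/Adjacent/Network
AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # Access Complexity: High/Medium/Low
AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # Authentication: Multiple/Single/None
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}     # C/I/A impact: None/Partial/Complete
EXPECTED = {"AV": AV, "AC": AC, "Au": AU, "C": CIA, "I": CIA, "A": CIA}


def parse_vector(vector: str) -> dict:
    """'AV:N/AC:L/Au:N/C:P/I:P/A:P' -> {'AV': 'N', ...}; rejects unknown metrics or values."""
    metrics = {}
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        metrics[name] = value
    if set(metrics) != set(EXPECTED):
        raise ValueError(f"base vector needs exactly {sorted(EXPECTED)}: {vector!r}")
    for name, table in EXPECTED.items():
        if metrics[name] not in table:
            raise ValueError(f"bad value {metrics[name]!r} for {name} in {vector!r}")
    return metrics


def base_score(vector: str) -> float:
    """CVSS 2.0 base score, rounded to one decimal as the spec does."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return math.floor(raw * 10 + 0.5) / 10   # round half up, avoiding banker's rounding


def remote_unauthenticated(vector: str) -> bool:
    """Oracle's phrase maps to Access Vector = Network AND Authentication = None."""
    m = parse_vector(vector)
    return m["AV"] == "N" and m["Au"] == "N"


def triage(vectors) -> list:
    """(vector, score, remote_unauth) rows, network-reachable no-login items first, then by score."""
    rows = [(v, base_score(v), remote_unauthenticated(v)) for v in vectors]
    return sorted(rows, key=lambda r: (not r[2], -r[1]))


# Constructed sample vectors; none corresponds to a specific CVE.
SAMPLE_VECTORS = [
    "AV:N/AC:L/Au:N/C:C/I:C/A:C",   # network, no login: the headline case
    "AV:N/AC:L/Au:S/C:P/I:P/A:P",   # network, but a valid account is needed first
    "AV:N/AC:L/Au:N/C:N/I:P/A:N",   # network, no login, integrity-only impact
    "AV:L/AC:L/Au:N/C:C/I:C/A:C",   # local only, no login
]

if __name__ == "__main__":
    for vector, score, remote in triage(SAMPLE_VECTORS):
        flag = "remote, no auth" if remote else "-"
        print(f"{score:4.1f}  {flag:16s} {vector}")
```

Run as-is, the two AV:N/Au:N vectors come out first regardless of score, which is the point of the subthread: "remote" and "unauthenticated" are two switches, and a 6.5 that needs an account is a different operational problem from a 5.0 that needs nothing but network reach.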

  10. Here I thought Adobe Flash was bad! by Anonymous Coward · · Score: 0

    Gee, and I thought Adobe Flash was bad. But I guess Adobe does win on frequency of security updates. Have not used Java for some time now, but know a lot of people who still need it. My Wife for one, plays Java built games online. Always wondered why Silverlight was never plagued with problems like Flash and Java?

  11. Java 8 broke my system by TomR+teh+Pirate · · Score: 1

    Even trying to go back to version 7u71 doesn't work now. Never had java problems until this update. YMMV.

  12. Impressive by WaffleMonster · · Score: 2

    How many unauthenticated remote exploits in a HTTP stack does it take to lose a customer?

    Never understood how Oracle is allowed to continue to operate like this. The only thing worse than a multi-billion dollar software company failing to exercise any discipline over their systems' unauthenticated attack surface is the length of time they must have sat on all of these exploits just so they could package them up and release them all at once.

    1. Re:Impressive by Anonymous Coward · · Score: 0

      Never understood how Oracle is allowed to continue to operate like this.

      Massive vendor lock-in for customers and mindshare buy-in for tech employees.

    2. Re:Impressive by IamTheRealMike · · Score: 1

      How many unauthenticated remote exploits in a HTTP stack does it take to lose a customer?

      Not many, I should imagine, but your comment is irrelevant because there were no such bugs fixed in this Java update. The way Oracle describes these bugs is horribly confusing. Normally we expect "remotely exploitable without authentication" to mean you can send a packet across the network and pwn the box. If you actually check the CVEs you will see that there's only one bug like that, and it's an SSL downgrade attack - doesn't give you access to the box. All the others are sandbox escapes. If you aren't trying to sandbox malicious code then they don't affect you.

  13. I don't know about the rest of you... by tlambert · · Score: 2

    I don't know about the rest of you... but I, for one, am very happy that Oracle's products are now Massively Secure.

  14. Why users need Java today - scary! by jtara · · Score: 1

    Well, let's see, I'm a developer, I hate Java programming, I don't write Java, but I need to have it installed. Why?

    - Android developers need Java, even if they don't write Java. Writing a hybrid app using, say, PhoneGap/Cordova, Rhodes, Titanium, etc? You need Java.

    - Backup with CrashPlan? You need Java. CrashPlan is not alone here. Many similar programs need Java.

    - Many other disk/file type utilities use Java. Pretty much any of those nifty applications that show you what's using all your disk space using graphics.

    - I have a home automation controller (isy99i). It has a web UI, but that still needs Java. (You can use it in a browser or on desktop, but either way the UI uses Java.)

    - Again for developers, way too many build processes that aren't Java-based seem to throw in one little part of the build process that uses Java. (That is, say, they use rake, Grunt, etc. I guess they had one developer who was indispensable and just couldn't go along with the program.)

    - Developer using Eclipse IDE? Or many other development environments that use a bundled Eclipse? You need Java. (I try to avoid these if at all possible, but sometimes it is unavoidable.)

    Do you see the scary thing here? Java is used by a lot of software developers, even if they don't program in Java. It's also used for a lot of backup and file utilities. Perfect vectors for mischief.

  15. But I still get prompted to install the Ask Bar! by djnanite · · Score: 2

    Oracle releases a Java SE update to plug security vulnerabilities, but the installer still prompts me to install the 'Ask Search App' by default.

    Does anyone see a conflict of interest here?

  16. Toolbar-free download location by Anonymous Coward · · Score: 0

    Since it seems to be something of a secret to most people, I remind folks that if you want clean Java updates that are free of Ask-toolbar bundles, get them from the developers' page here (end users would probably just want the JRE download):

    http://www.oracle.com/technetwork/java/javase/downloads/index.html

    I've known of this link for years and only ever download Java updates from it, to the point where I was totally confused for a long time with people complaining about bundled toolbars that I never ever saw.

    1. Re:Toolbar-free download location by nosfucious · · Score: 1

      Still wondering if they will be able to publicly release their Java MSI package.

      I know they have one, because I see it on the downloads and support page for JDE E1. However, I don't have access to the inner workings of our corporate licence to work out if we are eligible to deploy it.

      It would be possible just to download the MSI and deploy it. But Oracle do keep auditing us. So, better safe than sorry. (For various values of the word 'safe').

      --
      Q: I was listening to a CD in Grip and it sounded horrible! What's up? A: Perhaps you are listening to country music

  17. same old story for them by bloodhawk · · Score: 1

    Oracle seem to be the one organization that doesn't appear to be getting better with security; if anything they have deteriorated over the last few years. I wonder what it will take for them to take security seriously.

  18. So much for progress by thogard · · Score: 1

    We buy the Solaris 9 patch support. The changes for this cycle are 1) TimeZone files updated, 2) fix to zip and 3) Java fixes.

    The last kernel patch which required a reboot was 122300-68 from June 2013.

    My Solaris 11.2 box gets rebooted way too often to replace other production servers, and it's better than Sol 10.

    Someone at Oracle should learn the difference between an operating system and an operating environment and make sure the OS is rock solid.

    1. Re:So much for progress by Anonymous Coward · · Score: 0

      Well, it's up to you if the patch is critical enough that you should reboot now or wait for the next one.

    2. Re:So much for progress by thogard · · Score: 1

      Yet if the OS isn't broken so bad it needs patches every few weeks, then I don't need to make that decision.

      IT is to support my business. It isn't my business. Downtime due to idiot coders who didn't test new features that I don't need isn't good for my business.

  19. obvious answer is obvious by Anonymous Coward · · Score: 0

    > The original bugs, or the new security fixes?

    Yes.

  20. What's the big news? by Spacelord · · Score: 1

    Seriously, what's the big news here?

    They have been pushing out bundled security patches every quarter for years with their Critical Patch Update program. This is just another CPU.

  21. Purged Oracle* from here years ago. by Anonymous Coward · · Score: 0

    Purged Oracle* from here years ago, so this doesn't matter.
    We don't allow Java on servers or desktops.
    If I could, I'd purge it from Android too. ;)

    The only thing worse than Java is PHP.

  22. Tried to make me install Ask by Anonymous Coward · · Score: 0

    When updating, the installer stated that by pressing "Next", I agree to some dubious ToS and allow the Ask add-on to be installed. Even when I cleared the checkboxes allowing it to make Ask my default search engine and homepage, the update installer would not continue unless I accepted.