Oracle Fixes Java Vulnerability Used By Russian Cyberspies (itworld.com)
itwbennett writes: Oracle said that it has fixed 154 security flaws in Java and a wide range of its other products, including one that Russian cyberespionage group Pawn Storm used to launch stealthy attacks earlier this year. The vulnerability, tracked as CVE-2015-4902, was being used by the Pawn Storm attackers to enable the execution of a malicious Java application without user interaction.
I wonder how many of these security flaw bugs would happen if we made companies actually legally responsible for the flaws in them?
Be seeing you...
I'm really excited because I don't need Flash installed on my PCs anymore. The next one is Java. That one is going to be a while. Stupid IPMI.
Unless you have to run some business app, nobody should have Java installed. Seriously, there is no need for bytecode language bullshit. Flash is almost gone, please, put a bullet in Java.
Anons need not reply. Questions end with a question mark.
... for those on Java 5/6 to get these updates.
So wonderful our Cisco routers, SAP, and Kronos require 200+ exploitable holes to be on all corporate computers, where I get blamed and writeups for cryptolocker infections.
Needless to say, our accounting department does not want to pay to upgrade, as they work fine.
http://saveie6.com/
Every software company would go out of business. How many non-embedded, non-life-critical developers here check every mathematical operation for underflows or overflows? How many computer systems are hardened against a random bit flip? And how would the world react to the sudden and massive increase in unemployment as all employees of those companies lose their jobs?
It'll never happen. Consumers don't care about buggy software and non-buggy software is too difficult to code. Perfect code can fail on bad hardware too.
It'll never happen. Consumers don't care about buggy software and non-buggy software is too difficult to code. Perfect code can fail on bad hardware too.
It doesn't have to be perfect. The sad reality is our software could be drastically more secure without coming anywhere close to perfection.
If a programmer is even thinking a little about security, or is even informed what typical security problems are, then they start writing better code. But most programmers don't think about security at all.
"First they came for the slanderers and i said nothing."
On top of that, WHO would be responsible, considering the deep integration of technology today? Can you even name the number of libraries in use in an application like Chrome? Check chrome://credits/ at some point! Now, is the security flaw in the library? Or the application implementing the library? Or in some interaction between two particular libraries? Or only possible on certain hardware not present in the development studio? Many exploits in the wild today require a very sophisticated arrangement of variables to become exploitable.
Large companies would simply sic their lawyers on it, and small companies or even individuals maintaining open source projects would seriously take the fall for any and all security exploits, effectively crippling and eventually killing the entire computer industry. New entities in the market would be killed off while still small and would never gain the chance to mature into larger projects or companies.
Is that thing still around?
If you made people legally liable for damages as a result of software bugs, no one would ever write software again. Bugs are inevitable, including security holes, and anyone writing code would go under in very short order.
On the other hand, I'm in favor of holding companies responsible for data breaches. It's far more practical, and is a better target for protecting privacy and other assets. Your code doesn't have to be perfect to prevent it, your security practices just have to be good. And as an added bonus, companies would have an incentive to not store sensitive data that they don't need, since it's a legal liability if it ever gets out.
I wonder how many of these security flaw bugs would happen if we made companies actually legally responsible for the flaws in them?
A lot fewer. Oracle fixed 154 security issues here, which means they are going through their code looking for them.
They should have done that a long time ago.
"First they came for the slanderers and i said nothing."
Multiple in the sense you use a plural 's' when saying things like "zero dogs".
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
How many non-embedded, non-life-critical developers here check every mathematical operation for underflows or overflows?
You don't need to check every operation for over/underflow. You do need to properly purge any data input that comes from the user (or other untrusted source), including sizes and numbers.
"First they came for the slanderers and i said nothing."
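As an added illustration of the point made in that reply (example code written for this page, not from any commenter or from Oracle's Java code): a constructed length-prefixed record whose count and element size come from an untrusted source. The header is validated once, at the trust boundary, in 64-bit arithmetic with a policy cap, instead of guarding every later operation. The record layout, the MAX_PAYLOAD cap, the status codes and the function names are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed wire format for this example: 4-byte big-endian element count,
 * 4-byte big-endian element size, then count * size bytes of payload. */
enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_LARGE = 2 };

#define MAX_PAYLOAD (1u << 20)   /* assumed policy cap: never allocate more than 1 MiB for one record */

static uint32_t read_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The pattern the comment warns about: using count and elem_size as-is.
 * The 32-bit product wraps, so 0x10000 * 0x10000 == 0, a zero-byte
 * allocation "succeeds", and any copy based on count runs past it. */
size_t naive_payload_len(uint32_t count, uint32_t elem_size) {
    return (size_t)(count * elem_size);   /* uint32_t arithmetic wraps silently */
}

/* Validate the untrusted header once. On PARSE_OK, *payload_len holds a
 * size that is already known to be within both the cap and the buffer. */
int validate_header(const unsigned char *buf, size_t buf_len, size_t *payload_len) {
    if (buf_len < 8)
        return PARSE_TRUNCATED;
    uint32_t count = read_be32(buf);
    uint32_t elem_size = read_be32(buf + 4);
    /* Two 32-bit factors cannot overflow a 64-bit product, so the cap check
     * is exact and also rejects every value that would have wrapped. */
    uint64_t total = (uint64_t)count * (uint64_t)elem_size;
    if (total > MAX_PAYLOAD)
        return PARSE_TOO_LARGE;
    if (total > buf_len - 8)            /* header promises more bytes than arrived */
        return PARSE_TRUNCATED;
    *payload_len = (size_t)total;
    return PARSE_OK;
}

/* Convenience wrapper: payload length on success, negative status on rejection. */
long checked_payload_len(const unsigned char *buf, size_t buf_len) {
    size_t n = 0;
    int st = validate_header(buf, buf_len, &n);
    return st == PARSE_OK ? (long)n : -(long)st;
}

/* Copy the payload only after validation; the caller frees the result. */
unsigned char *copy_payload(const unsigned char *buf, size_t buf_len, size_t *out_len) {
    size_t n = 0;
    if (validate_header(buf, buf_len, &n) != PARSE_OK)
        return NULL;
    unsigned char *out = malloc(n ? n : 1);
    if (!out)
        return NULL;
    memcpy(out, buf + 8, n);            /* n is bounded by buf_len - 8, so this cannot overrun */
    *out_len = n;
    return out;
}

/* Constructed sample records (not captured from any real protocol). */
static const unsigned char good_record[] = {
    0, 0, 0, 3,  0, 0, 0, 4,                         /* 3 elements of 4 bytes */
    'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l' };
static const unsigned char short_record[] = {
    0, 0, 0, 3,  0, 0, 0, 4,  'a', 'b', 'c', 'd', 'e' };  /* promises 12 bytes, 5 present */
static const unsigned char wrap_record[] = {
    0, 1, 0, 0,  0, 1, 0, 0,  'x', 'x', 'x', 'x' };       /* 0x10000 * 0x10000 wraps to 0 */

int main(void) {
    printf("naive length for wrap_record header: %zu\n", naive_payload_len(0x10000u, 0x10000u));
    printf("good:  %ld\n", checked_payload_len(good_record, sizeof good_record));
    printf("short: %ld\n", checked_payload_len(short_record, sizeof short_record));
    printf("wrap:  %ld\n", checked_payload_len(wrap_record, sizeof wrap_record));
    return 0;
}
```

The naive function reports zero bytes for the wrapping header, while the validated path rejects the same header before any allocation or copy happens.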
They would be, if the fine print didn't force you to agree that they aren't.
How many non-embedded, non-life-critical developers here check every mathematical operation for underflows or overflows?
You don't need to check every operation for over/underflow. You do need to properly purge any data input that comes from the user (or other untrusted source), including sizes and numbers.
There's simply no time for this. No one wants old, dependable software. They demand new and buggy, and they want it now, now, now! Don't make me PoetteringWin this thread!
All OSS software would go belly up. Good job!
Bye!
There's definitely time to purge your inputs. We're not talking about something that's going to take weeks here, or even days in most cases. We're talking about something that takes seconds or minutes.
"First they came for the slanderers and i said nothing."
I dunno, ask Bobby Tables mom...
Chaos maximizes locally around me.
I wonder how many of these security flaw bugs would happen if we made companies actually legally responsible for the flaws in them?
All software has bugs. Companies should be made legally responsible for knowing of the existence of a bug and not disclosing / fixing it, for whatever reasons.
... get rid of that !@#$%^&* Ask Toolbar bug...
When is a bright hacker going to find a major bug in that thing, so that it finally gets removed from the installation?
It only caused a new bug that changes your search settings to Yahoo Search by default.
Wonder whose bonus at Oracle depends on adding all this crap to the installer.
None, because nobody would sell software.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
It's not without precedent; software in safety-critical machinery deals with the responsibility issue when someone gets hurt.
If libraries are used then it is up to the person that uses them to ensure that the library is safe to use.
The responsibility can be shifted to the library developer by them providing a document claiming that it is safe to use, otherwise it is up to the developer of the safe machinery to ensure that the functions used are safe.
Typically you don't just use a library, you use a library of a specific version with a compiler of a specific version. You also set up a test procedure for each critical software module as well as the complete software.
If you really are interested you can read ISO 13849.
When you need to make sure that software works and you can get sued into oblivion when it doesn't, you don't pull in random libraries that aren't well tested. NIH means that you either have to spend more time learning how the code works than it would take to write it yourself, or that you have a big black box that can come and bite you in the ass.
Yet there is software in applications where the developers are legally liable for damages.
People don't even realize that there is software in those applications because it just works, and failures typically only happen when mechanical parts are worn out.
I've seen people here claim that EEs can't code for shit. That is a pretty strange claim, since they are the ones that have to write software that stands up to safety certification and have to prove that the software is incapable of causing danger, even in the cases when bugs occur because of memory errors or whatnot.
I have noticed a disturbing trend in F/LOSS in which entire libraries are installed because another library requires a single function from the second library. Why not copy the needed function into the first library with appropriate attribution?
It is worse than that. I work for a 'security' startup that has many fortune 500s as customers. Developers ignore security reports and will mark most of the issues as false positive because they don't want to do defensive programming. They even will use years old outdated libraries, known to have security holes, to develop new features because they would have to learn the new APIs of the new versions and that would hinder their perceived development speed.
I wonder how many of these security flaw bugs would happen if we made companies actually legally responsible for the flaws in them?
That would be the death of open-source software.
Good morning, Sir.
Thank God nuclear plants don't run under Java. Or do they?
Best regards,
Human resource's Nuclear Machine Guy 3000.
All that corporate resource and yet they won't release a Java MSI installer without you paying for a support contract. Of course, support contracts for anything touching Oracle involve sums of money usually reserved for oil-rich Middle Eastern nations.
I know one can extract the hidden MSI inside the EXE file. However, frequency of updates and the non-trivial upgrade procedure in controlled/locked-down corporate environments means a lot of businesses are more exposed than they should be.
Die Java, Die. (And I'm not saying "The Java, The" in German).
Q:I was listening to a CD in Grip and it sounded horrible! What's up? A:Perhaps you are listening to country music
Every software company would go out of business.
There's a difference between "We found a bug in our software and are notifying our customers with an update" and Oracle's "Here's this month's bucketload of bugs, updating last month's bucketload of bugs, and the month before that, and the month before that, and the month before that, and the month... . Next month's bucketload of bugs will be delivered on schedule, and further bugs will be delivered every subsequent month until the Sun burns out".
As everyone should have realised by now, JVM actually stands for "Java Vulnerability Machine". Everyone makes a few programming errors, but products like Java seem to consist mostly of programming errors, held together with rubber bands and duct tape. There needs to be some point at which companies are held liable for shipping truly bad products.
Thank the lord, now there's only 200k more bugs to go, and 99% of them don't need more than 3 operations to be fixed, so in fact there's only old Windows machines running as the remaining security flaws found in the big data age. And please, a Russian is just a hot woman inviting you to have a drink on cold days... The problem is the trolls around the world taking money to have lunch at school.
Copy/paste of source code is a really ignorant thing to do. The point of libraries is so we end up with fewer bugs -- common algorithms are implemented once, by someone who knows wtf they are doing. If there is a bug, it gets fixed in the one common library and you are done.
That's because we don't really hire software "engineers". We hire "hackers" in the literal sense of the term - people who hack and slash with crude brute force to just "Git 'R Dun!" as fast and as cheap as we can. It's like furnishing a house and all your furniture was made by the side of the road by a guy with a chain saw. No sanding, no gloss, no detail work, no mortise-and-tenon or complex joinery, just 10-penny nails and lots of splinters.
Or maybe a better analogy is particle board. Stamp on a pretty faux-woodgrain facade and ship it. Just hope it doesn't get wet.
We don't value polished quality work. As long as it's pretty and it's cheap, that's "good enough".
Can you even name the number of libraries in use in an application like Chrome?
Can you even name the number of (different) components in use in the Empire State Building?
Quantity is no excuse.
There's definitely time to purge your inputs. We're not talking about something that's going to take weeks here, or even days in most cases. We're talking about something that takes seconds or minutes.
Yah. All You Have To Do Is...
If you made people legally liable for damages as a result of software bugs, no one would ever write software again. Bugs are inevitable, including security holes, and anyone writing code would go under in very short order.
By that logic, there should be no automobile, construction, or medical device industries.
Nothing is perfect and there's always something you can be held legally liable for. On the other hand, if you are making an honest effort and observe best practices, you can still produce something of sufficient quality that you can stand behind and still stay in business.
But that's not what users demand. They demand cheap products and expect them to fail. Because, in the end, they're getting what they pay for.
Probably none of them - however, we would see every software product instantly bereft of its internet stack, no connectivity to anything except the system it was run on.
I agree we need to do more to protect systems, but we should do this with education and standardised connectivity libraries and similar systems rather than draconian penalties.
FTFY
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Java came out in 1991 and it's still being patched for security? Very lame indeed.
Have fun having most open source software disappear since no one will be able to afford the equivalent of malpractice insurance. The only thing you'll be left with is megacorps writing software that will be able to afford to shield themselves.
Joe Biden is a square shooter. Joe Biden 2016
Not every company. Companies like Oracle/Microsoft/Apple/IBM would be able to afford it. But it would destroy basically almost all non-commercial open source software and most if not all small/medium software companies.
Basically the GPs idea would leave us ONLY with companies like Oracle being able to afford to write software.
By that logic, there should be no automobile, construction, or medical device industries.
At least in the automobile and medical device industries, most of the players are huge megacorps who can afford the liability insurance and lawyers when it comes to lawsuits. Do you really want a software world where only the likes of companies like Oracle can play because they're the only ones who can afford the liability costs?
If a programmer is even thinking a little about security, or is even informed what typical security problems are, then they start writing better code. But most programmers don't think about security at all.
And then the programmer wakes up into the reality of the fact that their manager demands that the product be done yesterday and far under budget leaving them next to no time to worry about such issues.
Developers ignore security reports and will mark most of the issues as false positive because they don't want to do defensive programming. They even will use years old outdated libraries, known to have security holes, to develop new features because they would have to learn the new APIs of the new versions and that would hinder their perceived development speed.
You act as if the developer has a choice in 99.9% of the cases. You must live in a wonderful alternate universe from the one where most programmers work.
I fixed the Java vulnerabilities by simply uninstalling it.
News to all Slashdot people: Just disable Java plugins in your browser. Really, that's all you have to do to save yourself from any Java vulnerabilities. Java ON THE SERVERS of the websites you hit all day long will continue to work tirelessly and without issue. Java integration with the browser has always been a clusterf***; this has not been news to anyone for the past dozen years. Otherwise, it's perfectly fine, excellent, even.
You are far more likely to get hacked by a vulnerability in your browser connecting to a Java-powered website than by anything on the server side that runs Java. Open source's record hasn't been all peaches in this regard. (OpenSSL, Firefox, etc.--nothing is perfect.)
And most of that software costs orders of magnitude more and does, ultimately, dramatically less (does one thing and one thing well but nothing more). In some situations there are also hardware-based redundancies and interlocks in place (and there _have_ been issues when those get replaced by software interlocks that have caused serious injury). I don't think that most people have the money to pay 100k for their copy of windows...
Most of the time they do, because they set the requirements and estimates. But they always underestimate and over-promise. It is a collective cultural mentality. Occasionally you meet a developer that knows what the hell they are doing, and they get shouted down and ignored by the rest, so they retreat to operations where they can block shitty behaviors in other ways.
I can want a pony also; I still have never gotten one delivered (though my boss tried once).
They have a responsibility to set honest expectations for their superiors, and if your superiors refuse to acknowledge the consensus of their underlings then the underlings should, as a group, appeal to the next level up regarding the incompetence of the yahoo that expects the fucking pony.
We hire "hackers" in the literal sense of the term - people who hack and slash with crude brute force to just "Git 'R Dun!" as fast and as cheap as we can
These are the people Edsger Dijkstra was talking about when he said, "It is practically impossible to teach good programming to students that have had a prior exposure to BASIC: as potential programmers they are mentally mutilated beyond hope of regeneration." Because BASIC is a hack-and-slash language. It takes a while to get out of that mindset.
"First they came for the slanderers and i said nothing."
You act as if the developer has a choice in 99.9% of the cases.
If you think you don't have a choice, you need to read this book. It will teach you how to act professional and do the right thing, while keeping your job. There is no excuse for not using defensive programming... those programmers should be fired.
"First they came for the slanderers and i said nothing."
Most of the time they do because they set the requirements and estimates.
Hahahahahaha. +5 funny. Yeah, you do live in a fantasy world.
There is no excuse for not using defensive programming...
"It's not a business goal that will drive sales."
- Manager
They have a responsibility to set honest expectations for their superiors, and if your superiors refuse to acknowledge the consensus of their underlings then the underlings should, as a group, appeal to the next level up regarding the incompetence of the yahoo that expects the fucking pony.
And then you get fired for being a troublemaker. Thanks for your delusional postings. I'll be sure to pass them around to the rest of my team for a good laugh.
And then the programmer wakes up into the reality of the fact that their manager demands that the product be done yesterday and far under budget leaving them next to no time to worry about such issues.
Next time you are standing in line at the checkout, start yelling and screaming, demanding that you be checked-out immediately, and you be given a 30% discount on everything.
The reason your manager does that to you is because you are a pushover. Read this book and it will tell you how to do better.
"First they came for the slanderers and i said nothing."
There is no excuse for not using defensive programming...
"It's not a business goal that will drive sales."
- Manager
You're stubborn holding on to your negative misconceptions of the world, but this book will teach you how to do defensive programming within your schedule.
"First they came for the slanderers and i said nothing."
I messed up on the link in that previous comment sorry, this book will help you do defensive programming within your schedule (and once you get the hang of it, probably faster than schedule because you'll have fewer bugs).
"First they came for the slanderers and i said nothing."
We hire "hackers" in the literal sense of the term - people who hack and slash with crude brute force to just "Git 'R Dun!" as fast and as cheap as we can
These are the people Edsger Dijkstra was talking about when he said, "It is practically impossible to teach good programming to students that have had a prior exposure to BASIC: as potential programmers they are mentally mutilated beyond hope of regeneration." Because BASIC is a hack-and-slash language. It takes a while to get out of that mindset.
You know that Dijkstra wrote that as part of a joke paper where he trashed every single one of the major programming languages available at the time, right? Yet you repeat it as if it were some kind of gospel.
Oh, who am I kidding? None of the losers here, including you, have ever read one of Dijkstra's works, nor would any understand them if they did.
I wonder how many of these security flaw bugs would happen if we made companies actually legally responsible for the flaws in them?
Fine by me. It would kill off open source for good.
Yah. All You Have To Do Is...
If you even start thinking about it, your code will be improved automatically, without even taking extra time. Too many programmers don't even give a first thought to security. Hack and slash and get it done.
"First they came for the slanderers and i said nothing."
You know that Dijkstra wrote that as part of a joke paper where he trashed every single one of the major programming languages available at the time, right?
It wasn't a joke paper. It was a serious paper that had jokes in it. Apparently you didn't realize that.
"First they came for the slanderers and i said nothing."
I fixed the Java vulnerabilities by simply uninstalling it.
So what did you do about Windows?
I wonder how many of these security flaw bugs would happen if we made companies actually legally responsible for the flaws in them?
This only makes sense when 1) said software platforms are explicitly marketed for critical software development, and 2) client companies are, in good faith, using such platforms to build real critical systems.
Java is specifically marketed with a very clear disclaimer to not be used for critical systems. Same with, oh, I dunno, 99.99999 (and a whole bunch of other 9's)% of the rest of software built on this planet.
You would have to have a set of parameters by which bugs would be considered critical, in a manner agreed upon by a governing body that represents the majority of the software industry.
Software is not just a technical problem (certainly not one based off puritanical views of what software must do.) It is also an economic problem. Large bodies of software are far more complex than construction. And in construction, you can have flaws that would not cause a litigation against a construction company.
It is the reality of operating in an imperfect world with competing forces and limited resources.
In other words, shit happens. We fix it. We move on.
You need to prove a software bug is not just critical, but that is also bound by a kickass SLA that is agreed by seller and consumer (and which can be afforded by both, otherwise, shit never gets done, even if it is imperfect.)
We hire "hackers" in the literal sense of the term - people who hack and slash with crude brute force to just "Git 'R Dun!" as fast and as cheap as we can
These are the people Edsger Dijkstra was talking about when he said, "It is practically impossible to teach good programming to students that have had a prior exposure to BASIC: as potential programmers they are mentally mutilated beyond hope of regeneration." Because BASIC is a hack-and-slash language. It takes a while to get out of that mindset.
I admire Dijkstra's wise words (in particular about this thought of software being usefully constructed.) With that said, that was a moronic thing to say (like, "never use goto".)
God knows WTF Dijkstra meant to say with that saying, but the l33t hax0r echo chamber has been repeating that saying for years without even thinking what it means to the merits of said language or the malleability and adaptability of the human brain.
Do not treat long-ago spouted tongue-in-cheek remarks as axioms.
God knows WTF Dijkstra meant to say with that saying, but the l33t hax0r echo chamber has been repeating that saying for years without even thinking what it means to the merits of said language or the malleability and adaptability of the human brain.
I've spent a long time reading through Dijkstra's works, trying to understand what he meant. I'm fairly confident my explanation is accurate.
"First they came for the slanderers and i said nothing."
Some of the reviews in the description:
"This is the best book I have ever read." - Anonymous reviewer
"Four score and seven years ago this book helped me debug my server code." -Abraham Lincoln
"Would my Javascript have memory leaks without this book? Would fishes fly without water?" -Socrates
"This book is the greatest victory since the Spanish Armada, and the best about programming." -Queen Elizabeth
Yea really helpful.
Go eat a bag of dicks, you "conservative" piece of trash.
Sounds like you are a pushover if you think one book will solve all of the security problems in our code.
Did your girlfriend write this book or something?
The automobile companies weren't always mega-corporations. They typically started out the size of Tesla. GM is the conglomeration of the Chevrolet, Buick, Pontiac, Cadillac companies plus probably a few names that used to be well-known before being bought out long ago.
I think if you took inventory of a typical hospital you'd still find lots of specialty devices and products that aren't from GE, et al. Not everything is a hulking big MRI machine that requires major resources to build.
Architectural and engineering firms are often small partnerships.
Liability insurance and having a lawyer on retainer has pretty much always been the mark of a professional association, right up there with having a CPA on contract.
Uninstalled it. Purchased a Mac and switched all servers to openbsd and FreeBSD.
And why would you want this? Do you work for Microsoft? I can guess with almost 99% certainty that you have at least one FOSS project on your computer. You probably have a lot and don't even know it. And if you don't, I can bet that at least one of those proprietary solutions you use uses at least one FOSS project in its code.
You are dense. The world needs fewer people
Like you.
No, my girlfriend wrote this one. Don't judge.
"First they came for the slanderers and i said nothing."
Run Windoze? You're joking, right?
No, I'm merely pointing out reality. You live in fantasy land.
No, I'm merely pointing out reality. You live in fantasy land.
This comment is meaningless. Plenty of people have told you how to solve your problems; books have been written about how to solve your problems.
I don't know why you refuse to try to fix your problems, but that does explain why you have so many problems in the first place. Your problems keep piling up because you don't fix them.
"First they came for the slanderers and i said nothing."
God knows WTF Dijkstra meant to say with that saying, but the l33t hax0r echo chamber has been repeating that saying for years without even thinking what it means to the merits of said language or the malleability and adaptability of the human brain.
I've spent a long time reading through Dijkstra's works, trying to understand what he meant. I'm fairly confident my explanation is accurate.
Accurate with respect to what? About what?
When Dijkstra was talking about people whose mind had been 'mutilated' by BASIC, he was talking about people with the hack-and-get-er-done mindset, people who don't try to think of everything that can go wrong, people who just try to get it working in the case needed now, and don't worry about future proofing it (or even debugging it really, except in simple cases).
"First they came for the slanderers and i said nothing."
99 little bugs in the code,
99 little bugs in the code.
Take one down, patch it around.
127 little bugs in the code.