Oracle Fixes Java Vulnerability Used By Russian Cyberspies (itworld.com)
itwbennett writes: Oracle said that it has fixed 154 security flaws in Java and a wide range of its other products, including one that Russian cyberespionage group Pawn Storm used to launch stealthy attacks earlier this year. The vulnerability, tracked as CVE-2015-4902, was being used by the Pawn Storm attackers to enable the execution of a malicious Java application without user interaction.
... for those on Java 5/6 to get these updates.
So wonderful our Cisco routers, SAP, and Kronos require +200 exploitable holes be on all corporate computers where I get blamed and writeups for cryptolocker infections.
Needless to say, our accounting department does not want to pay to upgrade as they work fine.
http://saveie6.com/
Every software company would go out of business.
There's a difference between "We found a bug in our software and are notifying our customers with an update" and Oracle's "Here's this month's bucketload of bugs, updating last month's bucketload of bugs, and the month before that, and the month before that, and the month before that, and the month... Next month's bucketload of bugs will be delivered on schedule, and further bugs will be delivered every subsequent month until the Sun burns out".
As everyone should have realised by now, JVM actually stands for "Java Vulnerability Machine". Everyone makes a few programming errors, but products like Java seem to consist mostly of programming errors, held together with rubber bands and duct tape. There needs to be some point at which companies are held liable for shipping truly bad products.