Oracle Fixes Java Vulnerability Used By Russian Cyberspies (itworld.com)
itwbennett writes: Oracle said that it has fixed 154 security flaws in Java and a wide range of its other products, including one that Russian cyberespionage group Pawn Storm used to launch stealthy attacks earlier this year. The vulnerability, tracked as CVE-2015-4902, was being used by the Pawn Storm attackers to enable the execution of a malicious Java application without user interaction.
I wonder how many of these security flaw bugs would happen if we made companies actually legally responsible for the flaws in them?
Be seeing you...
Bytecode language bullshit? The majority of languages these days compile down to bytecode. And while verbose, Java is one of the best statically typed, cross-platform languages out there. The core library is massive and well documented. Cross-platform threading, cross-platform GUI, cross-platform networking, etc... No need to worry about managing a bunch of dependencies and version upgrades for the collection of libraries you'd need to replace what you'd get from the main Java library, all consistently documented, updated, and supported for you for free. A lot of the Python documentation doesn't even tell you the structure or type of what is returned. The Java docs handle all parameters, return values, and most of the edge cases like what happens when you pass in a bad value. Many 'modern' languages leave that important info out.
All these massive security holes in Java are actually in the C++ code. Part of the Web Start framework. Anyone bashing Java about its security vulnerabilities is actually bashing C++.
We're going to be wishing for Flash to come back. HTML5 canvas-only websites will be much worse.
It's not without precedent: software in safety-critical machinery deals with the responsibility issue when someone gets hurt.
If libraries are used then it is up to the person that uses them to ensure that the library is safe to use.
The responsibility can be shifted to the library developer by them providing a document claiming that it is safe to use, otherwise it is up to the developer of the safe machinery to ensure that the functions used are safe.
Typically you don't just use a library, you use a library of a specific version with a compiler of a specific version. You also set up a test procedure for each critical software module as well as the complete software.
If you really are interested you can read ISO 13849.
When you need to make sure that software works and you can get sued into oblivion when it doesn't, you don't pull in random libraries that aren't well tested. NIH means that you either have to spend more time learning how the code works than it would take writing it yourself, or that you have the big black box that can come and bite you in the ass.
It is worse than that. I work for a 'security' startup that has many Fortune 500s as customers. Developers ignore security reports and will mark most of the issues as false positives because they don't want to do defensive programming. They will even use years-old outdated libraries, known to have security holes, to develop new features because they would have to learn the new APIs of the new versions and that would hinder their perceived development speed.