Oracle Fixes Java Vulnerability Used By Russian Cyberspies (itworld.com)
itwbennett writes: Oracle said that it has fixed 154 security flaws in Java and a wide range of its other products, including one that Russian cyberespionage group Pawn Storm used to launch stealthy attacks earlier this year. The vulnerability, tracked as CVE-2015-4902, was being used by the Pawn Storm attackers to enable the execution of a malicious Java application without user interaction.
... for those on Java 5/6 to get these updates.
So wonderful: our Cisco routers, SAP, and Kronos require 200+ exploitable holes to be on all corporate computers, where I get blamed and write-ups for Cryptolocker infections.
Needless to say, our accounting department does not want to pay to upgrade, as they work fine.
http://saveie6.com/
Every software company would go out of business. How many non-embedded, non-life-critical developers here check every mathematical operation for underflows or overflows? How many computer systems are hardened against a random bit flip? And how would the world react to the sudden and massive increase in unemployment as all employees of those companies lose their jobs?
It'll never happen. Consumers don't care about buggy software and non-buggy software is too difficult to code. Perfect code can fail on bad hardware too.
Bytecode language bullshit? The majority of languages these days compile down to bytecode. And while verbose, Java is one of the best statically typed, cross-platform languages out there. The core library is massive and well documented. Cross-platform threading, cross-platform GUI, cross-platform networking, etc... No need to worry about managing a bunch of dependencies and version upgrades for the collection of libraries you'd need to replace what you'd get from the main Java library, all consistently documented, updated, and supported for you for free. A lot of the Python documentation doesn't even tell you the structure or type of what is returned. The Java docs handle all parameters, return values, and most of the edge cases, like what happens when you pass in a bad value. Many 'modern' languages leave that important info out.
All these massive security holes in Java are actually in the C++ code, part of the Web Start framework. Anyone bashing Java about its security vulnerabilities is actually bashing C++.
We're going to be wishing for Flash to come back. HTML5, canvas-only websites will be much worse.
I wonder how many of these security flaw bugs would happen if we made companies actually legally responsible for the flaws in them?
A lot fewer. Oracle fixed 154 security issues here, which means they are going through their code looking for them.
They should have done that a long time ago.
"First they came for the slanderers and I said nothing."
It is worse than that. I work for a 'security' startup that has many Fortune 500s as customers. Developers ignore security reports and will mark most of the issues as false positives because they don't want to do defensive programming. They will even use years-old outdated libraries, known to have security holes, to develop new features because they would have to learn the new APIs of the new versions and that would hinder their perceived development speed.
That's because we don't really hire software "engineers". We hire "hackers" in the literal sense of the term - people who hack and slash with crude brute force to just "Git 'R Dun!" as fast and as cheap as we can. It's like furnishing a house and all your furniture was made by the side of the road by a guy with a chain saw. No sanding, no gloss, no detail work, no mortise-and-tenon or complex joinery, just 10-penny nails and lots of splinters.
Or maybe a better analogy is particle board. Stamp on a pretty faux-woodgrain facade and ship it. Just hope it doesn't get wet.
We don't value polished quality work. As long as it's pretty and it's cheap, that's "good enough".