New Java Vulnerability Found Affecting Java 5, 6, and 7 SE
jcatcw writes "Just as Oracle is ramping up for the September 30 start of JavaOne 2012 in San Francisco, researchers from the Polish firm Security Explorations disclosed yet another critical Java vulnerability that might 'spoil the taste of Larry Ellison's morning ... Java.' According to Security Explorations researcher Adam Gowdiak, who sent the email to the Full Disclosure Seclist, this Java exploit affects one billion users of Oracle Java SE software, Java 5, 6 and 7. It could be exploited by apps on Chrome, Firefox, Internet Explorer, Opera and Safari. Wow, thanks a lot Oracle."
Re:Java runtime vs. .NET runtime (Score:0, Insightful)
Ever hear of ActiveX?
Report exploits to Debian and Red Hat too (Score:5, Insightful)
The OpenJDK teams at Debian (who also do Ubuntu) and Red Hat are good people to notify as well. Unlike Oracle, they won't sit on bugs.
"Wow, thanks a lot Oracle." (Score:5, Insightful)
Release of Java 5: September 30, 2004
Oracle's acquisition of Sun: January 27, 2010
I know it's fun to hate on Oracle (commencing Ellison yacht joke in 5, 4, 3...), but it makes you look a little imbalanced to blame them for a vulnerability that exists in a product created by a different company almost 5+ years before Oracle even bought them.
Shouldn't we at least wait until after we find out that Oracle knew all about this for months on end, chose to tell no one, and then ported it forward into Java 7 before we lambaste them?
Re:"Wow, thanks a lot Oracle." (Score:2, Insightful)
No! Fuck Oracle! They are the 1%!
Re:"Wow, thanks a lot Oracle." (Score:5, Insightful)
Number of fscks Larry Ellison has given about Java since finding out owning it doesn't mean Google owes him a ton of money for Dalvik: 0
Useless platform (Score:0, Insightful)
Java is a useless platform, along with Flash Actionscript and whatever other web-based multimedia api is out there. If people would start coding pages without those additional pieces of garbage, the amount of malware on the internet would drop tremendously.
Re:"Wow, thanks a lot Oracle." (Score:5, Insightful)
They've owned the product for almost three years now, so I'd say that bugs in current versions are their fault for not doing sufficient QA to find/fix, regardless of where they originated. When you own something, you own the responsibility too.
Oracle, did you learn from last time? (Score:5, Insightful)
Oracle, did you learn from last time?
1. Have you publicly acknowledged the exploit?
2. Have you given at least some idea of how it works?
3. Have you given any mitigation instructions, or will people simply have to uninstall your product since you're not saying how to mitigate this?
4. Have you given any type of public communication along the lines of "we're working on it"?
5. Are you giving any type of ETA for a hot fix?
6. Have you learned that saying, we'll fix a critical exploit on one billion machines at the regular quarterly update schedule is not acceptable?
Home sick today or I would have been neck deep in this all bloody day. Haven't had a chance to look and see if they learned from their last royal clusterfuck or not.
Re:Report exploits to Debian and Red Hat too (Score:2, Insightful)
You do realize that installing a package as root does not automatically cause the binary to be run AS root. I could chown every file on a Linux system to be owned by root:root and still be able to run programs as a non-privileged account.
I don't know if you're trolling or misinformed, but there is nothing inherently insecure about installing packages as root. RUNNING them as root is something completely different.
The Captcha was "Audited" ... funny.