Oracle Knew of Latest Java 0-Day Security Hole In August 265

Posted by timothy
from the when-the-living-is-easy dept.
An anonymous reader writes "After news broke on Thursday that a new Java 0-day vulnerability had been discovered, and was already being included in multiple popular exploit kits, two new important tidbits have come in on Friday. Firstly, this whole fiasco could have been avoided if Oracle had properly patched a previous vulnerability. Furthermore, not only is the vulnerability being exploited in the wild, but it is being used to push ransomware." Meanwhile, writes reader Beeftopia, the U.S. Department of Homeland Security is getting in on the action, and "has warned users to disable or uninstall Java software on their computers, amid continuing fears and an escalation in warnings from security experts that hundreds of millions of business and consumer users are vulnerable to a serious flaw."
  • Burned (Score:5, Interesting)

    by Anonymous Coward on Saturday January 12, 2013 @12:12AM (#42565075)

    Had a few users burned by this today at work. One emergency security meeting later and we pulled Java from 3000 workstations this afternoon. Should have done this a year ago.

    • Re:Burned (Score:4, Funny)

      by ILongForDarkness (1134931) on Saturday January 12, 2013 @01:08AM (#42565319)

      But then how are you going to run Vuze?

    • Re: (Score:2, Flamebait)

      by aled (228417)

      the latest java updates have a feature to disable the Java Plugin. From the original article:
      "As several readers have noted, Java 7 Update 10 ships with a feature that makes it far simpler to unplug Java from the browser than in previous. Oracle’s instructions for using that feature are here, and the folks at DHS’s U.S.-CERT are now recommending this method as well."

      It amazes me how many people confuse the java runtime, sdk and the java plugin (that is the component that executes applets in br

      • I am surprised that you find it amazing that list of obscure lumps of software all beginning with the word java confuse people.
        Do you find it more, or less amazing that java (perhaps java dash some-obscure-addendum) has eclipsed flash and windows as the malware enabler of choice?
        17 years ago java(-.*)* was unleashed, heralded as the saviour of robustness, security and apple pie at only the cost of a few "moore's increments" and uniformly ugly interfaces. Now we have this steaming pile.

        • by aled (228417)

          I am surprised that you find it amazing that list of obscure lumps of software all beginning with the word java confuse people.

          I had expected the slashdot community not to make that kind of mistake. Wrong assumption it seems.

          Do you find it more, or less amazing that java (perhaps java dash some-obscure-addendum) has eclipsed flash and windows as the malware enabler of choice?

          More. I must confess I hadn't expected it at all. I started to be aware of serious security problems with the series of exploits for the Java implementation for Apple platform, 1 or 2 years ago.
          I don't know if it is something that Oracle is doing particularly wrong in the last years or if it is just that hackers are more active lately. Oracle will have to seriously strengthen Java against any kind of remote exploits

  • by Billly Gates (198444) on Saturday January 12, 2013 @12:16AM (#42565105) Journal

    I use java solely for Eclipse development but I do not have the plugin installed on my browsers.

    The people at work who still cling to IE 6 and IE 7 are also stuck in Java land, which is the sole reason why XP is still alive, kicking and screaming. Many still use NTLM version 1 security, pre-1999, that can crack any account on AD because these apps won't work with anything newer than 13 years old!

    With the department of homeland security recommendations perhaps we can finally move on and get rid of these dinosaurs that are a liability to our employers.

    Shame on Oracle.

    Java had such high hopes and Sun fucked up royally too beforehand. If Java could have native .exes and kept being updated perhaps it could be as good as .NET and we could all run Linux with our cross platform natively compiled apps in such an alternative universe.

    Besides a few limited uses for mainframes I think it is time we said goodbye and put it to legacy ala Cobol 2.0? The question is what next? ... not language wise but richness in api wise and frameworks which is why .NET and Java are liked for complex 3-tier enterprise platforms.

    • Web Applications... rich UI's (HTML5, Canvas, WebRTC), NodeJS (express, nunjucks, socket.io), MongoDB (Redis, Couch, etc.)
      • by Anonymous Coward

        Javascript. Fuck me!

        The only thing in computing more fucking brain dead than javascript is XML. You bastards! You've sucked the brain cells out of too many people with your bullshit non-programming and bullshit non-formats.

        If java is dead and javascript is the answer then you've asked the wrong fucking question!

  • it's not 0-day (Score:5, Insightful)

    by Anonymous Coward on Saturday January 12, 2013 @12:17AM (#42565109)

    if Oracle knew about it in August

    • Re:it's not 0-day (Score:5, Insightful)

      by Anonymous Coward on Saturday January 12, 2013 @02:04AM (#42565551)

      And if they knew about it for that long then they should be able to be sued for negligence.

      Perhaps when the software industry has to accept the same liability and culpability as anyone else they will take their job seriously.

      Aircraft are extremely complex and they can't use that as a get out of jail free card, software should not be able to either. If they want protection and patents then they can accept the down side, liability.

      • Re:it's not 0-day (Score:5, Insightful)

        by Lisias (447563) on Saturday January 12, 2013 @02:42AM (#42565709) Homepage Journal

        If they want protection and patents then they can accept the down side, liability.

        +2 Really Insightful

      • Re:it's not 0-day (Score:5, Insightful)

        by Ambassador Kosh (18352) on Saturday January 12, 2013 @02:46AM (#42565719)

        This is why programming is not an engineering profession despite what many keep claiming.

        Until they have the same standards as a mechanical, aerospace, chemical, etc engineers they are not really engineers.

        • Re: it's not 0-day (Score:3, Interesting)

          by Anonymous Coward

          You get what you pay for. "So, you want me to synthesize a new material, build a few skyscrapers with it, all on top of the landfill foundation the last team built, and make it last at least 2 years before any substantial maintenance is performed? In a few months with a small team of survivalists?" I'm sure that'll work out great because those structural engineers are accredited.

          • Re: it's not 0-day (Score:5, Insightful)

            by Ambassador Kosh (18352) on Saturday January 12, 2013 @04:05AM (#42566001)

            If a structural engineer signs off on that without doing the actual calculations to show it is safe and that project is investigated they will lose their license.

            They will also end up with criminal liability.

            • by geoskd (321194)

              If a structural engineer signs off on that without doing the actual calculations to show it is safe and that project is investigated they will lose their license.

              They will also end up with criminal liability.

              Yes, but if a structural engineer signs off, and a year later someone switches out the landfill or the foundation (Think hardware upgrade), then the civil engineer is no longer liable. Software works the same way, except that it is a given that large scale components of the system will be changed on a regular basis.

              Imagine the chaos if IT professionals had to re-evaluate each system every time they wanted to add RAM or drives to a server...

              The civil engineering equivalent to that would be adding floors ont

      • This is the first time I personally, have heard this argument. :-)

        I have to admit that my mind was definitely blown...it was an almost spiritually moving 'light bulb' moment.

        Wow! The simplicity....the 'rightness'...the 'total awesome!

        Really, no sarcasm meant or implied. That was one of the best arguments on the subject of software patents I have seen to date.

        Thank you very much, kind Mr./Ms. AC for this gem.

      • by geoskd (321194)

        And if they knew about it for that long then they should be able to be sued for negligence.

        Perhaps when the software industry has to accept the same liability and culpability as anyone else they will take their job seriously.

        Aircraft are extremely complex and they can't use that as a get out of jail free card, software should not be able to either. If they want protection and patents then they can accept the down side, liability.

        Your argument actually exemplifies why software creators typically have reduced liability. An aircraft is not a component of a larger system in the classic sense. It is operated as a standalone appliance that works as designed. You can't switch the wings out for a different version and expect it to work as designed.

        Software by contrast is, by definition, run on a piece of hardware that can be swapped for different hardware that may or may not behave the same way. Even seemingly innocuous changes that have n

  • by gQuigs (913879) on Saturday January 12, 2013 @12:17AM (#42565115) Homepage

    They are used on less than 0.2% of websites, and many are false positives. Yes some might not be detected as well. I am aware there is one very popular video service that uses Silverlight, can't say the same about Java.

    Click on the language for more details
    http://w3techs.com/technologies/overview/client_side_language/all [w3techs.com]

    • by Billly Gates (198444) on Saturday January 12, 2013 @12:22AM (#42565135) Journal

      Silverlight is at least used for Netflix and is much more secure and updated by MS.

      Java is insanely popular with old IE in the enterprise market. Banks which support Chrome and Firefox for us with consumer banking sometimes only support IE 6 - 8 with Java 5 (no I did not mistype that) for corporate customers where security exploits are used in java so accountants can put ole excel spreadsheets inside their browser for the bank to see.

      Apparently these banks have not discovered javascript yet and tools to read excel docs and reformat them internally. I guess many corps still use excel 2003 with binary data in their .xls files unlike .xlsx which make reading and parsing harder.

      Anyway, this is who heavily still uses it.

    • by slapout (93640)

      There's quite a few Android devices running Java. And developers need Java on their PCs to write apps for them

      • by 93 Escort Wagon (326346) on Saturday January 12, 2013 @12:54AM (#42565269)

        There's quite a few Android devices running Java. And developers need Java on their PCs to write apps for them

        That may be so; but it's not really a reason for people to keep Java enabled in their browsers.

        Several months ago I disabled the Java plugins/extensions in all the browsers I use. Know what I noticed? Absolutely nothing. No sites that I frequent used Java *at all*. My experience browsing the web didn't change an iota.

        • Several months ago I disabled the Java plugins/extensions in all the browsers I use. Know what I noticed? Absolutely nothing. No sites that I frequent used Java *at all*. My experience browsing the web didn't change an iota.

          I had the exact same experience. Kind of sad actually given all the potential we could see when java was first announced. But in this world, java on the web is effectively dead.

          • Several months ago I disabled the Java plugins/extensions in all the browsers I use. Know what I noticed? Absolutely nothing. No sites that I frequent used Java *at all*. My experience browsing the web didn't change an iota.

            I had the exact same experience. Kind of sad actually given all the potential we could see when java was first announced. But in this world, java on the web is effectively dead.

            You know it's bad when ActiveX from the 2001/IE6 era at least had trust-signed applets, with security turning unsigned applets off by default. Fucking pathetic and shows how out of date Java really is even back in 2001! Sun really let it out to rot while Oracle won't even release fixes until a quarterly update.

            May Java RIP.

            I really wanted to like it as I thought with a native compiler or a fat binary we could all be using Linux now with a gui framework second to none. Swing is really powerful but ugly and slow in 19

          • by TubeSteak (669689)

            But in this world, java on the web is effectively dead.

            What killed it?
            My experience seems to be that flash has replaced everything that java was supposed to do.

            • by TopSpin (753) on Saturday January 12, 2013 @04:32AM (#42566055) Journal

              java on the web is effectively dead

              What killed it?

              It's clunky. That's the shortest correct explanation I can provide. The whole user experience is just awful.

              The first thing you experience when you encounter a Java applet is a sinking feeling as the browser becomes unresponsive with a large gray void somewhere on the page that will eventually render the applet. Sometimes this is alleviated slightly by a progress indicator in some weird JVM font that looks like it was salvaged from OpenBoot. All this "loading" takes large amounts of RAM so the OS starts paging which creates more anxiety for the user as the drive LED indicates vast amounts of mysterious IO. In any case the process takes too long and by the time the applet has rendered something meaningful most users have lost patience.

              At this point the applet has started rendering. Frequently this is a bad thing because many Java applets are tragically ugly. Repulsive, really. So bad they look like hastily made email phishing attempts. It would have been better if the "loading" had never ended leaving the user to seek alternatives. The moment a user sees those fonts they squint, groan a bit inside and consider calling someone for help. The GUI widgets look weird. Things don't work right, like copy and paste or common GUI hot keys. And everything lags; you can feel extra tens of milliseconds of lag with every UI operation; click, scroll, whatever. It all lags.

              Finally whatever unfortunate task led our victim here has been accomplished and it's time to leave. You click 'home' or some link or whatever to be on your way and BOOM!, the browser segfaults and closes. Recent browsers mitigate this habit by isolating applets (and other plug-ins) in process sandboxes, but the user still gets that extra little poke in the eye to top off the rest of the 'experience.' The sort of effort required to make the JVM run smoothly inside common browsers has never been applied and to this day it is a fragile and crashy combination.

              People that care about the user experience, people with tens or hundreds of millions of users using their site(s), don't tolerate this heinous shit. So Java applets die the death they deserve.

      • by medv4380 (1604309)
        What Android device would actually have a JRE installed? I believe you're mistaking the Java Language for the Virtual Machine. I could be mistaken. Someone may have gone crazy and developed and packaged one for Android, but I doubt it.
      • by BradleyUffner (103496) on Saturday January 12, 2013 @01:22AM (#42565379) Homepage

        There's quite a few Android devices running Java. And developers need Java on their PCs to write apps for them

        Android is NOT running java. Its applications are written in the java language, but are not compiled to java byte-code.

      • Android runs Dalvik. It's a clean-room partial implementation but uses a different architecture. Perhaps, theoretically, it's vulnerable to the same problem but Android doesn't include applet nor java web start functionality.

        As for developing using the JDK, don't install the public JRE. The 64bit version is safer since, last time I checked, browsers for 64bit Windows are still 32bit and hence the plugin won't work!

      • by mwvdlee (775178)

        I don't think I've ever seen an Android device running Java, certainly not Oracle's Java distribution which is at stake here.

    • by Trepidity (597)

      Unfortunately, a lot of European banks use Java applets as part of their login process. Many EU countries were a bit ahead of the curve in requiring better logins than just user/pass in the early 2000s (e.g. two-factor authentication), which at the time was a good idea, but the downside is that a lot of those systems were built in Java, since that was the obvious choice circa 2001 (doing serious client-side stuff in JavaScript wasn't really done at the time), and now there's a bunch of legacy cruft still st

  • by Anonymous Coward on Saturday January 12, 2013 @12:25AM (#42565149)

    Can we please, please, please stop using the term "0-day"? It's completely meaningless here. Actually, it's worse than meaningless as it's used incorrectly and just makes things confusing. Is it a noun? Is it an adjective? Depends on who's writing the Slashdot headline! Try reading the headline and article while omitting the text "0-day" and you'll see it reads just fine and actually makes sense now.

  • by mark_osmd (812581) on Saturday January 12, 2013 @12:29AM (#42565165)
    I was reading that the vulnerability is not in general standalone Java but only in the Java plugin in your browser, that is, you can secure from the issue by disabling the Java plugin in your web browsers but it's not that big of a risk to a standalone Java app. Is that true?
    • by Anonymous Coward on Saturday January 12, 2013 @12:37AM (#42565203)

      I was reading that the vulnerability is not in general standalone Java but only in the Java plugin in your browser, that is, you can secure from the issue by disabling the Java plugin in your web browsers but it's not that big of a risk to a standalone Java app. Is that true?

      Yep. Instructions are here [microsoft.com] to disable it. Or enable it for corporate folks in a separate secure zone. IE 6 - 9 may be retarded in HTML rendering, but knows when it is on the net vs a lan and loads different security settings.

      If you are just a home user go under addons in Firefox and IE and disable sun/oracle and java. DONE. You are secure at this point. The security exploit is not java per se but the browser as it executes by default unsigned with no authentication nor permission! A HUGE security risk. But without access to run it can't do anything.

      • by TubeSteak (669689)

        If you are just a home user go under addons in Firefox and IE and disable sun/oracle and java. DONE.

        I just updated yesterday to the latest Java (addons v7.10.2.18 in FF, v7.0.100.18 in IE) and I swear that the update re-enabled my previously disabled plugins in FF and IE.

        I only checked on a whim after reading your post.

        • by Tridus (79566)

          Yeah, the Java updater likes to enable itself in your browser for future exploiting.

          That's why the best advice is "remove Java".

    • by thue (121682) on Saturday January 12, 2013 @02:38AM (#42565693) Homepage

      Standalone Java apps already have full arbitrary code execution and full access to the system. What would be the point of using an exploit to gain access to a system you can already access. If you are running a standalone Java app, you have already chosen to trust the code completely, unlike a sandboxed app in a browser.

      • by _xeno_ (155264)

        Conceptually the hole is in all Java apps, though, it just only really matters in the browser setting.

        If you have a Java app (say, a Java-based web server) that in fact runs untrusted code (say, third-party web applications) and places them in a Java sandbox, then they can use this exploit to leave the sandbox.

        So it's effectively only an issue for browsers, since that's the real-life example where many people have Java installed in such a way that they might unexpectedly receive hostile code. But it can als

        • by sourcerror (1718066) on Saturday January 12, 2013 @03:54AM (#42565969)

          that in fact runs untrusted code (say, third-party web applications) and places them in a Java sandbox, then they can use this exploit to leave the sandbox.

          Only applets run in sandbox so there's nothing to leave. On the server side there are two choices:

          - shared hosting (Tomcat): everyone uses the same VM just like with PHP so we are sparing memory, but increasing the security risk
          - virtual private server: everyone uses their own VM and everyone is secure

          • by _xeno_ (155264)

            Only applets run in sandbox so there's nothing to leave.

            Wrong. Anything can be placed, optionally, in a sandbox.

            - shared hosting (Tomcat): everyone uses the same VM just like with PHP so we are sparing memory, but increasing the security risk

            Look up the Tomcat -security option [apache.org], which enables a SecurityManager and places each individual web application in its own sandbox. It's an option, it "works," and this vulnerability would circumvent it.

            Now, granted, no one bothers actually using the option, but it is there.

    • I was reading that the vulnerability is not in general standalone Java...

      That's true, which is why the people saying to uninstall Java sound like blathering idiots. You need to either uninstall the Java browser plugin, or use NoScript to whitelist your internal sites only. Frankly, you need to do this for all browser plugins (Flash, Silverlight, Java, etc.), as the entire browser plugin architecture is fundamentally flawed.

      Standalone Java apps are not a problem.

  • It is so obvious... (Score:4, Interesting)

    by QuietLagoon (813062) on Saturday January 12, 2013 @12:58AM (#42565281)
    It is so obvious, why do not the Java users see this...
    It has become apparent that Oracle either does not understand the concept of computer security....

    - or -

    Oracle does understand the concept of computer security, and they are using these exploits to kill off Java, which they do not want to support anymore.

    What else can it be?

    (btw, my bet is that Oracle is clueless regarding computing security)

    • by Junta (36770)
      Why does Oracle's incompetency and disinterest in Java have to be mutually exclusive propositions?

      Of course, for having spent 7.4 billion dollars acquiring Sun, Oracle hasn't put much effort into preserving the value of the assets from that acquisition. Solaris is stagnant, all the Sun efforts to *try* to compete with Linux seem abandoned. Java is a security nightmare on top of being generally despised on end user client platforms. Java's biggest success as a platform has been in Android, and Oracle's res
    • It sure makes you want to go look for vulnerabilities in OracleDB, doesn't it?
    • by gweihir (88907) on Saturday January 12, 2013 @08:20AM (#42566529)

      There are numerous indications to be found in their enterprise database products that Oracle really _is_ clueless with regard to security. For example, they do not know how to protect passwords and certificates against competent attackers. Such a company has no business being even a tiny bit as important as Oracle is today. Apparently there are no working mechanisms in capitalism to keep monsters like them under control.

  • I tried you back in the early days and you crashed me one too many times.. since then the bad taste never left and I have avoided you. I never got on the bandwagon when it was neat to be a Java guru and now I've come to realize you are simply a pain in my ass. Begone.. I break with thee, I break with thee.. I break with thee.
  • by segoy (641704) on Saturday January 12, 2013 @01:17AM (#42565361)
    a -150 (approx) day vulnerability?
  • by Jeremi (14640) on Saturday January 12, 2013 @01:38AM (#42565433) Homepage

    Back in college (when Java was the new thing) one of its big touted features was security -- all applets would run in a sandbox, Java would be written in bytecode that would be automatically verified before it was executed, array access indices would be bounds-checked, etc etc. This all made Java execute more slowly than the alternatives (er, ActiveX?), but the (expected) upside was that Java would be super-secure and we wouldn't have to worry about our computers getting exploited by evil web pages that we accidentally loaded.

    Now it's 2013 and Java (at least in the context of a web browser) is turning into an unreliable bug-fest.

    So, what happened? Is it just a matter of incompetence at Oracle (and/or Sun)? Or is Java's security model fundamentally broken in some way that other in-web-browser languages (particularly JavaScript) are not? Where are all these security holes coming from?

    • Re: (Score:2, Informative)

      by Anonymous Coward

      The problem is that security costs usability.

      Completely disable the ability of Java to read/write files on the local filesystem and it'd be a lot more secure for example, but then it'd be more useful as well.
      "" direct access to graphics hardware, "" - well pretty much everything. And once you crack the door open a little it's really hard to find and close all the corner cases that open up.

      • The problem is that security costs usability.

        Completely disable the ability of Java to read/write files on the local filesystem and it'd be a lot more secure for example, but then it'd be more useful as well.

        This problem has already been solved, and solved mostly well. It is possible to specify exactly where a piece of java code may access files, and enforce it.

        The problem is that some bugs in the JVM make it possible to bypass these checks, and then p.ex. access files that should be impossible to access.
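A small, added illustration (written for this edit, not code from anyone in the thread or from Oracle or Apache) of the per-application file sandbox that both the Tomcat `-security` comment above and this reply describe: a custom `SecurityManager` that, while untrusted code runs, grants `FilePermission` only inside one directory. The class and directory names are hypothetical. The thread-local on/off switch is a deliberate simplification of the real model, where a policy file plus `AccessController` stack inspection decides what each code source may do.

```java
import java.io.File;
import java.io.FilePermission;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Permission;
import java.util.concurrent.Callable;

/**
 * Added example (hypothetical names, not from the thread): a minimal
 * filesystem sandbox. Untrusted code is run through runSandboxed(); while it
 * runs, every FilePermission check is intercepted and only paths under the
 * allowed directory are granted. Code run outside runSandboxed() is treated
 * as trusted, so the JDK's own housekeeping is not affected.
 */
public class FileSandboxDemo {

    static final class DirectorySandbox extends SecurityManager {
        private final String allowedRoot;
        private final ThreadLocal<Boolean> active = ThreadLocal.withInitial(() -> false);

        DirectorySandbox(Path allowedDir) {
            this.allowedRoot = allowedDir.toAbsolutePath().normalize().toString();
        }

        @Override
        public void checkPermission(Permission perm) {
            if (!active.get() || !(perm instanceof FilePermission)) {
                return; // trusted code, or a non-file permission: allowed in this demo
            }
            String name = perm.getName();
            if ("<<ALL FILES>>".equals(name)) {
                throw new SecurityException("sandboxed code denied blanket file access");
            }
            // FilePermission names may end in "/*" or "/-" (directory wildcards); strip them.
            name = name.replaceAll("[/\\\\][*-]$", "");
            String target = Paths.get(name).toAbsolutePath().normalize().toString();
            if (!target.equals(allowedRoot) && !target.startsWith(allowedRoot + File.separator)) {
                throw new SecurityException("sandboxed code denied " + perm.getActions() + " on " + target);
            }
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }

        /** Runs untrusted code with the restriction switched on for the current thread. */
        <T> T runSandboxed(Callable<T> untrusted) throws Exception {
            active.set(true);
            try {
                return untrusted.call();
            } finally {
                active.set(false);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed scratch files: one inside the permitted directory, one outside it.
        Path allowed = Files.createTempDirectory("sandbox-allowed");
        Path inside = Files.write(allowed.resolve("ok.txt"), "inside".getBytes());
        Path outside = Files.createTempFile("sandbox-outside", ".txt");
        Files.write(outside, "secret".getBytes());

        DirectorySandbox sm = new DirectorySandbox(allowed);
        System.setSecurityManager(sm); // JDK 18+: start with -Djava.security.manager=allow

        // Permitted: the untrusted code reads a file inside its own directory.
        String ok = sm.runSandboxed(() -> new String(Files.readAllBytes(inside)));
        System.out.println("inside read: " + ok);

        // Denied: the same code reaching outside its directory is stopped by checkRead.
        try {
            sm.runSandboxed(() -> new String(Files.readAllBytes(outside)));
            System.out.println("BUG: outside read succeeded");
        } catch (SecurityException e) {
            System.out.println("denied as expected: " + e.getMessage());
        }
    }
}
```

Run it with `java FileSandboxDemo.java` (JDK 11 or later; on JDK 18 and later add `-Djava.security.manager=allow`, since the SecurityManager has been deprecated for removal). The point for a defender is the one the thread makes: the check lives in the runtime, so a JVM bug that lets code skip `checkPermission` removes the whole fence, no matter how tight the policy is.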

    • by Dolda2000 (759023) <fredrik@d o l d a 2 000.com> on Saturday January 12, 2013 @01:59AM (#42565527) Homepage

      It's mostly a matter of incompetence in the implementation, indeed. The Java vulnerabilities I have followed have always included calling some obscure part of the Java class library which is implemented using native code (mostly for optimization reasons) that happened to be buggy in some way.

      It should be said in this case, however, that the new Java 7 dynamic language support infrastructure, which is one of the things Oracle added since they took Java over. Many of the things Oracle has done to Java lately (and especially as additions in Java 7) have struck me as poorly designed features that just allowed Oracle to check off some feature-lists to make Java appear as "feature-complete" as dotnet.

    • by phantomfive (622387) on Saturday January 12, 2013 @04:22AM (#42566039) Journal
      Theo de Raadt once said, "these guys can't write a secure OS, why would you expect them to write a secure VM?"

      These bugs have always existed in Java, but no one went out to exploit them because there were easier vulnerabilities available. Now as Microsoft has put more emphasis on security, the low-hanging fruit has become Acrobat reader, then Flash, now Java. Used to be you could smash the Microsoft stack any time you wanted. Now they are randomizing the stack and it's not so easy.....
    • It wasn't used enough.

      Seriously. Theoretically there's no reason Java-as-a-web-technology can't be as secure, when implemented as a plug-in, as Javascript, and it absolutely (because it's a much simpler architecture) ought to be much, much, more secure than Flash. The only reason it isn't is because it's been ignored. There's only one company out there making Java plug-ins that anyone uses, and that company - which had problems at the best of times - was recently swallowed by a large corporation that doe

  • It drives me crazy- my kids have several java-based websites they are required to use for school. I'm not too worried if their laptops get borked- there's nothing of value on them. When the nasties spread across the network to my PC and my server, I've got real problems. What do I do besides complain to the school?
    • Install decent security on your network, auto scan your kids' PCs whenever they connect, don't share devices that contain sensitive information on the network (like the drive, or folder that contains your bank details..), use a server with a non-windows OS...

      Or just get the kids a dedicated nas if they need the extra space. A cheap wifi box to allow them to share your internet connection and you're done.

  • by bcrowell (177657) on Saturday January 12, 2013 @02:32AM (#42565663) Homepage

    I see a lot of posts saying, "I don't need java applets. None of the web sites I visit use java applets. We should use this an an opportunity to let java applets die. Die, applets, die die!"

    There are a lot of problems with this simplistic response.

    One problem is that a lot of people are using java applets to do things that are important to them. Applets are widely used in the medical industry. I teach physics for a living, and there are several educational applets, written by other people, that I use to demonstrate ideas about thermodynamics. (Warning, car analogy coming up.) Just because you don't drive a Honda Fit, that doesn't mean it's OK to tell every owner of a Honda Fit that they aren't allowed to drive it anymore.

    The other problem is that you have to consider the alternatives.

    Javascript is in many ways a nice little language. However, it's a disaster because of the lack of a standardized DOM, and it simply doesn't have the necessary facilities to do all the things that a java applet can do.

    Flash is essentially proprietary, has been designed in a chaotic way, and is a frequent vector for malware [net-security.org], comparable to java applets and adobe reader.

    Silverlight is only viable on Windows.

    Java applets, warts and all, have some important advantages because of the design of java. Java was designed to be extremely portable. Java (unlike flash and javascript) was intended from the start to be a good general-purpose programming language. Java and java applets were vastly overhyped back in the 90's, but java applets are in fact an important and useful web technology that some people need and want. The problem seems to be that an important and useful web technology has fallen under the control of a corporation that is irresponsible about security.

  • by Required Snark (1702878) on Saturday January 12, 2013 @02:34AM (#42565677)
    This is remarkably similar to the recent post on SCADA devices being vulnerable because they were directly accessible on the net. http://slashdot.org/index2.pl?fhfilter=scada [slashdot.org]

    These are not primarily technical failures, they are institutional failures. The issue is not that Java has a zero day failure; these things happen. The critical failure is that Oracle knew what was going on before this hit the news and they could have avoided the problem with better practices.

    The US has a Laissez-faire attitude towards computer security. It's all left up to the good will of the provider, which is clearly a mistake. Some organizations do a good job, but many fail. This is because security requires expending effort, and there is a natural tendency to cut corners to save money.

    In theory, the market will be self-correcting, because of the cost associated with failure. In practice, this does not occur. Neither the direct financial cost nor the reputational costs are big enough to modify organizational behavior. That's why there is a never-ending stream of these kinds of events.

    Ironically, it seems that highly visible open source projects have a better track record than the private sector. This shows the high level of professionalism that open source organizations maintain.

    Things will never get any better until the cost of failure becomes much greater. This means having serious fines and/or larger payouts to those who are harmed by the security breach.

    Right now the cost of cleanup after a security failure is so low that there is no meaningful incentive to be proactive. Is Oracle going to have any negative economic repercussions as a result of this screw up? Of course not. Therefore, they will do nothing to change their ways. Until there is some mechanism to hold providers responsible for failure to act there will be no change.

    To clarify the point, the liability should be for failure to act once a problem is found, not for the existence of the original security problem. Having a SCADA device visible on the net with a default password is the kind of event that should cause liability. Likewise, not fixing a critical security hole as soon as it is discovered, as in this case with Oracle.

  • Why so horrified? (Score:4, Insightful)

    by Tony Isaac (1301187) on Saturday January 12, 2013 @02:36AM (#42565685) Homepage

    Has nobody on this site actually had to meet a deadline? Has nobody had to make some trade-offs to get a product out the door? Why would Java be different?

    If you are working on a non-trivial project, and you don't know about at least half a dozen horrible "zero-day" flaws, then you don't know your project very well!

    In real life, businesses have to make trade-offs. They can't fix everything. Every release cycle, product managers have to make decisions about which fixes go in, and which fixes have to wait. I'm no Java fan, but with as many people poking around it as there are, I'm amazed that there aren't many more known vulnerabilities!

    • by dbIII (701233) on Saturday January 12, 2013 @03:07AM (#42565801)

      Has nobody on this site actually had to meet a deadline? Has nobody had to make some trade-offs to get a product out the door?

      Because it's used by others, so it's effectively infrastructure, and thus irresponsible to cut corners before release. To invoke a car analogy, it's like opening a bridge on the announced date without finishing it in one lane, so that cars driving from one direction keep falling into the water. Such an example appears so ridiculous because it's comparing a carefully planned engineering project on one hand (the bridge) with a room full of blindfolded basketweavers trying to weave bits of an elephant-shaped basket while being shouted at in a language they cannot understand, and none of them know what an elephant looks like (a typical mismanaged software project, like your above example with your "tradeoffs").

      • There is a serious flaw in your analogy. Opening the bridge without finishing one lane would be serious because, when used as designed, it would fail. Java, however, when used as designed, generally does what it is supposed to do. This is evidenced by the success of the Android platform, which relies heavily on Java.

        By contrast, the situation described in this article occurs when someone intentionally uses Java in a way that it was specifically NOT designed to be used. So to extend your analogy, the bri

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Java is a platform, not a normal application. It's infrastructure. A bug in the infrastructure potentially affects every application depending on that infrastructure. That makes the impact of every bug orders of magnitude larger than it is in a normal application. The importance of that outweighs the importance of deadlines.

  • ... Java will never reach any reasonable level of security. This must have drastic consequences for them or they will continue to invest the minimum amount of effort possible in Java security. Nothing else will help. The users are not mature enough to do anything, see all the people here that do not want to go without the Java plug-in even for a few days. (How stupid can you get??)

  • I presume OpenJDK 7 is also vulnerable, since Oracle JDK 7 is basically OpenJDK 7 with some proprietary libraries.

    Is OpenJDK 6 vulnerable? It's actually OpenJDK 7 cut down to pass JCK 6. Has anyone tested it?

  • "Nobody is using $product anymore" is the new "First Post!"
  • by buddyglass (925859) on Saturday January 12, 2013 @11:02AM (#42567291)
    Oracle was notified of the vulnerability and attempted to fix it. Their fix was inadequate. So they're just incompetent instead of willfully dismissive of security concerns.
