Oracle Ships Java 7 Update 11 With Vulnerability Fixes
An anonymous reader writes "After announcing a fix was coming just yesterday, Oracle on Sunday released Java 7 Update 11 to address the recently disclosed security vulnerability. If you use Java, you can download the latest update now from the Java Control Panel or directly from Oracle's website here: Java SE 7u11. In the release notes for this update, Oracle notes this version "contains fixes for security vulnerabilities." A closer look at Oracle Security Alert for CVE-2013-0422 details that Update 11 fixes two vulnerabilities."
Is this really a fix? (Score:5, Interesting)
Proper web browsing hygiene protected users from this zero-day vulnerability - but my mom needed this update.
Re: (Score:2)
Re: (Score:2)
To play Minecraft obviously.
Re:Is this really a fix? (Score:4, Insightful)
Re:Is this really a fix? (Score:5, Informative)
Minecraft does not need the java browser plug-in.
Re: (Score:2)
This is a common misunderstanding of apple users.
Re:Is this really a fix? (Score:5, Informative)
People who read this site are mostly geeks, nerds, IT, developers, or some such who are computer literate. But, NO ONE who reads this site is ignorant of how pervasive Java is. NO ONE who reads this site is completely ignorant of the ways in which John and Jane Q. Public use their computers.
Like DavidClarkeHR's mother, my wife "needs" Java. Her computer may suffer any number of ills, and she'll ignore them. But, if she can't play her Pogo Games, the old broad is going to make my life miserable until the problem is fixed. To her, "the internet" pretty much means Pogo, Facebook, email, Craig's List, classified ads in the Texarkana Gazette, and a little bit of news.
Oh, wait - how can I forget her soap operas? The woman has given up on television, and watches her daily shows on the computer now.
THAT is the internet, for millions of people.
Java don't work? "I WANT IT FIXED BEFORE I GET HOME FROM WORK!! You can forget about taking trash out, you can forget to pick your clothes up off the bathroom floor, you can leave the sink full of dirty dishes, BUT FIX MY INTERNET!!"
Re: (Score:3)
I can't verify identity through my bank without java (to government services).
spent the entire morning trying to make the applet work today.
turned out I had to run the plugin through ie before it would work on either firefox or chrome.
such fucking bullshit really, and both chrome's and firefox's installers and their help quite frankly suck balls. note to developers: check where the fuck your help buttons go and if they go somewhere that just tells you to do what you just already did to see the help button do
Re: (Score:2)
But, NO ONE who reads this site is ignorant of how pervasive Java is.
Tell me about it. I just started my first cup of coffee.
Re: (Score:2)
Proper web browsing hygiene protected users from this zero-day vulnerability...
I'm not sure what you mean by that. What is "proper web browsing hygiene"?
Re:Is this really a fix? (Score:4, Funny)
keeping a box of tissue next to the computer
Re: (Score:2, Offtopic)
Re: (Score:2)
Ringer.
But I'll give you 7/10 since your effort showed character.
Re: (Score:2)
Proper web browsing hygiene includes not infecting one's browser with the Java plugin to begin with.
There, fixed that for you.
Java or Javascript? (Score:2)
I'm totally confused every time this comes up... do browsers have Javascript (more accurately ECMA Script) or Java itself? I understand it is the former; whereas Java is a plugin that needs to be explicitly installed. And I also believe Javascript has almost nothing to do with Java.
Is Java on browsers so widespread?
Java and Flash (Score:5, Informative)
Re: (Score:2)
Java is a plug-in published by Oracle that plays applets written in Java,
Yes, I understood that bit, which is why I asked the final question: Is the Java plugin downloaded so often, to run on browsers? (alternately)
Is Java plug-in bundled with browsers without the need for separate downloading?
Re: (Score:2, Informative)
You have to manually install it or a piece of software you run needs it and installs it. No modern browser needs it nowadays.
Re: (Score:3)
No modern browser needs it nowadays.
It depends on what you're trying to do.
Re:Java and Flash (Score:5, Interesting)
Java's actually fairly commonly used for line-of-business applications because it's fairly easy to find Java developers ("easy" being synonymous with "cheap"), the tools start at "free", it's sort of platform neutral, and it's been around for a while. Plus, a lot of those Java line-of-business apps were first written 5-10 years ago and, well, they still basically work - given a choice between paying for a total re-implementation of some tool that works "reliably", doing the necessary field testing to prove it's at least as secure, functional, and stable as the current implementation, or just periodically testing it against the latest version of Java, guess what most businesses do?
Now you know why Java exploits are a big deal.
Re: (Score:2)
Java comes preinstalled on a lot of PCs (or at least it used to). Also, some browsers prompt you to install Java when you encounter an applet (or at least they used to).
The result is that a buttzillion users have Java installed even if they don't want or need it.
The one that really pisses me off is when the official Java autoupdate utility decides that you must not have meant it when you disabled the browser plugin, and helpfully re-installs it for you...
Re: (Score:2)
"Secondly, it auto-installs if the plug-in isn't present."
Ahhh, yes, I remember that. That was the Wonderful World of Windows. Things just auto-install themselves with little, if any, input from the user, or the administrator.
In alternate realities, such as the Unixverse, the user must call up a program from which he searches for the particular package he wants to install. Or, he must be familiar enough with his package manager to call it up from a terminal. Auto-install has proven to be a Very_Bad_Thin
Re: (Score:2)
Re: (Score:3)
Is Java plug-in bundled with browsers without the need for separate downloading?
No. As far as I know, Flash isn't bundled either, except with Chrome. Java also has an environment for applications that run outside the browser such as FrostWire and Minecraft. Perhaps people are installing Java to run those, and the installer drops the plug-in into all installed browsers.
Re: (Score:2)
Normally the browser plug-in is a totally different independent install from Java itself. It's POSSIBLE an installer could bundle java and a java browser plug-in (like say icedtea). Linux distros will generally install java to satisfy the plugin's dependencies for instance, which in something like Ubuntu could happen almost automatically. I don't think anything like that will happen in Windows or OSX normally.
Lots of people DO have Java installed for completely other reasons than web applets though. In fact
Re: (Score:2)
Re: (Score:3)
Normally the browser plug-in is a totally different independent install from Java itself
The standard windows 32-bit JRE installer includes the browser plugin and will install it by default. So any user of java on windows who hasn't decided explicitly that they don't want the plugin is likely to end up with it.
Re: (Score:2)
Re:Java or Javascript? (Score:4, Informative)
Many websites utilize Java through in-line apps and modern browsers make the installation process fairly simple (ie, a couple of on-page redirects and a pop-up window which takes care of it all - the same way most browsers simplify Flash installation simply because it's so universal). For example, nVidia's video-card-detection routine is in Java and if it's not installed, will helpfully let you know and give a button to click to download it. Minecraft, of course, requires Java. Many development tools and even many network management packages are written in Java.
Java on PCs is quite widespread and thus by default, so is Java on browsers.
Javascript, as you rightly raise, is altogether different, and prevalent on all browsers by default (even though different browsers have different JS interpreters) and has nothing to do with the JRE.
Re: (Score:2)
I'm totally confused every time this comes up... do browsers have Javascript (more accurately ECMA Script) or Java itself? I understand it is the former; whereas Java is a plugin that needs to be explicitly installed. And I also believe Javascript has almost nothing to do with Java.
Is Java on browsers so widespread?
I haven't needed Java since my last job where I routinely needed to use the web interface of F5 proxies, in which the latest major revision went to an all-Java interface.
Re:Java or Javascript? (Score:5, Informative)
Javascript absolutely has nothing to do with Java.
Netscape realized for the web to take off as a platform it needed to do more than just display text and pictures so logic was needed. Netscape invented Livescript. Sun didn't like it and was in talks with making Java used instead of Livescript for dynamic web content.
So Netscape made a deal to rename Livescript Javascript with the contract to include jre with Netscape 3. It has nothing to do with it other than pure marketing name to confuse users to spread synergy to Java instead which is what Sun hoped as Livescript aka Javascript was very limited at the time.
It became a standard to this day.
Re: (Score:2)
Is Java on browsers so widespread?
Don't know how accurate they are, but some [statowl.com] say more than 40% of the computers connected to internet have Java plugin.
Re: (Score:2)
But there are still sites that want to provide a richer GUI than you can get from CSS, JavaScript/Ajax, for example for interactive vector graphic simulations.
Thanks for the explanation. Any examples of such sites, if they are popular?
Re: (Score:3, Informative)
RuneScape and all of FunOrb (also made by Jagex -- the creators of Runescape) are also Java Applets.
Other than games, you'll see sites use Java Applets for simulati
Re: (Score:2)
FallingSandGame, Minecraft.
August 2012 to January 2013 (Score:5, Insightful)
Why can't the larger companies, e.g. Microsoft and Oracle, respond to and fix the security issues more quickly than on a timeline expressed in months?
Re:August 2012 to January 2013 (Score:4, Insightful)
I couldn't agree more. It will probably take legal action to change this mentality. Eventually someone will sue one of the big software companies and win because a known vulnerability wasn't patched.
I really hate saying this because I am mostly libertarian and wary of too much regulation, but I think it is high time that there are regulations akin to those imposed on other engineering disciplines put into place over software that is used in 'e-infrastructure' such as banking, etc. Right now there isn't any, and thus huge multi-billion dollar companies are free to drag their feet on fixes or even outright ignore vulnerabilities that can cause serious harm to people.
Re: (Score:2)
I really hate saying this because I am mostly libertarian and wary of too much regulation, but I think it is high time that there are regulations akin to those imposed on other engineering disciplines put into place over software that is used in 'e-infrastructure' such as banking, etc.
You ask for that, but what you end up with will teach you the problems of regulations.
You will end up with some standards to follow that will slow you down, and won't make the code secure (in some cases, may make it less secure). It will be hard to change the standards, because the legislative process is slow. Large companies will get in on the process and make sure the regulations benefit them in some way (for example, Oracle might lobby that everyone be forced to use Java, because "sandboxes are more se
Be careful what you wish for (Score:5, Insightful)
I really hate saying this because I am mostly libertarian and wary of too much regulation, but I think it is high time that there are regulations akin to those imposed on other engineering disciplines put into place over software that is used in 'e-infrastructure' such as banking, etc.
Be careful what you wish for.
As a professional software developer, I find the poor choices made by big name software companies very frustrating, and I'm well aware of the cumulative damage caused when software used by many people fails.
On the other hand, if you mandate heavyweight regulation in such an industry, you're going to see prices go up significantly, and a lot of useful free-as-in-beer software would probably disappear almost overnight because the people writing it are going to be reluctant to accept engineering-level liability for work they do at charity/PR level prices.
Then you'll get some sort of approved person/recognised competency qualification, probably administered by some bureaucratic organisation with expensive membership fees and a lofty title, possibly backed by law so people can't even practise software development without jumping over the officially sanctioned barriers to entry any more, or at least such that you can't get professional insurance policies to cover your engineering-level liabilities without playing the game.
Oh, and since there are about three people on the planet who actually know how to write really robust software and they're all in very high profile jobs already, that organisation is instead going to be run (or more likely "advised" by some sort of "expert panel") by the kind of smooth-talking consultants who move from one fad to the next, making lots of money on the upside and then running away before they have to face the consequences of their expensive advice. You know, the ones who use terms like "Agile" and "software craftsmanship", but who can't manage to write a Sudoku solver or who think there are no more programming languages left.
In short, if you want to stifle genuine innovation in the industry by people who really are competing on quality or exploring better ways to write software, and ensure that all you ever get is junk written by people who are more interested in competing on compliance with "quality standards" and exploring better ways to make money from software, regulation is exactly how you do it. In time, we'll learn how to build software better and people who make the effort to do so will be able to compete on genuine quality, but until we have learned how to do that with some level of consistency, any attempt to turn software development into some sort of engineering profession is doomed.
Re: (Score:2)
Re: (Score:2)
Then you're not a libertarian, you're a hypocrite.
Re: (Score:3)
Show me a man who's "100% libertarian" and I'll show you an insane man.
If "insane" is too harsh for you, substitute with "wearing intellectual blinders". While Libertarianism portrays itself as a platform of individual rights, taken to the logical extreme all the rights become null and void as they have no bearing on your interactions with anybody else. For example, how do you resolve the good old conflict of "I have a right to speak" with "I have a right no
Re: (Score:2)
how do you resolve the good old conflict of "I have a right to speak" with "I have a right not to hear you"
wouldn't that be covered by trespass?
Re: (Score:2)
Doesn't matter. The minute you accept that the free expression of one's rights may violate another's rights is the moment you accept that there is a ground to force one of the two participants to give up their rights.
As grandparent pointed out, the very basis of Libertarianism is paradoxical, which is why extreme Libertarians always sound like nuts.
Re: (Score:2)
Ok, not as a question, then: trespass covers that.
Re: (Score:2)
Still the paradox remains: the moment you sue someone for trespass, you use the power of the State to restrict their rights.
Libertarianism in its extreme preaches a paradoxical position: individual rights reign supreme until something comes along that makes it all right to restrict them.
Re: (Score:2)
To be fair, he did say "mostly libertarian".
Show me a man who's "100% libertarian" and I'll show you an insane man.
Thank you. It's always nice to see a civil response instead of the normal ad hominems online. I posed it more as a question or a discussion topic. I don't really know the answer but it's an increasing problem. Oracle knew about this and did nothing. In just about any other industry that could lead to criminal charges, let alone a lawsuit.
I'm not a big fan of regulation but I'm mature enough to recognize that sensible regulation is sometimes needed in modern society. I am still struggling with this o
Re: (Score:3)
When a bug report is received, it gets evaluated and prioritised. It can take a non trivial time to track down and fix the bug (and any associated bugs in similar code). It takes time to test it in all the platforms and configurations (they have had to hastily recall patches in the past where the fix does more damage than the original bug).
It probably goes through some review process before being merged into the main code line (large companies can't allow anarchy with their code edits). Finally, patches are
Re: (Score:2, Troll)
When a bug report is received, it gets evaluated and prioritised. It can take a non trivial time to track down and fix the bug (and any associated bugs in similar code).
Instead of trying to rationalize and trivialize the incompetence of the companies that provide a lot of the software infrastructure that the IT industry uses, maybe your online efforts might be better served to try to effect a change in the companies providing that software infrastructure to be able to produce a timely solution that protects the users from vulns.
Re: (Score:2)
What is your solution then? Release patches that are rushed and untested? Mark everything as "top priority" so that all bugs are finished faster?
As a developer in a small team, I can get away with shipping bug fixes without having to go through a process like I described. A small team can be agile and responsive like that. But I can imagine how chaotic this would be in a large organisation. Just because you can't understand that bug fixing actually takes time means that you would be more suited to a career
Re: (Score:2)
Re: (Score:2)
Because no system is perfect. The code behind any modern operating system is far too complicated for any individual to understand. All the best intentions and best practices in the world will not completely catch all the bugs. But they do catch some, so it is worth trying to catch them.
To use a car analogy, what you said is like questioning the worth of seatbelts. Just because they don't save every life in an accident doesn't mean that it is not worth wearing them.
Re: (Score:2)
Let's carry your analogy to its conclusion...
The auto industry fought seatbelts tooth and nail and it took Congressional regulation for them to even consider them. That's part of how Ralph Nader earned his name recognition. Much like the software industry is fighting tooth and nail any attempt to make their software safe.
My way to
Re: (Score:2)
My way to fix this is much simpler. Simply make the "AS-IS" clause of their EULA null and void and allow the users to sue for the damages when their defective products really hurt real people. A few high profile suits will make them put more of a priority on these vulnerabilities.
This would probably also dramatically increase the cost of all the software, not only to pay for the lawsuits but also for all the extra development work required.
Re: (Score:2)
And I am fine with that as long as the quality goes up which it would have to when you remove the AS-IS clause. Why should software be exempt from the product liability laws?
Re: (Score:2)
I think it's more interesting to note this bug took "five months to fix", but 3 days to fix after it started showing up in point-and-click exploit kits.
Seems pretty obvious that those initial five months didn't provide enough shall we say... motivation... to fix it, until Java started taking some black eyes and gut punches. Then, the solution miraculously came about over a weekend.
Re: (Score:2)
Why can't the larger companies, e.g. Microsoft and Oracle, respond to and fix the security issues more quickly than on a timeline expressed in months?
It's because big companies like Oracle are too busy pursuing lawsuits against Google for IP infringement:
http://news.cnet.com/8301-1023_3-57526509-93/oracle-appeals-ruling-in-lawsuit-over-googles-use-of-java/ [cnet.com]
Protection of "IP" takes precedence over fixing security holes in the same "IP" every time.
Re: (Score:3)
Lawyers and PHBs do not write code (thankfully). Nor do they test builds.
Re: (Score:2)
It is the CEO of the big company who establishes priorities. If the CEO wants a security hole fixed, it will be fixed. When the CEO is personally involved in the courtroom protecting "IP":
http://www.sfgate.com/technology/article/Ellison-testifies-in-Android-suit-against-Google-3489185.php [sfgate.com]
the fixing of security holes will suffer.
Re: (Score:2)
Er, the CEO shouldn't be micromanaging all the different departments and sections of the company. He's got people below for that, and people below those etc.
The people who do product development and maintenance are not the people who would be in the courtroom. They are not the finance people, and they are not the sales/marketing people. Saying that one department being focused on lawsuits would prevent an unrelated department from doing their job tells me you've not been involved with a company larger than
Re: (Score:2)
UH, yeah. I know the large companies I was in, I was constantly getting sidetracked by having to study law so that I could lead an IP infringement suit. That's what all good corporate programmers spend their time on.
Re: (Score:2)
Why can't the larger companies, e.g. Microsoft and Oracle, respond to and fix the security issues more quickly than on a timeline expressed in months?
They can, the reason they don't is because they don't care. There are ways to do this, even in large companies.
If they wanted to do it, they would tell a middle-manager, "Fix this, test it, and get it out quickly. Your performance on this task will show up on your annual review." Then make sure he has the resources he needs to accomplish that. They didn't do this, which indicates that they don't care.
Re: (Score:2)
You cannot draw that conclusion so simply. You have to remember that their first priority is to ship solid, full-feature software.
Yes I can, I'm an experienced professional and I know what it takes. Java is well known to have an extensive automated testing suite, further simplifying the task. If Larry says it's a priority, it will get fixed.
Oracle is facing a problem that many good engineers who used to work at Sun have left. It is likely they are understaffed with the people necessary to maintain their systems, and the remaining people are having trouble making good priorities.
Re: (Score:2)
Why can't the larger companies, e.g. Microsoft and Oracle, respond to and fix the security issues more quickly than on a timeline expressed in months?
They probably had a fix in the drawer since months but didn't release it in order to give the impression to be able to react quickly once the vuln is public. This makes the company look good to consumers and the press, and it pads statistics that measure reaction time to vulnerabilities. Everyone is doing it. Publicity first, consumer last.
Re: (Score:2)
Why can't the larger companies, e.g. Microsoft and Oracle, respond to and fix the security issues more quickly than on a timeline expressed in months?
They are a corporation and have no profit incentive to act faster?
Or more specifically, risk to customers and ill-will generated doesn't cause a large enough monetary impact to the corporation than the cost to fix the problem?
Until now, when the issue is out and actively exploited in malware kits.
Disaster (Score:5, Interesting)
Re: (Score:2)
seriously, you write applets for a living?
otherwise you're barking up the wrong tree.
Re: (Score:2)
Re: (Score:3, Insightful)
Then you (or your sales people) need to explain to your customers that the vulnerabilities only apply to applets. Tell them how your desktop applications aren't a vulnerability. Extend your installation docs to cover how to install a JRE for desktop use and disable it in all the browsers.
This "four legs is good, Java is bad" meme is obstructive but good advice can beat it down.
Re: (Score:2)
Mod up.
Re: (Score:2)
There is no way in hell I could recommend taking a team of Java developers and getting them to port their application to C++. Actually I've seen this attempted back in 2003, and it ended up generating a bunch of
Re: (Score:2)
If you port it to C++ and you have vulnerabilities, they will at least be *your* vulnerabilities and you can fix them.
With Java you're effectively hamstrung until Oracle pulls their finger out and fixes them.
Now, which situation would you rather be in? Noting that C++ isn't insecure by default, and isn't as difficult as it's made out to be once you know what you're doing.
Re: (Score:2)
Re: (Score:2)
you should just package a jre with your application.
replicatorg does this, arduino ide does this and a bunch of other applications as well. sure it'll bloat your installation by 90mbytes but seems worth it for avoiding an install link to oracle's web...
Re: (Score:2)
Sure, rewriting the applications would take some time, but I think you'll find that you'll spend less time rolling out a C++ application than you would a Java application. There are so many more things that can go wrong with Java than a standard C++ application. And I'm not sure why you even mention having to make sure their machines are up-to-date. That's a bigger issue with having to rely on the JVM than the C++ libraries that get compiled into the application or are dynamically linked in and most insta
Re: (Score:2)
Sure, rewriting the applications would take some time, but I think you'll find that you'll spend less time rolling out a C++ application than you would a Java application. There are so many more things that can go wrong with Java than a standard C++ application. And I'm not sure why you even mention having to make sure their machines are up-to-date. That's a bigger issue with having to rely on the JVM than the C++ libraries that get compiled into the application or are dynamically linked in and most installers can chain in the C++ runtime libraries (that can be set to be application specific or system wide installation -- obviously app specific causes less headaches).
Have you coded any huge +1 million lines of code projects before?
There is a reason developers fled C++ to Java back in the 1990s until recently. It doesn't make sense to go back to C++.
Re: (Score:2)
There is a reason developers fled C++ to Java back in the 1990s
yes, coolness. Java was "cool" and so everyone wanted to stop supporting their crappy C++ apps and wanted to do a big rewrite in the cool new system, and so wrote crappy Java apps instead.
I would hope the industry has grown up enough that they could go back to C++ and write boring, but good, apps.. but I imagine they'll just write crappy C# (or worse) apps.
Re:Disaster (Score:5, Insightful)
There are so many more things that can go wrong with Java than a standard C++ application.
I think you grossly underestimate C++'s ability to go wrong :^)
Re: (Score:2)
The alternative we use on Windows is to include a jre with the app. That way our jre is only used by our app. It is not installed as a jre in windows so windows doesn't see the jre as an independent app.
And then we can just install our app as any other app using InstallShield, or any other installer you want. And we don't have to think about compatibility with other versions of jre/jdk.
Too Late Now (Score:5, Interesting)
Re: (Score:2)
Java is a really shitty client language. It works, but it's not going to offer a good user experience. Which is why outside of the enterprise or software development environment, nobody really uses it. And I'm talking about applications. On the browser, they lost to Flash ten, fifteen years ago.
At this point, I don't even know why the installer tries to hook onto every browser on the machine. Sure, everybody should have a JRE installed, because there is the occasional niche program that will need it. But a
Re: (Score:2)
1) Huge number of people uses it for various specialised desktop application software. Java is still best crossplatform IT has to offer. No, HTML5 can't do all of it, however it works towards that goal. Java probably will be gone in next 5 years, but not in near future;
2) Applets are used here and there, but also very specific applications. Flash can't cover all areas, especially with specific code which doesn't cover graphics; Still, I agree, Java applets are nightmare to manage from security POV, and las
Any announcement of policy changes in Oracle? (Score:5, Insightful)
Their rep and that of Java took a huge punch in the gut. I'm a long time Java developer and I'm fuming at the way Oracle has handled this. When non-techies are associating Java with hacking, this is terrible news for the language and platform. It won't be long before the pointed-headed bosses start calling down to their IT shops making sure "we got all the java out of the computers."
Re: (Score:2, Interesting)
Their rep and that of Java took a huge punch in the gut. I'm a long time Java developer and I'm fuming at the way Oracle has handled this. When non-techies are associating Java with hacking, this is terrible news for the language and platform. It won't be long before the pointed-headed bosses start calling down to their IT shops making sure "we got all the java out of the computers."
It's already happening. I work as SDM for a major outsourcing company and our clients' PHBs are requesting we throw java out as soon as we can eliminate the software that depends on it. I have had three such calls today, and they are for organisations with 10k+ computers. Oracle are really hurting Java with this bad PR.
Is OpenJDK also affected? (Score:2)
I'm interested if OpenJDK is also affected by this exploit or is it only the Oracle JRE?
Since Java 7 OpenJDK is now the reference implementation of Java. Linux ships of course with OpenJDK but you can still install Java from Oracle.
Re: (Score:2)
Depends on whether the vulnerability is in the JRE or the core libraries. The browser plugin, web start, the auto updater, tray icon, control panel etc as found on the Windows install are Oracle-proprietary.
Red Hat (& other contributors) have coded open source substitutes for applets and jnlp applications but I haven't seen info as to whether these IcedTea components are at risk.
OS X version is Lion + (Score:2)
So everyone clinging to Snow Leopard and below (even though they remain the bulk of Mac OS installs in use [OSX version graph [chitika.com]]) are left hanging in the wind.
GJ Oracle.
Re:OS X version is Lion + (Score:4, Informative)
Backporting security fixes to an old OS X release isn't feasible for Oracle because they don't own the particular codebase that targeted Snow Leopard and earlier. Apple forked the JDK under a commercial license from Sun back in the day, incorporating OS X specific implementation details, which for earlier Java releases lies in Apple HQ.
When Apple handed over the reins to Oracle, any code they contributed back to the OpenJDK codebase would have been for the then current OS X revision (Lion) and thus likely unportable to Snow Leopard without modification. Code "Soy Latte" existed some 4 years ago as a community effort to port OpenJDK to OS X 10.5 and later but this was never the "official" port used by Apple.
Were Apple any better during their stewardship of Java? I seem to remember JRE versions were tied to releases of OS X. Our efforts to develop a Swing application were stifled because our user base (e.g. schoolkids with iBooks) were stuck forever on Java 1.5.
So blame Oracle but some of the blame goes back to Jobs, who in later years did much to sideline Java.
subject (Score:5, Insightful)
No, I don't want the fucking Ass Toolbar installed, Oracle. Thanks for asking.
Re: (Score:2)
Re: (Score:2)
Odd, as I have regularly run into it when cleaning up people's computers.
Re: (Score:2)
The JRE, or just the JDK?
For a -loooong- time the JRE gets installed in a place like c:\program files\java\jre[5,6,7]
However, the JDK if you have that, gets its full version in the path. So when that is updated, the old version remains.
Re: (Score:2)
Malware often masquerades as versions of Java since Java requires all the things malware does. Hence, when you're cleaning up people's computers you will find lots of odd versions of java. This is evidence the machine is completely hosed.
When there is malware on a Windows PC, back it up and do a DBAN. Then build new starting from an official Microsoft .ISO and add verified OEM drivers. It is the only way to be sure. Then run a solid AV scan on the backed-up user content from a trusted PC before you pu
Re:Leftovers (Score:4, Informative)
Older versions of Java defaulted to side-by-side installation mode, which was then kept even after newer releases were installed on top.
Newer versions default to in-place upgrade mode instead.
It's poorly documented, and as far as I know, the only way to fix it is to completely uninstall and re-install the latest version.
Re:What about Java 6 (et al)? (Score:5, Informative)
Re: (Score:2)
It isn't cool to force users to do a major version downgrade just to get a security patch.
Re: (Score:2, Insightful)
So they give you something for free, choose to dictate how they will support this something and you complain?
No wonder these companies gouge on the licensing where they can, ppl like you will demand an inch and take a mile.
Re:What about Java 6 (et al)? (Score:4, Insightful)
So they give you something for free, choose to dictate how they will support this something and you complain?
No wonder these companies gouge on the licensing where they can, ppl like you will demand an inch and take a mile.
Nobody said that owning a 'platform' was a fun job. It's high blame, low praise, your undemanding customers have a willingness to pay hovering around $0, your customers who are willing to pay have a list of whiny demands about 'compatibility' and such. That's just how these things roll. Is it worth it to you to suck it up and reap the rewards, or is a different category of software a better fit?
It honestly looks like (consumer) in-browser java is nearly dead, and the JVM isn't as lively on the client side as it once was, so Oracle might not have to decide whether they are in the 'platform' business in that area. The general point still stands. "Platform" is not a pretty category of software to be responsible for, it just sometimes happens to be lucrative enough to be worth it.
Re: (Score:2, Offtopic)
I think Double.NaN is your problem here... Not Java.
If an API call doesn't sanitize/check its input but causes a core dump, then it's the API problem, not the callers'.
Re: (Score:2)
I was going to say "do you have a link for those", but then I realized what I was asking for :)
On the other hand, it wouldn't make a difference - I doubt Mozilla or Apple will whitelist the new version.