Java Oracle Security

Oracle Ships Java 7 Update 11 With Vulnerability Fixes

An anonymous reader writes "After announcing a fix was coming just yesterday, Oracle on Sunday released Java 7 Update 11 to address the recently disclosed security vulnerability. If you use Java, you can download the latest update now from the Java Control Panel or directly from Oracle's website here: Java SE 7u11. In the release notes for this update, Oracle notes this version "contains fixes for security vulnerabilities." A closer look at Oracle Security Alert for CVE-2013-0422 details that Update 11 fixes two vulnerabilities."
This discussion has been archived. No new comments can be posted.

  • by QuietLagoon ( 813062 ) on Sunday January 13, 2013 @10:24PM (#42578501)
    A vuln that apparently was first reported in August 2012 [seclists.org] is finally fixed (maybe) in January 2013.

    Why can't the larger companies, e.g. Microsoft and Oracle, respond to and fix the security issues more quickly than on a timeline expressed in months?

  • by dreamchaser ( 49529 ) on Sunday January 13, 2013 @10:29PM (#42578525) Homepage Journal

    I couldn't agree more. It will probably take legal action to change this mentality. Eventually someone will sue one of the big software companies and win because a known vulnerability wasn't patched.

    I really hate saying this because I am mostly libertarian and wary of too much regulation, but I think it is high time that there are regulations akin to those imposed on other engineering disciplines put into place over software that is used in 'e-infrastructure' such as banking, etc. Right now there isn't any, and thus huge multi-billion dollar companies are free to drag their feet on fixes or even outright ignore vulnerabilities that can cause serious harm to people.

  • by Anonymous Coward on Sunday January 13, 2013 @11:14PM (#42578743)

    So they give you something for free, choose to dictate how they will support this something and you complain?

    No wonder these companies gouge on the licensing where they can, ppl like you will demand an inch and take a mile.

  • by Anonymous Brave Guy ( 457657 ) on Sunday January 13, 2013 @11:37PM (#42578855)

    I really hate saying this because I am mostly libertarian and wary of too much regulation, but I think it is high time that there are regulations akin to those imposed on other engineering disciplines put into place over software that is used in 'e-infrastructure' such as banking, etc.

    Be careful what you wish for.

    As a professional software developer, I find the poor choices made by big name software companies very frustrating, and I'm well aware of the cumulative damage caused when software used by many people fails.

    On the other hand, if you mandate heavyweight regulation in such an industry, you're going to see prices go up significantly, and a lot of useful free-as-in-beer software would probably disappear almost overnight because the people writing it are going to be reluctant to accept engineering-level liability for work they do at charity/PR level prices.

    Then you'll get some sort of approved person/recognised competency qualification, probably administered by some bureaucratic organisation with expensive membership fees and a lofty title, possibly backed by law so people can't even practise software development without jumping over the officially sanctioned barriers to entry any more, or at least such that you can't get professional insurance policies to cover your engineering-level liabilities without playing the game.

    Oh, and since there are about three people on the planet who actually know how to write really robust software and they're all in very high profile jobs already, that organisation is instead going to be run (or more likely "advised" by some sort of "expert panel") by the kind of smooth-talking consultants who move from one fad to the next, making lots of money on the upside and then running away before they have to face the consequences of their expensive advice. You know, the ones who use terms like "Agile" and "software craftsmanship", but who can't manage to write a Sudoku solver or who think there are no more programming languages left.

    In short, if you want to stifle genuine innovation in the industry by people who really are competing on quality or exploring better ways to write software, and ensure that all you ever get is junk written by people who are more interested in competing on compliance with "quality standards" and exploring better ways to make money from software, regulation is exactly how you do it. In time, we'll learn how to build software better and people who make the effort to do so will be able to compete on genuine quality, but until we have learned how to do that with some level of consistency, any attempt to turn software development into some sort of engineering profession is doomed.

  • by fuzzyfuzzyfungus ( 1223518 ) on Monday January 14, 2013 @12:33AM (#42579139) Journal

    So they give you something for free, choose to dictate how they will support this something and you complain?

    No wonder these companies gouge on the licensing where they can, ppl like you will demand an inch and take a mile.

    Nobody said that owning a 'platform' was a fun job. It's high blame, low praise, your undemanding customers have a willingness to pay hovering around $0, your customers who are willing to pay have a list of whiny demands about 'compatibility' and such. That's just how these things roll. Is it worth it to you to suck it up and reap the rewards, or is a different category of software a better fit?

    It honestly looks like (consumer) in-browser java is nearly dead, and the JVM isn't as lively on the client side as it once was, so Oracle might not have to decide whether they are in the 'platform' business in that area. The general point still stands. "Platform" is not a pretty category of software to be responsible for, it just sometimes happens to be lucrative enough to be worth it.

  • Re:Disaster (Score:5, Insightful)

    by Jeremi ( 14640 ) on Monday January 14, 2013 @01:46AM (#42579509) Homepage

    There are so many more things that can go wrong with Java than a standard C++ application.

    I think you grossly underestimate C++'s ability to go wrong :^)

  • by GodfatherofSoul ( 174979 ) on Monday January 14, 2013 @03:14AM (#42579835)

    Their rep and that of Java took a huge punch in the gut. I'm a long time Java developer and I'm fuming at the way Oracle has handled this. When non-techies are associating Java with hacking, this is terrible news for the language and platform. It won't be long before the pointed-headed bosses start calling down to their IT shops making sure "we got all the java out of the computers."

  • by Mike Frett ( 2811077 ) on Monday January 14, 2013 @04:44AM (#42580103)
    Yes, people tend to forget Minecraft is popular and uses Java. There are also Webcam sites that are very popular with the Porn crowd that use Java. If you want people to ditch Java, then you need to fix the reason WHY they need it. Instead of coming here and pushing your views about how you managed to avoid Java, because after all it's your opinion and the last time I checked; It's no one else's.
  • Re:Disaster (Score:3, Insightful)

    by Anonymous Coward on Monday January 14, 2013 @05:38AM (#42580255)

    Then you (or your sales people) need to explain to your customers that the vulnerabilities only apply to applets. Tell them how your desktop applications aren't a vulnerability. Extend your installation docs to cover how to install a JRE for desktop use and disable it in all the browsers.

    This "four legs is good, Java is bad" meme is obstructive but good advice can beat it down.

  • subject (Score:5, Insightful)

    by Legion303 ( 97901 ) on Monday January 14, 2013 @06:25AM (#42580381) Homepage

    No, I don't want the fucking Ass Toolbar installed, Oracle. Thanks for asking.
