Security Expert Says Java Vulnerability Could Take Years To Fix, Despite Patch
An anonymous reader writes "After the Department of Homeland Security's US-CERT warned users to disable Java to stop hackers from taking control of users' machines, Oracle issued an emergency patch on Sunday. However, HD Moore, chief security officer of Rapid7, said it could take two years for Oracle to fix all the security flaws in the version of Java used to surf the web; that timeframe doesn't count any additional Java exploits discovered in the future. 'The safest thing to do at this point is just assume that Java is always going to be vulnerable,' Moore said."
Re:So long/The way the future was (Score:5, Funny)
This might seriously impede the Year of Java on the Desktop
Re:Two years? (Score:0, Funny)
Put away the hard-on for Larry Ellison and calm down.
Re:WTF is the deal with Java and being so insecure (Score:0, Funny)
JavaScript has NOTHING to do with Java.
Actually, they're both rather mediocre programming languages in their own miserable ways. They have that in common.
Re:Browser Plugins are Always Vulnerable (Score:4, Funny)
But there are also well-documented CSS vulnerabilities [metasploit.com], XUL exploits [secunia.com] and even one in a JPG parser [verisigninc.com].
Should we disable those as well? Are you part of some guerrilla marketing campaign to bring back Lynx?
Re:Java used to be secure and sandboxed (Score:5, Funny)
This is absolutely not true. This vulnerability was a zero-day exploit. Zero-day means, by definition, nobody knew about it except the guys who wrote the exploit. We learned about this exploit last Thursday and had a fix on Sunday. Folks were up working around the clock to get the fix out.
We take security exploits incredibly seriously. Three times a year Oracle produces "critical patch updates" and we're working hard to clear out every bug from our backlog related to security, at the expense of new feature development. The suggestion that Oracle doesn't care about fixing these security problems is simply not true.
Re:Browser Plugins are Always Vulnerable (Score:4, Funny)
Personally I'd vote for bringing back gopher! And if that means we "lose" that blinged-out "web-2.0" crap, it's not a day too soon.