Bug Java Oracle Security

Security Expert Says Java Vulnerability Could Take Years To Fix, Despite Patch 320

Posted by samzenpus
from the long-road-coming dept.
An anonymous reader writes "After the Department of Homeland Security's US-CERT warned users to disable Java to stop hackers from taking control of users' machines, Oracle issued an emergency patch on Sunday. However, HD Moore, chief security officer of Rapid7, said it could take two years for Oracle to fix all the security flaws in the version of Java used to surf the web; that timeframe doesn't count any additional Java exploits discovered in the future. 'The safest thing to do at this point is just assume that Java is always going to be vulnerable,' Moore said."
  • Two years? (Score:5, Interesting)

    by schneidafunk (795759) on Monday January 14, 2013 @12:33PM (#42583183)
    It looks like he randomly pulled a time frame. I cannot find an explanation for the two year estimate.
  • So? (Score:4, Interesting)

    by Hatta (162192) on Monday January 14, 2013 @12:36PM (#42583221) Journal

    Running programs from untrusted sources has always been inadvisable. I run Java every day, and I'm not worried at all about getting compromised. Apps like ImageJ or UGENE, if they weren't written in Java, would be written in a native language, which would be just as dangerous to install. So don't be an idiot and run programs from random websites and you'll be fine.

  • OpenJDK (Score:2, Interesting)

    by Anonymous Coward on Monday January 14, 2013 @12:45PM (#42583323)

    Are those security flaws also affecting OpenJDK 6 and/or 7?

  • by Zero__Kelvin (151819) on Monday January 14, 2013 @12:51PM (#42583403) Homepage
    That's not specific to Sun/Oracle's JVM Implementation, but goes for all software, at all times.

    "it could take two years for Oracle to fix all the security flaws in the version of Java used to surf the web" ... "The safest thing to do at this point is just assume that Java is always going to be vulnerable,"

    This guy isn't a security expert. He doesn't even know that Java is a programming language, and that Oracle's JVM is not "a version of Java used to surf the web". No self-respecting expert would misuse terms the way he is, and he should be sued for doing it. It leads to ridiculous situations where people think Java is inherently bad. I mean, isn't Android based on Java? OMFG ... don't get one of those! Haven't you heard? Java is vulnerable to attack! If the writer got what this guy said correct, then this guy is either shilling for Apple or Microsoft against Google/Android, hates Oracle, or is phenomenally incompetent.

  • by Anonymous Coward on Monday January 14, 2013 @12:54PM (#42583431)

    I find it strange that I can install a Flash blocker that allows me to whitelist certain websites, but that similar functionality seems to be missing for Java... the easy answer is to not allow Java to run unless the site, or even the specific URL, is in a whitelist.

    The Java engine should check whether the code it is about to execute is from a whitelisted location before it executes it. If the code is not, it should warn the user, perhaps prompting to add the site.

    That way your banking and e-commerce sites would still work easily, while the "bad guys" would at least have to successfully social-engineer you into adding their site, a situation much better than what we currently see, where all you have to do is inadvertently browse to a web page with compromised Java applets embedded.
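An added illustration of the origin check the comment above proposes (example code, not from the thread or from any real Java plugin): the applet's codebase URL is parsed into a scheme and host and compared against an explicit allowlist; anything that does not match, including malformed URLs, gets a "prompt" decision rather than a silent run. The allowlist entries and URLs are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample allowlist of (scheme, host) origins the user approved.
# Subdomains are only accepted when the entry says so with a leading "*.".
ALLOWLIST = {
    ("https", "bank.example.com"),
    ("https", "*.shop.example"),
}


def origin_of(codebase_url):
    """Return (scheme, host) for an applet codebase URL, or None if malformed.

    urlsplit().hostname strips userinfo and port, so a URL such as
    https://bank.example.com@evil.test/ yields the real host, evil.test.
    """
    parts = urlsplit(codebase_url)
    if not parts.scheme or not parts.hostname:
        return None
    return parts.scheme.lower(), parts.hostname.lower()


def host_matches(pattern, host):
    """Exact host match, or suffix match when the entry starts with '*.'.

    A plain substring test would also accept bank.example.com.evil.test;
    matching on the parsed host with an explicit dot boundary avoids that.
    """
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # ".shop.example"
    return host == pattern


def applet_decision(codebase_url, allowlist=ALLOWLIST):
    """'run' if the codebase origin is allowlisted, otherwise 'prompt'."""
    origin = origin_of(codebase_url)
    if origin is None:
        return "prompt"
    scheme, host = origin
    for allowed_scheme, allowed_host in allowlist:
        # Scheme is part of the origin: an https entry must not cover http.
        if scheme == allowed_scheme and host_matches(allowed_host, host):
            return "run"
    return "prompt"
```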

  • Re:Two years? (Score:5, Interesting)

    by Zocalo (252965) on Monday January 14, 2013 @12:54PM (#42583437) Homepage
    Possibly, but it could also have something to do with Oracle's announcement that Java will be getting regular updates on a two year schedule [computerworld.com]. Maybe he's just assuming it's going to take a major iteration - from the v8.x series due in September to the next release, v9.x to completely fix this class of flaws.
  • Reflection API (Score:3, Interesting)

    by RedHackTea (2779623) on Monday January 14, 2013 @01:49PM (#42584033)
    So after following the rabbit hole, the article links here [security-e...ations.com] (see PDF) and here [security-e...ations.com] (same site, just "codes" for the issues) while exclaiming about 50 issues in Java! If you cut out the fluff, the only issue is the Reflection API. C# will and does have the same exact vulnerabilities. And after looking through it, it wouldn't take 2 years to apply these "fixes"; however, some "fixes" remove Java functionality, so it will never be "fixed" because why remove functionality. Any language can do bad things. We can only hope that the general public doesn't read this shill crap.

    However, I admit that this is also a good thing to hopefully encourage Oracle to provide quicker updates/patches/etc.

    I still don't see a mass migration to other languages happening. JAXB (and annotations in general) is one of the best things Java ever invented. I have yet to find a language with features that make XML reading/writing as easy as JAXB. Unicode, i18n, and l10n were well-done from the beginning. Even though people laugh at the notion of byte code and the cross-platformness of Java, I still have yet to see another language do this better. Java will die when either a better solution emerges or enough corporate shill kills it.

    And I still don't understand why Linux is being bogged down with C# mono programs such as Banshee, TomBoy, etc. Don't get me wrong, these are great programs, but why not write them in a language that is more open? It would have been just as easy to do these in Java with GTK+.

    /endrant
  • by msobkow (48369) on Monday January 14, 2013 @02:52PM (#42584659) Homepage Journal

    Of course there are hundreds or thousands of native API calls made by the Java stack.

    Sooner or later you have to talk to the OS.
