Latest Java Update Broken; Two New Sandbox Bypass Flaws Found

msm1267 writes "Oracle's long security nightmare with Java just gets worse. A post to Full Disclosure this morning from a security researcher indicated that two new sandbox bypass vulnerabilities have been discovered and reported to Oracle, along with working exploit code. Oracle released Java 7u11 last Sunday and said it fixed a pair of vulnerabilities being exploited by all the major exploit kits. Turns out one of those two bugs wasn't completely patched. Today's bugs are apparently not related to the previous security issues."

Re:Enough Already

[arth1]

Someone, please put Java in the browser out of our misery.

As a sysadmin, I say someone please put Java outside the browser out of my misery.
"Oh, the system has 24 GB RAM, that means I, Java, can hog 18 GB by default, no problem!", followed by anguish from users who neither understands NUMA nor cgroups, and wonder why their java "creations" are killed by the system.

Re:Enough Already

[CodeReign]

That's not how java works. Java has a very small memory footprint by default. This is why running minecraft requires you to run java -Xmx6G minecraft_server.jar so you can use upto 6GB

Re:The same old story

[sjames]

Reflection is extremely useful given a language that considers it a first class feature rather than a bolt-on. Duck typing, for example,is a specific application of reflection. In turn, duck typing can actually fulfill the promise of reusable code that OOP promises but rarely delivers.

Re:Just let it die already

[The Moof]

It's the screwy way Windows does network trust. The "Internet Options" from the control panel is actually IE's preferences. This is also the place you set up trusted zones, allowing network applications or applications downloaded from external sources to run on the OS.

Like I said, it's screwy.

Re:The same old story

[AuMatar]

Its major use is to avoid busy work for the programmer. An example is ORM where the program can analyze what fields a class has and figure out what data types those fields are and build sql querries from it. Another example is xml/json parsing, where you can pass in a json string and a class definition and have it match all of the fields in the json to members in the class. You can spend 15 minutes writing annoying boilerplate code or 15 seconds making 1 method call.

Re:Enough Already

[Above]

I would love to banish Java from all of my machines never to see it again. Most of the uses for Java are well, useless to me, HOWEVER....

There are a few things I do that require Java and even if I wanted to badger my vendors to do them in some other cross platform way I'm not sure how they could. The two I regularly use are access to IPMI cards and Cisco WebEx. Both do things that as far as I can tell can't simply be done in a browser with HTML5 and JavaScript.

If someone had a good solution for those sorts of things I would dump Java in a heartbeat.

Re:Enough Already

[Anonymous Coward]

in defense of both sysad and java, there are developers which just tink that garbage collection is magic and create a memory problem where there is none

Re:The same old story

[K. S. Kyosuke]

I would omit the "sub-class" part of your post. This is about substitutability, and that is all about subtyping, whereas subclassing is about representation and implementaiton. You can have a subclass that is not a subtype (per LSP, at least, although most OO languages like to pretend in their type systems that subclasses are always subtypes), and a subtype that is not a subclass (which is typical with interfaces).

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Enough Already

[roman_mir]

The user has to set memory limits for the application, either using to much memory or too little, and the memory used is based on the usage for the application so that it is always a possibility to run out of memory for a Java application even if you have enough memory on your machine. This is a major usability and design flaw in Java.

- I agree, it's terrible that you have to tell the VM how much memory it is allowed to take from the physical box it is running on.

Oh, wait.

That's like every VM, at least every VM that runs on a server. Seriously, you have limits on how much memory is set to a specific VM. You think that's the wrong approach for a VM?

--

Now, maybe there should be a way to tell JVM upfront that you want it to be bound only by the underlying OS and the memory that it can give to the JVM, that I actually agree with.

Re:Enough Already

[Anonymous Coward]

If there were no limit then Java would consume all the memory on the machine (in fact it seems to do this even with limits).

Java sucks.

Re:Enough Already

[TopSpin]

Java has a very small memory footprint by default.

Erm. No. Just no.

class Main { public static void main(String[] args) { while (true); } }

(jdk 1.7.0.6 x86_64 linux)

17M resident for that. 0.5G of virtual address space. The only other class referenced is java.lang.String.

The equivalent Perl is 1.7M. Node.js is 9M. Python is 4M. TCL is 1.9M.

EVERYTHING uses less RAM than bleeping Java. A lot less. And this isn't some fail test where Java gets better as applications scale. Go look over here [debian.org] and observe how almost every other language consumes less memory across a wide variety of algorithms. Anecdotal evidence from any app server admin will corroborate this.

Java is a RAM pig and it always has been. The problem, at least regarding initial memory footprint (and start-up time), is excessive class loading. This is not opinion [mreinhold.org]. There has been a project [java.net] to correct it on the books for almost four years [google.com].

Like everything else with Java, it has been neglected [dzone.com]. Supposedly the results will appear in JDK 9..... sometime in 2015.

And don't cite Android as some exception. Dalvik isn't JRE.