Oracle Responds To Java Security Critics With Massive 50 Flaw Patch Update 270
darthcamaro writes "Oracle has been slammed a lot in recent months about its lackluster handling of Java security. Now Oracle is responding as strongly as it can with one of the largest Java security updates in history. 50 flaws in total with the vast majority carrying the highest-possible CVSS score of 10."
OK (Score:1, Insightful)
Now please start working on an ARM version for my Surface RT.
Too late (Score:5, Insightful)
The knee-jerk reaction of getting the patches for Java out now following public criticism is not going to make up for their previous apparent disinterest in supporting the platform. The damage they have done to the reputation of Java is incalculable, and I for one as a C++ programmer thank them for it!
Confused. (Score:5, Insightful)
I'm not sure how I feel about this;
1. Good. It's awesome that Oracle are finally taking notice of java security issues and doing something positive.
2. Bad. That's a lot of CVSS2.0 score 10 bugs they've been letting slide.
3. Confused. How many more are there?
Re:Java sucks. (Score:5, Insightful)
I like the way it took a Federal agency (DHS) to recommend deinstalling Java before Oracle did anything.
I think the Fed recommendation stands. Stop using Java.
Re:Clean up your shit, Oracle. (Score:5, Insightful)
I know Oracle didn't write Java to being with but they sure had a hard-on to acquire it, presumably so soak up profits by wedging themselves in to yet more enterprise services. I'd like them to take ownership of this issue and really hammer out these nasty problems.
Didn't they just do exactly that? Granted there are probably still lots of other unannounced issues, but this is a good step in the right direction.
Re:Java sucks. (Score:4, Insightful)
Does another patch change the fact that Java runs slower than new programming languages like Nimrod [nimrod-code.org], which let developers accomplish the same tasks in far less code?
there's a new latest greatest language every 6 months. customers don't like to re-write their platforms every 6 months when language X goes out of favor and they can't hire people to maintain their code or get updates for the runtime / tools.
do you think it's possible that nimrod also has security flaws, but they haven't been exposed ... consider the usage of java vs. nimrod and therefore the interest of hackers in finding the security flaws?
Re:Confused. (Score:5, Insightful)
3. Confused. How many more are there?
I'm sure there are enough that I feel fairly confident in my advice to just not install Java unless you really, really need it. Which, unless you're a developer or a Minecraft addict, you really don't.
So I have the JDK installed, but the plugin disabled. (Well, I have the 64-bit JDK installed and use 32-bit Firefox, which works well enough on that front.)
Where there are 50 found... (Score:4, Insightful)
There are probably 500 unaddressed.. you know...
Oracle's you know... rearranging the deck chairs on the Titanic. plugging a few of the small leaks here in there. Doesn't mean the ship is saved:)
Recall Cisco just released this big 2013 annual security report the other day, showing Java exploit as a #1 infection vector for malware.... :)
They managed to let 50 critical flaws unpatched??? (Score:4, Insightful)
I wonder how many are still open after this publicity stunt and how many they did patch badly (as before), but now the attackers know what to look at.
Lets face it: Java is a mess. Use in anything but protected environment where the Java code and runtime cannot be attacked is highly unprofessional and borders on gross negligence.
Re:Clean up your shit, Oracle. (Score:5, Insightful)
Oracle's behavior isn't really making me want to go out and seek other Oracle products. And fuck, if I can't escape this piece software at work.
Two good points, and the later is why Oracle doesn't care about the former.
Re:*sigh*.... Java... (Score:5, Insightful)
You forget the place that Java has had the most success: Enterprise computing.
I'll agree that the sum total of the Java Plugin + JDK Libraries + JVM provides too much opportunity to attack on the desktop / web app space. There's simply too many flaws in the plugin and libraries. The JVM itself, though, is very solid (fewer than 10 major flaws over 15 years).
However, Java as a middleware platform is simply far better than any of the alternatives, and that's where I expect it to remain. Insulated from the types of attacks that render Java dangerous on the desktop, middleware app servers play directly to Java's big strengths: speed, ease of development, and massive library support, plus a framework which helps discourage the types of coding flaws that hurt middleware computing the most. Java will likely remain king of middlewhere for a long time, and deservedly so.
On the desktop or as a downloadable app, well, yes, Java is simply never going to measure up to the better cross-platform alternatives.
-Erik
Re:Too late (Score:5, Insightful)
It is good that they released the patches, but since they waited until DHS actually suggested uninstalling it (and all the implications of that) to do so, it doesn't inspire much confidence. If they want to rehabilitate their reputation, they're going to have to be MUCH more proactive about security and it will take a while to convince people.
Re:Effectiveness of a cop... (Score:2, Insightful)
Re:The stupidity hurts my head. (Score:4, Insightful)
On what screwed up platform is this?
Seriously, I have 1.6.0_39 and 1.7.0_13 happily running together on all the platforms that I'm responsible for (Linux, Windows, UNIX of various flavors).
This patch was rather important in that there are some server side security issues being patched as well as browser plugin issues.
I'm seeing all of this hate, but you know what, I just don't get it. Software of any complexity has bugs. Microsoft used to be the champion of security exploits. Now it's Java. And lest anyone forget, there are myriads of PHP / Ruby / Python security bugs that allow systems to be exploited. I'm not even sure that there's a secure Ruby on Rails platform at this point, for example. I don't know for certain about Ruby, since the only Ruby platform I have right now is for Redmine.
I guess though everyone likes the Faux News mentality of computer security reporting. It garners page clicks, makes people feel important and is a lot easier than actually doing any work. It's like the hit piece someone at InfoWorld did on a Spring Framework bug that could possibly be exploited (albeit not very easily). The sensationalist piece completely overlooked the fact that the issue had been addressed over a year ago. The "journalist" at InfoWorld was too busy jumping on the "all things Java are evil and insecure" bandwagon to do the tiny bit of research needed to write intelligently about the problem . . .
Just like people are now doing about the current issue . . .
My favorite comment so far has been along the following lines
Sure, they may have fixed these security flaws, but there's no guarantee that this will fix future security flaws. It's better that you just go ahead and uninstall Java now.
Sure, [insert-least-favorite-software-of-the-day] may be patched now, but will it remain patched?
I thought at least professionals were a bit more intelligent than this. I guess not.
Re:OK (Score:4, Insightful)