Oracle Responds To Java Security Critics With Massive 50 Flaw Patch Update 270

Posted by timothy
from the no-more-jeans-all-patches dept.
darthcamaro writes "Oracle has been slammed a lot in recent months about its lackluster handling of Java security. Now Oracle is responding as strongly as it can with one of the largest Java security updates in history. 50 flaws in total with the vast majority carrying the highest-possible CVSS score of 10."
  • Re:Java sucks. (Score:5, Interesting)

    by mark-t (151149) <markt@ l y n x.bc.ca> on Friday February 01, 2013 @07:33PM (#42767501) Journal

    Ask IBM.

    Substantial portions (>80%) of Watson are written in Java.

    The remainder is C++ and, of all things, Prolog.

  • *sigh*.... Java... (Score:5, Interesting)

    by wierd_w (1375923) on Friday February 01, 2013 @07:50PM (#42767655)

    I like the *idea* of java.... but I don't like java.

    It has been my experience, even way back when the JVM was owned by SUN, and when MS tried their crazy IE only "not really a real JVM but we say it is!" Bull--- that the JVM was a festering turd, that was slow, carried around a lot of baggage, and was a vector through which malicious programs could be executed in secret due to its bugs.

    Granted, that is just an anecdote. So, here's some old, tinned bugs from days of yore... clicky. [ait.ac.th]

    As far as I can tell, Java has always been a very attractive target for malefactors who want to run malicious executable code on remote systems, because the innate abstraction provided by the JVM makes it an ideal incubator for that malware. As such, malefactors have consistently looked for, found, and exploited holes in Java to accomplish their nefarious tasks, despite the JVM dev team's best efforts.

    In short, Java has always been a security risk. The question I have always asked myself is if the benefits of that security risk outweigh the benefits. So far, my answer has always been "no" when it comes to desktop computing. For the originally intended ecosystem that Java was made for (things like portable computers, set top boxes, and custom computing devices), java is a godsend that makes development time get spent more efficiently. For a mostly monolithic desktop hardware space, java doesn't make nearly as much sense, and carries with it a very large attack surface.

    In short, I would rather do without your software, than expose myself to java's attack surface, if you refuse to write your software in a properly portable fashion, and choose to rely exclusively on the JVM.

    If you need cross platform support, use cross platform libraries, and compile platform appropriate executables from your codebase. Maintaining platform agnosticism through writing exclusively portable code will force you to write better code anyway.

    Leave Java in the ecosystem it belongs in: one off hardware implementations, novelty devices, and low power computing platforms. Bringing java kicking and screaming to the desktop ecosystem makes it too big of a target for malefactors, and only exposes your own unwillingness to practice best practices when writing your software.

  • Nostalgia (Score:3, Interesting)

    by mrbester (200927) on Friday February 01, 2013 @08:04PM (#42767757) Homepage

    I remember those halcyon days when Java had just emerged, acorn-like if you will, from Oak. It promised a brave new world of write once, run anywhere programming that was to usher in a wonderful alternative to all that dangerous mucking about with C++ and flatten the disparate paradigms of software development from Microsoft, Apple and others. I went to trade shows and conferences with like-minded souls all excited about this Next Big Thing. Hell, I even bought books and marvelled how easy it was to get Duke to cartwheel on any OS with a JVM.

    Then it all went to shit with internecine wars and disparate implementations.

    But it didn't stop there. It then carved out of the psyches of beleaguered programmers the world over a new level of hell just for itself.

    Adieu. At least it was fun in the beginning.

  • Re:Too late (Score:1, Interesting)

    by pevans (44803) on Friday February 01, 2013 @11:05PM (#42768865)

    Just uninstall it everywhere.

    Beginning a while back I began removing it from all the little SMBs I do work for. At first just a few with trepidation. Then the rest.

    It turns out that exactly none of them needed it. None.

    Who wants to pay for their employees to play Pogo games anyhow?

    Sure, there may be enterprise sized outfits who rely on it, but I'm guessing most slashdotters aren't that well-monied with their clients and are more small-time as I am. Just uninstall it everywhere and save yourself one of the tedious, recurring headaches supporting windows boxes.

    Ten boxes here, thirty there... and we can kill the thing and get it off our plate entirely.

    Full disclosure: I've long hated java as a user suffering bloated start-up times and xplatform probs, as an IT drone endlessly updating it and for its sheer verbosity as a language (it's just way too much typing for me to bother with vs other langs).

    Needless to say, I was very disappointed with the choice Google made with Android... :-(

  • by ahabswhale (1189519) on Friday February 01, 2013 @11:10PM (#42768889)

    ROFL...are you fucking serious? You can find a lot more security holes in C and C++ than you can in Java. The ONLY reason you see all this shit about Java security is that Java can be run client-side via a simple download by your browser. There are very very few languages that allow this and I can guarantee you that any other ones are thoroughly explored for security holes by hackers. Ever heard of Flash? They've had many many security holes too but that's because they are a target. There are no safe fucking languages. Get that ridiculous idea out of your head. It's about the language's ecosystem and when that ecosystem ends up getting quietly downloaded by somebody's browser, it's gonna get fucking raped by every hacker worth a shit.

    I have to say that I'm pretty shocked about how utterly clueless the /. community is about this kind of technology. Sad stuff.

  • by wierd_w (1375923) on Saturday February 02, 2013 @12:07AM (#42769155)

    Agreed! Client side execution is the problem! But, where would you expect it to run otherwise? On the server? Congrats, you just pointed a bullseye on big iron! One that can potentially run general purpose programs, and not just a simple script parser!

    The problem with java, is that it is standardized, and everywhere. This makes it desirable to target. It needs alternatives, and lots of them, with heavy market penetration.

  • Re:Confused. (Score:4, Interesting)

    by DMUTPeregrine (612791) on Saturday February 02, 2013 @04:01AM (#42769957) Journal

    So install a second browser, just for Java. Disable the plugin on your other browsers, and sandbox the browser with Java as well as you can.

    I use Chrome in a VM for Java (and some other probably insecure things, like viewing sites where I can't block ads.)
