Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Oracle Java Security

Oracle Fixes 42 Security Vulnerabilities In Java 211

Posted by samzenpus
from the patching-things-up dept.
wiredmikey writes "Oracle released its quarterly Critical Patch Update (CPU) for April, which addressed a whopping 128 security issues across multiple product families. As part of its update, Oracle released a Java SE Critical Patch Update to plug 42 security holes in Java, 19 with base CVE score of 10 (the highest you can go) and 39 related to the Java Web Start plugin which can be remotely exploited without authentication. According to security analyst Wade Williamson, organizations need to realize that Java will continue to pose a significant risk. 'The first step is for an organization to understand precisely where and why Java is needed,' Williamson wrote. 'Based on the rate of newly discovered vulnerabilities, security teams should assume that Java is and will continue to be vulnerable.' Organizations should to take a long, hard look at Java and answer for themselves if it's worth it, Williamson added. Due to the threat posed by a successful attack, Oracle is strongly recommending that organizations apply the security fixes as soon as possible."
This discussion has been archived. No new comments can be posted.

Oracle Fixes 42 Security Vulnerabilities In Java

Comments Filter:
  • #1 web error (Score:4, Interesting)

    by EmperorOfCanada (1332175) on Thursday April 18, 2013 @09:22PM (#43489177)
    What I have observed is that many corporate types adopted Java about 8-10 years ago and seem to be largely sticking with it. But what I don't see are any organizations now switching to Java. The very occasional organization also seems to be dropping Java. At this rate the corporate world will still be using Java for a long time but I don't think it is where the cool kids are. Interestingly there seems to be no one thing replacing Java. I see python definitely becoming the language of choice in certain limited areas such as science and hedge-funds. I see some people tossing their java web front ends and replacing it with an array of things even including PHP.

    So all in all where Java is it will probably stay and I doubt that these security concerns will damage that audience much. What reports like this will certainly do is to dissuade many potential adopters of Java based technologies.
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      What reports like this will certainly do is to dissuade many potential adopters of Java based technologies.

      Which is a shame, because these vulnerabilities (which, for the most part, are either in the web plugin itself, or in aspects of the JVM that are only exploitable through the web plugin) have no bearing on Java's suitability for its most popular uses.

      The best move Oracle could make to rectify Java's public perception is to un-bundle the goddamn web plugin from the JRE. It's like a festering, oozing sore smack dab on the middle of the face of the platform.

      Make it optional, part of a separate download, and bu

      • As much as I honestly don't care for Java development, I have to agree.. giving me a browser plugin that the vast majority of sites don't legitimately use along with the runtime that's needed to make desktop/background apps run is nutty. At this point I'm avoiding Java apps all together, since I just don't want to deal with the hassle.

        .Net and Java are old and busted, over-engineered slow, bulky crap these days... A lot of the dynamic stuff like Python and NodeJS get you where you're going, maybe a tiny
        • giving me a browser plugin that the vast majority of sites don't legitimately use along with the runtime that's needed to make desktop/background apps run is nutty

          Unfortunately, that's not the situation for many people.

          In reality, a lot of very popular web sites and applications do run Java applets, even if you personally happen not to use any of them. Common examples in these kinds of discussions are a few major banks, some national government web sites, some teleconferencing/screen sharing tools widely used in businesses, a few games, etc.

          Meanwhile, many people at home have no use for Java for desktop/background applications at all. Relatively little end user softw

    • Re:#1 web error (Score:4, Insightful)

      by Anonymous Coward on Thursday April 18, 2013 @10:09PM (#43489457)

      Speaking as someone who does Release Engineering professionally, and thus tends to see all the technologies that a company uses in deploying modern systems, Java is still #1 by a long shot, and I continue to see new development done all the time.

      It's all middleware, though. And, frankly, for pretty much any reasonably scalable system which has some sort of a front end web-ish part, a middleware "business logic" part, and a DB backend, Java is not only the leader, but its essentially one of two choices: .Net is the other.

      Standalone apps don't much exist in Java anymore (the few that do are mostly legacy). It's also almost completely disappeared as part of the Frontend portion of content delivery (i.e. not in the dynamic content being served to the end user, nor in the "web server" portion of the infrastructure).

      But in terms of middleware, well, only .Net is a serious competitor in terms of enterprise requirements. Java's got all the nice library and code support, plus plugins and stuff for all the build/deployment/test infrastructure. C++ doesn't even come close, and python/ruby/perl aren't even in the running. Now, there are architectures where there IS no middleware, and the frontend system actually is a python program which both serves content and has business logic in it, but I see them far less commonly, and they have serious scalability issues.

      And, frankly, the middleware tier is also the place which minimizes Java's deficiencies, and maximizes its strengths.

      As far as the future goes, I desperately wish Oracle would quit expanding the featureset of Java, and just spend all the time cleaning up the codebase. Java (the language) is more than feature-full at this time, and there's really very little need to keep adding stuff to the language. The codebase, on the other hand, needs at least couple of years of full-on cleanup. The JVM itself is still pretty solid, but everything else is suffering from neglect pretty badly.

    • Re:#1 web error (Score:4, Interesting)

      by ADRA (37398) on Friday April 19, 2013 @01:42AM (#43490265)

      Trust me, as an implementor, there are plenty of new enterprises lining up moving to Java from C/C++/legacy. The alternatives are hodge podge languages which will most likely not work for supporting large number of diverse product categories, or you go with C/C++ and pay a crap load more money for developers & more time spent. Or, you can go with .NET which is fine if you're an all MS shop (less and less) or you rely on Mono for your non-windows systems (tough sell).

      Where's the panacea of general programming environments where:
      1. You can integrate it with -practically anything- (whatever the customer's currently plugged into -- protocol/socket, old DB's, all those queue systems, email, batch tools, clustering(scale), etc..) with little development overhead
      2. Easy access to developers with varying degrees of cost / performance
      3. 100% support on mainstream deployment platforms of choice

      If you're not answering these three questions, most non-dev centric businesses won't be playing ball.

      "but I don't think it is where the cool kids are"
      Yes, there's a big difference between what some people want to develop in, and what people actually write useful code in. Joe rock-star could do all his work in Scala/Groovy/Ruby/Python/langoftheweek, but without super unsexy long term support from competent developers, that software will crumble and die with the company forced to move their platform to something more standard just to find people to keep it alive.

      • by hey (83763)

        Java is the only choice for things like that. It is quite nice, actually.

  • Naive question (Score:5, Insightful)

    by DoofusOfDeath (636671) on Thursday April 18, 2013 @09:28PM (#43489215)

    What's the deal with people saying Java is a major source of insecurity?

    Does that mean compared to C++? Are they comparing (Java + all its libraries) to (C++ plus one instance of each library which is needed to match Java's standard libraries)? Insecurity of the JVM itself, compared to native object code?

    I honestly can't tell.

    • Re:Naive question (Score:4, Informative)

      by Anonymous Coward on Thursday April 18, 2013 @10:37PM (#43489581)

      What's the deal with people saying Java is a major source of insecurity?

      Does that mean compared to C++? Are they comparing (Java + all its libraries) to (C++ plus one instance of each library which is needed to match Java's standard libraries)? Insecurity of the JVM itself, compared to native object code?

      I honestly can't tell.

      Really, none of the above. Of those, "Insecurity of the JVM itself" is closest to the truth.

      The big problem with Java is the browser plugin.

      For the most part, these vulnerabilities (I'm generalizing) are in the parts of the JVM that are used by the Java browser plugin, or in the plugin itself.

      It's actually one of the great ironies of Java. The Java language, and the JVM, were actually pretty well designed with regards to security; things like strong typing and garbage-collected memory management go a long way toward preventing ordinary bugs from becoming security issues. Unfortunately, long ago, Sun figured Java was so safe that there would be no risk with running Java code ("applets") off the Internet, right in your browser. So they built in a sandbox into the JVM, and created the Java applet embedding browser plugin that depended on that sandbox to prevent applets from harming your computer.

      And in doing that, they overreached, especially as they began adding features* that made the sandboxing of code from the Web harder and harder to enforce.

      Get rid of the browser plugin, and Java is no worse than any other language/platform. Probably better than some.

      C++ doesn't have this problem, because there is no equivalent browser plugin that allows random bits of C++ code from the web to get onto your comptuer.

      * I have heard that JVM support for dynamic languages in the version 7 JVM is a big reason for the growth in security vulnerabilities. I'm not educated enough to say whether this is true or nonsense, but it seems plausible

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        There was ActiveX, which was a fancy name for "let's download DLLs from websites and execute them in the browser process". We all know that bombed massively, especially because rogue website could launch (e.g.) HP's dlls inside their HTML code. They would then proceed to exploit the buffer overflows in the HP DLLs.

        ActiveX was a security nightmare based on downloaded C++ dlls.You see, mankind enumerates all possible ways of crap until it decides to limit itself to the less dangerous crap (JS).

    • What's the deal with people saying Java is a major source of insecurity?

      Does that mean compared to C++? Are they comparing (Java + all its libraries) to (C++ plus one instance of each library which is needed to match Java's standard libraries)? Insecurity of the JVM itself, compared to native object code?

      I honestly can't tell.

      Yes. The design of the stack based language traded speed for size. When run as an interpreted language pure Java is very secure. However, now that it has JIT compilation you're basically just taking data, flagging that as code, then running it. That's what's inherently insecure. Not only do you have to worry about defects in the applications and library code, but also the virtual machine itself, which lowers the bar for malicious data to get itself marked as code, and executed. Combine that with the f

  • by Zephiris (788562) on Thursday April 18, 2013 @09:40PM (#43489287)

    It's been worrying me that the tagline "News for nerds, stuff that matters" has been removed from Slashdot (except in the source code, but gets replaced on any/all page loads), but this story is coming behind both TFA and the actual patches being available for two full days prior.

    It's no "Preskill mocks Stephen Hawking" quote from 2012, like the other article, but maybe this could've ended up -slightly- higher priority given that it fixes 1-2 remote unauthenticated exploits in Java, and IIRC 3 in Oracle DB.

    • It's been worrying me that the tagline "News for nerds, stuff that matters" has been removed from Slashdot (except in the source code, but gets replaced on any/all page loads), but this story is coming behind both TFA and the actual patches being available for two full days prior.

      It's no "Preskill mocks Stephen Hawking" quote from 2012, like the other article, but maybe this could've ended up -slightly- higher priority given that it fixes 1-2 remote unauthenticated exploits in Java, and IIRC 3 in Oracle DB.

      Nerds submit the news here. This is the stuff they think matters. If it's not prioritized the way you like, then promote the things you like and firehose the other submissions down. Perhaps there are just more nerds that don't give a frack about Java vulns than you think. E.g: None of my 8 home Linux boxes, or the 20 I manage for my day job have that pox installed -- Then again, the only "Enterprise" things I do are related to science fiction. Guess I'm not nerd enough if I'm using Xen VMs to virtuali

  • by viperidaenz (2515578) on Thursday April 18, 2013 @10:06PM (#43489439)

    Java isn't evil, Browser plugins are.
    Leave Java on the server side and be done with it.

    • by StormReaver (59959) on Thursday April 18, 2013 @10:52PM (#43489651)

      Leave Java on the server side and be done with it.

      Or learn to use Java properly on the client side, which means stop using it as a browser plugin. Java makes an excellent desktop application development platform, but an absolutely lousy browser plugin.

      • by viperidaenz (2515578) on Thursday April 18, 2013 @11:02PM (#43489693)

        Yes. That's exactly what I'm doing at my current job. Java back end, Java thick client.

      • by stenvar (2789879)

        Java makes an excellent desktop application development platform, but an absolutely lousy browser plugin.

        You may like Java as a developer, but Java fails to integrate properly with any of the desktops; Java desktop apps are a nightmare.

        • Java makes an excellent desktop application development platform, but an absolutely lousy browser plugin.

          You may like Java as a developer, but Java fails to integrate properly with any of the desktops; Java desktop apps are a nightmare.

          I've seen a lot of nice Java desktop apps and a lot of bad ones.

          • by stenvar (2789879)

            Whether they are "nice" or not in and of themselves isn't the point. They fail to integrate with the desktop, they don't behave like native apps, and they don't look like native apps either.

            • Whether they are "nice" or not in and of themselves isn't the point. They fail to integrate with the desktop, they don't behave like native apps, and they don't look like native apps either.

              Maybe that depends on the desktop? Could it actually be that some (read whatever you are using) desktops are seriously limiting how different kinds of applications can be integrated degrading the user experience? Bashing the apps might be the wrong way around, as the problem is on the desktop environment.

              • by stenvar (2789879)

                It's not the apps that I bash, it's the Java platform: it set out to deliver a great cross platform experience and it failed, because what it attempted to do is impossible. The only way you can get a good experience on each platform is to customize your app for each platform.

        • Citation? I thought not.

          • by stenvar (2789879)

            Citation? I thought not.

            Better than a citation: just download desktop Java apps and run them on OS X or Gnome or KDE.

        • GUI toolkits that promises cross-platform compatibility stick to the lowest common denominator of native features and then build on it. Java does a pretty good job of integrating with most desktops without the burden of cross compiling for every single target environment. Qt and Gtk applications do not look native on all desktops either.

          The main factor affecting desktop integration is the amount of effort a developer will put into programming the GUI. This can be said for all libraries.

      • by Anonymous Coward

        Java makes an excellent* desktop application.

        * Excellent is defined here as "slow, ugly and memory hungry."

        • by pne (93383)

          Java makes an excellent* desktop application.

          * Excellent is defined here as "slow, ugly and memory hungry."

          Reminds me of this joke:

          "Knock, knock"

          "Who's there?"

          ...

          ...

          ...

          ...

          "Java."

      • by Ash-Fox (726320)

        Or learn to use Java properly on the client side, which means stop using it as a browser plugin.

        So, how do I use the virtual machine remote management interface that is only available in java on a webpage?

  • Reminds me of my dad always breaking shit when he tried to fix it. Then he actually fixed something and we flipped our shit!
  • by raymorris (2726007) on Thursday April 18, 2013 @10:31PM (#43489559)
    With tje taste of Java exploits exceeding one per day, it seems clear the problem is bigger than the specific exploits they are fixing. The DESIGN that allows for hundreds of vulnerabilities is seriously flawed and THAT is what they should fix.

    It really looks like someone trying to use chicken wire fencing to build a dam, and they keep patching each little hole. Instead, they need to ditch the porous chicken wire and use something watertight for the barrier between VM and system.
    • We don't read about this many security problems with other general purpose languages. If GCC needed patches every month I sure wouldn't be inclined to use it. Why does Java need to be patched so often? What is so different that it makes it so bad? Is it because it's interpreted rather than compiled? Why does that matter? I'm amazed Java has been such a mess for so long.
      • Re: (Score:2, Informative)

        GCC may not be patches that often but you OS is. Java is not just a language it is a VM that the compiled Java code runs in, a jit compiler that compiles the Java code, a language and a web plug-in. all collectively referred to as Java. Javas big problem is it is used in unsafe ways (via web plug-in). the main security problem is that the Java web plug in grabs arbitrary code and runs it in the same vm as Java app's and it can be abused to take control. You would never run a just any random binary you found

  • Ask (Score:4, Insightful)

    by andrewa (18630) on Thursday April 18, 2013 @11:13PM (#43489743)
    Yet still they are trying to sneak the "Ask" toolbar in there.....
    • Re:Ask (Score:4, Informative)

      by SeaFox (739806) on Friday April 19, 2013 @02:34AM (#43490441)

      I've decided that must be the only reason they haven't created an auto-update system for Java. I mean, my AV software can update its own definitions, my web browser can update itself, yet I still have to click the stupid message every time Oracle farts.

      My mom has been complaining about it too. The frequency of these updates are encouraging people to ignore them or turn them off like the classic boy who cried "Wolf!".

      If the Java system could update itself they'd lose the opportunity to trick people into not unchecking the Ask Toobar, McAfee Security Scan, etc shovel-ware. And as people get frustrated with the constant updates they get sloppier about what they're clicking as they go though them.

  • by mindwhip (894744) on Thursday April 18, 2013 @11:23PM (#43489793)

    Every time they release one of these my companies IT department insists on the new version being mandatory and installs it on every PC without any testing.

    This then breaks one (or more) of our externally provided and supported, business critical, small user base, Java client/server systems. After a few days of frantic phone calls and manual un-installs of the new Java version (which have to be done by IT support due to security lockdown remoting into PCs, after senior signoff) we have to keep doing to combat the overnight updates) we end up with an emergency change to install a very alpha version of the client/server system.

    The updated client is normally so full of bugs that it gets several further emergency updates over the next 3 months and is just about stable and almost bug free in time for Oracle to release another patch...

    • by arkhan_jg (618674)

      And what are IT supposed to do? Leave a known vulnerable version with dozens of critical flaws - including the HIGHLY exploitable browser plugin - on business critical PCs across the org, including the business critical ones of that small group?

      Who's neck would it be if those machines got remote rooted by some chinese hacker driveby? I'm betting not yours.

      Perhaps a dialog with IT where you don't install the browser plugin at least, and firewall the group off from the rest of the network in exchange for a te

  • by icknay (96963) on Thursday April 18, 2013 @11:38PM (#43489843)
    Suppose that when you first run the java installer, it asks you if you wan to install the ask.com toolbar, naturally you select No Ask.com Malware button, and everything installs nicely. Now later on, for each security update that comes along, there's a nice Install Important Update button .. and what do you suppose that does? It installs the Ask.com toolbar! I know Oracle is supposed to be aggressive with their practices, but I cannot believe they abuse security updates this way to get a few pennies out of Ask.com which is basically a search-result-spam engine.

    The reason you have not heard about this more, is that Macs and Firefox/Chrome (not sure about IE) resist the Ask.com installer, so you just don't see it, but the crappy Oracle behavior is in fact going on each time. The result is that naive users are getting this toxic thing installed and it really messes up their whole internet experience.

    Hey Oracle: you're pissing away tons of Java goodwill in exchange for pennies form the Ask.com spammers. Who on the heck thought that was a good trade? Like what techie who learns of this behavior is ever going to install Java anywhere? Aren't you trying to make JavaFX into a real client thing?

    See http://www.zdnet.com/a-close-look-at-how-oracle-installs-deceptive-software-with-java-updates-7000010038/ [zdnet.com] for lots of details on how the Ask.com installer tries to trick the users and hide itself. It's kind of interesting arms race between the spamming toolbar and the browser vendors.

    • What about Flash? That installs a google toolbar and McAfee and doesn't even give me a choice. Where's the rage? I guess cause it's a google toolbar it's OK then?

  • by coder111 (912060) <coder.rrmail@com> on Friday April 19, 2013 @01:00AM (#43490121)
    These are java APPLET or BROWSER PLUGIN vulnerabilities. Completely different thing.

    Slashdot should stop with this misinformation. Java the LANGUAGE is OK. Java Virtual Machine is OK. Servers using Java as server-side language are OK. Java desktop applications are OK.

    Java the BROWSER PLUGIN is vulnerable. But Java Browser plugin should never have happened in the first place and should be killed with fire.

    So stop with the whole bashing of Java in general. Java is a very good and mature language, with the fastest JVM on planet today, lots of open source 3rd party libraries, servers, frameworks and tools. It's very very good for server-side development.

    --Coder
    • by gbjbaanb (229885)

      are you sure about that - check where the vulnerabilities were found. How many were in the plugin, how many in the JVM.

      The fast that the code that executes in the plugin is Java code that runs in a JVM sandbox seems to have passed you by, of course the plugin in a good attack vector as its so readily accessible, but there's nothing stopping the same attack code from running in your desktop or server programs, its just harder (but not impossible) for the attacker to get their code there.

      So, no, Java is not s

  • I really would tell all my country-cousins to update their Java, but I couldn't rely on them to untick the 'Make Ask my default homepage, and add the toolbar' box. That sort of inertia-sell to the ignorant inspires no confidence at all.
  • Ballanced? (Score:4, Insightful)

    by Racerdude (1006357) on Friday April 19, 2013 @01:23AM (#43490191)
    "Organizations should to take a long, hard look at Java and answer for themselves if it's worth it, Williamson added.". This doesn't sound very balanced. It sounds like he has some sort of ulterior motive
  • If you install this on your Mac and you are using a Drobo iscsi device, then you are no longer using your iscsi device. This java update breaks Drobo's iscsi initiator.

  • Out of how many? 42? 420? 69105? 10^42?

I have never seen anything fill up a vacuum so fast and still suck. -- Rob Pike, on X.

Working...