Java 8 Delayed To Fix Security 135
mikejuk writes "Java Development Kit 8, planned for September 2013, is being delayed until next year because of 'a renewed focus on security.' Java has been having security publicity problems recently, but Oracle now seems to be taking them more seriously. Mark Reinhold, chief architect of the Java platform group, said, 'Maintaining the security of the Java Platform always takes priority over developing new features, and so these efforts have inevitably taken engineers away from working on Java 8.' The major change still to be made to Java 8 is Project Lambda, which Reinhold says is 'the sole driving feature of the release.' He laid out alternatives, such as dropping Lambda from this release, but said Oracle has decided instead to wait until Lambda is ready. The revised schedule for JDK 8 has a developer preview scheduled for September, a release candidate scheduled for January 2014, and general availability scheduled for March 2014. The delay means that Java SE 9 will probably be released in early 2016, rather than late 2015."
Always the goal (Score:3)
Re: (Score:2)
Their previous focus was providing the best submarine screendoor to keep out the oceans of malware.
Re: (Score:2)
Their previous focus was providing the best submarine screendoor to keep out the oceans of malware.
They must have brought in a project manager from Redmond.
Re:Always the goal (Score:5, Insightful)
I think the main focus is on getting people to install the Ask Toolbar.
The more updates they can push out, the more chance there is of somebody slipping up and installing it by mistake.
Re: (Score:2, Informative)
I just did the latest update today and instead of the Ask Toolbar it was some McAfee software. Same old shit. You'd think a billion dollar company wouldn't have to resort to cheap tricks like this.
Re:Always the goal (Score:4, Funny)
You'd think a billion dollar company wouldn't have to resort to cheap tricks like this.
* Looks pointedly at Adobe *
Re: (Score:2)
And many other companies. :(
Re: (Score:3)
Or maybe that's why they're a billion dollar company. :)
Re: (Score:1)
I just did the latest update today and instead of the Ask Toolbar it was some McAfee software. Same old shit. You'd think a billion dollar company wouldn't have to resort to cheap tricks like this.
Would be even funnier if McAfee recognized Java as mal-ware.
Re:Always the goal (Score:5, Informative)
The Java Dev site [oracle.com] has an installer [oracle.com] without stupid addon crap.
Re: (Score:3)
At least in the EU, I'm really surprised this crap isn't illegal (bundling snare ware with security updates).
Re: (Score:1)
Re: (Score:1)
They should really rename that piece of garbage software into "Larry Ellison's pocket lint he can't throw away" bar.
Time to fork it... (Score:2)
It's GPLv2 (and as far as I can tell there are no restrictions on distributing modified versions of Java, plenty of linux distros seem to do it) so why not fork it, so that people who need Java for some reason but don't want the crap that goes with it (crappy bundle-ware, security holes that go unfixed for months etc etc) can get an alternative that doesn't suck.
Re: (Score:2)
If you use the offline installer option from http://www.oracle.com/technetwork/java/javase/downloads/index.html [oracle.com] it doesn't try to install the Ask Toolbar or any other software. I just tried.
Re: (Score:1)
The day I heard that Oracle was taking over, I knew it was going to go downhill. Oracle is a corporation, it won't give a damn about people, unless there is money involved (lots of it)
That's why I liked it when Sun had it. They weren't a corporation.
Re: (Score:2)
Re: (Score:1)
The goal should be to provide the best security possible without getting in the way of the programmer. I'm confused on what the focus was before :S
It is their responsibility to provide the best security possible. They suck at it.
Re: (Score:2)
I'm confused on what the focus was before :S
Sure as hell wasn't security.
Re: (Score:2)
Of course not.
Oracle's corporate focus comes down to only two directions: this one [google.com], and this one [wikipedia.org].
There is truly no other focus for them.
Re: (Score:1)
Hmm, then it isn't really a focus... it's foci
Hmm... (Score:2)
Doesn't a 'renewed' focus on security imply the existence of a focus on security at some prior point in time?
Sure, the JVM itself always got a reasonable amount of love, and the historically-comical nature of Windows security took some of the heat off browser plugins; but has the 'well, if we just add a sandbox, we can take something that works fairly well for instruction-set and OS abstraction of trusted workloads and adapt it to the 'run any old shit the internet throws at you' use case ever been anythin
Re: (Score:2)
Re: (Score:2)
Doesn't a 'renewed' focus on security imply the existence of a focus on security at some prior point in time?
a "renewed" focus on security implies that they were focused on security but then quit, and now are going back to it. So the real question is why did they abandon the focus on security.
Of course, the obvious answer is that there never was any focus on security and now saying that they have a "renewed focus on security" is 100% pure Public Relations Bullshit.
Re: (Score:1)
Doesn't a 'renewed' focus on security imply the existence of a focus on security at some prior point in time?
a "renewed" focus on security implies that they were focused on security but then quit, and now are going back to it. So the real question is why did they abandon the focus on security.
Of course, the obvious answer is that there never was any focus on security and now saying that they have a "renewed focus on security" is 100% pure Public Relations Bullshit.
I'm sure the developers from Sun stopped caring after they all nearly lost their jobs to bankruptcy. Then they were purchased by Oracle and as any big company transition happens, they lose certain perks. It sounds like management has put their foot down and told people to fix their shit.
As long as it comes with.. (Score:3, Funny)
...an Ask toolbar I have to deselect whenever there's a security update (around twice a week), it's all good!
Laughable (Score:5, Informative)
If security was at all a real concern, let alone a priority, java would never install itself as a plugin in every browser it can find, ready to run arbitrary code from untrusted sources, by default and with every update. All credibility here has been lost ages ago.
Re: (Score:2)
The only credibility that has been lost is from people who assume Java is intended to run arbitrary code and do not understand its security model.
There are still distinct limitations on what the JVM allows to be executed from browser plugins without signing and executing a signed application gives you all the security prompts you'd expect and is in fact really not all that different to a download link where the user gets a "save" or "open" button that lets them execute genuinely arbitrary code. Or in other
Re: (Score:2)
You mean, like this window [rbemrose.com]?
That's from the current Java release trying to load Oracle's Java detection applet [java.com]. And before you ask, I'm required to have Java installed for work because one of our apps relies on an applet.
Re: (Score:2)
There are two types of applet, "trusted" and "untrusted"
"untrusted" applets show no warning on startup and are run in a sandbox that is supposed to limit their access to your computer and network. Unfortunately that sandbox has proven time and time again to have bugs that provide ways for the code inside to "escape" the sandbox and do what it wants to your computer.
"trusted" applets show that warning on startup. Then if the user clicks yes the applet gets the ability to do whatever the hell it likes.
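The trusted/untrusted split described in the post above is what the JVM's permission model (SecurityManager, Policy, ProtectionDomain, AccessController) enforces: an unsigned applet's code runs in a domain with no grants, while an applet the user accepts gets AllPermission. The following is an added example, not code from this thread or from Oracle's plugin or OpenJDK, that runs one and the same body of code once as an unprivileged domain and once as a fully trusted one; the class and method names are made up for the demo. It assumes a JDK that still permits installing a SecurityManager (any JDK before 18, or JDK 18 through 23 started with -Djava.security.manager=allow; the mechanism was deactivated in JDK 24).

```java
import java.io.File;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.AllPermission;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;

/**
 * Added demo (hypothetical names): the same "applet body" is executed once in a
 * domain holding no permissions (unsigned applet) and once in a domain holding
 * AllPermission (signed applet after the user clicked Run). Only the latter may
 * touch the file system; the former is stopped by SecurityManager.checkRead.
 */
public class AppletSandboxDemo {

    /** Policy that grants everything to the demo's own classes so the harness itself can run. */
    static final class PermissiveAppPolicy extends Policy {
        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            return true;
        }
    }

    /** An AccessControlContext whose single domain holds exactly the given permissions. */
    static AccessControlContext domainWith(Permission... grants) {
        Permissions perms = new Permissions();
        for (Permission p : grants) {
            perms.add(p);
        }
        // Two-argument constructor: static permissions only. The installed Policy is
        // not consulted for this domain, so the sandbox cannot inherit the permissive
        // policy granted to the demo class above.
        ProtectionDomain domain = new ProtectionDomain(null, perms);
        return new AccessControlContext(new ProtectionDomain[] { domain });
    }

    /**
     * The "applet body": lists a directory, which makes File.list() call
     * SecurityManager.checkRead(path). The check walks the stack up to the
     * doPrivileged frame and also the supplied context, so the sandbox domain's
     * (lack of) FilePermission decides the outcome.
     * Returns true if the read was permitted, false if the sandbox refused it.
     */
    static boolean attemptDirectoryListing(File dir, AccessControlContext sandbox) {
        try {
            return AccessController.doPrivileged((PrivilegedAction<Boolean>) () -> {
                dir.list();
                return Boolean.TRUE;
            }, sandbox);
        } catch (AccessControlException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Install the policy first, then the manager; once a manager is active,
        // changing the policy would itself require a permission check.
        Policy.setPolicy(new PermissiveAppPolicy());
        System.setSecurityManager(new SecurityManager());

        // Resolve the target path outside the sandbox: reading a system property
        // would otherwise need a PropertyPermission the untrusted domain lacks.
        File target = new File(System.getProperty("java.io.tmpdir"));

        AccessControlContext untrusted = domainWith();                   // unsigned applet
        AccessControlContext trusted = domainWith(new AllPermission());  // accepted signed applet

        System.out.println("untrusted applet may list " + target + ": "
                + attemptDirectoryListing(target, untrusted));  // false
        System.out.println("trusted applet may list   " + target + ": "
                + attemptDirectoryListing(target, trusted));    // true
    }
}
```

Run with `java AppletSandboxDemo` (adding `-Djava.security.manager=allow` on JDK 18 to 23). The design point is the one the post makes: the "untrusted" result depends on every sensitive library path actually reaching a checkPermission call with the sandbox domain on the stack, and the "trusted" result is simply AllPermission, so a Run click on a signed applet removes every check at once.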
First time (Score:1)
Fork!!! (Score:3)
I mean, sure, it's good Oracle is doing this. They're just way late, as usual.
Why doesn't somebody just fork it (from back when it was easily forkable), then re-implement the security fixes?
Granted, it would take a lot of work to do that NOW, but if somebody had done it way back when it should have been done, it would have been lots easier.
I firmly believe that an active open source community would be a much better caretaker of Java. Oracle has proven again and again that it doesn't care much about people who actually use Java.
Re:Fork!!! (Score:5, Informative)
Re: (Score:3)
Openjdk has its own browser plugin.
Re: (Score:2)
I would argue that though it may be "widely" used, it is nowhere near as wide as it should be.
Re: (Score:2)
"... and the goal is for Oracle Java and OpenJDK to be the same thing."
If that were true, they could accomplish it instantly: simply drop their own fork and go with OpenJDK.
Therefore, it must not be true.
Re: (Score:2)
Sun open sourced the main components of Java 6 as OpenJDK. Notable exceptions are the Java browser plugin and web start. IcedTea was a fork by Redhat but now they are OpenJDK contributors. What people refer to simply as Java covers a lot of different things (compiler, library, plugin, hotspot jvm, etc).
Read the article on wikipedia for more details: http://en.wikipedia.org/wiki/OpenJDK [wikipedia.org].
Re: (Score:3)
Just to add to this,
OpenJDK is the official Java 7 reference platform and is fully "open", Oracle java is basically OpenJDK with a different browser plugin and some proprietary components (webstart, hotspot, etc) and while IcedTea used to be a full java implementation, it is my understanding that it is basically just an open source version of the proprietary components (WebStart) now.
Oracle is one of the main sponsors/contributors to OpenJDK as well as Redhat and a slew of other companies. The Wikipedia
Re: (Score:3)
When Sun announced that they were going to open source Java they got a lot of bashing from people here because they didn't want to believe it or because Sun was slow in its process. Some things are not instantaneous (code reviews, packaging, third party licenced components, etc) and people should not have unrealistic expectations on this. But Sun was true to its word and open sourced the main components of Java. I don't know if Oracle plans to continue on this path with the remaining components but they are not the
Re: (Score:1)
The problem is that the browser plugin and WebStart parts of Java are not included in OpenJDK.
That's not a problem, that's two great points in its favor!
Re: (Score:2)
I mean, sure, it's good Oracle is doing this. They're just way late, as usual.
When should they have done it? Ten years ago?
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
What I meant is what I have already stated: Oracle is notorious for being slow to implement security fixes.
Re: (Score:2)
Re: (Score:2)
"And yet, it's not like Sun was any better."
You're comparing apples and oranges. First, security was less of an issue back when Sun was the "legal guardian" of Java. Second, it was also more of a community project then. It was far more open than Oracle has allowed it to be.
Re: (Score:2)
Which isn't to say I think anything good of Oracle.
Re: (Score:2)
Security was important then. But not as important. Nobody considered security to be such a big issue then. Hell, even Microsoft didn't... which is why IE was so full of holes.
But it wasn't as much of an issue because a lot fewer people were actively hunting for vulnerabilities, and a lot fewer vulnerabilities had been found. As you say: "there weren't mainstream exploits being found in Java". Yes there were, just not nearly as many. Nor were there nearly as many people trying to find them.
Re: (Score:2)
Now, that's just plain a dumb thing to say. First, as I say, it wasn't as important at the time.
It was obvious by 2003 that security was a huge issue.
Re: (Score:2)
I think that's pretty funny. But you're entitled to your opinion.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Microsoft tried and was sued by Sun for it.
Re: (Score:2)
For chrissakes, will somebody just fork Java and have done with this persistent Oracle nonsense?
I mean, sure, it's good Oracle is doing this. They're just way late, as usual.
Why doesn't somebody just fork it (from back when it was easily forkable), then re-implement the security fixes?
Granted, it would take a lot of work to do that NOW, but if somebody had done it way back when it should have been done, it would have been lots easier.
I firmly believe that an active open source community would be a much better caretaker of Java. Oracle has proven again and again that it doesn't care much about people who actually use Java.
And why exactly would "someone" want to do that? Why exactly would "someone" want to take on something that you admit is "a lot of work". Whats in it for that "someone"? What do they get for the many, many months of hard work that would be required to do this?
Instead of demanding that "someone" do it, why don't YOU do it?
What's that you say? You don't have the programming skills? You don't know anything about the code base and wouldn't even know where to start? You don't feel like spending an enormou
Re: (Score:2)
the fork has been done, and it is useful. what 'fallacy" are you imaging in your ignorance?
Re: (Score:2)
It was not a fork, rather Java was open sourced as OpenJDK.
Re: (Score:1)
For chrissakes, will somebody just fork Java and have done with this persistent Oracle nonsense? I mean, sure, it's good Oracle is doing this. They're just way late, as usual. Why doesn't somebody just fork it (from back when it was easily forkable), then re-implement the security fixes? Granted, it would take a lot of work to do that NOW, but if somebody had done it way back when it should have been done, it would have been lots easier. I firmly believe that an active open source community would be a much better caretaker of Java. Oracle has proven again and again that it doesn't care much about people who actually use Java.
Better yet. Why don't the people being paid to write Java stop making ridiculous security mistakes? You can blame Oracle management but somewhere there's a developer taking shortcuts.
Fortune (Score:1)
Strange fortune cookie or whatever else that quote at the bottom of a Slashdot page is called:
To err is human; to forgive is simply not our policy. -- MIT Assassination Club
Seems somewhat awkward given events in Boston over the last 24 hours.
Re: (Score:2)
Strange fortune cookie or whatever else that quote at the bottom of a Slashdot page is called:
To err is human; to forgive is simply not our policy. -- MIT Assassination Club
Seems somewhat awkward given events in Boston over the last 24 hours.
Or, more pointedly, Aaron Swartz [wikipedia.org]
I want to believe (Score:2)
I feel like one of those UFO people standing in a field waiting for little green men to pop out of flying saucers on the second blue moon when the planets line up just right with the moon. I want to believe, really I do want to believe. But like the buffoon in the field waiting on the little green men I'm going to be waiting a very long time before Oracle /gets/ security.
It takes a lot more than simply delaying a given release of a given product to get your security ducks in a row. Here are some things Orac
Re: (Score:2)
You already use Java but you don't know. Lots of those websites you visit use Java at the server side to process your requests (if we forget usage of Java on mobile phones).
Java is almost the default language in financial, insurance and healthcare applications.
Re: (Score:2)
You already use Java but you don't know. Lots of those websites you visit use Java at the server side to process your requests (if we forget usage of Java on mobile phones).
Java is almost the default language in financial, insurance and healthcare applications.
And all Blu-ray players [wikipedia.org]:
At the 2005 JavaOne trade show, it was announced that Sun Microsystems' Java cross-platform software environment would be included in all Blu-ray Disc players as a mandatory part of the standard. Java is used to implement interactive menus on Blu-ray Discs, as opposed to the method used on DVD-video discs.
I gave up on Java almost a year ago. (Score:2)
-It comes out almost as often as Flash
-I don't see sites using it
-LibreOffice doesn't need it (unless you use Base)
So I didn't install it on my new box back in July 2012.
To date: Not one site yet complaining about it not being there.
Java as web browser plug-in is no longer needed. It's done.
Re: (Score:2)
Wait until you have to use a KVM server, reconfig a fiber switch, use ASDM for older Cisco gear, eyeball monitoring software (stupid NetApp esp.), or anything else in a sysadmin role these days.
Unfortunately, while my home machine is blissfully free of Java (and Silverlight, Flash, etc), my work machines are not.
Still no unsigned integers (Score:1)
Funny (Score:1)
Why, Why Why???? (Score:3)
Why is Java still persisting with this notion that it should be a browser plugin? No one wants Java as a browser plugin and that's where the security vulnerabilities have been found. Meanwhile, in the area where Java is popular (the server and, to a lesser extent, desktop applications) and in need of the features that Java 8 was supposed to bring, these security problems are a secondary concern--there's very little need to worry about malicious code when you're not downloading it from an untrusted source.
It's time to retire Applets and Web Start entirely and leave Java to the things it's good at.
Re: (Score:2)
1- What should users of older applications do?
2- Sun and Oracle have invested a lot of money on JavaFX which (in browser environment) is the equivalent of Flash and Silverlight. It uses Applets to run. It is much cleaner and advanced than Flash and it may have a good future.
Re: (Score:2)
No one wants Java as a browser plugin
i.e. YOU. There were several game sites I used to frequent and there are a lot of useful Java applets out there for things like education I used to run. While they were safe, I just got tired of the risk of possibly following a link to an exploit. Even some mainstream torrent sites are riddled with hostile applets. I found this out when I watched one start to install an EXE. Having to rebuild a system from scratch vs. disabling Java plugins is a no brainer.
I just don't get it... (Score:2)
It could be argued that if you are manipulating classes that represent some sort of number or mathematical type, using methods like add() or multiply(), instead of using arguably much more intuitive operators is just as unwieldy or unclear (while the only sustainable argumen
Re: (Score:2)
Not all types for which operator overloading would make sense are a number, however.
Vectors and Matrices come to mind as immediate examples, and not all operators even necessarily make sense for both. More generally, any class which represents any kind of algebraic ring could sensibly have very intuitive operator overloading.
LOL (Score:2, Funny)
If that's "always" the case mate, give up, and go back to burger king. You guys are just shit at it.
Re: (Score:2)
Missing the Point, it's all Microsoft fault. (Score:2)
The problem with Java Applets is the same problem that you have with ActiveX, they suck because they run third party code in a sand-box like manner and isolating that kind of code from your precious system is pretty hard. The people that implemente
Re: (Score:2)
Well, if we're going to get specific, okay. We agree and disagree on some things here. Java without some sort of qualifier refers to the ecosystem, right? So Java means the Java programming language, the Java compiler, the JVM (JRE), J2EE, the Java plugin... you know, all that stuff. The Java programming language isn't vulnerable, it's just a language. The rest of the Java products, the ones with actual executable code, are all exploitable and there are plenty of CVEs and breaches across the entire product
Re: (Score:2)
Sorry, you are saying that there are security bugs in older versions of the JRE that allow drive-by attacks when Java is used only on the server side? Please provide some examples because I'm interested.
Of course, if companies that spend millions in applications can't update the old versions it can't be blamed all on Java, could it? And yes, I know very well how companies work.
Re: (Score:2)
Did I miss something? Why are you calling him a shill?
Regardless of whether he proves to be a shill or not, I think Daniel Hoffmann is 100% correct with this post. Every one of his points is spot on. Large IT Orgs are dinosaurs with a lot of inertia and it takes a lot to get them to start moving. Him blaming Microsoft seems a bit tongue-in-cheek to me as I don't think MS wants people to be using XP/IE8 anymore either.
There are many, many high end things out there that require Java Applets to manage,
Let java applets DIE (Score:4, Insightful)
Kill the damn thing. It's slow to start and it will always be slow even with the Jigsaw vaporware. I don't want Java in my browser. We are in 2013, ActiveX was crap, Flash is crap, java applets were, are and will always be crap.
Disclaimer, I am a java/J2EE developer and I am totally tired of the reputation that java is getting because of this damn browser plugin.
Re: (Score:3)
I'd rather deal with a cleaned up Java plugin than extending the influence of Flash.
Re: (Score:2)
surely complex javascript implementations deeply integrated in browsers will have no security problems at all...
Security (Score:2)
Make note boys and girls: this is what happens when you try to have the language+compiler+VM make up for the holes in the OS+browser.
Delays help languages (Score:1)
Delays seem to help languages. Perl 6 was the best thing that happened to Perl, since it allowed Perl 5 to become mature and widely used. Python 3 was the worst thing to happen to Python. C++ was miraculously stable for over a decade until the new 2011 standard. Even Java 7 was delayed for a long time with the Sun->Oracle move, and that helped Java 1.5/1.6 mature and be deployed instead of older versions.
Re:Incorrect headline. (Score:4, Insightful)
What they should really do is reconsider if applets really are that important anymore and just scrap the concept completely. At least that's where the problem seems to be most of the time.
Re: (Score:3)
At the very least it should be either an optional (with the default set to "no") or separate install. There are still some systems that require it. I have an old HP JetDirect I still use to put an even older HP LaserJet 4 on our network, and its interface is a Java applet.
Re: (Score:3)
You can telnet into a JetDirect card to control it without the fancy web interface. Bonus if you make an application to simplify the process.
Re: (Score:1)
Agree 100%. Consider that applets were created back when Flash didn't exist, HTML 5 wasn't even a thought in someone's head and Javascript was a toy.
They've been superseded and should be dropped completely. A big step to improving security is simplifying the codebase.
It's dependency e.g. in Danske Bank (Score:1)
Danske Bank requires Java browser plugin to access their online banking, because it supposedly "enhances security".
In reality: Online payments have become a nightmare to do because it frequently crashes during payment, and it's not always clear how you can restart only the payment process to avoid doing a duplicate order to the web store.
In their defense I can say that after the last bug/update cycles of Java they seem to have become so frustrated also that they've decided to scrap that requirement, and in few mont
Re: (Score:1)
Danske Bank requires Java browser
Ya know, that should be reason #1 to drop any contact with said bank. Space them. Now.
Java applets are not acceptable. Do not use them. Stay away from anyone that tries to foist applets on you. Fire anyone that suggests their use.
Just stop it. Java applets are fail. Stop doing this to people.
Re: (Score:2)
Re: (Score:2)
I'm pretty sure that bank would switch to something more sane if Java 8 came out with no support whatsoever for applets.
Re: (Score:3)
The problem is _WHERE_ java is actually used. For the most part that is "enterprise software" and embedded gear. At work it's pretty much unavoidable, from the IP KVMs and fibre switches with their java applets to enterprise middleware running all over the place. It's apparent what all those java developers have been doing for the last decade.
In many cases, simple HTML applications would have been much better but some organization hired a java programmer to write the back-end and the front-end ended up bei
Re: (Score:2)
Of course there will be a transition phase where those vendors will have to change their behavior, but that's absolutely doable. People said the same thing about Flash, but it turns out that it wasn't much of a problem.
Re: (Score:2)
It makes me a bit sad that Java in the browser never really took off to the extent that JavaScript did. These days we have people coming up with monstrosities like asm.js to make it possible to write fast, cross-platform applications, whereas the JVM is a compiler target that's been much better suited to the task for a decade and a half. I suppose its downfall was in its proprietary nature, lack of integration with the DOM, and slow start-up time. If the browsers had included an easily sandboxed subset o
Re: (Score:2)
They should update their version number with every security release so they can keep up with Chrome and Firefox.
I'm sorry, but I'm not turning on hugepages support on my desktop just to read a version number.
Re: (Score:3)
Not many other parasites sing such high praise for their HOSTS.