
Java 8 Delayed To Fix Security

Posted by Soulskill
from the projected-release-2047 dept.
mikejuk writes "Java Development Kit 8, planned for September 2013, is being delayed until next year because of 'a renewed focus on security.' Java has been having security publicity problems recently, but Oracle now seems to be taking them more seriously. Mark Reinhold, chief architect of the Java platform group, said, 'Maintaining the security of the Java Platform always takes priority over developing new features, and so these efforts have inevitably taken engineers away from working on Java 8.' The major change still to be made to Java 8 is Project Lambda, which Reinhold says is 'the sole driving feature of the release.' He laid out alternatives, such as dropping Lambda from this release, but said Oracle has decided instead to wait until Lambda is ready. The revised schedule for JDK 8 has a developer preview scheduled for September, a release candidate scheduled for January 2014, and general availability scheduled for March 2014. The delay means that Java SE 9 will probably be released in early 2016, rather than late 2015."
  • by Murdoch5 (1563847) on Friday April 19, 2013 @11:51AM (#43494289)
    The goal should be to provide the best security possible without getting in the way of the programmer. I'm confused on what the focus was before :S
    • Their previous focus was providing the best submarine screendoor to keep out the oceans of malware.

      • by ackthpt (218170)

        Their previous focus was providing the best submarine screendoor to keep out the oceans of malware.

        They must have brought in a project manager from Redmond.

    • Re:Always the goal (Score:5, Insightful)

      by Joce640k (829181) on Friday April 19, 2013 @12:09PM (#43494513) Homepage

      I think the main focus is on getting people to install the Ask Toolbar.

      The more updates they can push out, the more chance there is of somebody slipping up and installing it by mistake.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        I just did the latest update today and instead of the Ask Toolbar it was some McAfee software. Same old shit. You'd think a billion dollar company wouldn't have to resort to cheap tricks like this.

      • I think the main focus is on getting people to install the Ask Toolbar.

        The more updates they can push out, the more chance there is of somebody slipping up and installing it by mistake.

        At least in the EU, I'm really surprised this crap isn't illegal (bundling snare ware with security updates).

        • by Anonymous Coward
          Ah, well that is the trick. Oracle (and Sun before them) doesn't DO security updates. They don't understand what patch even means. They only do full versions. So when you go from say 1.7.0_11 to 1.7.0_21, you are actually uninstalling an entire version of their runtime and installing a new one. People wouldn't put up with that shit from Microsoft. Heck, even Adobe does patches for Reader much of the time now (although they do a mysterious full in there once in awhile too). The worst part is that they don't
      • by roman_mir (125474)

        They should really rename that piece of garbage software into "Larry Ellison's pocket lint he can't throw away" bar.

      • It's GPLv2 (and as far as I can tell there are no restrictions on distributing modified versions of Java, plenty of Linux distros seem to do it) so why not fork it, so that people who need Java for some reason but don't want the crap that goes with it (crappy bundle-ware, security holes that go unfixed for months etc etc) can get an alternative that doesn't suck.

      • by aled (228417)

        If you use the offline installer option from http://www.oracle.com/technetwork/java/javase/downloads/index.html [oracle.com] it doesn't try to install the Ask Toolbar or any other software. I just tried.

    • by Anonymous Coward

      The goal should be to provide the best security possible without getting in the way of the programmer. I'm confused on what the focus was before :S

      It is their responsibility to provide the best security possible. They suck at it.

    • by Tarlus (1000874)

      I'm confused on what the focus was before :S

      Sure as hell wasn't security.

  • Doesn't a 'renewed' focus on security imply the existence of a focus on security at some prior point in time?

    Sure, the JVM itself always got a reasonable amount of love, and the historically-comical nature of Windows security took some of the heat off browser plugins; but has the 'well, if we just add a sandbox, we can take something that works fairly well for instruction-set and OS abstraction of trusted workloads and adapt it to the 'run any old shit the internet throws at you' use case ever been anythin

    • by gigaherz (2653757)
      They mean from before they acquired it from SUN.
    • Doesn't a 'renewed' focus on security imply the existence of a focus on security at some prior point in time?

      A "renewed" focus on security implies that they were focused on security but then quit, and now are going back to it. So the real question is why did they abandon the focus on security.

      Of course, the obvious answer is that there never was any focus on security and now saying that they have a "renewed focus on security" is 100% pure Public Relations Bullshit.

      • by Tharkkun (2605613)

        Doesn't a 'renewed' focus on security imply the existence of a focus on security at some prior point in time?

        A "renewed" focus on security implies that they were focused on security but then quit, and now are going back to it. So the real question is why did they abandon the focus on security.

        Of course, the obvious answer is that there never was any focus on security and now saying that they have a "renewed focus on security" is 100% pure Public Relations Bullshit.

        I'm sure the developers from Sun stopped caring after they all nearly lost their jobs to bankruptcy. Then they were purchased by Oracle and as any big company transition happens, they lose certain perks. It sounds like management has put their foot down and told people to fix their shit.

  • by Threni (635302) on Friday April 19, 2013 @12:01PM (#43494393)

    ...an Ask toolbar I have to deselect whenever there's a security update (around twice a week), it's all good!

  • Laughable (Score:5, Informative)

    by Rashkae (59673) on Friday April 19, 2013 @12:02PM (#43494401) Homepage

    If security was at all a real concern, let alone a priority, Java would never install itself as a plugin in every browser it can find, ready to run arbitrary code from untrusted sources, by default and with every update. All credibility here has been lost ages ago.

    • by Xest (935314)

      The only credibility that has been lost is from people who assume Java is intended to run arbitrary code and do not understand its security model.

      There are still distinct limitations on what the JVM allows to be executed from browser plugins without signing and executing a signed application gives you all the security prompts you'd expect and is in fact really not all that different to a download link where the user gets a "save" or "open" button that lets them execute genuinely arbitrary code. Or in other

  • For everything, I suppose.
  • by Jane Q. Public (1010737) on Friday April 19, 2013 @12:10PM (#43494529)
    For chrissakes, will somebody just fork Java and have done with this persistent Oracle nonsense?

    I mean, sure, it's good Oracle is doing this. They're just way late, as usual.

    Why doesn't somebody just fork it (from back when it was easily forkable), then re-implement the security fixes?

    Granted, it would take a lot of work to do that NOW, but if somebody had done it way back when it should have been done, it would have been lots easier.

    I firmly believe that an active open source community would be a much better caretaker of Java. Oracle has proven again and again that it doesn't care much about people who actually use Java.
    • Re:Fork!!! (Score:5, Informative)

      by JamesRing (1789222) on Friday April 19, 2013 @12:18PM (#43494621)
      It was forked: http://en.wikipedia.org/wiki/OpenJDK [wikipedia.org] The problem is that the browser plugin and WebStart parts of Java are not included in OpenJDK. But OpenJDK is excellent and widely used.
      • by lindi (634828)

        OpenJDK has its own browser plugin.

      • Ah. It's the old Sun fork. I didn't know it was still around.

        I would argue that though it may be "widely" used, it is nowhere near as wide as it should be.
      • by Anonymous Coward

        The problem is that the browser plugin and WebStart parts of Java are not included in OpenJDK.

        That's not a problem, that's two great points in its favor!

    • I mean, sure, it's good Oracle is doing this. They're just way late, as usual.

      When should they have done it? Ten years ago?

      • Give me a break. I didn't pull this out of my ass. Oracle is notorious in the industry for taking a long time to do security fixes to Java.
        • So you don't think it should have been done ten years ago?
          • That's kind of like asking "When did you stop beating your wife?"

            What I meant is what I have already stated: Oracle is notorious for being slow to implement security fixes.
            • And yet, it's not like Sun was any better.
              • "And yet, it's not like Sun was any better."

                You're comparing apples and oranges. First, security was less of an issue back when Sun was the "legal guardian" of Java. Second, it was also more of a community project then. It was far more open than Oracle has allowed it to be.

                • Security was just as much of an issue then. It wasn't as obvious to some people because there weren't mainstream exploits being found in Java. Sun should have realized this a long time ago and fixed these security issues before they got into the news. This just shows sloppiness on their part.

                  Which isn't to say I think anything good of Oracle.
                  • Terminology.

                    Security was important then. But not as important. Nobody considered security to be such a big issue then. Hell, even Microsoft didn't... which is why IE was so full of holes.

                    But it wasn't as much of an issue because a lot fewer people were actively hunting for vulnerabilities, and a lot fewer vulnerabilities had been found. As you say: "there weren't mainstream exploits being found in Java". Yes there were, just not nearly as many. Nor were there nearly as many people trying to find them.
                    • Now, that's just plain a dumb thing to say. First, as I say, it wasn't as important at the time.

                      It was obvious by 2003 that security was a huge issue.

                    • So then, you're saying that after 12 years of prior development, Sun should have fixed all possible Java vulnerabilities in the 3 years prior to Java being released as Open Source. Before most of the vulnerabilities we know about today were even discovered.

                      I think that's pretty funny. But you're entitled to your opinion.
                    • They should have fixed them in the 90s. People who knew were very worried about security by that time (including some people at Sun!). By the mid 2000s it was so obvious that even dogs and cats were aware that security was an issue.
                    • Once again: I did not claim that security was not an issue. What I wrote was that it was not as much of an issue.
                    • lol ^+1
    • by Coren22 (1625475)

      Microsoft tried and was sued by Sun for it.

    • For chrissakes, will somebody just fork Java and have done with this persistent Oracle nonsense?

      I mean, sure, it's good Oracle is doing this. They're just way late, as usual.

      Why doesn't somebody just fork it (from back when it was easily forkable), then re-implement the security fixes?

      Granted, it would take a lot of work to do that NOW, but if somebody had done it way back when it should have been done, it would have been lots easier.

      I firmly believe that an active open source community would be a much better caretaker of Java. Oracle has proven again and again that it doesn't care much about people who actually use Java.

      And why exactly would "someone" want to do that? Why exactly would "someone" want to take on something that you admit is "a lot of work"? What's in it for that "someone"? What do they get for the many, many months of hard work that would be required to do this?

      Instead of demanding that "someone" do it, why don't YOU do it?

      What's that you say? You don't have the programming skills? You don't know anything about the code base and wouldn't even know where to start? You don't feel like spending an enormou

    • by Tharkkun (2605613)

      For chrissakes, will somebody just fork Java and have done with this persistent Oracle nonsense? I mean, sure, it's good Oracle is doing this. They're just way late, as usual. Why doesn't somebody just fork it (from back when it was easily forkable), then re-implement the security fixes? Granted, it would take a lot of work to do that NOW, but if somebody had done it way back when it should have been done, it would have been lots easier. I firmly believe that an active open source community would be a much better caretaker of Java. Oracle has proven again and again that it doesn't care much about people who actually use Java.

      Better yet. Why don't the people being paid to write Java stop making ridiculous security mistakes? You can blame Oracle management but somewhere there's a developer taking shortcuts.

  • Strange fortune cookie or whatever else that quote at the bottom of a Slashdot page is called:

    To err is human; to forgive is simply not our policy. -- MIT Assassination Club

    Seems somewhat awkward given events in Boston over the last 24 hours.

    • Strange fortune cookie or whatever else that quote at the bottom of a Slashdot page is called:
      To err is human; to forgive is simply not our policy. -- MIT Assassination Club
      Seems somewhat awkward given events in Boston over the last 24 hours.

      Or, more pointedly, Aaron Swartz [wikipedia.org]

  • I feel like one of those UFO people standing in a field waiting for little green men to pop out of flying saucers on the second blue moon when the planets line up just right with the moon. I want to believe, really I do want to believe. But like the buffoon in the field waiting on the little green men I'm going to be waiting a very long time before Oracle /gets/ security.

    It takes a lot more than simply delaying a given release of a given product to get your security ducks in a row. Here are some things Orac

  • -It comes out almost as often as Flash
    -I don't see sites using it
    -LibreOffice doesn't need it (unless you use Base)

    So I didn't install it on my new box back in July 2012.
    To date: Not one site yet complaining about it not being there.

    Java as web browser plug-in is no longer needed. It's done.

    • Wait until you have to use a KVM server, reconfig a fiber switch, use ASDM for older Cisco gear, eyeball monitoring software (stupid NetApp esp.), or anything else in a sysadmin role these days.

      Unfortunately, while my home machine is blissfully free of Java (and Silverlight, Flash, etc), my work machines are not.

  • But, still no fucking unsigned integers in Java! Jeezusfuckingchristalmighty!!
  • by Horshu (2754893)
    Maybe if they hadn't let the featureset get so stale over the years, they wouldn't have to make a choice between cleaning up the mess that is Java vs. achieving parity with .Net. They should have added lambdas years ago, but it's like pulling teeth to get them to make major releases.
  • by curunir (98273) * on Friday April 19, 2013 @01:20PM (#43495189) Homepage Journal

    Why is Java still persisting with this notion that it should be a browser plugin? No one wants Java as a browser plugin and that's where the security vulnerabilities have been found. Meanwhile, in the area where Java is popular (the server and, to a lesser extent, desktop applications) and in need of the features that Java 8 was supposed to bring, these security problems are a secondary concern--there's very little need to worry about malicious code when you're not downloading it from an untrusted source.

    It's time to retire Applets and Web Start entirely and leave Java to the things it's good at.

    • by wmac1 (2478314)

      1- What should users of older applications do?

      2- Sun and Oracle have invested a lot of money on JavaFX which (in browser environment) is the equivalent of Flash and Silverlight. It uses Applets to run. It is much cleaner and advanced than Flash and it may have a good future.

    • No one wants Java as a browser plugin

      i.e. YOU. There were several game sites I used to frequent and there are a lot of useful Java applets out there for things like education I used to run. While they were safe, I just got tired of the risk of possibly following a link to an exploit. Even some mainstream torrent sites are riddled with hostile applets. I found this out when I watched one start to install an EXE. Having to rebuild a system from scratch vs. disabling Java plugins is a no brainer.

  • From here [oracle.com]:

    One issue about anonymous classes is that if the implementation of your anonymous class is very simple, such as an interface that contains only one method, the syntax of anonymous classes may seem too unwieldy and unclear.

    It could be argued that if you are manipulating classes that represent some sort of number or mathematical type, using methods like add() or multiply(), instead of using arguably much more intuitive operators is just as unwieldy or unclear (while the only sustainable argumen

  • LOL (Score:2, Funny)

    by smash (1351)

    Maintaining the security of the Java Platform always takes priority over developing new features,

    If that's "always" the case mate, give up, and go back to burger king. You guys are just shit at it.

  • They learn how to properly use launchd items in OS X if they are going to be supporting Apple. Learning how to use a preference .plist so we can remotely manage updates without having to write bash scripts and stuff would help to
  • Many people here are completely missing the point. First, the ones that say that Java is insecure (it's not), and then the ones correcting them, saying that it is the Java Browser Plugin/Java Applets that are insecure (they are right on this) and should be removed from Java.

    The problem with Java Applets is the same problem that you have with ActiveX, they suck because they run third party code in a sand-box like manner and isolating that kind of code from your precious system is pretty hard. The people that implemente
    • by djdanlib (732853)

      Well, if we're going to get specific, okay. We agree and disagree on some things here. Java without some sort of qualifier refers to the ecosystem, right? So Java means the Java programming language, the Java compiler, the JVM (JRE), J2EE, the Java plugin... you know, all that stuff. The Java programming language isn't vulnerable, it's just a language. The rest of the Java products, the ones with actual executable code, are all exploitable and there are plenty of CVEs and breaches across the entire product

      • by aled (228417)

        Sorry, you are saying that there are security bugs in older versions of the JRE that allow drive-in attacks when Java is used only in the server-side? Please provide some examples because I'm interested.
        Of course, if companies that spend millions in applications can't update the old versions it can't be blamed all on Java, could it? And yes, I know very well how companies work.

  • by damaki (997243) on Friday April 19, 2013 @02:02PM (#43495633)
    Now that JavaScript is fast, that HTML5 is everywhere, that games can even run on Flash, please Oracle, kill the damn Java browser plugin. Sure, Unity uses it. Do J2EE developers around the world care about it? No, we do not care!
    Kill the damn thing. It's slow to start and it will always be slow even with the Jigsaw vaporware. I don't want Java in my browser. We are in 2013, ActiveX was crap, Flash is crap, Java applets were, are and will always be crap.

    Disclaimer, I am a Java/J2EE developer and I am totally tired of the reputation that Java is getting because of this damn browser plugin.
    • I'd rather deal with a cleaned up Java plugin than extending the influence of Flash.

    • by aled (228417)

      Surely complex JavaScript implementations deeply integrated in browsers will have no security problems at all...

  • Make note boys and girls: this is what happens when you try to have the language+compiler+VM make up for the holes in the OS+browser.

  • by Anonymous Coward

    Delays seem to help languages. Perl 6 was the best thing that happened to Perl, since it allowed Perl 5 to become mature and widely used. Python 3 was the worst thing to happen to Python. C++ was miraculously stable for over a decade until the new 2011 standard. Even Java 7 was delayed for a long time with the Sun->Oracle move, and that helped Java 1.5/1.6 mature and be deployed instead of older versions.
