Oracle Promises Patches Next Week For 36 Exploits In Latest Java 154
An anonymous reader writes "Oracle is posting patches for all its products next Tuesday, which include 36 exploits for Java alone and over 140 for all Oracle products currently supported, included over 80 that require no authentication to execute.These patches look to be critical for any administrator. Java 6 users who use equipment or programs that rely on older versions are SOL unless they sign up for a very expensive support contract, as these patches are for Java 7 only."
Re:again? (Score:4, Insightful)
Java, one of the worst things to happen to computing, ever.
Nah, I doubt anything would be much better, if they were in position Java is now. If it were native code, anybody without the sources would be screwed, now only anybody with Java6 requirement and no sources to fix it is screwed (but they were the moment their software got tied to specific JRE6 version). If it were .net instead of Java, when do you think MS would get around to patching Linux versions? If it were some scripting language... ok, it couldn't be: duck typing is too fragile, performance is problem, no serious contenders for many (not most, but many) Java use cases.
In absence of Java, maybe something really better would exist now, but I very much doubt it. It's a paradoxical package deal.
Why doubt something better would exist? (Score:3, Insightful)
Sun was very much responding to a need when they started developing Java all those years ago. Other groups largely left them to it as Sun was a company with an excellent reputation. Things would have been just fine but for one most unfortunate event.
Oracle bought Java.
We suddenly switch from famous to infamous. As far as I'm concerned, Java died on that day, and I've been far more interested in freer languages since then. I feel for those that continue to endure Java due to corporate inflexibility.
Re:Why doubt something better would exist? (Score:5, Insightful)
What is telling is, JRE installer from Oracle keeps pushing ask.com toolbar (borderline malware) with underhanded tactics (check box checked by default, re-checked for updates, and hidden behind changing install directory from default). Business is business, sure, and I wouldn't want something this dirty anywhere near my business...
Re:Why doubt something better would exist? (Score:5, Insightful)
Sun did that for years, that's hardly something new Oracle brought in. It's because Sun, despite their excellent engineering reputation, never figured out how to make money off Java. Lots of other companies did but Sun didn't. So they ended up resorting to pushing crapware through the Windows installer in a desperate attempt to monetize. Oracle merely continued that awful tradition.
The good news is that ever since Java has been open source, distributing it in other ways is possible and with Java 8 they're changing the license on the Oracle packagings of it so you can cut it down to size for your specific app. It's getting a lot close to just being a big runtime library than an entire parallel OS which it was trying to be in previous years.
As to whether Java is secure or not, I don't think we should be too hard on the Oracle/Sun developers here. Every attempt to do mobile code has turned into a security nightmare. Not just Java, ActiveX and Flash, but web browsers routinely patch exploits in their core rendering or JavaScript engines, and that's HTML5 - a vastly simpler and more crippled platform than even the most basic core Java system provides. In fact browser developers have given up trying to make renderers secure which is why they're all heavily sandboxed, it's inevitable people will find ways to exploit the mobile code aspects of the rendering engines. Even then, Chrome sandbox escapes still get found from time to time.
I don't think we should read these stories as "Java sucks". Programs written in Java or any other modern managed language are still much more secure than code written in C++. There are no stack or heap overflows to worry about, no double frees. These stories are not about how easy it is to write secure code in any given language or platform. Instead we should understand these stories as "sandboxing malicious code is incredibly hard". Java hurts from it more because Java was a lot more ambitious than other attempts.
Re:again? (Score:5, Insightful)
Its amazing how Java went from being the favoured child here on Slashdot to something generally reviled and hated over the past decade.
I don't think this is unique to Java; the same thing has happened here with Ubuntu/Canonical. Love can easily turn to hate whereas indifference rarely does.
.tar.gz for Linux and just unpack it to install, and for #3 there is always OpenJDK in the background to keep Oracle on the straight an narrow.
.NET, which for me (using Linux) would mean using Mono. Interestingly, open-source Mono seems to generate more hatred here on Slashdot than the closed-source and proprietary .NET does.
Concerning Java, I don't think it is Java per se that is the cause of the 'hatred', it is more (1) the insecurity of the browser plug-in, (2) the attempt to install the ask.com toolbar when installing the JRE and (3) a general distrust of Oracle.
I don't have a problem with any of these. For #1 this can be disabled, for #2 I just download the JDK
The only real alternative to Java is
Re:concerning is ... (Score:4, Insightful)
ADP forces the use of an ancient and bug infested version of java for it's timecard application. We've been infected SO MANY times they finally decided to setup a dedicated PC that has no other access.
This of course removes all the benefit of having web acdess to time card entry, eats up time employees could be working but the gossip and knife fights are good entertainment.