Forgot your password?
typodupeerror
Java Oracle Security Software Upgrades

Oracle Promises Patches Next Week For 36 Exploits In Latest Java 154

Posted by timothy
from the they-call-this-progress dept.
An anonymous reader writes "Oracle is posting patches for all its products next Tuesday, which include 36 exploits for Java alone and over 140 for all Oracle products currently supported, included over 80 that require no authentication to execute.These patches look to be critical for any administrator. Java 6 users who use equipment or programs that rely on older versions are SOL unless they sign up for a very expensive support contract, as these patches are for Java 7 only."
This discussion has been archived. No new comments can be posted.

Oracle Promises Patches Next Week For 36 Exploits In Latest Java

Comments Filter:
  • concerning is ... (Score:3, Interesting)

    by Selur (2745445) on Saturday January 11, 2014 @05:01AM (#45925227)

    that of the 36 Java related bugs, "34 of them (are) exploitable remotely without authentication".

    "Java 6 users who use equipment or programs that rely on older versions are SOL unless they sign up for a very expensive support contract, as these patches are for Java 7 only."
    +
    "Oracle Java JDK and JRE, versions 5.0u55 and earlier, 6u65 and earlier, 7u45 and earlier"
    -> Muhahahaha,...

    • by mrmeval (662166) <`mrmeval' `at' `gmail.com'> on Saturday January 11, 2014 @08:36AM (#45925793) Journal

      ADP forces the use of an ancient and bug infested version of java for it's timecard application. We've been infected SO MANY times they finally decided to setup a dedicated PC that has no other access.

      This of course removes all the benefit of having web acdess to time card entry, eats up time employees could be working but the gossip and knife fights are good entertainment.

      • by TubeSteak (669689)

        We've been infected SO MANY times they finally decided to setup a dedicated PC that has no other access.

        I cringe whenever I see a Point of Sale or other commercial system being used to browse the web.

        If you can't afford a separate computer for looking stuff up, you certainly can't afford the pain from getting your crown jewels pwned..

  • by Tim99 (984437) on Saturday January 11, 2014 @05:48AM (#45925337)
    Oracle and Java exploits - An anecdote:-
    A couple of weeks ago I tried to log into my superannuation account, the browser fired back an authentication error, so I notified the company (MLC) who asked me to send them as many technical details as I could. After a little bit of looking around, I noted that the Oracle Access Management system that gave me the error code was was at version (11.1.1.5.0). Oracle's currently version was 11.1.2.1.0. Not too surprising, a supplier that had not patched to the current version.

    What did surprise me was that Oracle's Identity Management Patch Set that was available for the version displayed was >2GB - A compressed Java application and framework for a database authentication application that was over 2 Gigabytes in size .

    It has been a few years since I wrote any Oracle stuff, but that is ridiculous, what the hell have web based script kiddy/Java type developers been up to. Admittedly I started with Oracle in the Stone Age (V3) and actually shipped an application that used V4. By V6 the C interface which included all the necessary external validation code was small enough to be easily understood and modifiable by a single programmer. My memory is going now, but I seem to remember that in the 1990s all of the code for an early web CGI Oracle interface, including user validation would fit on a floppy.

    • Oracle and Java exploits - An anecdote:- A couple of weeks ago I tried to log into my superannuation account, the browser fired back an authentication error, so I notified the company (MLC) who asked me to send them as many technical details as I could. After a little bit of looking around, I noted that the Oracle Access Management system that gave me the error code was was at version (11.1.1.5.0). Oracle's currently version was 11.1.2.1.0. Not too surprising, a supplier that had not patched to the current version.

      What did surprise me was that Oracle's Identity Management Patch Set that was available for the version displayed was >2GB - A compressed Java application and framework for a database authentication application that was over 2 Gigabytes in size .

      It has been a few years since I wrote any Oracle stuff, but that is ridiculous, what the hell have web based script kiddy/Java type developers been up to. Admittedly I started with Oracle in the Stone Age (V3) and actually shipped an application that used V4. By V6 the C interface which included all the necessary external validation code was small enough to be easily understood and modifiable by a single programmer. My memory is going now, but I seem to remember that in the 1990s all of the code for an early web CGI Oracle interface, including user validation would fit on a floppy.

      Why are/were you surprised at the size of the package? I, and many other /.ers remember days when a 30 MB (no kids, that's not a typo) hard disk held dozens of applications, the GUI-based OS, and all our data files. Somewhere along the line APIs, OS frameworks and data files got less compact and then grew as the size of hard drives grew. More features, larger frameworks to accommodate those features and WHAM! you have a 2GB patch set. Sure, I still grumble when I see how big a small application (from a raw

  • by Arith (708986)
    How about that vulnerability where they package crap with the install? I had to clear a few spyware incursions on my father's machine resulting from the crap they stowed in the install including the ask toolbar. I don't care how many actual bugs there are. If you try to slide this shit by regular users like this, I just have zero respect for companies who do that.
  • web developers provided alternative site access without JAVA.
    Why? Simply because JAVA is a product designed to always have things that need patched.
    Its not safe, and never will be.

    • by iggymanz (596061)

      you think any other language framework also does not have horrendous security issues?

  • All those having internet facing java services had remote vulnerabilities known by oracle and the NSA for months (at least if Oracle does the same as Microsoft [techweekeurope.co.uk], something very probable if not worse), and if your internal network had some value for the NSA or people working for it, it is already backdoored.
  • by Max Threshold (540114) on Saturday January 11, 2014 @12:45PM (#45926919)
    Android developers are forced to use Java 6. I don't know if I should be more pissed at Oracle or Google right now...
  • 34 of those don't require authentication.
    That's for the "Java" product group, containing the following products
    Java SE
    Java SE Embedded
    JavaFX
    JRockit
    What I want to know, is how many are related to the JRE and how many to the Java browser plugin, Webstart and other components.

  • Like many people, I have Java installed but don't have the browser plugin enabled. This means that the remote-exploitable attack surface is zero; if you don't provide a route for the attacker to get to anything vulnerable, you're totally defended from that whole class of attacks. With applications where you've already installed them locally and which don't download extra code from random locations, the nature of these issues is entirely different. (Any language which it is impossible to deliberately write a

  • Anyone know if this is yet another band-aid patch or are they really fixing the underlying problem? This is why we continue to see patch after patch after patch after patch.. well you get the idea. Turns admins into firemen trying to patch all of the vulnerable machines. Even for my personal machines it's really, really, really old. Glad I'm not an admin. Wonder if Ellison is sorry he bought SUN yet.

What this country needs is a dime that will buy a good five-cent bagel.

Working...