An anonymous reader writes: A faulty security patch has left Java users vulnerable to attacks in the past two years, researchers from Polish security firm Security Explorations are claiming. The issue in question is CVE-2013-5838, which was discovered and patched in October 2013. Two years later, going back over their researcher, the same security researchers have now discovered that Oracle had not only misclassified its impact but also botched the fix. In a Full Disclosureexposé, the researcher says that changing four characters in the company's original proof-of-concept code allowed them to exploit the flaw, despite Oracle's patch.

whoever57 writes: A California jury in one of the cases between Synopsys and Atoptech found copyright infringement in Atoptech's use of the "Primetime commands". These companies compete in the field of EDA ("Electronic Design Automation") software: software that is used by semiconductor companies to design ICs. The Primetime commands are merely an interface. Atoptech has their own implementation of the functionality that these commands [provide]. This can be seen as similar to the Oracle vs. Google lawsuit, in which an appeals court has found that providing a similar interface (via header files) can constitute copyright infringement. Naturally, there will be appeals in this case.

itwbennett writes: On Friday, Oracle published a security advisory recommending that users delete all the Java installers they might have laying around on their computers and use new ones for versions 6u113, 7u97, 8u73 or later. The reason: Older versions of the Java installer were vulnerable to binary planting in the Downloads folder. 'Though considered relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user's system,' said Eric Maurice, Oracle's software security assurance director, in a blog post.

An anonymous reader writes: There's a German security researcher that is arduously testing the installers of tens of software products to see which of them are vulnerable to basic DLL hijacking. Surprisingly, many companies are ignoring his reports. Until now, only Oracle seems to have addressed this problem in Java and VirtualBox. Here's a short (probably incomplete) list of applications that he found vulnerable to this attack: Firefox, Google Chrome, Adobe Reader, 7Zip, WinRAR, OpenOffice, VLC Media Player, Nmap, Python, TrueCrypt, and Apple iTunes. Mr. Kanthak also seems to have paid special attention to antivirus software installers. Here are some of the security products he discovered vulnerable to DLL hijacking: ZoneAlarm, Emsisoft Anti-Malware, Trend Micro, ESET NOD32, Avira, Panda Security, McAfee Security, Microsoft Security Essentials, Bitdefender, Rapid7's ScanNowUPnP, Kaspersky, and F-Secure.

An anonymous reader writes: After Mozilla said in October that it would stop supporting Firefox plugins on the older NPAPI technology, Oracle had no choice now but to announce the deprecation of the Java browser plugin starting with the release of the JDK version 9, which is set for release in March 2017, and developers are urged to start using the Java Web Start pluginless technology instead. Security issues also had a big part in Java's demise.

phantomfive writes: As the Google v. Oracle copyright case drags on, Oracle is claiming that Android has generated $31 billion in revenue for Google, $22 billion of which was profit. Court records also show Google paid Apple $1 billion USD to keep their search bar on the iPhone. A revenue sharing agreement was in place as well. At one point, Apple got 34% of the revenue generated by Google searches on iPhones. Both companies later requested that the information be redacted from the record, but once something is released on the internet, it tends to stay there.

prisoninmate writes: Oracle's Unbreakable Enterprise Kernel (UEK) Release 4 is an important engineering effort and introduces performance improvements and enhancements for some of the most essential components, including CPU schedulers and Automatic NUMA Balancing, along with powerful new features, such as real-time kernel patching, which is possible thanks to the Ksplice open-source extension of the Linux kernel 4 branch, which lets users to apply patches to the running kernel without the need to reboot the system, thus improving security and simplify the management of cloud infrastructures.

An anonymous reader writes: Oracle's database management system has seen the biggest rise in terms of popularity in the past year. Oracle didn't only see a rise in the number of deployed instances, job offerings and mentions on LinkedIn profiles, but for the first time also became a popular topic on Twitter and a constant mention on StackOverflow, a popular Q&A support forum for developers. Second on DB-Engine's popularity list was MongoDB, which barely missed winning the DBMS of the Year award for the third time in a row.

itwbennett writes: Roughly 100 low-income families were evicted from an apartment complex on the land in Austin, Texas where Oracle plans to build a new 560,000 sq. foot cloud-computing campus. Some of the former tenants of Lakeview Apartments had leases through the end of the year, but were reportedly forced by owner Cypress Real Estate Advisors to move out early. Some have said their security deposits were not returned, and they have had no assistance as they've struggled to find comparably priced housing. Last week, some of those residents gathered near the site of their former home to protest and to appeal to Oracle for assistance.

An anonymous reader writes: Google is ditching the Java application programming interfaces (APIs) in Android and moving to only OpenJDK. The news first came by a "mysterious Android codebase commit" from last month submitted to Hacker News. Google confirmed to VentureBeat that Android N will rely solely on OpenJDK. “As an open-source platform, Android is built upon the collaboration of the open-source community,” a Google spokesperson told VentureBeat. “In our upcoming release of Android, we plan to move Android’s Java language libraries to an OpenJDK-based approach, creating a common code base for developers to build apps and services. Google has long worked with and contributed to the OpenJDK community, and we look forward to making even more contributions to the OpenJDK project in the future.”

An anonymous reader writes: The FTC and Oracle have come to an agreement regarding Oracle's deceptive Java security updates, which only removed recent versions of vulnerable Java SE, but left behind older, insecure versions. Oracle got away without a fine, but will have to overhaul its Java update process to remove older versions as well.

itwbennett writes: When Intel and Micron Technology first announced the 3D XPoint memory in July, they promised about 1,000 times the performance of NAND flash, 1,000 times the endurance of NAND flash, and about 10 times the density of DRAM. At OpenWorld last week, Intel CEO Brian Krzanich disclosed a little more information on the new memory, which Intel will sell under the Optane brand, and did a demo on a pair of matching servers running two Oracle benchmarks. One server had Intel's P3700 NAND PCI Express SSD, which is no slouch of a drive. It can perform up to 250,000 IOPS per second. The other was a prototype Optane SSD. The Optane SSD outperformed the P3700 by 4.4 times in IOPS with 6.4 times less latency.

AmiMoJo writes: According to data from Secunia, Apple's software for Windows is now the biggest threat to PC security, surpassing previous long term champion Java. Among U.S. users, some 61 percent of computers detected running QuickTime did not have the latest version. With iTunes, 47 percent of the installations were outdated versions. There were 18 vulnerabilities in Apple QuickTime 7 at the time of the study. Oracle has now fallen/risen to 2nd place, followed by Adobe. All three vendors bundle automatic updater utilities with their software, but users seem to be declining new versions. Update fatigue, perhaps?

An anonymous reader writes: Oracle's Larry Ellison gave a presentation yesterday at OpenWorld in which he detailed how the M7 chip's new Silicon Secured Memory system works. "On the M7, pointers and their memory blocks are stamped with a 4-bit 'color,' and accesses are verified to make sure the color in the highest bits of the pointer matches the color of the memory allocation. This works with virtual memory allocated from the heap rather from the stack, it appears. Solaris tries to avoid giving adjacent blocks the same color." El Reg notes that a 4-bit security stamp doesn't really offer that many distinct options. "Four bits of color means there are 24, or 16, possible colors a memory block can have. A hijacked pointer has a one-in-16 chance of having a matching color when it accesses any block of memory, allowing it to circumvent the SSM defense mechanism. ... It is even possible [a hacker] can alter the color bits in a pointer to match the color of a block she wishes to access, and thus avoid any crashes and detection. In short, SSM is a mitigation rather than bulletproof protection." Still, Ellison claims this would have shut down vulnerabilities like Heartbleed and Venom.

itwbennett writes: Oracle said that it has fixed 154 security flaws in Java and a wide range of its other products, including one that Russian cyberespionage group Pawn Storm used to launch stealthy attacks earlier this year. The vulnerability, tracked as CVE-2015-4902, was being used by the Pawn Storm attackers to enable the execution of a malicious Java application without user interaction.

itwbennett writes: Slashdot readers are no strangers to Oracle's aggressive licensing practices, practices that have earned them notoriety over the years. This week, Texas law firm Scott & Scott wrote a blog post warning enterprises about the 'traps' in Oracle software licensing. One of the biggest problems with Oracle software is how difficult it is for companies to track internally what they're using and how they're using it, said Julie Machal-Fulks, a partner with Scott & Scott, in an interview with Katherine Noyes. 'They may use just one Oracle product and think they're using it correctly, but then Oracle comes along and says, 'no, you're using it wrong — you owe us a million bucks.'

An anonymous reader writes: Mozilla announced that it will follow the lead of Google Chrome and Microsoft Edge in phasing out support for NPAPI plugins. They expect to have it done by the end of next year. "Plugins are a source of performance problems, crashes, and security incidents for Web users. ... Moreover, since new Firefox platforms do not have to support an existing ecosystem of users and plugins, new platforms such as 64-bit Firefox for Windows will launch without plugin support." Of course, there's an exception: "Because Adobe Flash is still a common part of the Web experience for most users, we will continue to support Flash within Firefox as an exception to the general plugin policy. Mozilla and Adobe will continue to collaborate to bring improvements to the Flash experience on Firefox, including on stability and performance, features and security architecture." There's no exception for Java, though.

An anonymous reader writes: It's been five years since Oracle killed off OpenSolaris while the community of developers are letting it live on with the new OpenIndiana "Hipster" 15.10 release. OpenIndiana 15.10 improves its Python-based text installer as it looks to drop its GUI installer, switches out the Oracle JDK/JRE for OpenJDK, and updates its vast package set. However, there are still a number of outdated packages on the system like Firefox 24 and X.Org Server 1.14 while the default office suite is a broken OpenOffice build, due to various obstacles in maintaining open-source software support for Solaris while being challenged by limited contributors. Download links are available via the OpenIndiana.org release notes. There's also a page for getting involved if wishing to improve the state of open-source Solaris.

An anonymous reader writes: Italo Vignoli, founding member of The Document Foundation, reflects on the project's five-year mark in an article on Opensource.com: "LibreOffice was launched as a fork of OpenOffice.org on September 28, 2010, by a tiny group of people representing the community in their capacity as community project leaders. At the time, forking the office suite was a brave -- and necessary -- decision, because the open source community did not expect OpenOffice.org to survive for long under Oracle stewardship." The project that was OpenOffice.org does still exist, in the form of Apache Open Office, but along with most Linux distros, I've switched completely to LibreOffice, after some initial misgivings.

New submitter Da w00t writes: Talos security researchers detected a malicious shockwave flash file that not only bypasses pop-up blockers, but also accurately fingerprints computers with the help of some JavaScript. The 'Infinity Popup Toolkit' is a prime example of software that falls into this gray area by bypassing browser pop-up blocking. In deciding to classify the toolkit as malware, the researchers pondered where the line lies between software that's harmful and software that's not. Quoting: "Without a clear standard defining what is and is not acceptable behavior, identifying malware is problematic. In many situations, users are confronted with software that exhibits undesirable behavior such as the Java installer including a default option to install the Ask.com toolbar. Even though many users objected to the inclusion of the Ask.com toolbar, Oracle only recently discontinued including it in Java downloads after Microsoft changed their definition of malware which then classified the Ask.com toolbar as malware."