Java

Another Java Exploit For Sale 150

tsamsoniw writes "Mere days after Oracle rolled out a fix for the latest Java zero-day vulnerabilities, an admin for an Underweb hacker forum put code for a purportedly new Java exploit up for sale for $5,000. Though unconfirmed, it's certainly plausible that the latest Java patch didn't do the job, based on an analysis by the OpenJDK community. Maybe it's high time for Oracle to fix Java to better protect both its enterprise customers and the millions of home users it picked up when it acquired Sun."
Bug

Security Expert Says Java Vulnerability Could Take Years To Fix, Despite Patch 320

An anonymous reader writes "After the Department of Homeland Security's US-CERT warned users to disable Java to stop hackers from taking control of users' machines, Oracle issued an emergency patch on Sunday. However, HD Moore, chief security officer of Rapid7, said it could take two years for Oracle to fix all the security flaws in the version of Java used to surf the web; that timeframe doesn't count any additional Java exploits discovered in the future. 'The safest thing to do at this point is just assume that Java is always going to be vulnerable,' Moore said."
Java

Oracle Ships Java 7 Update 11 With Vulnerability Fixes 243

An anonymous reader writes "After announcing a fix was coming just yesterday, Oracle on Sunday released Java 7 Update 11 to address the recently disclosed security vulnerability. If you use Java, you can download the latest update now from the Java Control Panel or directly from Oracle's website here: Java SE 7u11. In the release notes for this update, Oracle notes this version "contains fixes for security vulnerabilities." A closer look at Oracle Security Alert for CVE-2013-0422 details that Update 11 fixes two vulnerabilities."
Java

Oracle Knew of Latest Java 0-Day Security Hole In August 265

An anonymous reader writes "After news broke on Thursday that a new Java 0-day vulnerability had been discovered, and was already being included in multiple popular exploit kits, two new important tidbits have come in on Friday. Firstly, this whole fiasco could have been avoided if Oracle had properly patched a previous vulnerability. Furthermore, not only is the vulnerability being exploited in the wild, but it is being used to push ransomware." Meanwhile, writes reader Beeftopia, the U.S. Department of Homeland Security is getting in on the action, and "has warned users to disable or uninstall Java software on their computers, amid continuing fears and an escalation in warnings from security experts that hundreds of millions of business and consumer users are vulnerable to a serious flaw."
Education

Raspberry Pi Gets an Open Source Educational Manual 56

Last year a group of UK teachers started working on a Creative Commons licensed teaching manual for the Raspberry Pi. That work has produced the Raspberry Pi Education Manual which is available at the Pi Store or here as a PDF. From Raspberry Pi: "The manual is released under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 unported licence, which is a complicated way of saying that it’s free for you to download, copy, adapt and use – you just can’t sell it. You’ll find chapters here on Scratch, Python, interfacing, and the command line. There’s a group at Oracle which is currently working with us on a faster Java virtual machine (JVM) for the Pi, and once that work’s done, chapters on Greenfoot and Geogebra will also be made available – we hope that’ll be very soon."
Cloud

Official Doc Reveals Oracle's Cloud Rules 84

itwbennett writes "In an official document that is both 'confidential' and publicly available on Oracle's website, the company lays out its cloud policies. Most of the policies follow industry standards, but then there are a few that should give customers pause. Like the one that allows Oracle to turn off access to accounts in the event of a dispute or account violation."
Ubuntu

Mark Shuttleworth Answers Your Questions 236

A couple of weeks ago you had a chance to ask Mark Shuttleworth, founder of Canonical Ltd. and the Ubuntu Foundation, anything about software and vacationing in space. Below you'll find his answers to your questions. Make sure to look for our live discussion tomorrow with free software advocate and CTO of Rhombus Tech, Luke Leighton. The interview will start at 1:30 EST.
Open Source

Researcher Discloses New Batch of MySQL Vulnerabilities 76

wiredmikey writes "Over the weekend, a security researcher disclosed seven security vulnerabilities related to MySQL. Of the flaws disclosed, CVE assignments have been issued for five of them. The Red Hat Security Team has opened tracking reports, and according to comments on the Full Disclosure mailing list, Oracle is aware of the zero-days, but has not yet commented on them directly. Researchers who have tested the vulnerabilities themselves state that all of them require that the system administrator failed to properly set up the MySQL server, or the firewall installed in front of it. Yet, they admit that the disclosures are legitimate, and they need to be fixed. One disclosure included details of a user privilege elevation vulnerability, which if exploited could allow an attacker with file permissions the ability to elevate their permissions to those of the MySQL admin user."
Java

Oracle Proposes New Native JavaScript Engine for OpenJDK 80

hypnosec writes "Oracle has proposed a new project for OpenJDK — Nashorn, which aims to implement a high-performance yet lightweight JavaScript runtime that would run on the JVM natively. Nashorn will be headed by Jim Laskey, multi-language lead at Oracle, and the project will be sponsored by the HotSpot group. The project proposes an implementation of JavaScript such that it can run standalone JavaScript applications via the JSR 223 APIs. Nashorn's design will enable it to take advantage of new JVM technologies like the MethodHandles and the InvokeDynamic APIs."
Open Source

Oracle Makes Red Hat Kernel Changes Available As Broken-Out Patches 104

Artefacto writes "The Ksplice team has made available a git repository with the changes Red Hat made to the kernel broken down. They are calling this project RedPatch. This comes in response to a policy change Red Hat had implemented in early 2011, with the goal of undercutting Oracle and other vendors' strategy of poaching Red Hat's customers. The Ksplice team says they've been working on these individual patches since then. They claim to be now making it public because they 'feel everyone in the Linux community can benefit from the work.' 'For Ksplice, we build individual updates for each change and rely on source patches that are broken-out, not a giant tarball. Otherwise, we wouldn't be able to take the right patches to create individual updates for each fix, and to skip over the noise — like a change that speeds up bootup — which is unnecessary for an already-running system.'"
Open Source

Bruce Perens Answers Your Questions 52

A while ago you had the chance to ask Bruce Perens about how open source has changed in the past 15 years, what's happening now, and what's to come. Bruce has been busy traveling, but he's found some free time and sent in his answers. Read below to see what he has to say.
Java

Red Hat Devs Working On ARM64 OpenJDK Port 63

hypnosec writes "Developers over at Red Hat are busy porting OpenJDK to ARM's latest 64-bit architecture — the ARMv8, also known as the AArch64. The current OpenJDK ARM situation is rather unsatisfactory: for the current 32-bit ARM processors, there are two versions of the HotSpot JVM for OpenJDK — Oracle's proprietary JIT, and a less sophisticated free JIT that performs poorly in comparison. To avoid a similar situation for the 64-bit platform, the developers are working on an entirely Free Software port of HotSpot to 64-bit ARM."
Java

Researcher Develops Patch For Java Zero Day In 30 Minutes 57

Trailrunner7 writes "A security researcher has submitted to Oracle a patch he said took him 30 minutes to produce that would repair a zero-day vulnerability currently exposed in Java SE. He hopes his actions will spur Oracle to issue an out-of-band patch for the sandbox-escape vulnerability, rather than wait for the February 2013 Critical Patch Update as Oracle earlier said it would. Adam Gowdiak of Polish security consultancy Security Explorations reported the vulnerability to Oracle on Sept. 25, as well as proof-of-concept exploit code his team produced. The vulnerability is present in Java versions 5, 6 and 7 and would allow an attacker to remotely control an infected machine once a user landed on a malicious website hosting the exploit. Gowdiak said his proof-of-concept exploit was successfully used against a fully patched Windows 7 machine using Firefox 15.0.1, Chrome 21, IE 9, Opera 12, and Safari 5.1.7."
Businesses

Salesforce.com's Benioff Disses Windows 8, Oracle 182

An anonymous reader writes "Salesforce.com CEO Marc Benioff is the latest to predict Windows 8 will be a disaster for Microsoft, but for a different reason than some others: he says that Windows is simply irrelevant in the new era of cloud computing and bring-your-own-devices (BYOD), which will become clear to corporate IT decision makers when they confront the upgrade decision. Of course, this conveniently dovetails with Salesforce's market position, so consider the source. Another interesting development is the growing rivalry between Benioff and his old boss Larry Ellison; Salesforce.com is a longtime Oracle shop, but they have just announced intentions to hire 40-50 PostgreSQL developers."
Oracle

Oracle's Sparc T5 Chip Evidently Pushed Back to 2013 98

Mark Hachman writes in Slash Datacenter that the Sparc T5 chip Oracle announced earlier this year apparently won't be ready until sometime in 2013. John Fowler, executive vice president, Systems, Oracle, presented at Oracle Open World a chart outlining highlights of Oracle's plans for the future. "But Fowler also skipped over some bad news: an apparent delay for the Sparc T5. A year ago, Oracle’s Sun division announced the Sparc T4—and according to Fowler, Oracle chief Larry Ellison set a very high bar for the next iteration: double the performance while maintaining app compatibility on an annual basis. Apparently, that didn’t quite happen with the T5; Oracle had the opportunity to announce a T5-based server, and didn’t. That’s a bit of bad news for the Sun design team, which already had to watch Intel’s Xeon chief, Diane Bryant, give the preceding keynote. ... As detailed at this year’s Hot Chips conference, the T5 combines 16 CPU cores running at 3.6 GHz on a 28-nm manufacturing process. Continuing the trend of hardware acceleration of specific functions, Sun executives claimed the chip would lead in on-chip encryption acceleration, with support for asymmetric (public key) encryption, symmetric encryption, hashing up to SHA-512, plus a hardware random number generator."
Businesses

Nokia Bets Big On Mapping 104

angry tapir writes "Nokia and Oracle have joined forces on mapping, with details of the deal to be announced at the Oracle OpenWorld conference. To differentiate its smartphones from the competition, Nokia is betting big on location as well as imaging technology. Oracle is expected to add Nokia's mapping technology to its applications. Part of Nokia's location strategy is signing deals for the use of its Navteq mapping technology with as many companies as possible. Besides the deal with Oracle, Nokia has recently announced contracts with car makers BMW, Mercedes, Volkswagen and Korean Hyundai, which will all use Navteq map data in some of their vehicles. Garmin will also start using Nokia data on transit services and walking routes to power a new Urban Guidance feature, which will be available as part of its Navigon app for Android and iOS. Nokia's most important partner on navigation, though, is Microsoft. All smartphones based on Windows Phone 8 will have Nokia's Drive application as standard, while Microsoft's Bing Maps geographical search engine uses Nokia data."
Cloud

Oracle Open World: Ellison Preaches Cloud Religion 49

Nerval's Lobster writes "Oracle CEO Larry Ellison used his opening keynote at Oracle Open World (OOW) to unveil several initiatives to accelerate the cloud, including its own private cloud, Infrastructure-as-a-Service, and its latest database version—which, coincidentally, can be stored in memory within Oracle's latest Exadata database machines. Ellison also paid tribute to Oracle hardware partner Fujitsu, which had earlier announced 'Project Athena': a server designed with an UltraSPARC chip that (he claimed) can run the Oracle database 'faster than any microprocessor on the planet.' Ellison opened OpenWorld with four key announcements: that Oracle is now offering infrastructure as a service; that it will complement the IaaS offering by allowing customers to run that same infrastructure behind their corporate firewall as a private cloud; the launch of Oracle database 12C (where the 'c' stands for 'cloud'); and, finally, the new Exadata servers, which barely use disk drives at all in favor of in-memory storage, with flash memory as a fallback."
GNU is Not Unix

Prime Minister to French Government: Favor FOSS Wherever Possible 112

concertina226 writes with interesting news from France. From the article: "French government agencies could become more active participants in Free Software projects, under an action plan sent by Prime Minister Jean-Marc Ayrault in a letter to ministers (PDF, and in French of course), while software giants Microsoft and Oracle might lose out as the government pushes Free Software such as LibreOffice or PostgreSQL in some areas. ... He also wants them to reinvest between 5 percent and 10 percent of the money they save through not paying for proprietary software licenses, spending it instead on contributing to the development of the free software. The administration already submits patches and bug fixes for the applications it uses, but Ayrault wants to go beyond that, contributing to or paying for the addition of new functionality to the software."
Bug

New Java Vulnerability Found Affecting Java 5, 6, and 7 SE 121

jcatcw writes "Just as Oracle is ramping up for the September 30 start of JavaOne 2012 in San Francisco, researchers from the Polish firm Security Explorations disclosed yet another critical Java vulnerability that might 'spoil the taste of Larry Ellison's morning ... Java.' According to Security Explorations researcher Adam Gowdiak, who sent the email to the Full Disclosure Seclist, this Java exploit affects one billion users of Oracle Java SE software, Java 5, 6 and 7. It could be exploited by apps on Chrome, Firefox, Internet Explorer, Opera and Safari. Wow, thanks a lot Oracle."
Security

Data Breach Reveals 100k IEEE.org Members' Plaintext Passwords 160

First time accepted submitter radudragusin writes "IEEE suffered a data breach which I discovered on September 18. For a few days I was uncertain what to do with the information and the data. Yesterday I let them know, and they fixed (at least partially) the problem. The usernames and passwords kept in plaintext were publicly available on their FTP server for at least one month prior to my discovery. Among the almost 100.000 compromised users are Apple, Google, IBM, Oracle and Samsung employees, as well as researchers from NASA, Stanford and many other places. I did not and will not make the raw data available, but I took the liberty to analyse it briefly."