Polish Researcher: Oracle Knew For Months About Java Zero-Day

dutchwhizzman writes "Polish security researcher Adam Gowdiak submitted bug reports months ago for the current Java 7 zero-day exploit that's wreaking havoc all over the Internet. It seems that Oracle can't — or won't? — take such reports seriously. Is it really time to ditch Oracle's Java and go for an open source VM?"

Re:Why are people still using this?

[Anonymous Coward]

I know you were trying to be clever, but since you asked:
https://en.wikipedia.org/wiki/Comparison_of_Java_and_C%2B%2B [wikipedia.org]

Re:Why are people still using this?

[gbjbaanb]

good honest work :)

All those things are artifacts of how crappy java is, in order to get anything done you need a metric ton of framework crap slapped on, and this is why people say "java is fast to develop in" - they mean, the frameworks make it faster to develop stuff, as long as you're developing exactly the kind of thing those frameworks are designed for. C/C++ world tends to have libraries that provide you with functionality you then plug in to your code, rather than having to code the way the framework wants you to (roughly).

You could use Ruby on Rails and get much better developer productivity, or Python, or node.js

As for C++, we don't tend to use EJBs - straight forward classes are fine, though you could use COM if you're on Windows (or COM+). The JSP frameworks are covered by either Microsoft's new Casablanca project or various web-server libraries like cppCMSS. C++ doesn't have much in the way of ORMs, preferring faster access to DB code but there are still plenty, eg ODB [wikipedia.org]

For example, you need tomcat to host your java beans and pages, but C++ would just run off Apache - either as a mod_xxx module, or via pass though to a running service. A C++ developer wouldn't necessarily embed a webserver into his code, instead expecting to reuse the existing web server infrastructure.

Generally the best place to start looking for C++ libraries is Boost. From there, just use google for what you need.

Re:IBM

[Simon Brooke]

Whatever happened to them? Didn't they at one time have a Java implementation?

IBM's Java work is now part of [wikipedia.org] OpenJDK [java.net]. How close OpenJDK is to Oracle Java and whether it shares this exploit I don't know (although the OpenJDK home page says they are '...based largely on the same code'), but if it does it should be patchable.

I'm not ready to give up on Java. It is not because I think it's the best, I still think C# beats it as a language, but at times when a client requires non-microsoft, it is my only choice for a modern language. Yeah, I know C++11, I've looked at it quite a bit, and it is better than it was, but as long as it needs header files, I don't put it into a modern language category.

I could happily give up Java, but I wouldn't willingly give up Clojure [clojure.org]. There's more (and better) languages for the JVM [wikipedia.org] than just Java.

Re:Ditch Java entirely.

[bennomatic]

I'm pretty sure Apple (a) doesn't include Java by default and (b) even once you install it, they make you jump through hoops to allow it in the browser/applet context. I seem to recall them being called evil for making those decisions a while back.

Re:IBM

[Anonymous Coward]

see http://www.ibm.com/developerworks/java/jdk/

Re:Ditch Java entirely.

[chfriley]

And if you have not used Java in 30 days, Apple disables it in the browser. (At least Java 6 and I believe any Java version). :-)

e.g., see http://www.christopherprice.net/making-sense-of-oracle-java-7-for-os-x-2119.html [christopherprice.net]

Re:Why are people still using this?

[binarylarry]

You have provided some terrible answers. Please stop posting about technologies when it's clear you have little technical knowledge.

Java is much, much faster than Flash.
The JVM set bundled with OpenJDK is the same as the one bundled with Oracle Java (Oracle Java is built on OpenJDK)
Java is cross platform, it's worked reliably for a long time
Java is open source, so blaming Oracle for slow development isn't fair (not that I like them, Fuck Oracle)

Some things that suck about Java:

No runtime generics
No lambda support
You have define your maximum heap size when the application is started
AWT and Swing are the official UI technologies and they're fucking terrible
It's very hard to port to platforms where it doesn't exist already

Re:Why are people still using this?

[Blakey Rat]

Ignoring for a moment Eclipse's awful UI, its entirely broken in Windows because of the way it handles (or rather, fails to handle) per-user special folders. Last time I installed it, it basically engaged in a DoS attack against every other app trying to use named folders.

Re:No

[VGPowerlord]

If you think "looks native" has ANYTHING to do with usability, you are entirely unqualified to judge the usability of an app. So I stand by my statement that your app is an unusable mess.

SWT doesn't just make it look native, it calls the OS's underlying libraries... SWT is (formerly) IBM's Java Native Interface library, written in C to do those calls. As such, its C code is wildly different on each OS. For that matter, the Linux/BSD versions require that GTK be installed, because there is no QT version of SWT.

Not a zero day bug

[slashkitty]

It's not a zero day if it was privately submitted over a month before. Zero Day means "a previously unknown vulnerability". It just wasn't public, so they didn't have as much urgency in fixing. Just stop calling it a zero day bug if the developers knew about it before hand.