Polish Researcher: Oracle Knew For Months About Java Zero-Day 367
dutchwhizzman writes "Polish security researcher Adam Gowdiak submitted bug reports months ago for the current Java 7 zero-day exploit that's wreaking havoc all over the Internet. It seems that Oracle can't — or won't? — take such reports seriously. Is it really time to ditch Oracle's Java and go for an open source VM?"
Re:Why are people still using this? (Score:5, Insightful)
You sound like someone who shouldn't be giving technical advice.
C/C++ has advantages over Java, just like Java has advantages over C/C++
Saying you should use one over the other for every purpose is foolhardy.
Ask Toolbar Really ? (Score:5, Insightful)
This is the programming language that still bundles the "Ask Toolbar" crapware with their installer. Nuff said.
Re:Ditch Java entirely. (Score:4, Insightful)
Re:Why are people still using this? (Score:3, Insightful)
Does it really matter how verbose a language is if it gets compiled down byte code? If it's good code, it doesn't matter. You have the same logic that managers have, i.e., counting lines of code is a measure of productivity. There's plenty to dislike about the way Oracle has handled Java, however, complaining that it takes too many lines to accomplish something is not one of them. My guess is that there's a Perl programmer out there who thinks C++ is bloated.
The complaint I see, but hasn't been verbalized, is that Oracle isn't making money off of the Java language so their technical support has failed. That's as bad as Microsoft screwing with the VB to VB.NET change. That's a reason to reconsider your programming language choice. However, nothing better has come along.
For now, Java is good enough.
Re:Ditch Java entirely. (Score:5, Insightful)
Ditch Java applets entirely.
Re:No (Score:5, Insightful)
The real problem here is the quarterly patch cycle that seems to ignore the severity of security bugs. If you want to do a quarterly cycle that's fine - but you need to make exceptions for security bugs.
All bugs should be reported opening (Score:4, Insightful)
This is why reporting bugs to the software developers is stupid. Post the bug into the public, so they have no choice but to upgrade. Corporations are run by people who want to spend as little as possible to make as much money as possible. They won't patch bugs unless they are forced. They need to be forced.
As a former Oracle dev (Score:5, Insightful)
Unless an SVP gets involved, it's unlikely that it will be rushed.
Re:Ditch Java entirely. (Score:3, Insightful)
Mono sucks and is inferior to OpenJDK .NET
LLVM is awesome but a different technology all together
LOL @
Re:As a former Oracle dev (Score:5, Insightful)
Re:java is an abomination (Score:5, Insightful)
!? Java is basically the only language you can seriously use to write apps on Android. The NDK? It's awful. I love Android but I seriously hate Java. As a language it's terrible, and anyone who says otherwise needs to pull their head out of their ass and play with some other languages. What's awesome about Java is the JVM... which is basically just an open standard. It doesn't necessarily need to run Java code just Java *bytecode*. There are some fantastic alternatives that run on the JVM too, like Scala (and in sort of a different way JRuby). Unfortunately Scala on Android isn't so mature and is a nightmare to get working or really use.
Not fully supporting the NDK is one of the biggest things that pisses me off about Android. I'd drop Java in a heartbeat for C++ if the NDK was decent. Google would do well to start supporting some scripting languages natively too - there's a reason there are so many projects trying to make platforms in Python and Ruby for Android, but they all end up half assed or running out of time/money and they start going non-free.
Seriously Google, give us some alternatives. Java is the absolute worst part of Android.
Re:As a former Oracle dev (Score:4, Insightful)
If that's the way they work, they should not be selling mission-critical software that is exposed to the internet.
Re:IBM (Score:5, Insightful)
This is something I struggle with. Lots of people would reply "python", but I think they're off their rocker. Yes, python is probably just fine for a lot of website development, and yes, I know some enterprises are using it heavily, but when you dig into it, it's really a hacked up POS that carries WAY too much of its evolutionary baggage. Java certainly has a bit of that as well, mostly in the bundled libraries, but they are much more consistently architected than the Python libraries. Plus, the lack of true multi-threading support is just...unconscionable for a modern language, I think. Yeah, it simplifies things for the hoi polloi, but that should hardly be the standard we aspire to.
Unfortunately, the only languages I know which have the features I expect from the next great modern language are all research languages at this point. What I'd really like: Start with Java (convenient syntax that is familiar to many people, and a VM with a lot of important concepts). Go through the standard library and rework it to make it consistent, ditch the older paradigms that still hang around to support backwards compatibility. Rework generics, also ditching compatibility but to improve usefulness. Add support for design-by-contract. Add in language level (not library level) features to support fork-join with support for some mechanism to declare affinity between work units and data so that the VM can optimize thread placement and data placement in memory. Add better built in support for both dynamic class creation and bytecode injection. Add a smart/flexible int/float/number types where the VM will take care of sizing depending on how big the number is, something which can flow up to the Big range without needing to keep track of sizes yourself...and crucially, where the math operations work regardless of number size, efficiently (i.e., under the covers, this would mean allowing for a mutable big integer/decimal). Also add support for primitive collections...but do it in such a way that it's made as transparent as possible. This would probably mean it would allow treating primitives as Objects from a parameter passing perspective, so, say, your Map put method would still be put(K,V), but if you used a map which supported primitives (which would be a lot easier to write with the smart-number facility), it would pass a primitive straight through without any boxing/unboxing.
I'm sure if I thought a bit longer, I could come up with some other features I'd like to see. Importantly, this language still has a VM...I think that becomes more important for the future, not less, as we move to higher core/processor counts and NUMA becomes a bigger and bigger issue. There will always be a place for lower level coding a-la C/C++; but I think that a higher level language really...you need a VM. And, as with the JVM/CLR, I would want the VM for this language to offer support for running bytecode which could be compiled from a multitude of languages. People who have done work developing those sorts of compilers would probably have suggestions on how that could be even better supported, and I certainly think that input would be important for ensuring that support is done right.
Re:Stop spreading ridiculous myths (Score:5, Insightful)
First of all, I think the comparison was Apple to Microsoft, not Linux to MS.
Second, when you talk desktop to server, you are talking apples (heh) to oranges. Desktops are important hosts for viruses because of what they are used for and who they are used by. Which is to say they tend to run on-demand applications and web browsing, and are run by anyone, usually amateurs who are easy to socially engineer.
A server is going to be run by professionals who operate services that are either developed in-house, or purchased and supported professionally. They will not frequently install new software, and that will usually be vetted carefully, if only because they will tend to spend money on purchase or support. You can still socially engineer professionals, but you will tend to have a lot harder time doing it, as they usually receive training covering that very contingency.
Consequently, while server exploits definitely exist, exploits that are directly related to a server tend to be fewer and more difficult to make use of where they exist, so Linux is going to have a much lower exploit penetration simply by virtue of being used mostly as a server, despite its market share of the server business. Hence, the comparison of the Windows market share, which is primarily desktop computing, to the Linux market share, which is mostly servers, is going to show significant deviation based on their usage patterns. That invalidates a direct comparison of their market shares in this instance and fatally undermines the argument.
Desktop market share is a big deal for viruses particularly if it is as high as that for Windows. The argument that Microsoft only cares about money doesn't cut it when you'd consider that Apple only cares about making money as well. MacOS is not a community project like most distributions of Linux, it may have more links to Open Source, but that doesn't mean that Apple is immune to profit motive, as we well know. You may well argue that Microsoft ignored the issues in favor of their vision of interoperability and control, but simple profit motive alone is not going to explain the differences without further elaboration.
Apple did and does have a smaller market share. It was also used, primarily, for purposes like design until it became more popular for developers in the last few years. While Apple probably has better security, part of which is inherited from it's UNIX roots, this is not going to be sufficient to deter malicious coders if there is interest in penetrating the MacOS share of PCs. In short, Apple users are a minority who don't really have a usage pattern that will be useful for most exploit developers. This is a real effect which decreases number and extent of exploitation and it *does* make using that platform safer, but it is a smokescreen, not a shield against future attacks.
You could make more of an argument for the security of an iOS specifically than Apple in general. However, even that security model was built more on the need to generate revenue than it was to prevent infections.
So, market share does matter significantly. While amateur hackers may well like the challenge of cracking something like a Mac or an Amiga for that matter, the more professional exploiters are going to spend time on the platform that they can generate the most effect from for the smallest initial investment. These professional exploiters will be more effective and more persistent than amateurs, which means they will tend to keep at exploits until they work well enough for significant penetration. This is a primary reason that Windows is riddled with exploits and would continue to be riddled with them even with better security measures.
Java on Slashdot is almost a meme now (Score:4, Insightful)
Same old jokes and criticisms. Reading these posts, you'd think Java was relegated to driving outhouse fans in Siberia and not the #3 language by popularity in the world.
That being said, the Java *browser* vulnerabilities need to be taken far more seriously. The only exploit that I know I've been hit by was through an unpatched Java install and it was nasty; as in rebuild my laptop from the ground up nasty.
Zero Day? (Score:4, Insightful)
Re:Why are people still using this? (Score:5, Insightful)
To be fair to AC, Java is dead slow to start up. Once it's up and running there are no issues anymore, but on the desktop, the startup time is pretty bad.
Also, IIRC, I think there are still a few libraries that are not open source (and that don't work well in OpenJDK)
Re:Java on Slashdot is almost a meme now (Score:4, Insightful)
Same old jokes and criticisms. Reading these posts, you'd think Java was relegated to driving outhouse fans in Siberia and not the #3 language by popularity in the world.
A lot of these problems could be resolved if the Java installer didn't include the browser plugin. That should be a separate download, or at least it should require the user to affirmatively check a box. At this point, Java in the browser is, for most users, little more than a giant security hole. Virtually no legitimate public websites require it.