Oracle Knew of Latest Java 0-Day Security Hole In August 265
An anonymous reader writes "After news broke on Thursday that a new Java 0-day vulnerability had been discovered, and was already being included in multiple popular exploit kits, two new important tidbits have come in on Friday. Firstly, this whole fiasco could have been avoided if Oracle had properly patched a previous vulnerability. Furthermore, not only is the vulnerability being exploited in the wild, but it is being used to push ransomware." Meanwhile, writes reader Beeftopia, the U.S. Department of Homeland Security is getting in on the action, and "has warned users to disable or uninstall Java software on their computers, amid continuing fears and an escalation in warnings from security experts that hundreds of millions of business and consumer users are vulnerable to a serious flaw."
Burned (Score:5, Interesting)
Had a few users burned by this today at work. One emergency security meeting later and we pulled Java from 3000 workstations this afternoon. Should have done this a year ago.
Excuse to upgrade shitty intranet apps? (Score:5, Interesting)
I use java solely for Eclipse development but I do not have the plugin installed on my browsers.
The people at work who still cling to IE 6 and IE 7 also are stuck in Java land and is the sole reason why XP is still alive kicking and screaming. Many still use NTLM version 1 security pre 1999 that can crack any account on AD because these apps wont work with anything newer than 13 years old!
With the department of homeland security recommendations perhaps we can finally move on and get rid of these dinosaurs that are a liability to our employers.
Shame on Oracle.
Java had such high hopes and Sun fucked up royally too beforehand. If Java could have native .exes and kept being updated perhaps it could be as good as .NET and we could all run Linux with our cross platform natively compiled apps in such an alternative universe.
Besides a few limited uses for mainframes I think it is time we said goodbye and put it to legacy ala Cobol 2.0? The question is what next? ... not language wise but richness in api wise and frameworks which is why .NET and Java are liked for complex 3-tier enterprise platforms.
Time to just remove Java (and Silverlight)? (Score:5, Interesting)
They are used on less than .2% of websites, and many are false positives. Yes some might not be detected as well. I am aware there is one very popular video service that uses Silverlight, can't say the same about Java.
Click on the language for more details
http://w3techs.com/technologies/overview/client_side_language/all [w3techs.com]
Re:Time to just remove Java (and Silverlight)? (Score:5, Interesting)
There's quiet a few Android devices running Java. And developers need Java on their PCs to write apps for them
That may be so; but it's not really a reason for people to keep Java enabled in their browsers.
Several months ago I disabled the Java plugins/extensions in all the browsers I use. Know what I noticed? Absolutely nothing. No sites that I frequent used Java *at all*. My experience browsing the web didn't change an iota.
It is so obvious... (Score:4, Interesting)
.
It has become apparent that Oracle either does not understand the concept of computer security....
- or -
Oracle does understand the concept of computer security, and they are using these exploits to kill off Java, which they do not want to support anymore.
What else can it be?
(btw, my bet is that Oracle is clueless regarding computing security)
Re:Time to just remove Java (and Silverlight)? (Score:1, Interesting)
At least Microsoft patches them and even activeX controls are signed by default, and even IE 6 will refuse to run unsigned activeX controls by default as well. Java is behind that 12 year old dinosaur!
MS may not have good intentions at all but they are moving forward and it was so frustrating when I was a java fan still last decade. You can upgrade your .NET apps and they are not browser dependent unless you put proprietary IE code in. We need a good biology anology for this one Samantha?
Java really does suck today.
What happened to Java? (Score:5, Interesting)
Back in college (when Java was the new thing) one of its big touted features was security -- all applets would run in a sandbox, Java would be written in bytecode that would be automatically verified before it was executed, array access indices would be bounds-checked, etc etc. This all made Java execute more slowly than the alternatives (er, ActiveX?), but the (expected) upside was that Java would be super-secure and we wouldn't have to worry about our computers getting exploited by evil web pages that we accidentally loaded.
Now it's 2013 and Java (at least in the context of a web browser) is turning into an unreliable bug-fest.
So, what happened? Is it just a matter of incompetence at Oracle (and/or Sun)? Or is Java's security model fundamentally broken in some way that other in-web-browser languages (particularly JavaScript) are not? Where are all these security holes coming from?
Non Oracle Java (Score:2, Interesting)
I think the future here is Java not from Oracle. We don't use their engine on servers now so why the hell would we use it on clients?
Oracle haven't got their act together, and obviously without a decent revenue stream they're not going to try, so time to move on from them.
Re:Time to just remove Java (and Silverlight)? (Score:5, Interesting)
Horrified because professionalism is expected (Score:4, Interesting)
Because it's used by others so effectively infrastructure, thus irresponsible to cut corners before release. To invoke a car analogy it's like opening a bridge on the announced date without finishing it in one lane so that cars driving from one direction keep falling into the water. Such an example appears so ridiculous because it's comparing a carefully planned engineering project on one hand (the bridge) with a room full of blindfolded basketweavers trying to weave bits of an elephant shaped basket while being shouted at in a language they cannot understand and none of them know what an elephant looks like (a typical mismanaged software project like your above example with your "tradeoffs").
Re: it's not 0-day (Score:3, Interesting)
You get what you pay for. "So, you want me to synthesize a new material, build a few skyscrapers with it, all on top of the landfill foundation the last team built, and make last at least 2 years before any substantial maintenance is performed? In a few months with a small team of survivalists?" I'm sure that'll work out great because those structural engineers are accredited.
Re:it's not 0-day (Score:4, Interesting)
It usually makes for very boring news so it is not covered very much except in things like trade journals. However real engineers are sued for design flaws when they don't do things correctly.
The laws acknowledge that no matter what there is always a chance of failure. If you did the work and can show that the odds of failure are .001% and the system still fails it will be investigated but as long as you are correct it is likely nothing will happen since rare events do happen.
However if you falsify the work, falsify the calculations, end up with calculations that are far off of reality then you can and are held liable in many cases.
Re:What happened to Java? (Score:5, Interesting)
These bugs have always existed in Java, but no one went out to exploit them because there were easier vulnerabilities available. Now as Microsoft has put more emphasis on security, the low-hanging fruit has become Acrobat reader, then Flash, now Java. Used to be you could smash the Microsoft stack any time you wanted. Now they are randomizing the stack and it's not so easy.....
Re: it's not 0-day (Score:5, Interesting)
That is absolutely true. The problem is that software is not delivering on all those things, it just promises all of those things.
For a real engineering profession you have the whole sign off system and if someone wants something done for a song and to do everything you don't sign off on it. If they try to get around that sign off there are some pretty serious legal consequences to that.
For programmers there is no legal way to say that the manpower involved is not sufficient to deliver the required quality. They will just be fired and replaced. Without programmers having some level of authority and the responsibility that goes with that you won't really see software getting better since there is no real incentive for it.
Look at some of the break in stats, 50% of windows break ins last year where form Java and IE made up about 3% yet Microsoft and IE are still blamed for all the security problems. Why should Java or Flash really try to do much better if the average person is not going to blame them or making purchasing decisions based on that anyways?
If you are a programming for Oracle and you say that X design is dangerous and you won't do it you will be fired.
If you are a chemical engineer and you say a certain reactor design is dangerous it will be fixed or it won't get used.
That is the real difference and that is what programmers need to have also.