Oracle Ships Java 7 Update 11 With Vulnerability Fixes

An anonymous reader writes "After announcing a fix was coming just yesterday, Oracle on Sunday released Java 7 Update 11 to address the recently disclosed security vulnerability. If you use Java, you can download the latest update now from the Java Control Panel or directly from Oracle's website here: Java SE 7u11. In the release notes for this update, Oracle notes this version "contains fixes for security vulnerabilities." A closer look at Oracle Security Alert for CVE-2013-0422 details that Update 11 fixes two vulnerabilities."

Is this really a fix?

[DavidClarkeHR]

It's great that the default security settings have been increased - and the zero-day flaws needed fixing (as always).

Proper web browsing hygiene protected users from this zero-day vulnerability - but my mom needed this update.

Disaster

[timeOday]

All the main codebases I work with and develop are in java. Tonight I was doing some work and tried to google some javadoc, but the first result was an illustration of a java-logo coffee cup going into a garbage can, and the first pageful of results were "how to uninstall java." I already had a customer balking about installing java. Now it seems certain we'll have to port everything away, a huge undertaking. (Even though we'll end up porting it to C++ and have multiple times more vulnerabilities when we're done, but I guess at least they'll be specific to our application).

Too Late Now

[Greyfox]

I'm not going to tell my friends and family it's safe to reinstall it. None of them even noticed that anything had changed after the uninstall.

Re:Java and Flash

[oatworm]

Tell that to lawyers that need it to access PACER or their local court filing repository. Or tell that to various medical professionals that have line-of-business apps written in Java (recently stumbled across an pano controller package written entirely in Java - that was cute). Or tell that to certain financial industries that use Java to submit various bits of paperwork (if you're a merchant filing for credit card processing, there's a decent chance your application was scanned and uploaded using a Java app called "AMA", depending on which platform your processor is underwriting with). Or tell that to businesses that electronically deposit checks - quite a few banks out there use scanners with Java software to get the checks from the business' PC into the banking system.

Java's actually fairly commonly used for line-of-business applications because it's fairly easy to find Java developers ("easy" being synonymous with "cheap"), the tools start at "free", it's sort of platform neutral, and it's been around for a while. Plus, a lot of those Java line-of-business apps were first written 5-10 years ago and, well, they still basically work - given a choice between paying for a total re-implementation of some tool that works "reliably", doing the necessary field testing to prove it's at least as secure, functional, and stable as the current implementation, or just periodically testing it against the latest version of Java, guess what most businesses do?

Now you know why Java exploits are a big deal.

Re:Any announcement of policy changes in Oracle?

[Anonymous Coward]

Their rep and that of Java took a huge punch in the gut. I'm a long time Java developer and I'm fuming at the way Oracle has handled this. When non-techies are associating Java with hacking, this is terrible news for the language and platform. It won't be long before the pointed-headed bosses start calling down to their IT shops making sure "we got all the java out of the computers."

It's already happening. I work as SDM for a major outsourcing company and our clients PHBs are requesting we throw java out as soon as we can eliminate the software that depends on it. I have had three such calls today, and they are for organisations with 10k+ computers. Oracle are really hurting Java with this bad PR.