Security Expert Says Java Vulnerability Could Take Years To Fix, Despite Patch

An anonymous reader writes "After the Department of Homeland Security's US-CERT warned users to disable Java to stop hackers from taking control of users' machines, Oracle issued an emergency patch on Sunday. However, HD Moore, chief security officer of Rapid7, said it could take two years for Oracle to fix all the security flaws in the version of Java used to surf the web; that timeframe doesn't count any additional Java exploits discovered in the future. 'The safest thing to do at this point is just assume that Java is always going to be vulnerable,' Moore said."

Re:So long/The way the future was

[tripleevenfall]

This might seriously impede the Year of Java on the Desktop

Re:So long/The way the future was

[Anonymous Coward]

Sure, Java will be dead in 5 years.. just like COBOL.

Re:Fact free claims

[HaZardman27]

Microsoft told him that in a message that included a "Welcome to C#!" brochure.

Re:Two years?

[Anonymous Coward]

Put away the hard-on for Larry Ellison and calm down.

Re:So long/The way the future was

[gabereiser]

I think he meant Kobol, the originating planet of the thirteen tribes.... Took a lot longer than 5 years to die but then again, the Galactica found it in ruin and didn't stay for archeological studies...

Re:WTF is the deal with Java and being so insecure

[Anonymous Coward]

Javascript has NOTHING to do with java.

Actually, they're both rather mediocre programming languages in their own miserable ways. They have that in common.

Re:Browser Plugins are Always Vulnerable

[Wrath0fb0b]

But there are also well-documented CSS vulnerabilities [metasploit.com], XUL exploits [secunia.com] and even one in a JPG parser [verisigninc.com].

Should we disable those as well? Are you part of some guerrilla marketing campaign to bring back Lynx?

Re:So long/The way the future was

[BotnetZombie]

Perhaps the time is right for a COBOL browser plugin?

Re:Java used to be secure and sandboxed

[Anonymous Coward]

This is absolutely not true. This vulnerability was a zero-day exploit. Zero-day means, by definition, nobody knew about it except the guys who wrote the exploit. We learned about this exploit last Thursday and had a fix on Sunday. Folks were up working around the clock to get the fix out.

We take security exploits incredibly seriously. Three times a year Oracle produces "critical patch updates" and we're working hard to clear out every bug from our backlog related to security, at the expense of new feature development. The suggestion that Oracle doesn't care about fixing these security problems is simply not true.

Re:Browser Plugins are Always Vulnerable

[Anonymous Coward]

Personally I'd vote for bringing back gopher! And if that means we "lose" that blinged out "web-2.0" crap, it's not a day too soon.