Oracle Responds To Java Security Critics With Massive 50 Flaw Patch Update 270
darthcamaro writes "Oracle has been slammed a lot in recent months about its lackluster handling of Java security. Now Oracle is responding as strongly as it can with one of the largest Java security updates in history. 50 flaws in total with the vast majority carrying the highest-possible CVSS score of 10."
April Fools! (Score:1, Informative)
Clean up your shit, Oracle. (Score:5, Informative)
I know Oracle didn't write Java to being with but they sure had a hard-on to acquire it, presumably so soak up profits by wedging themselves in to yet more enterprise services. I'd like them to take ownership of this issue and really hammer out these nasty problems. I know it's just the client side JVM-plugin-whatever but Oracle's behavior isn't really making me want to go out and seek other Oracle products.
And fuck, if I can't escape this piece software at work. I've got client applications, and web applications that we rely on that absolutely require the full fat oracle JVM. I'd love to disable the plugin or do away with it all together but I can't.
For that matter, deploying this supposedly enterprise piece of software is a massive pain in the ass. If you want to deploy it like usual (Published through AD) You've got to open the installer EXE, go to your temp folder to copy out the .msi, then use an .msi editor to create an .msp file to disable the really annoying and awful java auto-updater. (The auto updater requires admin privs to install.. And it will trigger on it's own without user intervention. It's really annoying to end users to have a UAC prompt pop up randomly out of nowhere when they're working)
Oh yeah, and if you run the exe manually to install? Make sure you uncheck the yahoo toolbar! And this is supposed to be business software?
Re:OK (Score:5, Informative)
Yeah, like Orrible's (and specifically the Java section) going to lift a finger to help Microsoft after the whole J++ fiasco
1. that was not oracle, it was sun microsystem.
2. it was 10 years ago. you think any of the same people are around, and have the same motivations?
2. it wasn't a fiasco, it made sun $700 million. they were pretty happy about it.
And the update is here. (Score:5, Informative)
Would it kill you idiots to post a direct link to the update in a story that is about nothing *but* the update?
http://www.oracle.com/technetwork/java/javase/downloads/index.html [oracle.com]
Re:Java sucks. (Score:3, Informative)
The remainder is C++ and, of all things, Prolog.
Prolog is actually very appropriate.
Re:OK (Score:0, Informative)
C, C++, Go, Python, Perl. That was the main ones.
Then there's an insane number of other languages that of course has compilers, and that do compile or has virtual machines on all these pltaforms.
Of course there are others.. haskell, php, and all the other minor languages...
Re:Confused. (Score:2, Informative)
Really? You don't need it?
I need it to use the various financial calculators on my brokerage's website.
I need it to use the VOIP software from my employer that lets me telecommute full time.
I need it for countless open source utilities I use frequently.
It's not just Java... (Score:4, Informative)
This whole thing about Java being the issue annoys me - if you take a broader look at the whole ecosystem.
Take a look at no more than 2 weeks ago with CVE-2012-4414 [mitre.org] for example...
This is a MySQL security bug where any authorised DB user can arbitrarily inject SQL in the binlog used for replication...
For those that don't know Oracle has recently (over the past year) moved the majority of their bugs database internal only so that inhibits discussions for a start and on top of that they no longer publish test cases for fixes ... it looks like they might be going into an internal/tests directory but that isn't provided in the GPL tarball they provide.
However the curiousness doesn't stop there - if they are still writing test cases for code as opposed to just changing stuff willynilly they don't seem to be writing them very well.
When the Percona guys were merging from the upstream code they used the test case that the MariaDB team put together for this CVE - since there is no test provided by Oracle as previously mentioned.
They naturally expected the test to be fine seeing as Oracle claimed the CVE was fixed in 5.5.29 but shock horror it failed.
They ended up merging the MariaDB fix instead [mysqlperformanceblog.com].
Given that what makes you think the rest of the code is *really* like and why that Java fix recently introduced a new bug and so on...
Ah well in the meantime FESCO has accepted the proposal to replace MySQL with MariaDB in Fedora 19 [fedoraproject.org] which is something that Oracle weren't too pleased with [fedoraproject.org]...
That Oracle response was prior to the FESCO vote by the way - time to get the popcorn methinks!
Re:Clean up your shit, Oracle. (Score:4, Informative)
It isn't as widely known but you can make a private Java install just by copying the JRE directory. For example if you want your application not to depend on the system version. It works ok in Linux and in Windows.