New Java 0-Day Vulnerability Being Exploited In the Wild

An anonymous reader writes "Here we go again. A new Java 0-day vulnerability is being exploited in the wild. If you use Java, you can either uninstall/disable the plugin to protect your computer or set your security settings to 'High' and attempt to avoid executing malicious applets. This latest flaw was first discovered by security firm FireEye, which says it has already been used 'to attack multiple customers.' The company has found that the flaw can be exploited successfully in browsers that have Java v1.6 Update 41 or Java v1.7 Update 15 installed, the latest versions of Oracle's plugin."

JAVA - Stands For

[blarkon]

JAVA - Just Another Vulnerability Alert

Re:

[Anonymous Coward]

Friends don't let friends do "JAVA" (Just Another Viral Affliction)!

Re:

[rmdingler]

Gee, Oracles Sun language is news 'gain.

Meanwhile, Larry Ellison

[Anonymous Coward]

...is busy colonizing Hawaii.

ORACLE

[Anonymous Coward]

One Rich Asshole Called Larry Ellison

Re:

[Anonymous Coward]

One Raging Asshole Called Larry Ellison

FTFY

why they don't

[etash]

just set a team of 10-15 experienced programmers to review the code in a period of 3-4 months instead of just-wait-to-see-the-next-exploit-and-fix-just-that-rinse-and-repeat ?

p.s. I have disabled java in my browser since ages. the only reason i keep still installed is because of ps3mediaserver. I wish it wasn't written in java so I could say goodbye to java once and forever.

Re:

[Anonymous Coward]

just set a team of 10-15 experienced programmers to review the code in a period of 3-4 months instead of just-wait-to-see-the-next-exploit-and-fix-just-that-rinse-and-repeat ?

They've probably invested considerably more man-months into the problem than that. The problem is that such a procedure will not find all the bugs in a complicated code base. Another way of saying that is, every time you do this, you'll probably find at least one more bug and the same thing happens when the bad guys do it. Welcome to the world of an impossible task that is never the less very important.

Re:

[marcosdumay]

Try the offline installer next time. The default one doesn't come with the JRE, it downloads it at installation time.

Re:

[RaceProUK]

The JRE installer is 16 megabytes. That really, really isn't a big complicated code base.

1. The offline installer is at least twice that

2. Compiled size is not a reliable predictor of codebase size/complexity - a 'Hello World' in a managed language will compile to more code than it would in C, and that's before you start talking about libraries.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[semi-extrinsic]

It's simple. Java was teh hawtness roughly ten years ago. It took four years for university CS departments to catch on, then four years for the first Java-loving graduates to start "entrepreneuring", and then two years for this to significantly influence Java usage. It's a basic convolution-type feedback.

Re:

[zixxt]

What sucks is after years of watching Java disappear from the consumer desktop its fucking making a comeback, ARGH! Why is it coming back? Damned Java games like fricking Minecraft that's why. Why oh why did the game designers suddenly decide to start using Java again,is it because of Android? if so the person who came up with Android needs to be shot because this is a fricking nightmare! To give geeks a better understanding imagine if after all these years suddenly IE 6 made a major comeback, wouldn't you want to scream? For the love of God it was almost dead on the desktop! /walks away muttering and sobbing/

Troll much?

Java is the best cross platform language in the world. Billions more devices and computer run Java than Windows. Java is making a comeback because it never went anywhere. If I want my application to reach as many people as possible I use Java.

Re:

[RaceProUK]

"Java is the best cross platform language in the world"

If you had a clue, you knew that C++ and cross-platform libraries such as WxWidgets, Qt, STL, boost and so on are the "best" cross-platform stuff.

Depends on the application. If it's a line-of-business app (stock tracking, payroll, etc), Java's probably better, as it abstracts away enough details that you just get on with developing a useful program. However, if you're making something that requires heavy lifting (CAD/CAM, games, 3D modelling etc), then C++ is better, as you can squeeze more performance out of it at the expense of some ease-of-development.

Re:

[DMUTPeregrine]

Firefox 19. Tools -> Options -> Security:
Warn me when sites try to install add-ons checkbox. Exceptions button.
Block reported attack sites checkbox.
Block reported web forgeries checkbox.
Passwords section.

Nothing to allow disabling Java.
Chrome has no "Security" panel or section of its options.
So, which browser are you using, or are you too much of a "stupid twat" to know that two of the top three browsers (at least, I don't have IE installed) don't have the option you're describing in the location you'

Re:

[GodfatherofSoul]

Because Oracle don't give a shit about Java. They snagged Sun probably thinking they'd get Google by the balls. No doubt, the board at Sun had some hand in convincing them of that.

Re:why they don't

[hjf]

I'm a hobby microcontroller programmer. I've made stuff with PICs that runs flawlessly. Written in C and assembly. One is a fan controller (switches 5 different relays and shows the output on a 7-segment display), and it's been running for probably 8 years non stop (well, the fan stops but the controller never does).
Another project was a simple "street block counter" for taxis, which I sold to a friend and he's made hundreds if not thousands of them (i should have asked more money!).

And tens of little projects that more or less work as supposed.

For all those projects, it's easy to validate all inputs and outputs, and follow all code. Since they're simple to understand. Right now my project is a weather station with ethernet and data logging. It's simple on the outside but it's so hard when you realize how much sanitizing you need for all values, and when you test it for different values of VDD and start getting weird readings, and when you deal with a memory chip which can (and will) be interrupted mid-write with a power outage and your data will be corrupted. It's really incredibly hard how you find more and more potential flaws after just a few hundred lines of code (and reasoning).

So while i understand your point, comparing java to a few small systems isn't really fair. Java is a huge monster with a target painted on its back. No system is really secure, and even Mac OS (which was claimed "secure") was proved to be as flawed as anything else. Mac OS used to be something no one cared about, but now that it's gaining a user base, it's being targeted more and more. It's the same with java. And it could be the same with any other language, tool (PDF), OS, SCADA, PLC, anything.

Any system that accepts uncontrolled (by the user) inputs is subject to exploiting.

Re:

[Almost-Retired]

I'm a hobby microcontroller programmer. I've made stuff with PICs that runs flawlessly. Written in C and assembly. One is a fan controller (switches 5 different relays and shows the output on a 7-segment display), and it's been running for probably 8 years non stop (well, the fan stops but the controller never does).
Another project was a simple "street block counter" for taxis, which I sold to a friend and he's made hundreds if not thousands of them (i should have asked more money!).

And tens of little projects that more or less work as supposed.

For all those projects, it's easy to validate all inputs and outputs, and follow all code. Since they're simple to understand. Right now my project is a weather station with ethernet and data logging. It's simple on the outside but it's so hard when you realize how much sanitizing you need for all values, and when you test it for different values of VDD and start getting weird readings, and when you deal with a memory chip which can (and will) be interrupted mid-write with a power outage and your data will be corrupted. It's really incredibly hard how you find more and more potential flaws after just a few hundred lines of code (and reasoning).

So while i understand your point, comparing java to a few small systems isn't really fair. Java is a huge monster with a target painted on its back. No system is really secure, and even Mac OS (which was claimed "secure") was proved to be as flawed as anything else. Mac OS used to be something no one cared about, but now that it's gaining a user base, it's being targeted more and more. It's the same with java. And it could be the same with any other language, tool (PDF), OS, SCADA, PLC, anything.

Any system that accepts uncontrolled (by the user) inputs is subject to exploiting.

I can't make a serious argument that disagrees with that. The major point being that the individual programmer is at the library's author(s) mercy, and in spite of his best efforts, 95% or more of his 10 megabyte masterpiece written in Java, will be spent, not in his code, but in the interpreter which he has no control over.

All they can do, after exercising due diligence, is go ahead and wear the Java T-shirt, the one with the target rings on the back. They have managed to have a working app in 25% of th

Boohoooooo

[Fuzzums]

And how frelling dare anyone out there make fun of Java after all she's been though!
Leave Java Alone!
Please...

And this matters ...

[stevez67]

N.O.T. All software has vulnerabilities. No system if safe from hacking and attack, especially spear-fishing. So, it's news every time some dipswitch downloads pr0n and gets infected? Or opens an unsolicited email attachment and installs malware? Please ... post something that's actually news and stop the "bashing every company just because" merry-go-round. Who's next to be bashed incessantly?

Firefox and Android not vulnerable

[Anonymous Coward]

Firefox now turns off the plug-in and you have to enable it when you visit a site that uses it. Each time BTW, it asks me every site, every time I open the browser.

Android doesn't permit Java in webpages at all, even though it uses Davlik itself (a Java engine) internally.

In the wild

[arnodf]

In the wild, is that the same as in cyberspace?

Why does this VM have so many vulnerabilities?

[Anonymous Coward]

I'm not a Java developer, but I do have a strong interest in engineering and reliability, and the reason for all these Java faults puzzles me. Could an experienced Java developer please explain (or at least suggest) why this particular virtual machine has suffered so many vulnerabilities?

In principle, a virtual machine is just the implementation of a specific FSM, very tightly constrained and therefore fairly easy to program for total correctness, unlike most other applications. Such correctness has clear

Re:

[Wookie Monster]

Primary reason: Punching holes in the security sandbox. A lot of the code in the JVM itself needs to grant itself "privileged access", but upon doing so it may have accidentally done so for user code as well. This is the greatest flaw in the Java security architecture, not because it doesn't work, but because it's hard to use correctly.

Re:Why does this VM have so many vulnerabilities?

[Tobia Conforto]

AFAIK all these issues are not in the VM.

The JVM has been stable for many years and is the foundation of countless information systems: websites, money exchange, traffic control, you name it they all run server-side software on the JVM, which by itself is rock-solid.

The issue is with the "sandboxing" feature of the Java browser plugin. The plugin was engineered to allow executing arbitrary, untrusted JVM bytecode, which would include outward calls to Java's extensive standard library, while still preserving some high-level definition of isolation between the untrusted code and the host OS. Given that Java's standard library is full of classes that do very insecure things by design (including running native code, opening network sockets, and so forth) this security model has proven to be a complete nightmare. They will keep finding sandbox-related bugs in the Java standard library for as long as it exists.

Oracle should do one of these things:

• – just dismiss the damned plugin altogether, or
• – severely restrict it to running signed code or some other kind of host-based whitelist, for the few companies that still need it, or
• – write a new standard library from scratch that does not include any unsafe code.

Re:

[gtall]

Oracle cannot dismiss the damned plugin altogether, they have too much that relies on it, Oracle Forms for one. I'm unsure how that relates to their databases. Are they storing mobile code in their databases for use in their OF crap? OF seems particularly brain dead and I wouldn't mind them blowing it away and replacing it with native apps...but then they'd probably only produce them for MS's rinky-dink OS or Linux which doesn't have much use on the desktop.

Re:

[_xeno_]

AFAIK all these issues are not in the VM.

If you read the article, this is a buffer overflow in the VM itself, overwriting internal VM structures. In previous cases you'd be correct, but this is an actual JVM flaw.

The issue is with the "sandboxing" feature of the Java browser plugin.

The sandboxing feature isn't unique to the Java plugin. It's a built-in part of the Java runtime. Any Java code can place other Java code into a security context and enable the Java sandbox for that code. It's just that about the only place you'll ever actually see this done is for applets.

Re:

[amorsen]

If you read the article, this is a buffer overflow in the VM itself, overwriting internal VM structures. In previous cases you'd be correct, but this is an actual JVM flaw.

It is likely that there are similar vulnerabilities in other VMs. People generally do not worry about them, because they are not made for untrusted code. You can crash the Python VM with python -c "from ctypes import string_at; string_at(0xDEADBEEF)". That is fine, because Python does not have sandboxing.

Re:

[putaro]

The sandbox was designed back in the mid '90's. I don't think anyone realized just how hard securing things really is. One of my friends worked with Ed Felten at CMU back then and that team showed a number of exploits for the sandbox. When he showed me how some of them worked I was impressed - because my mind doesn't bend into pretzels that way to figure out exploits.

The best thing Oracle could do at this point would be to just shoot applets in the head (probably not going to happen). Second place would

Enough

[zieroh]

That's it. I'm done with Java. For good.

Re:

[smash]

FInd me something else that has had 65 vulnerabilities patched and a zero day in the wild within 30 days, AFTER several months of exploits in the wild, and I'll shit-can that software too.

Java? Isn't that a drink? Or a place?

[pubwvj]

I've kept Java turned OFF on all of our computers for a long, long time. It's a pig. It hogs computer resource units. I have not not once run into anything that requires it. Just say no to Java.

Re:

[DMUTPeregrine]

I use Java for Wuala, Falstad's circuit simulator, Freenet, Minecraft, Minecraft Structure Planner, and Enigma's LoL Item Changer. 3 of those are games or related to games, so not totally necessary. Freenet I run out of a sense of patriotism/civic duty as a US citizen, Wuala could be replaced by Spideroak or similar, and Falstad's circuit sim is just for helping people learn about circuits without needing to teach them LTSPICE or similar first.

I use the Java plugin for absolutely nothing. I've not once run

This would never happen

[Lawrence_Bird]

with the COBOL plugin.

Oracle is losing their class

[abirdman]

I was entertained that Larry Ellison attached crapware to their security updates, which have to be specifically turned off in the installation, and their stupid toolbar turns off popup windows, but that disables Oracle's Discoverer product, and it works differently than the IE popup blocker, by not looking for user configurable exceptions. So for pennies per user, Oracle collects from the toolbar makers for every installation. And they're alienating IT departments. I hate working with them-- they're more ma

Re:

[bargainsale]

C is "secure" now?
Surprise, surprise indeed ...

Re:Surprise Surprise

[pipatron]

Yes, C is secure. You can however use C to write buggy software, for example a java virtual machine.

Re:

[dkf]

Yes, C is secure. You can however use C to write buggy software, for example a java virtual machine.

The JVM is actually written in C++. Just sayin'

Re:Surprise Surprise

[sjames]

The JVM is actually written in C++. Just sayin'

That explains a lot...

Re:

[Billly Gates]

Yes, C is secure. You can however use C to write buggy software, for example a java virtual machine.

Ok explain why a simple string can buffer overflow? Maybe the latest Gnu C libraries have fixed that now, but damn that is bad as 10 years ago you could! The apis had to be practically rewritten to watch for these like these which explains why it is litered in secure versions of standard function calls.

The problem is you can't really write secure in C unless you know assembly. My simple "give me 2 numbers and I will add them" 10 line program will not look insecure but it is underneath after being compiled (

Re:

[FlyingGuy]

Please show your work eg: int foo(int x,y){ return x+y};

Re:

[ByteSlicer]

I'm pretty sure the semicolon should come before the closing curly brace...

Re:

[FlyingGuy]

Yeah I noticed that right AFTER I hit submit. Yet another /. non-feature, even though I do understand why.

Re:

[phantomfive]

Strings don't overflow in C, unless you use them wrong.

And you never know, there might be a vuln in the Java string library. Unless you've audited it, I wouldn't say there isn't, since it seems there are vulnerabilities everywhere else.

Re:

[sjames]

Cars don't crash unless you drive them wrong...

Re:

[phantomfive]

The obvious question is how are you using your strings that makes it so difficult to avoid overflows? It's not hard once you know how to do it.

Re:

[sjames]

It is perfectly possible to use strings safely in C, but at the same time, there are functions in libc that invite disaster, in some cases with an engraved invitation and a bottle of champagne. Gets, for example, needs to go. So much so that I wouldn't mind it's use being promoted from warning to error unless you use the switch --goatse-me.

Even if you use the right functions but screw up passing the allocated size to the functions, you can get in trouble, just like if you fiddle with the radio when you shou

Re:

[phantomfive]

Yes, but how often do you screw up passing the allocated size? I'm not sure that happens often.

If it's something you are really having trouble with, you can declare a struct with the size and buffer together, then create wrapper functions around the standard library functions that use your struct. Then you only have to verify that your passing is correct within those wrapper functions, and not mess with the size anywhere else.

Re:

[sjames]

Really, I don't have a problem with it, however, the most common source of problems in general is probably the off by 1 thinko. Like forgetting to count the terminating null. Next up is probabvly cases where the programmer forgets that there are circumstances where the trailing null might NOT get written.

Re:

[phantomfive]

Next up is probabvly cases where the programmer forgets that there are circumstances where the trailing null might NOT get written.

Yeah, that one's really annoying. strcat() has a lot of special cases that are annoying as well. I usually encapsulate that one into a custom function where I only have to deal with all that once because it's so bad. Although it's not the most commonly used function.

Re:

[sjames]

I have always thought that in cases where n is exceeded, [n-1] should get the null terminator. I usually do that explicitly just to be safe. I don't like unterminated strings.

Re:

[phantomfive]

agreed

Re:

[sjames]

The difference is that C CAN be secure if you code it right. In Java, even the most trivial thing you write remains dependent on the JVM to be actually secure.

That doesn't mean your C code WILL be secure, but if it's not it is your fault and entirely up to you to fix it.

Re:

[smash]

You're still relying on the C library to be secure. Many/most are not.

Re:

[sjames]

I have done projects that did NOT include libc.

Re:

[smash]

This is an exceedingly small percentage of development.

Re:

[DMUTPeregrine]

Your C code still relies on the standard library and your compiler to be secure.

Re:

[sjames]

It CAN (and usually does) rely on libc, but doesn't have to. The compiler mis-compiling the code is quite a different class of problem, but since you have the source, you can validate the results.

In the bad old days, I actually debugged a case where the compiler mis-compiled the code.

Re:

[sjames]

I don't know that I'd say inhumanly difficult, but it's fair to say it is challenging and failures are plenty.

Re:

[marcosdumay]

Hum... No, a simple string can not buffer overflow. You a word here or what?

Also, of course you must know how computers work to program in C. It's a shame that people think they don't need to learn that for coding in other languages (they do, but they'll build a lot of rope before they discover they are just hanging themselves).

Re:

[CODiNE]

You know that just tells me that javac isn't self-hosting and they never bothered to bootstrap their own compiler. I wouldn't blame C for that.

Re:

[Murdoch5]

Just to quote the EXCELLENT comment below, it really is the most true statement I've heard in a while.

Yes, C is secure. You can however use C to write buggy software, for example a java virtual machine.

Re:

[Anonymous Coward]

> Yes, C is secure.

The comment is nonsensical. Security is about vectors. The language itself, is really not "secure" because it has to operate within an environment. By integration, it's no more or less secure than the environment AND the program the language was used to write. You really don't understand the implications of the discussion if you think that comment was "excellent".

Re:

[etash]

you must be trolling or you are clueless. C is secure ? you guy serious ?

Re:

[amiga3D]

He probably means that you actually have to have a little knowledge to exploit C while Java is just one big sieve.

Re:Surprise Surprise

[putaro]

Well, then you would both be wrong. C doesn't have a security model to exploit. The security model for loading untrusted code into your C application is "Don't do that" which isn't such a bad idea, really. However, if you remove the stupid idea of trying to run untrusted code in a sandbox within your application, Java is quite secure which is why people write server code in Java. No buffer overflows to start with (a classic exploit of server code written in C)

Re:

[sourcerror]

The point is that buffer overflows are an easy mistake to make. Using languages that prevent it is like using a seat belt.

Re:Surprise Surprise

[DarkOx]

I would say discussion of if a Turing complete is secure or not is off base. You can express any computable algorithm and if you get it wrong it may or may not behave in undesired ways when presented with input you did not anticipate.

Now if you want to discuss topics if interpreters (byte code or otherwise) that enforce certain memory management contracts, so you don't have to express them as part of your program ultimately offer better security or just move the problems that might be a valid topic.

Java is not insecure; security is not even an attribute you could put a value on with regard to Java. The browser plugins that ship with the most popular interpreter and runtime implementation might be insecure. There may be bugs in the interpreter where it does not properly enforce contracts making otherwise correct programs under it vulnerable. One little mistake in a C/C++ programs might result in the same thing though. The traditional argument is whats more likely to result in the best outcome: every programmer our there writes good code or a team of skilled programs writes a universal memory manager, and set of libraries that are solid so other programers don't have to get some of that hard stuff right?

I guess the issue is we are finding out more often than not even teams of very skilled developers are bound to slip here and there with something as large and complex as the Java runtime.

Re:

[marcosdumay]

I would say discussion of if a Turing complete is secure or not is off base. You can express any computable algorithm and if you get it wrong it may or may not behave in undesired ways when presented with input you did not anticipate.

No computer is as restricted as a turing machine. For one thing, a turing machine doesn't do IO.

In fact, information security has no relevance for turing machines, as they can't compromisse any kind of information.

Re:Surprise Surprise

[cbreak]

No, honestly, writing evil code in C is easy. You can open files without restrictions, modify them without restrictions, and so on, all with the power of the running user. Executing untrusted C code is NOT SECURE.

Re:Surprise Surprise

[egr]

I think what he means is that C-security is solely dependent on your code, while Java-security is depended on JVM security in addition to your code security. And the developer has no control over JVM security.

Re:Surprise Surprise

[gtall]

And who writes their whole program in using just their own code? We have massive C libraries because we cannot reinvent the wheel every time. And it isn't possible to exhaustively check the code in those libraries due to time constraints and sheer complexity.

Re:

[smash]

A lot more secure. Linux and the BSDs have holes found in them all the time, along with everything else. Pascal would be a lot more secure than C.

Re:Surprise Surprise

[cbreak]

Executing random C code from somewhere on the net in a Browser is even dumber than doing the same with Java. Java at least has a security model, even if it's broken anew every week, and has more holes than a sieve. C on the other hand has nothing. It really is more or less like a portable Assembly Language as it was developed for.

Re:

[Murdoch5]

I agree but I'm a little confused if your agreeing or disagreeing with me. C gives you the power to do what you want, Java on the other hand assumes.

Re:

[dkf]

I agree but I'm a little confused if your agreeing or disagreeing with me. C gives you the power to do what you want, Java on the other hand assumes.

He's not exactly disagreeing or agreeing with you, as you're so thoroughly confused that you manage to say things that aren't cleanly true or false.

C has no security model. At all. This lets you write things that are totally unsafe. For example, you couldn't have browser exploits with either Flash or Java or any other plugin if it wasn't for the NPAPI [wikipedia.org], which is a C interface! O! M! G!

Java does have a security model; it tries to segregate untrusted code away from trusted code and ensure that the untrusted co

Re:

[AmiMoJo]

All the major browsers have click-to-play for plug-ins now, so even if you have it installed you should be safe from drive-by infections if you have it enabled.

Actually I don't know if IE10 supports click-to-play, but surfing the net with IE is like licking the toilet seat down the pub - inadvisable at best.

Re:Surprise Surprise

[erroneus]

I think the people exploiting Java has a LONG list of vulternabilities in queue. With each update of Java, fixing the last known holes, they just update their exploit code to utilize the next vulnerability in their queue. This could go on for a long, long time.

And where I work, we have to use Documentum Webtop which requires Java. Now they have us pushing Java updates all the time.

Oracle needs to pay out a bounty for Java vulnerabilities so collect as many as possible so the next fix(es) will be better.

Re:

[Murdoch5]

Nice post :-)

Re:

[AmiMoJo]

It's a shame there isn't a really good open source alternative to Oracle's JVM that people could switch to. At least with the endless stream of Adobe Reader vulnerabilities you can just witch to Sumatra PDF or one of the many other free viewer applications.

As far as I can can tell most of the free JVMs are either abandoned or don't run on Windows.

Re:

[bill_mcgonigle]

The JVM might be wonderful but, empirically, the browser plugin is a pile of junk, at least in terms of code quality.

Could somebody, e.g. Apache, incubate a project to replace the Oracle Java web plugin? I don't use Windows but imagine if each company was willing to pay $2/user/year for a better plugin for their mission critical apps. The IcedTea plugin on Linux seems to be in a decent state these days, after quite a rough start - perhaps it could be a basis for a new Windows Java plugin.

Re:Surprise Surprise

[putaro]

Unfortunately there is no "stupid" moderation. The issue is the Java sandbox which has the goal of letting you run untrusted code (e.g. applets) on your system without any worries. Unfortunately the attack surface of the sandbox is huge because there are so many different API's that are usable and all it takes is a bug in one of them to give you an exploit.

Turn off Java in your browser and you'll be a happy camper. Stop spreading FUD. The Linux kernel still has exploits (http://www.zdnet.com/linux-kernel-exploit-gets-patched-7000011844/).

Oh, and I spent 10 years as a kernel developer in C and another 10 years as a Java developer so I guess I'm a Real Hipster Programmer.

Re:

[dkf]

Turn off Java in your browser and you'll be a happy camper.

It would be nice if we could have the JRE as a completely separate product from the plugin. I could happily live without the plugin (and do!) but the JRE itself is useful for other apps.

Re:

[Curupira]

It would be nice if we could have the JRE as a completely separate product from the plugin. I could happily live without the plugin (and do!) but the JRE itself is useful for other apps.

After this horrible sequence of 0-day exploits, I've finally disabled the Java plugin in ALL my browsers. There you are, instructions [ibm.com] for removal of the Sun (or IBM) Java browser plugin on Windows, without removing the JRE. :)

Re:

[Trogre]

Recent builds (since around about JRE 1.7u11) add a checkbox in the Security tab in the Control Panel applet (control.exe C:\Windows\System32\javacpl.cpl) titled, "Enable web content in browser". Uncheck that and never see another Java applet again.

about:plugins in your browser's location bar will verify Java isn't there.

Re:

[putaro]

I never mentioned about the Linux kernel being non exploitable, but if it was writen in Java it would be much more exploitable.

All this statement proves is that you aren't qualified to have a opinion on this subject. I brought up Linux kernel exploits because the Linux kernel is coded in C. The Java exploits that I have seen are all related to breakouts from the sandbox. The kernel and the Java sandbox are equivalent because both are supposed to be able to run untrusted code and keep that untrusted code from doing things it is not supposed to. If you wrote a POSIX compliant kernel using Java you would not use the sandbox to kee

Re:

[putaro]

I never said a C programmer can't make a mess of code, I also never still never mentioned anything about the Java sandbox or the Linux kernel.

No, what you said is:

I never mentioned about the Linux kernel being non exploitable, but if it was writen in Java it would be much more exploitable.

The reason I mention the sandbox is because that is where the exploits are. Would you care to bring up another Java language feature that's a security hole?

I've also done enough Java programming to know I'm never going back to it.

You're welcome to use the tools you like. And you're welcome to criticize the tools I like, if your criticism is based on facts. All I ask is that you not spread falsehoods.

Re:

[geekmux]

Java fails yet again, and really who is surprised. Java was and is a flawed language from the ground up and all of these exploits just help prove it. If you want a good secure system / language just look to C, it does everything you can think of or want, has little to no overhead and runs on almost every device in the world. Real programmers use C, hipster wantabe's use Java.

The only failure I see here is your rather ignorant attitude that every language cannot be made just as vulnerable in the hands of the inexperienced.

Re:

[craznar]

The main difference between C and Java, is that in C you code the bugs personally - in Java, that functionality is baked into to the JVM.

Comes down to who's programmers you trust more - your own, or Oracle's ?

Re:

[catchblue22]

Java fails yet again, and really who is surprised. Java was and is a flawed language from the ground up and all of these exploits just help prove it. If you want a good secure system / language just look to C, it does everything you can think of or want, has little to no overhead and runs on almost every device in the world. Real programmers use C, hipster wantabe's use Java.

What do you think the JVM is written in?

Yeah, C and probably C++.

Grow a brain, you twerp.

I've heard it argued that Java is insecure because too much of it is written in C++, poor quality code no doubt. It would have been more secure if a core of commands was written in C++, and the rest was written in Java. Then, more effort could be put into making the core secure.

Re:

[History's Coming To]

These days it's about using as many different languages as possible, ideally in the wrong place. Big desktop application? JavaScript hosted on a remote server sounds ideal! Website to display a list of your mobile phone apps? Show off your 1337 Java skillz by making the whole thing a plugin! A quick script to verify the format of an email address? To the Assembler!

Re:

[aahzmandius]

The tipping point is the many, many, many devices that probably aren't running other anti-virus (smartphones and tablets).

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[sourcerror]

Some browsers now have a white-list regarding the Java plugin (Chrome does it, not sure about Firefox), as it always should have been. (And it should be that way with Flash too.)

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[erroneus]

A few things are different:

1. People dislike Oracle as a company
2. The purposes/reasons for exploiting have shifted significantly
3. Sun was likely more friendly to people presenting information about bugs to be fixed.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[smash]

Same reason Firefox doesn't support DHCP based WPAD despite having patches submitted for such support in 2006.

Re:

[RaceProUK]

I am going to fucking kill Java! I destroyed Larry Ellison before and I will do it again! (throws chair across room) Posting again because I messed up the previous post, sent from a smartphone (my first /. post ever from one).

Ballmer? Is that you? :P

Re:

[RaceProUK]

I know it's a joke, hence I made one of my own :P