Oracle Fixes 42 Security Vulnerabilities In Java

wiredmikey writes "Oracle released its quarterly Critical Patch Update (CPU) for April, which addressed a whopping 128 security issues across multiple product families. As part of its update, Oracle released a Java SE Critical Patch Update to plug 42 security holes in Java, 19 with base CVE score of 10 (the highest you can go) and 39 related to the Java Web Start plugin which can be remotely exploited without authentication. According to security analyst Wade Williamson, organizations need to realize that Java will continue to pose a significant risk. 'The first step is for an organization to understand precisely where and why Java is needed,' Williamson wrote. 'Based on the rate of newly discovered vulnerabilities, security teams should assume that Java is and will continue to be vulnerable.' Organizations should to take a long, hard look at Java and answer for themselves if it's worth it, Williamson added. Due to the threat posed by a successful attack, Oracle is strongly recommending that organizations apply the security fixes as soon as possible."

Re:I only drink coffee

[binarylarry]

Few sites use Java applets (which is what you uninstalled).

Far more sites use Java to power the site on the server side (Google, Amazon, Ebay, etc).

Re:still with the java?

[Anonymous Coward]

It's highly integrated all over the place and is leading the way as the language of choice for everything from big-data processing a'la MapReduce frameworks in Hadoop to Mom & Pop shops just looking for a new college grad to put together something for their needs.

Yes! COBOL all the way!

Re:v1.6 is forgotten but most use that

[viperidaenz]

What are you smoking? 1.6 update 45, released a few days ago contains all these fixes.

Re:Naive question

[Anonymous Coward]

What's the deal with people saying Java is a major source of insecurity?

Does that mean compared to C++? Are they comparing (Java + all its libraries) to (C++ plus one instance of each library which is needed to match Java's standard libraries)? Insecurity of the JVM itself, compared to native object code?

I honestly can't tell.

Really, none of the above. Of those, "Insecurity of the JVM itself" is closest to the truth.

The big problem with Java is the browser plugin.

For the most part, these vulnerabilities (I'm generalizing) are in the parts of the JVM that are used by the Java browser plugin, or in the plugin itself.

It's actually one of the great ironies of Java. The Java language, and the JVM, were actually pretty well designed with regards to security; things like strong typing and garbage-collected memory management go a long way toward preventing ordinary bugs from becoming security issues. Unfortunately, long ago, Sun figured Java was so safe that there would be no risk with running Java code ("applets") off the Internet, right in your browser. So they built in a sandbox into the JVM, and created the Java applet embedding browser plugin that depended on that sandbox to prevent applets from harming your computer.

And in doing that, they overreached, especially as they began adding features* that made the sandboxing of code from the Web harder and harder to enforce.

Get rid of the browser plugin, and Java is no worse than any other language/platform. Probably better than some.

C++ doesn't have this problem, because there is no equivalent browser plugin that allows random bits of C++ code from the web to get onto your comptuer.

* I have heard that JVM support for dynamic languages in the version 7 JVM is a big reason for the growth in security vulnerabilities. I'm not educated enough to say whether this is true or nonsense, but it seems plausible

Re:You're using it wrong

[viperidaenz]

Yes. That's exactly what I'm doing at my current job. Java back end, Java thick client.

Re:I only drink coffee

[Anonymous Coward]

it only take 15 lines of code to say "Hello World!"

lolwut?

if you need 15 lines of java to do a 'hello world', then the problem is with the person in the mirror.

for all its faults, the browser plugin being the most obvious, java for apps is freakin awesome. None of the obtuse BS of C and C++ but all the ability...not to mention all the free libs. Frankly, if it weren't for Java, I'd be sleeping on the streets.

Warning: ask.com toolbar

[icknay]

Suppose that when you first run the java installer, it asks you if you wan to install the ask.com toolbar, naturally you select No Ask.com Malware button, and everything installs nicely. Now later on, for each security update that comes along, there's a nice Install Important Update button .. and what do you suppose that does? It installs the Ask.com toolbar! I know Oracle is supposed to be aggressive with their practices, but I cannot believe they abuse security updates this way to get a few pennies out of Ask.com which is basically a search-result-spam engine.

The reason you have not heard about this more, is that Macs and Firefox/Chrome (not sure about IE) resist the Ask.com installer, so you just don't see it, but the crappy Oracle behavior is in fact going on each time. The result is that naive users are getting this toxic thing installed and it really messes up their whole internet experience.

Hey Oracle: you're pissing away tons of Java goodwill in exchange for pennies form the Ask.com spammers. Who on the heck thought that was a good trade? Like what techie who learns of this behavior is ever going to install Java anywhere? Aren't you trying to make JavaFX into a real client thing?

See http://www.zdnet.com/a-close-look-at-how-oracle-installs-deceptive-software-with-java-updates-7000010038/ [zdnet.com] for lots of details on how the Ask.com installer tries to trick the users and hide itself. It's kind of interesting arms race between the spamming toolbar and the browser vendors.

These are NOT JAVA vulnerabilities

[coder111]

These are java APPLET or BROWSER PLUGIN vulnerabilities. Completely different thing.

Slashdot should stop with this misinformation. Java the LANGUAGE is OK. Java Virtual Machine is OK. Servers using Java as server-side language are OK. Java desktop applications are OK.

Java the BROWSER PLUGIN is vulnerable. But Java Browser plugin should never have happened in the first place and should be killed with fire.

So stop with the whole bashing of Java in general. Java is a very good and mature language, with the fastest JVM on planet today, lots of open source 3rd party libraries, servers, frameworks and tools. It's very very good for server-side development.

--Coder

Re:Fix the model. Chicken wire isn't watertight

[lister king of smeg]

GCC may not be patches that often but you OS is. Java is not just a language it is a VM that the compiled Java code runs in, a jit compiler that compiles the Java code, a language and a web plug-in. all collectively referred to as Java. Javas big problem is it is used in unsafe ways (via web plug-in). the main security problem is that the Java web plug in grabs arbitrary code and runs it in the same vm as Java app's and it can be abused to take control. You would never run a just any random binary you found on the Internet but you do anytime a page has Java on it.

Re:Ask

[SeaFox]

I've decided that must be the only reason they haven't created an auto-update system for Java. I mean, my AV software can update its own definitions, my web browser can update itself, yet I still have to click the stupid message every time Oracle farts.

My mom has been complaining about it too. The frequency of these updates are encouraging people to ignore them or turn them off like the classic boy who cried "Wolf!".

If the Java system could update itself they'd lose the opportunity to trick people into not unchecking the Ask Toobar, McAfee Security Scan, etc shovel-ware. And as people get frustrated with the constant updates they get sloppier about what they're clicking as they go though them.