Oracle Fixes 42 Security Vulnerabilities In Java
wiredmikey writes "Oracle released its quarterly Critical Patch Update (CPU) for April, which addressed a whopping 128 security issues across multiple product families. As part of its update, Oracle released a Java SE Critical Patch Update to plug 42 security holes in Java, 19 with base CVE score of 10 (the highest you can go) and 39 related to the Java Web Start plugin which can be remotely exploited without authentication. According to security analyst Wade Williamson, organizations need to realize that Java will continue to pose a significant risk. 'The first step is for an organization to understand precisely where and why Java is needed,' Williamson wrote. 'Based on the rate of newly discovered vulnerabilities, security teams should assume that Java is and will continue to be vulnerable.' Organizations should take a long, hard look at Java and answer for themselves if it's worth it, Williamson added. Due to the threat posed by a successful attack, Oracle is strongly recommending that organizations apply the security fixes as soon as possible."
#1 web error (Score:4, Interesting)
So all in all where Java is it will probably stay and I doubt that these security concerns will damage that audience much. What reports like this will certainly do is to dissuade many potential adopters of Java based technologies.
Re: (Score:2, Interesting)
What reports like this will certainly do is to dissuade many potential adopters of Java based technologies.
Which is a shame, because these vulnerabilities (which, for the most part, are either in the web plugin itself, or in aspects of the JVM that are only exploitable through the web plugin) have no bearing on Java's suitability for its most popular uses.
The best move Oracle could make to rectify Java's public perception is to un-bundle the goddamn web plugin from the JRE. It's like a festering, oozing sore smack dab in the middle of the face of the platform.
Make it optional, part of a separate download, and bu
Re: (Score:2)
giving me a browser plugin that the vast majority of sites don't legitimately use along with the runtime that's needed to make desktop/background apps run is nutty
Unfortunately, that's not the situation for many people.
In reality, a lot of very popular web sites and applications do run Java applets, even if you personally happen not to use any of them. Common examples in these kinds of discussions are a few major banks, some national government web sites, some teleconferencing/screen sharing tools widely used in businesses, a few games, etc.
Meanwhile, many people at home have no use for Java for desktop/background applications at all. Relatively little end user softw
Re:#1 web error (Score:4, Insightful)
Speaking as someone who does Release Engineering professionally, and thus tends to see all the technologies that a company uses in deploying modern systems, Java is still #1 by a long shot, and I continue to see new development done all the time.
It's all middleware, though. And, frankly, for pretty much any reasonably scalable system which has some sort of a front end web-ish part, a middleware "business logic" part, and a DB backend, Java is not only the leader, but it's essentially one of two choices: .Net is the other.
Standalone apps don't much exist in Java anymore (the few that do are mostly legacy). It's also almost completely disappeared as part of the Frontend portion of content delivery (i.e. not in the dynamic content being served to the end user, nor in the "web server" portion of the infrastructure).
But in terms of middleware, well, only .Net is a serious competitor in terms of enterprise requirements. Java's got all the nice library and code support, plus plugins and stuff for all the build/deployment/test infrastructure. C++ doesn't even come close, and python/ruby/perl aren't even in the running. Now, there are architectures where there IS no middleware, and the frontend system actually is a python program which both serves content and has business logic in it, but I see them far less commonly, and they have serious scalability issues.
And, frankly, the middleware tier is also the place which minimizes Java's deficiencies, and maximizes its strengths.
As far as the future goes, I desperately wish Oracle would quit expanding the featureset of Java, and just spend all the time cleaning up the codebase. Java (the language) is more than feature-full at this time, and there's really very little need to keep adding stuff to the language. The codebase, on the other hand, needs at least a couple of years of full-on cleanup. The JVM itself is still pretty solid, but everything else is suffering from neglect pretty badly.
Re:#1 web error (Score:4, Interesting)
Trust me, as an implementor, there are plenty of new enterprises lining up moving to Java from C/C++/legacy. The alternatives are hodgepodge languages which will most likely not work for supporting a large number of diverse product categories, or you go with C/C++ and pay a crap load more money for developers & more time spent. Or, you can go with .NET which is fine if you're an all MS shop (less and less) or you rely on Mono for your non-Windows systems (tough sell).
Where's the panacea of general programming environments where:
1. You can integrate it with -practically anything- (whatever the customer's currently plugged into -- protocol/socket, old DB's, all those queue systems, email, batch tools, clustering(scale), etc..) with little development overhead
2. Easy access to developers with varying degrees of cost / performance
3. 100% support on mainstream deployment platforms of choice
If you're not answering these three questions, most non-dev centric businesses won't be playing ball.
"but I don't think it is where the cool kids are"
Yes, there's a big difference between what some people want to develop in, and what people actually write useful code in. Joe rock-star could do all his work in Scala/Groovy/Ruby/Python/langoftheweek, but without super unsexy long term support from competent developers, that software will crumble and die with the company forced to move their platform to something more standard just to find people to keep it alive.
Re: (Score:2)
Java is the only choice for things like that. It is quite nice, actually.
Re: (Score:2)
Yeah, Perl and Python nowadays. Ruby is getting there, and Javascript entered the run lately, but it's nearer the starting point than that goal. And of course, there are the JVM alternatives that can use any Java lib, but also share its vulnerabilities. And also, that's just one kind of development shop. Other kinds may be best served with something more powerful like Haskell, or nearer to the metal, like C.
Now, if "Easy access to developers with varying degrees of cost / performance" means "We'll hire incomp
Naive question (Score:5, Insightful)
What's the deal with people saying Java is a major source of insecurity?
Does that mean compared to C++? Are they comparing (Java + all its libraries) to (C++ plus one instance of each library which is needed to match Java's standard libraries)? Insecurity of the JVM itself, compared to native object code?
I honestly can't tell.
Re:Naive question (Score:4, Informative)
What's the deal with people saying Java is a major source of insecurity?
Does that mean compared to C++? Are they comparing (Java + all its libraries) to (C++ plus one instance of each library which is needed to match Java's standard libraries)? Insecurity of the JVM itself, compared to native object code?
I honestly can't tell.
Really, none of the above. Of those, "Insecurity of the JVM itself" is closest to the truth.
The big problem with Java is the browser plugin.
For the most part, these vulnerabilities (I'm generalizing) are in the parts of the JVM that are used by the Java browser plugin, or in the plugin itself.
It's actually one of the great ironies of Java. The Java language, and the JVM, were actually pretty well designed with regards to security; things like strong typing and garbage-collected memory management go a long way toward preventing ordinary bugs from becoming security issues. Unfortunately, long ago, Sun figured Java was so safe that there would be no risk with running Java code ("applets") off the Internet, right in your browser. So they built in a sandbox into the JVM, and created the Java applet embedding browser plugin that depended on that sandbox to prevent applets from harming your computer.
And in doing that, they overreached, especially as they began adding features* that made the sandboxing of code from the Web harder and harder to enforce.
Get rid of the browser plugin, and Java is no worse than any other language/platform. Probably better than some.
C++ doesn't have this problem, because there is no equivalent browser plugin that allows random bits of C++ code from the web to get onto your computer.
* I have heard that JVM support for dynamic languages in the version 7 JVM is a big reason for the growth in security vulnerabilities. I'm not educated enough to say whether this is true or nonsense, but it seems plausible
Re: (Score:2, Insightful)
There was ActiveX, which was a fancy name for "let's download DLLs from websites and execute them in the browser process". We all know that bombed massively, especially because a rogue website could launch (e.g.) HP's DLLs inside its HTML code. It would then proceed to exploit the buffer overflows in the HP DLLs.
ActiveX was a security nightmare based on downloaded C++ DLLs. You see, mankind enumerates all possible ways of crap until it decides to limit itself to the less dangerous crap (JS).
Re: (Score:3)
What's the deal with people saying Java is a major source of insecurity?
Does that mean compared to C++? Are they comparing (Java + all its libraries) to (C++ plus one instance of each library which is needed to match Java's standard libraries)? Insecurity of the JVM itself, compared to native object code?
I honestly can't tell.
Yes. The design of the stack based language traded speed for size. When run as an interpreted language pure Java is very secure. However, now that it has JIT compilation you're basically just taking data, flagging that as code, then running it. That's what's inherently insecure. Not only do you have to worry about defects in the applications and library code, but also the virtual machine itself, which lowers the bar for malicious data to get itself marked as code, and executed. Combine that with the f
Re: (Score:2)
Don't get stars in your eyes just based on the company name.
Oh come on... (Score:5)
It's been worrying me that the tagline "News for nerds, stuff that matters" has been removed from Slashdot (except in the source code, but gets replaced on any/all page loads), but this story is coming behind both TFA and the actual patches being available for two full days prior.
It's no "Preskill mocks Stephen Hawking" quote from 2012, like the other article, but maybe this could've ended up -slightly- higher priority given that it fixes 1-2 remote unauthenticated exploits in Java, and IIRC 3 in Oracle DB.
Re: (Score:2)
It's been worrying me that the tagline "News for nerds, stuff that matters" has been removed from Slashdot (except in the source code, but gets replaced on any/all page loads), but this story is coming behind both TFA and the actual patches being available for two full days prior.
It's no "Preskill mocks Stephen Hawking" quote from 2012, like the other article, but maybe this could've ended up -slightly- higher priority given that it fixes 1-2 remote unauthenticated exploits in Java, and IIRC 3 in Oracle DB.
Nerds submit the news here. This is the stuff they think matters. If it's not prioritized the way you like, then promote the things you like and firehose the other submissions down. Perhaps there are just more nerds that don't give a frack about Java vulns than you think. E.g: None of my 8 home Linux boxes, or the 20 I manage for my day job have that pox installed -- Then again, the only "Enterprise" things I do are related to science fiction. Guess I'm not nerd enough if I'm using Xen VMs to virtuali
You're using it wrong (Score:5, Insightful)
Java isn't evil, Browser plugins are.
Leave Java on the server side and be done with it.
Re:You're using it wrong (Score:5, Insightful)
Leave Java on the server side and be done with it.
Or learn to use Java properly on the client side, which means stop using it as a browser plugin. Java makes an excellent desktop application development platform, but an absolutely lousy browser plugin.
Re:You're using it wrong (Score:5, Informative)
Yes. That's exactly what I'm doing at my current job. Java back end, Java thick client.
Re: (Score:3)
You may like Java as a developer, but Java fails to integrate properly with any of the desktops; Java desktop apps are a nightmare.
Re: (Score:3)
You may like Java as a developer, but Java fails to integrate properly with any of the desktops; Java desktop apps are a nightmare.
I've seen a lot of nice Java desktop apps and a lot of bad ones.
Re: (Score:3)
Whether they are "nice" or not in and of themselves isn't the point. They fail to integrate with the desktop, they don't behave like native apps, and they don't look like native apps either.
Re: (Score:2)
Whether they are "nice" or not in and of themselves isn't the point. They fail to integrate with the desktop, they don't behave like native apps, and they don't look like native apps either.
Maybe that depends on the desktop? Could it actually be that some (read whatever you are using) desktops are seriously limiting how different kinds of applications can be integrated degrading the user experience? Bashing the apps might be the wrong way around, as the problem is on the desktop environment.
Re: (Score:2)
It's not the apps that I bash, it's the Java platform: it set out to deliver a great cross platform experience and it failed, because what it attempted to do is impossible. The only way you can get a good experience on each platform is to customize your app for each platform.
Re: (Score:2)
Citation? I thought not.
Re: (Score:2)
Better than a citation: just download desktop Java apps and run them on OS X or Gnome or KDE.
Re: (Score:2)
GUI toolkits that promise cross-platform compatibility stick to the lowest common denominator of native features and then build on it. Java does a pretty good job of integrating with most desktops without the burden of cross compiling for every single target environment. Qt and Gtk applications do not look native on all desktops either.
The main factor affecting desktop integration is the amount of effort a developer will put into programming the GUI. This can be said for all libraries.
Re: (Score:2)
Java makes an excellent* desktop application.
* Excellent is defined here as "slow, ugly and memory hungry."
Re: (Score:2)
Java makes an excellent* desktop application.
* Excellent is defined here as "slow, ugly and memory hungry."
Reminds me of this joke:
"Knock, knock"
"Who's there?"
...
...
...
...
"Java."
ORACLE FIXED SOMETHING?! (Score:2)
Fix the model. Chicken wire isn't watertight (Score:3)
It really looks like someone trying to use chicken wire fencing to build a dam, and they keep patching each little hole. Instead, they need to ditch the porous chicken wire and use something watertight for the barrier between VM and system.
Re: (Score:2, Informative)
GCC may not be patched that often but your OS is. Java is not just a language; it is a VM that the compiled Java code runs in, a JIT compiler that compiles the Java code, a language and a web plug-in, all collectively referred to as Java. Java's big problem is that it is used in unsafe ways (via the web plug-in). The main security problem is that the Java web plug-in grabs arbitrary code and runs it in the same VM as Java apps, and it can be abused to take control. You would never run just any random binary you found
Ask (Score:4, Insightful)
Re:Ask (Score:4, Informative)
I've decided that must be the only reason they haven't created an auto-update system for Java. I mean, my AV software can update its own definitions, my web browser can update itself, yet I still have to click the stupid message every time Oracle farts.
My mom has been complaining about it too. The frequency of these updates is encouraging people to ignore them or turn them off, like the classic boy who cried "Wolf!".
If the Java system could update itself they'd lose the opportunity to trick people into not unchecking the Ask Toolbar, McAfee Security Scan, etc. shovel-ware. And as people get frustrated with the constant updates they get sloppier about what they're clicking as they go through them.
Great. Headaches ahead. (Score:4, Funny)
Every time they release one of these my company's IT department insists on the new version being mandatory and installs it on every PC without any testing.
This then breaks one (or more) of our externally provided and supported, business critical, small user base, Java client/server systems. After a few days of frantic phone calls and manual un-installs of the new Java version (which have to be done by IT support remoting into PCs due to security lockdown, after senior signoff, and which we have to keep doing to combat the overnight updates) we end up with an emergency change to install a very alpha version of the client/server system.
The updated client is normally so full of bugs that it gets several further emergency updates over the next 3 months and is just about stable and almost bug free in time for Oracle to release another patch...
Re: (Score:2)
And what are IT supposed to do? Leave a known vulnerable version with dozens of critical flaws - including the HIGHLY exploitable browser plugin - on business critical PCs across the org, including the business critical ones of that small group?
Whose neck would it be if those machines got remote rooted by some Chinese hacker driveby? I'm betting not yours.
Perhaps a dialog with IT where you don't install the browser plugin at least, and firewall the group off from the rest of the network in exchange for a te
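The compromise this reply suggests (keep the JRE for the business application, but do not expose it to the browser) can be enforced centrally rather than left to each user. The following is an added example, not from the thread and not Oracle's own text; it assumes Java 7 Update 10 or later, which introduced the `deployment.webjava.enabled` and `deployment.security.level` settings, and it uses the system-wide deployment.config / deployment.properties mechanism documented for those releases. The file locations shown are illustrative assumptions for a Unix-like host.

```properties
# --- deployment.config (system-level pointer file) ---
# Assumed location: ${java.home}/lib/deployment.config on Unix-like systems;
# on Windows it lives under the Sun\Java\Deployment directory.
# The path below is an assumed example location for the managed properties file.
deployment.system.config=file:///etc/.java/deployment/deployment.properties
# If the managed file cannot be loaded, Web Start and the plugin refuse to run
# rather than silently falling back to per-user settings.
deployment.system.config.mandatory=true

# --- deployment.properties (the managed file referenced above) ---
# Turn off Java content in the browser; the JRE stays available to desktop
# and Web Start applications launched outside the browser.
deployment.webjava.enabled=false
# A bare ".locked" key prevents users from re-enabling it in the Java Control Panel.
deployment.webjava.enabled.locked
# Where the plugin must stay enabled for one site, run at the strictest level
# so unsigned and self-signed applets are blocked.
deployment.security.level=VERY_HIGH
deployment.security.level.locked
```

After deploying both files, a quick check is to open the Java Control Panel on a managed PC: "Enable Java content in the browser" on the Security tab should be unchecked and greyed out, and the browser's plugin list should no longer show the Java plugin as enabled.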
Warning: ask.com toolbar (Score:5, Informative)
The reason you have not heard about this more, is that Macs and Firefox/Chrome (not sure about IE) resist the Ask.com installer, so you just don't see it, but the crappy Oracle behavior is in fact going on each time. The result is that naive users are getting this toxic thing installed and it really messes up their whole internet experience.
Hey Oracle: you're pissing away tons of Java goodwill in exchange for pennies from the Ask.com spammers. Who the heck thought that was a good trade? Like what techie who learns of this behavior is ever going to install Java anywhere? Aren't you trying to make JavaFX into a real client thing?
See http://www.zdnet.com/a-close-look-at-how-oracle-installs-deceptive-software-with-java-updates-7000010038/ for lots of details on how the Ask.com installer tries to trick the users and hide itself. It's kind of an interesting arms race between the spamming toolbar and the browser vendors.
Re: (Score:2)
What about Flash? That installs a google toolbar and McAfee and doesn't even give me a choice. Where's the rage? I guess cause it's a google toolbar it's OK then?
These are NOT JAVA vulnerabilities (Score:5, Informative)
Slashdot should stop with this misinformation. Java the LANGUAGE is OK. Java Virtual Machine is OK. Servers using Java as server-side language are OK. Java desktop applications are OK.
Java the BROWSER PLUGIN is vulnerable. But Java Browser plugin should never have happened in the first place and should be killed with fire.
So stop with the whole bashing of Java in general. Java is a very good and mature language, with the fastest JVM on planet today, lots of open source 3rd party libraries, servers, frameworks and tools. It's very very good for server-side development.
--Coder
Re: (Score:2)
are you sure about that - check where the vulnerabilities were found. How many were in the plugin, how many in the JVM.
The fact that the code that executes in the plugin is Java code that runs in a JVM sandbox seems to have passed you by. Of course the plugin is a good attack vector as it's so readily accessible, but there's nothing stopping the same attack code from running in your desktop or server programs; it's just harder (but not impossible) for the attacker to get their code there.
So, no, Java is not s
I wouldn't 'Ask' (Score:2)
Balanced? (Score:4, Insightful)
DROBO WARNING!!!!!! (Score:2)
If you install this on your Mac and you are using a Drobo iSCSI device, then you are no longer using your iSCSI device. This Java update breaks Drobo's iSCSI initiator.
42 (Score:2)
Out of how many? 42? 420? 69105? 10^42?
Re: (Score:2, Funny)
It's also used for terribly engineered front end software and to slow down the most powerful supercomputer to a crawl because the guys that used it were too lazy to learn C++ and proper coding.
Oh... developed for Object Oriented Programming you say? Well hell yeah... it only takes 15 lines of code to say "Hello World!"
WWWWEEEEEEEEEEEEEEE!!!!!
Re: (Score:3, Informative)
it only takes 15 lines of code to say "Hello World!"
lolwut?
if you need 15 lines of java to do a 'hello world', then the problem is with the person in the mirror.
for all its faults, the browser plugin being the most obvious, java for apps is freakin awesome. None of the obtuse BS of C and C++ but all the ability...not to mention all the free libs. Frankly, if it weren't for Java, I'd be sleeping on the streets.
Re: (Score:2)
Oh boy....
Have you heard about JEE?
Besides could you give us your reasons why C++ would be a better choice?
Re: (Score:2)
In the hands of an experienced and disciplined professional, the C++ compiler can generate extremely efficient and secure(*) code, while even the very best Java developer will be inhibited by
Like the developers working on browsers and operating systems? Extremely efficient and secure?
Thank you!
Re: (Score:2)
If you're looking for a language that will always produce extremely efficient and secure code, well, I think you'll need to incorporate unicorn farts into the compiler and linker both. If you're looking for a language that can produce extremely efficient and secure code when written by a non-expert, that's maybe slightly more achievable. If you're looking for a language that can produce extremely efficient and secure code when written by experts (and this includes knowing which features of the language t
Oh please (Score:2)
Oh yeah (Score:2)
Re: (Score:2)
You sadistic dad :) Just apply the patch. Make your son happy.
Re:I only drink coffee (Score:5, Informative)
Few sites use Java applets (which is what you uninstalled).
Far more sites use Java to power the site on the server side (Google, Amazon, Ebay, etc).
Re:I only drink coffee (Score:5, Interesting)
I need to use Java interfaces every day. Cisco, EMC, Brocade, HP, IBM, Dell all use Java for their management consoles, and I have to keep at least 6 different installers to be able to use them properly, as periodic updates to Java tend to break access to them if the client hasn't been keeping up with their firmware updates (which is pretty much everyone).
It can be frustrating when you need 3 different versions of Java to complete one job.
Re: (Score:3)
* where available, void where prohibited, quantities limited, some restrictions may apply, batteries not included.
Re:I only drink coffee (Score:5, Funny)
* I can't take original credit for this. I read it somewhere and thought it was very funny.
Re: (Score:2)
One example: Groovy code compiled with JDK 6 will throw exceptions when running in JRE 7. It is indeed a design flaw in Groovy, not in Java:
http://blog.proxerd.pl/article/how-to-fix-incompatibleclasschangeerror-for-your-groovy-projects-running-on-jdk7
Re: (Score:3)
Java language evolution has been cosmetic, not substantive; Sun and Oracle have refused to fix things at the VM level. As a result, Java has fallen behind more and more over the years.
Re: (Score:2)
Nice troll.
Re: (Score:2)
No, just truth.
Re: (Score:2)
Citation? I thought not. Try harder.
Re:And this is where Oracle is failing... (Score:5, Insightful)
Languages need to keep up with the times, or they become an albatross.
Unless through being steeped in the art and basic principles and with an eye toward the future the authors built their language in such a way that it could be timeless art that stood for all time, like for example Brian Kernighan and Dennis Ritchie's "C".
Go ahead and learn ALGOL, FORTRAN, BASIC, SNOBOL, APL, ADA, brainfuck, R, LISP and dozens of others like I did if that's your nerd thing. It's fun. After you've done that you'll come to the same conclusion I did: programming languages are syntactic sugar. They are constructs for interpreting your ideas into references to libraries that instantiate the desired result in predictable ways.
C is. It stands like the Oedipus trilogy as a distillation of all prior art and a foundation of all subsequent art. It is beautiful and timeless in the same way. Learn this one thing and all else becomes easy. Unfortunately, like the Tao, it is not possible to really understand C until you don't need to do so any more. When you have learned enough about C to know why it is a fool's game you will have become ready to launch your own inferior language.
Did you C the light? (Score:2)
Sorry, bad pun :o)
But I agree, K&R really nailed it with C. Sophisticated enough to do any major task required of it (e.g. the Linux kernel) but simple enough for a beginner to write basic apps in even if he doesn't quite understand, for example, the subtle difference between pointers and arrays yet.
Sure, it's not the best language now for a lot of things, but as a general purpose language that will let you program virtually anything it can't be beaten.
Re: (Score:2)
C was a great language for its time, but from a security point of view it is still a nightmare. Unfortunately, whatever theoretical equivalence they might have, in practice different programming languages are not just syntactic sugar.
C is the language that introduced many of us to terms like "buffer overrun" and "access violation" and "null pointer dereference" and "off by one error". These are kinds of programmer error that everyone makes sometimes if they have the chance, even world class programmers who
Re:And this is where Oracle is failing... (Score:4, Interesting)
C doesn't have safety belts and airbags, that's your complaint? They gave you the framework to create those things if you need them. If you can't be bothered to check your work and your inputs, to consider pathological cases and data, no linguistic tool is going to make your work stable and secure.
Languages are syntactic sugar. When you have implemented the basic stacks of OO, heap, stack, garbage collection, array transforms, list and set processing, the dually-linked-list-dancing-btree-with-bucket-hash, the things that other languages give as algorithms in C then you know you can implement them as C libraries properly once and be done with them. Things like inheritance, soft-typing and operator overloading are a distraction and a menace to predictability, readability and debugging. When you encounter a new problem with no lib you can just write an algorithm that can transform the datastructure in the desired way, make it a lib and call it. The usages of the various languages add nothing but orientation hurdles to get the C programmer into the language developer's state of mind. The states of mind of language developers can be sometimes interesting, but sometimes they are mad. This is not high art. This is fingerpainting. There is a guy here on /. (not me) who designs sorting algorithms that dynamically optimize on processor cache size, in 1KB of code and competes with the world's best. There is another who designed a procedurally generated FPS with unlimited terrain in 4KB. THAT is high art. Once you have mastered the use of your programming tools, you can begin to explore what art can be made with them.
Admittedly some languages have some rapid development potentials and usages where the programmer need not know his programming art, but that is "tools for fools", not real work. Even at their most obtuse, these are almost always implemented in C. Windows is almost entirely C, as is Linux, BSD, of course Unix, every game engine and of course all of the libraries and drivers. It is all C. Even the C++ compilers are more than 90% C.
Other languages, like LOGO, are for children who can't be bothered to learn their Wirth before they make the turtle draw.
Re: (Score:3)
C doesn't have safety belts and airbags, that's your complaint?
Your car analogy is poor. You're talking about whether the language is good for safety, and safety belts and airbags save lives.
If you can't be bothered to check your work and your inputs, to consider pathological cases and data, no linguistic tool is going to make your work stable and secure.
That's an absolute argument in a relative world.
I don't need to check that I'm not dereferencing a NULL pointer everywhere if my programming language's type system means there is no NULL value in that context. The entire class of mistakes is removed.
I don't need to check for an off-by-one error updating a loop counter if I'm using a loop control structure in my programming language
Re: (Score:2)
Why your bank? They're using Java because it isn't going anywhere soon. It's highly integrated all over the place and is leading the way as the language of choice for everything from big-data processing à la MapReduce frameworks in Hadoop to Mom & Pop shops just looking for a new college grad to put together something for their needs.
Dislike your bank because they're not treating you like their most important customer, not because they're using Java. =)
Re: (Score:2)
Java is "the language of choice" for programming in roughly the same way that the military is "the method of choice" for dealing with diplomatic problems.
Re: (Score:2)
you mean in your country it is?
Re: (Score:3)
In Scandinavia we have to use a Java applet called BankID for login to our bank account. This has for the past few months become REALLY frustrating for people who really don't know what Java is. Even technicians who have a basic understanding of what a computer is have problems keeping Java up to date (they don't know where to download it, and therefore accidentally download something they shouldn't) and all of them are infected with that Oracle search toolbar malware.
Re: (Score:3)
In Scandinavia we have to use a Java applet called BankID for login to our bank account. This has for the past few months become REALLY frustrating for people who really don't know what Java is. Even technicians who have a basic understanding of what a computer is have problems keeping Java up to date (they don't know where to download it, and therefore accidentally download something they shouldn't) and all of them are infected with that Oracle search toolbar malware.
I'm in Scandinavia and don't need to use any java applets...
Have you considered that there are tens of banks in Scandinavia, and only a handful require java support in browsers? I would be surprised if such banks did not exist outside Scandinavia too. Just switch to something else (at least for day to day banking if you can't move loans).
Re: (Score:2)
FWIW, the only "major" bank in Scandinavia which requires java applets is AFAIK Danske Bank, and they are set to introduce a java-free banking site sometime this summer.
Re: (Score:2)
Why your bank? They're using Java because it isn't going anywhere soon. It's highly integrated all over the place and is leading the way as the language of choice for everything
Sure ... but is it necessary for me to install it in my machine just so I can log into their web site? (Thus exposing me to every other malicious site on the web)
Same for all those government web sites, etc., that require Java. Not necessary just for a login.
In reality I only access those web sites via IE and use Firefox for general surfing, but how many ordinary people do that?
Re: (Score:3)
I'm getting tired of this Java bashing in the media due to security issues. Java isn't inherently more insecure than any other platform. On the contrary, it has a sophisticated, built-in security system that most other platforms lack. But of course there are bugs and holes, just like with any other software. The only reason why Java is being exploited and making headlines so much recently is because Java is so widely adopted now that it makes a big target. It's what hackers have their sights on at the momen
Yes, it's an industry-wide problem (Score:3)
I agree wholeheartedly. Almost the entire software development industry is rotten, and Java is just an easy target to pick on because of the browser plug-in vulnerabilities.
Certainly security is a difficult thing to get right, but that's no excuse for using tools and techniques that are horribly inadequate for writing secure code. Take a look at how many critical vulnerabilities get patched in every major browser in a year and you see they're no shining beacons of security virtue either. A substantial propo
Re:Yes, it's an industry-wide problem (Score:5, Interesting)
A substantial proportion of our core infrastructure is still written in error-prone, bug-friendly languages like C and C++
A good programmer can write secure code with C++.
A good programmer cannot write secure code with Java - he's at the mercy of the JVM.
Java was sold to the world as a secure platform and has completely failed to deliver. Only a handful of websites need it (usually unnecessarily, and mostly for basic things like authentication) yet the huge all-singing-and-dancing API exposes you on every single web site that you visit. Does anybody really need all those Java multimedia APIs, etc.?
It's become a cancer on the computing world, it needs:
a) To be removed (recommended).
b) To be reduced - bank logins only need a subset of Java 1.1.
(PS: You can still use it for back-end work if you want, but keep it out of the browsers...)
Re:Yes, it's an industry-wide problem (Score:5, Insightful)
How many good programmers actually exist who are capable of writing secure code in C++? And out of them, how many will still make simple errors like an occasional buffer overrun? Even if you're a "good" programmer there will be lapses in judgement or things that are just overlooked.
I do largely agree with your comment about keeping it out of the browsers though.
Re: (Score:2)
How many good programmers actually exist who are capable of writing secure code in C++? And out of them, how many will still make simple errors like an occasional buffer overrun? Even if you're a "good" programmer there will be lapses in judgement or things that are just overlooked.
If you're using std::vector then buffer overruns can't happen. Same for std::string, etc.
(nb. Modern C++ compilers enable range checking on operator[] by default...)
If you're using smart pointers then all pointers will either be valid or null (they also make garbage collection moot - two birds with one stone).
If you're not doing those two things in a security sensitive app. then you're doing it wrong.
Done right, C++ can be every bit as easy/safe as Java is claimed to be.
Re: (Score:3)
Well, I don't accept your premise about good programmers writing secure C++ code. The evidence just doesn't support your position: there are plenty of vulnerabilities found in software written in C++, just like every other language in widespread industrial use today. Often they just come in the form of library vulnerabilities that your unsuspecting C++ programmer linked into his application, but they're still out of his control unless he wants to rewrite his security library, which I hope we would all agree is a Reall
Re: (Score:2)
how is someone supposed to write secure C++ and then run it in someone else's browser accessed over the web without posing a security risk to the remote user?
Why is that ever necessary?
The whole premise of foreign code having direct access to my machine seems broken to me.
Re: (Score:2)
The whole premise of foreign code having direct access to my machine seems broken to me.
I agree entirely. That's why there's a need for technologies that can run remote code in a sandbox with limited access to the host system, which is exactly why tools like Flash and Java applets have been useful.
The danger comes when the code in the sandbox isn't quite as isolated as it's supposed to be, as we see all too often. On the other hand, not having a sandbox at all doesn't so much solve the problem as remove the entire possibility of running remote code on a local host, which is a useful thing to d
Re: (Score:2)
If you write a program in C++ and happen to write a buffer overflow, this quite easily can allow a remote exploit. The Java JVM protects against this kind of error.
Maybe you could try using std::vector/std::string instead of C arrays...
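The two comments above (use std::vector/std::string instead of C arrays, use smart pointers so every pointer is valid or null) describe a pattern rather than showing it. The following is an added C++ example, not code posted in the thread. The 16-byte buffer, the "user=alice" inputs and the 4-byte length-prefixed record format are all constructed for illustration. One caveat the example depends on: in the standard library, operator[] on std::vector and std::array is unchecked unless the library is built in its assertion mode (for libstdc++, -D_GLIBCXX_ASSERTIONS), so the checked access here comes from .at(), which throws std::out_of_range instead of touching memory outside the object.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed sample inputs (not from the thread): one that fits a
// 16-byte buffer and one that would overrun it.
static const std::string kShortInput = "user=alice";
static const std::string kOversizedInput =
    "user=alice&pad=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

constexpr std::size_t kBufSize = 16;

// The C-style equivalent is `char buf[16]; strcpy(buf, in.c_str());`,
// which silently overruns the stack on kOversizedInput. Here every write
// goes through std::array::at(), which checks the index and throws
// std::out_of_range on the 17th byte instead of corrupting memory.
// Returns the number of bytes copied on success.
std::size_t copyIntoFixedBuffer(const std::string& in,
                                std::array<char, kBufSize>& buf) {
    buf.fill('\0');
    for (std::size_t i = 0; i < in.size(); ++i) {
        buf.at(i) = in[i];  // throws rather than writing past buf[15]
    }
    return in.size();
}

// Turns the exception into a bool so the two approaches can be compared.
bool fixedBufferAccepts(const std::string& in) {
    std::array<char, kBufSize> buf{};
    try {
        copyIntoFixedBuffer(in, buf);
        return true;
    } catch (const std::out_of_range&) {
        return false;
    }
}

// The same job done the way the comment recommends: size the destination
// to the input (std::vector), make the length limit an explicit policy,
// and hand the result back through a std::unique_ptr so ownership is
// unambiguous and the pointer is either valid or null. A caller never
// sees a half-filled buffer.
struct Request {
    std::vector<char> body;
};

std::unique_ptr<Request> copyBounded(const std::string& in, std::size_t limit) {
    if (in.size() > limit) return nullptr;
    auto req = std::make_unique<Request>();
    req->body.assign(in.begin(), in.end());
    return req;
}

// Parse a 4-byte little-endian length prefix followed by payload. Header
// reads use .at(), so a truncated header throws; the declared length is
// then checked against the bytes actually present, so a lying length
// field also throws instead of reading past the end of `wire`.
std::vector<std::uint8_t> parseLengthPrefixed(const std::vector<std::uint8_t>& wire) {
    std::uint32_t len = 0;
    for (std::size_t i = 0; i < 4; ++i) {
        len |= static_cast<std::uint32_t>(wire.at(i)) << (8 * i);
    }
    // wire.size() >= 4 is guaranteed by the .at() calls above.
    if (len > wire.size() - 4) {
        throw std::out_of_range("declared length exceeds available bytes");
    }
    return std::vector<std::uint8_t>(wire.begin() + 4, wire.begin() + 4 + len);
}

// True when the parser rejects the input by throwing.
bool lengthPrefixRejected(const std::vector<std::uint8_t>& wire) {
    try {
        parseLengthPrefixed(wire);
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}
```

Run it with an oversized input and the fixed-buffer path throws where C would have corrupted the stack; the std::vector path simply refuses. Whether a thrown exception is the right failure mode for a network-facing parser is a separate design question, but it is a contained, debuggable failure rather than an exploitable one.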
Re: (Score:2)
What I find interesting is that Java security problems were almost a non-issue until Sun was bought by Oracle.
Re: (Score:2)
The only reason why Java is being exploited and making headlines so much recently is because Java is so widely adopted now that it makes a big target.
But there's nothing wrong with examining whether Java in the browser should be widely adopted. After the last merry-go-round of critical updates I deleted the Java plugin and haven't noticed a difference. The only site I encountered since then that used any embedded Java was the Taiwan Ministry of Education using it for some unimportant news ticker (which sums up browser applets in general: a distant reminder of Geocities and Livejournal). Even before then, Firefox intermittently would disable Java plugins
Re: (Score:2)
True. I suppose a third of the people with Java installed don't really need Java. Another third probably don't want or need the browser plugin. It should be an optional part of the installation. The final third are the professional or educated users who know what they are doing, probably need Java and are savvy enough to disable the browser plugin, if they don't need it.
The main problem of IT security is always that most users just don't know better.
Re:NOT correct (Score:5, Insightful)
With a C++ program it is up to me, the programmer to make sure there are no exploits.
Which is why of course all those ActiveX controls running in IE, mostly written in C++ were so immune to exploitation. The security exceeded everybody's wildest expectations.
Re: (Score:2)
With a C++ program it is up to me, the programmer to make sure there are no exploits.
Guess how many programmers are adequately up to that task... And when I say "many", I actually mean "few".
Re: (Score:2)
Also, in C++, I'm constrained by the libraries I have to use. Much of the stuff that's in Java standard libraries just isn't in C++ standard libraries (although C++11 improved that a lot, and Boost is very useful for what it covers). It's a lot easier to write secure code in C++ than in C, but (as a C++ fan) I'm not at all convinced it has advantages over Java.
Re: (Score:3)
I don't blame Java
Re:v1.6 is forgotten but most use that (Score:4, Informative)
What are you smoking? 1.6 update 45, released a few days ago contains all these fixes.
Re:Repeat after me (Score:5, Insightful)
yeah, it should read: 3 Java security vulnerabilities (2 are client only) and 39 Java Web Start vulnerabilities fixed.
Re: (Score:3)
the point is that they just patched 39 vulnerabilities that were not known about last week... how many are still in there that we just haven't discovered yet? That's why we criticise them, because they've found so many vulns, there's a good chance there's a load more waiting to be discovered.