back to article Oracle patches Java 0-day, goes to Defcon 2

Oracle has patched the latest Java nasty, suggesting users of the increasingly-flaw-prone product visit pronto to download a new version of the software that addresses the flaw and stops malicious websites gaining control of compromised computers. In a blog post describing the fix, Oracle's Eric P. Maurice may just …


This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    You hardly need Java for anything these days - it's a dying technology as most enteprises use .Net - which is far more secure. Just uninstall it.

    1. Paul Anderson

      I don't know the last time I found the need to install Java RE on a computer. The default desktop image should really exclude it these days.

    2. Anonymous Coward
      Anonymous Coward

      Easier said than done on Ubuntu, which comes installed with this scourge by default!

      Phew what a palava!

      1. A J Stiles

        Ubuntu uses OpenJDK by default, not the Oracle JDK.

    3. Anonymous Coward

      I wouldn't be too quick to side with the .Net framework...

      Only runs on Windows, they can't work out which UI framework to settle on (WinForms? Nope. WPF? Nope. XAML? Yes, for the time being, HTML 5? Maybe) and the mobile platform runs on about 2% of the world's mobile devices.

    4. Daniel B.

      I found the MS shill!

      .NET isn't more secure, it's actually on par with Java on some stuff. On others, Java is better. And .NET is stuck with Active Directory; trying to use a true LDAP for authentication/authorization means you'll have to roll out your own implementation for MembershipProvider and RoleProvider.


    5. Destroy All Monsters Silver badge
      Thumb Down

      RICHTO, please stop posting as Anon, you are not doing yourself any favors.

    6. justincormack

      There are still stupid Java bastions left - online meeting software, browser based VPNs, and a whole bunch of stuff in banking.

    7. Stretch

      "You hardly need Java for anything these days - it's a dying technology as most enteprises use .Net - which is far more secure."

      lol. 4 statements here. all absolutely opposed to reality.

      1. dogged

        @stretch - Enterprises use Java, it's not dying, .NET is not more secure - although you could argue that it is harder to exploit since the compiler is less holey and a lot less portable - but the third statement "Enterprises use .NET" is pretty accurate.

        Companies tend not to be fanbois so they don't have religious objections to technology on the grounds that they love something else. They just use whatever works. There are many situations where Java works and many where .NET works.

        Desktop Java is pretty horrendous though.

  2. Anonymous Coward
    Anonymous Coward

    got a nasty at work - we think it came in via java in browser

    A head's up... it hit us hard and I spent a while taking it off machines + we'll have a full security review now the boss has (I hope) woken up to it.

    1. Blitterbug

      Re: got a nasty at work - we think it came in via java in browser

      now the boss has (I hope) woken up...


  3. Anonymous Coward

    I tried turning it off.

    That worked.

  4. Tree

    What! Do you think I am CRAZY??

    Man, it has a check box to install McAfee. Maybe I am paranoid, but not THAT paranoid. Will it recognize Java as malware?

  5. Anonymous Coward
    Anonymous Coward

    Security by Self-Delusion

    What does McAfee say about this? See

  6. Anonymous Coward
    Anonymous Coward


    Recent extenders of java have lost sight that the VM is capabilities based, or perhaps rely on that too naively.

    Maybe its time to rethink the VM if closures and anonymous methods are the way of the future.

  7. Anonymous Coward
    Anonymous Coward

    Out of the sandbox and into the flames

    with the JMX classes...

  8. Destroy All Monsters Silver badge

    Kaspersky has this to say...

    At Java 0day Mass Exploit Distribution

    One of the best statements that I have seen in regards to the fairly impractical "just uninstall it" approach was presented by one of the handlers at the ISC Storm Center in today's issue of SANS NewsBites: "Editor's Note ([Mat] Honan): It seems each time a zero day exploit is found in software, be that Java or otherwise, the industry pundits recommend that people stop using that software. New vulnerabilities will always be discovered in the software we use. If our best defence to a threat is to cause a denial-of-service on ourselves then this in the long term is a no-win strategy for us as an industry. We need to be looking at better ways to defend our systems and data, one good place to start is the 20 Critical Security Controls

  9. This post has been deleted by its author

  10. s. pam Silver badge

    I rather fucking drink my Java than use it!

    Turned it off last week a day before the press got a clue on everything in our house. Not a problem reported at all, thus validating the extreme uselessness of even having it installed anymore!

    Goodbye Java!

  11. boatsman

    happens 3 times a month with IE .....

    so why so much excitement over once in a 3 months with java applets, which is risky IF you are cruising on warez and crackz sites ?

    Java in the browser is almost never used anymore anyway.....

    ?? Surely no one turned off the IE browser because MS will fix it once more at 14th january (today) ?

    my coat, plz.....

    1. an it guy

      Re: happens 3 times a month with IE .....

      it's just annoying to have to update Java all the time when you don't actually use it. I also don't use IE unless forced to, so no IE, no java.

      I know Firefox, Chrome, and Safari have security problems, but typically less severe. If it's not needed, then turn it off. I've removed it from all computers which don't need it where I work (and that's most of us). One less attack vector for users who are not technically savvy, or might click 'yes'

  12. David Austin


    With Hindsight, the naming of the technology is a big problem. Had about half a dozen customers call up, after disabling JAVASCRIPT, then noticing almost all their websites stopped working...

    Perhaps a Java VM Rename could help it dodge it's current reputation, and reduce confusion...

    1. Androgynous Cupboard Silver badge

      Re: Naming

      We were here first. Get them to disable ECMAscript instead.

  13. David Martin

    Any client-side binary tech exposed to the www is dangerous

    PDF, Flash, ActiveX, or Java (and of course, the browser itself). You cannot predict possible future exploits for any of these. Firefox with the NoScript add-on is one answer.

    1. Christian Berger

      Yes, but in those cases...

      those technologies were designed in the 1990s, the decade nobody cared about actual security and people were happy enough if their systems ran for a day without a crash! Newer incarnations of the same ideas might be more secure, but then again we now understand why Flash, ActiveX and Java were bad ideas.

  14. Tweetiepooh

    Tell the vendors

    of one of our most used tools. They are switching to a browser interface with Java apps from native clients. The reason is fairly easy to see, it's a single platform to work on rather than lots of possibles. It doesn't matter if there are others, it's the one the vendor has selected and it would be a major task to change the product.

    That said it's only accessible internally (at the moment) so PC's accessing are controlled.

    1. Anonymous Coward
      Anonymous Coward

      Re: Tell the vendors

      Speaking as a vendor who products applets, we hate them even more than the customer. The user experience should be the same as our application, but it's not: it's slower, the screen refresh is worse, the delay while starting the VM is way to large (at least we now have that option, rather than being lumped into one VM with no control over heap size) and deployment is a nightmare of changing goalposts on different platforms - you think you have it bad on Windows; try OS X.

      Then of course you have the SecurityManager obstacle if you want to do anything useful, which appears to offer fine grained restrictions from the API - not so! To give one example, Jars can be signed with multiple signatures which should allow you to build an applet from a combination of components at different trust levels. Yes? No. All Jars deployed as part of an applet must be signed by the same signature - a new restriction in 1.6.0_16 that broke all our existing deployments.

      Java has matured into a very fine language, despite some obvious missteps, but Sun and now Oracle's handling of it on the Desktop, and particularly on the web, has been nothing short of disastrous and the user experience of applets now is roughly the same as it was in 1999, to wit: shite.

      If I were your vendor I'd be moving to HTML5 myself - JS frameworks are even worse than Swing for GUIs, but at least they're improving.

  15. Ken Hagan Gold badge

    default security level

    "Oracle has also changed Java-in-a-browser's default security level to “High”. "

    Er, sorry? You mean the default level for *in-browser* applets hasn't been "maximum" for the last 15 years?

  16. Anonymous Coward
    Anonymous Coward

    Perhaps people would update a bit more often if it wasn't about 20 clicks to install the updates, and didn't try to ram the shitty ask toolbar and search default down your throat every f'ing time.

This topic is closed for new posts.

Other stories you might like