Oracle patches Java 0-day, goes to Defcon 2

Oracle has patched the latest Java nasty, suggesting users of the increasingly-flaw-prone product visit java.com pronto to download a new version of the software that addresses the flaw and stops malicious websites gaining control of compromised computers. In a blog post describing the fix, Oracle's Eric P. Maurice may just …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    You hardly need Java for anything these days - it's a dying technology as most enterprises use .Net - which is far more secure. Just uninstall it.

    1. Paul Anderson

      I don't know the last time I found the need to install Java RE on a computer. The default desktop image should really exclude it these days.

    2. Anonymous Coward

      Easier said than done on Ubuntu, which comes installed with this scourge by default!

      http://askubuntu.com/questions/84483/how-to-completely-uninstall-java

      Phew, what a palaver!

      1. A J Stiles
        FAIL

        Ubuntu uses OpenJDK by default, not the Oracle JDK.

    3. Anonymous Coward
      FAIL

      I wouldn't be too quick to side with the .Net framework...

      Only runs on Windows, they can't work out which UI framework to settle on (WinForms? Nope. WPF? Nope. XAML? Yes, for the time being, HTML 5? Maybe) and the mobile platform runs on about 2% of the world's mobile devices.

    4. Daniel B.
      FAIL

      I found the MS shill!

      .NET isn't more secure, it's actually on par with Java on some stuff. On others, Java is better. And .NET is stuck with Active Directory; trying to use a true LDAP for authentication/authorization means you'll have to roll out your own implementation for MembershipProvider and RoleProvider.

      Yeech!

    5. Destroy All Monsters Silver badge
      Thumb Down

      RICHTO, please stop posting as Anon, you are not doing yourself any favors.

    6. justincormack
      FAIL

      There are still stupid Java bastions left - online meeting software, browser based VPNs, and a whole bunch of stuff in banking.

    7. Stretch
      FAIL

      "You hardly need Java for anything these days - it's a dying technology as most enterprises use .Net - which is far more secure."

      lol. 4 statements here. all absolutely opposed to reality.

      1. dogged

        @stretch - Enterprises use Java, it's not dying, .NET is not more secure - although you could argue that it is harder to exploit since the compiler is less holey and a lot less portable - but the third statement "Enterprises use .NET" is pretty accurate.

        Companies tend not to be fanbois so they don't have religious objections to technology on the grounds that they love something else. They just use whatever works. There are many situations where Java works and many where .NET works.

        Desktop Java is pretty horrendous though.

  2. Anonymous Coward

    got a nasty at work - we think it came in via java in browser

    A heads-up... it hit us hard and I spent a while taking it off machines + we'll have a full security review now the boss has (I hope) woken up to it.

    1. Blitterbug
      Happy

      Re: got a nasty at work - we think it came in via java in browser

      now the boss has (I hope) woken up...

      ftfy!

  3. Anonymous Coward
    Holmes

    I tried turning it off.

    That worked.

  4. Tree

    What! Do you think I am CRAZY??

    Man, it has a check box to install McAfee. Maybe I am paranoid, but not THAT paranoid. Will it recognize Java as malware?

  5. Anonymous Coward

    Security by Self-Delusion

    What does McAfee say about this? See

    http://blogs.mcafee.com/enterprise/cso-risk-management/security-by-self-delusion

  6. Anonymous Coward

    CVE-2013-0422

    Recent extenders of Java have lost sight that the VM is capabilities based, or perhaps rely on that too naively.

    Maybe it's time to rethink the VM if closures and anonymous methods are the way of the future.

  7. Anonymous Coward

    Out of the sandbox and into the flames

    with the JMX classes...

  8. Destroy All Monsters Silver badge
    Holmes

    Kaspersky has this to say...

    At Java 0day Mass Exploit Distribution

    One of the best statements that I have seen in regards to the fairly impractical "just uninstall it" approach was presented by one of the handlers at the ISC Storm Center in today's issue of SANS NewsBites: "Editor's Note ([Mat] Honan): It seems each time a zero day exploit is found in software, be that Java or otherwise, the industry pundits recommend that people stop using that software. New vulnerabilities will always be discovered in the software we use. If our best defence to a threat is to cause a denial-of-service on ourselves then this in the long term is a no-win strategy for us as an industry. We need to be looking at better ways to defend our systems and data, one good place to start is the 20 Critical Security Controls http://www.sans.org/critical-security-controls/"

  9. This post has been deleted by its author

  10. s. pam Silver badge
    Flame

    I'd rather fucking drink my Java than use it!

    Turned it off last week a day before the press got a clue on everything in our house. Not a problem reported at all, thus validating the extreme uselessness of even having it installed anymore!

    Goodbye Java!

  11. boatsman
    Coat

    happens 3 times a month with IE .....

    so why so much excitement over once in a 3 months with java applets, which is risky IF you are cruising on warez and crackz sites ?

    Java in the browser is almost never used anymore anyway.....

    ?? Surely no one turned off the IE browser because MS will fix it once more on 14th January (today)?

    my coat, plz.....

    1. an it guy

      Re: happens 3 times a month with IE .....

      It's just annoying to have to update Java all the time when you don't actually use it. I also don't use IE unless forced to, so no IE, no Java.

      I know Firefox, Chrome, and Safari have security problems, but typically less severe. If it's not needed, then turn it off. I've removed it from all computers which don't need it where I work (and that's most of us). One less attack vector for users who are not technically savvy, or might click 'yes'

  12. David Austin

    Naming

    With hindsight, the naming of the technology is a big problem. Had about half a dozen customers call up, after disabling JAVASCRIPT, then noticing almost all their websites stopped working...

    Perhaps a Java VM rename could help it dodge its current reputation, and reduce confusion...

    1. Androgynous Cupboard Silver badge

      Re: Naming

      We were here first. Get them to disable ECMAScript instead.

  13. David Martin
    Alert

    Any client-side binary tech exposed to the www is dangerous

    PDF, Flash, ActiveX, or Java (and of course, the browser itself). You cannot predict possible future exploits for any of these. Firefox with the NoScript add-on is one answer.

    1. Christian Berger

      Yes, but in those cases...

      those technologies were designed in the 1990s, the decade nobody cared about actual security and people were happy enough if their systems ran for a day without a crash! Newer incarnations of the same ideas might be more secure, but then again we now understand why Flash, ActiveX and Java were bad ideas.

  14. Tweetiepooh

    Tell the vendors

    of one of our most used tools. They are switching to a browser interface with Java apps from native clients. The reason is fairly easy to see, it's a single platform to work on rather than lots of possibles. It doesn't matter if there are others, it's the one the vendor has selected and it would be a major task to change the product.

    That said, it's only accessible internally (at the moment) so PCs accessing it are controlled.

    1. Anonymous Coward

      Re: Tell the vendors

      Speaking as a vendor who produces applets, we hate them even more than the customer. The user experience should be the same as our application, but it's not: it's slower, the screen refresh is worse, the delay while starting the VM is way too large (at least we now have that option, rather than being lumped into one VM with no control over heap size) and deployment is a nightmare of changing goalposts on different platforms - you think you have it bad on Windows; try OS X.

      Then of course you have the SecurityManager obstacle if you want to do anything useful, which appears to offer fine grained restrictions from the API - not so! To give one example, Jars can be signed with multiple signatures which should allow you to build an applet from a combination of components at different trust levels. Yes? No. All Jars deployed as part of an applet must be signed by the same signature - a new restriction in 1.6.0_16 that broke all our existing deployments.

      Java has matured into a very fine language, despite some obvious missteps, but Sun and now Oracle's handling of it on the Desktop, and particularly on the web, has been nothing short of disastrous and the user experience of applets now is roughly the same as it was in 1999, to wit: shite.

      If I were your vendor I'd be moving to HTML5 myself - JS frameworks are even worse than Swing for GUIs, but at least they're improving.

  15. Ken Hagan Gold badge
    WTF?

    default security level

    "Oracle has also changed Java-in-a-browser's default security level to “High”."

    Er, sorry? You mean the default level for *in-browser* applets hasn't been "maximum" for the last 15 years?

  16. Anonymous Coward

    Perhaps people would update a bit more often if it wasn't about 20 clicks to install the updates, and didn't try to ram the shitty ask toolbar and search default down your throat every f'ing time.
