Is there a more secure VM?
Could users replace Oracle Java with IBM Java or some other version for a more secure experience?
Oracle has broken its silence to admit there are security issues with Java in web browsers - but it insists the tech is solid on servers and within mobile and desktop apps. In a blog post published on Friday, Oracle noted the "media firestorm" around the recent Java vulnerability, admitting users may have been left "frustrated …
The vulnerabilities are not in Java VM (hotspot). The vulnerabilities are in the Java security policy system, that runs on top of the VM, as normal Java code.
The policy system works like this:
- any operation provided by Java that accesses the resources or the environment of the host computer, or various sensitive operations within the Java runtime, are considered privileged
- programs always see and try to invoke those operations
- but the implementation of the operation queries the policy system, and checks if the operation is allowed
This is no different from what the operating system does. It provides all operations to all applications, but when the operations are called, the system policy checks whether the operation is actually allowed.
By default, for desktop applications, the Java policy allows all actions.
Now, when code is run inside the browser plugin, a very strict security policy is in place. It denies operations such as accessing local files, opening network connections, and so on. And what's important, it also denies operations that attempt to modify the security policy.
The vulnerabilities are in the policy system itself. The holes allow Java code to turn off the policy system, and thus gain access to all privileged operations.
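The split the post describes (every privileged operation is visible to all code, but its implementation asks the policy before acting) is easy to see in a small program. The following is an added example, not code from the article or from Oracle: a hypothetical `PolicyDemo` class installs a custom `SecurityManager` that models an applet-style policy, denying file access outside the JDK and denying any attempt to replace the manager, which is the "turn off the policy" path the post refers to. The file name `secret.txt` is a constructed input and need not exist. It assumes a JDK where the `SecurityManager` API is still usable: it is deprecated for removal since JDK 17, needs `-Djava.security.manager=allow` on JDK 18 and later, and is permanently disabled in JDK 24.

```java
import java.io.File;
import java.io.FilePermission;
import java.security.Permission;

// Hypothetical demo class (not from the article). Shows the same File.exists() call
// answered by the OS under the default desktop policy and refused under a
// restrictive, plugin-like policy.
public class PolicyDemo {

    // Captured before the manager is installed so the runtime can keep reading
    // its own classes and resources from the install directory.
    static final String JAVA_HOME = System.getProperty("java.home");

    // A deliberately narrow policy: deny file access outside the JDK and deny
    // replacing the manager itself. Every other permission passes unchanged.
    static final class SandboxManager extends SecurityManager {
        @Override
        public void checkPermission(Permission p) {
            if (p instanceof FilePermission && !p.getName().startsWith(JAVA_HOME)) {
                throw new SecurityException("policy denies " + p);
            }
            if (p instanceof RuntimePermission
                    && "setSecurityManager".equals(p.getName())) {
                throw new SecurityException("policy denies replacing the SecurityManager");
            }
        }
    }

    // File.exists() calls SecurityManager.checkRead(), which builds a
    // FilePermission and hands it to checkPermission() above.
    static boolean tryRead(File f) {
        try {
            return f.exists();
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        File f = new File("secret.txt"); // constructed path; need not exist

        // Default desktop policy: no manager installed, the call just runs.
        System.out.println("no manager -> exists() returned " + tryRead(f));

        // Plugin-like policy: the same call is now refused by the policy layer,
        // before the operating system is ever asked.
        System.setSecurityManager(new SandboxManager());
        tryRead(f);

        // Sandboxed code trying to switch the policy off hits the same check;
        // the flaws discussed in the article were ways around this step.
        try {
            System.setSecurityManager(null);
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The point the program makes is that the check lives in ordinary Java code running above the VM, not in the JVM itself: `f.exists()` compiles to the same bytecode in both halves of `main`, and only the installed policy decides whether it reaches the file system. A bug in that policy code, rather than in HotSpot, is therefore enough to hand sandboxed code every privileged operation at once.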
"The plan for Java security is really simple: it's to get Java fixed up, number one, and then, number two, to communicate our efforts widely."
Talk like a politician. Confuse goals and the way and means to attain them. Mix in some "communication efforts". Probably raise taxes down the line...
Oracle's Ask.com crapware payload is even more malignant than standard - if you accidentally leave the defaults enabled, you can't just go to CP - Add/Remove and uninstall. The installer routine is coded to wait ten minutes before inserting the entry on the Control Panel list.
It's clearly intended to prevent moderately experienced Windows users from undoing their errors when they clicked too fast through the installer defaults.
Oracle should be ashamed of associating itself with such utterly scummy practices. It stinks.
Any user of Oracle products is used to their practices. There are times that they make CA seem good.
A friend of mine worked for CA, and he said that they aspired to be as evil as Oracle, but weren't competent enough to manage it.
Working for them was not a happy experience either. The saddest part was the people who left CA (possibly only joining after their company was bought out), and were in a company that CA subsequently also bought. Then got made redundant. There were people who'd been through this cycle more than once.
Is just evil. From closing down the OpenSolaris project to aggressive corporate purchases to their almost complete disregard for their non-enterprise DB customers, they're evil to the bone. I used to think they were just incompetent, but it almost looks like deliberate negligence at this point.
JRE is Java Runtime Environment (the interpreter), which can run on a number of devices, most commonly phones, e.g. JAR files, possibly even COD/ALX coded files? Just as SQLite appears to be a standard these days for phone databases?
Servers would, presumably, require the JRE in order to serve it to a client? :-/
And the joke falls flat because saying company X's security practice sucks is much different than saying all developers of a product are idiots. Do you really want me to post all the drive-by critical CVEs found in Adobe's products even in the last year? Pretty significant list, and these days it is even longer than Microsoft's, which is bad when they make the OS and a good portion of the software on most desktops.
Here ya go. Lazy way out but still. This is an incomplete list obviously, as it only covers two products, but it's still pretty impressive.
http://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-497/Adobe-Acrobat-Reader.html
http://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-6761/Adobe-Flash-Player.html
This line caught my eye, as a juicy bit of grade-A whining:
'He criticised the media for putting out the "loose" message to uninstall Java while admitting there was a security issue with the runtime in web browsers.'
Journalists can be scummy and inaccurate, but in this case they reported accurately. Java security is broken. Maybe one day it'll be fixed. Until then, you can sidestep a whole boatload of grief by uninstalling it.
What's loose about that, Oracle?
The irony was that Microsoft's unofficial version of Java, once bundled with Windows, was generally OK. Then Sun sued Microsoft and the result is that we have to use the bloated, insecure, crapware-laden official version (anything that adds itself to the system tray and creates pop-up reminders is a fail in my eyes). I never install it when building a machine, and if a website requires it, I decide that I don't require that website.
The current irritation is that the latest release of Firefox prompts me to install an updated version of Java whenever I start it (on Windows, anyway - it's OK on Linux Mint). One day the wife or kids are going to do what FF asks and I'll have a crapware-infested system. Hopefully them being "limited users" will prevent this.