Very reassuring that Java is being used in many banks (even online banking, customer facing) and other financial services....
Have Oracle been hibernating for a couple of years? The amount of remote-exploitable flaws just seems surreal.
Thought your Java security woes were behind you? Think again. Oracle is planning to release a Critical Patch Update on Tuesday that affects multiple versions of Java, and it's another doozy. According to Oracle's security announcement, the patch pack addresses 40 different vulnerabilities. All update levels of Java SE 5, 6, …
I disagree.
With modern Linux systems it's not unreasonable to not know every package on your system. My current Ubuntu system has 2436 packages.
Unless you're specifically using Java systems, Java's little different from any other dependency, such as a .so/.dll library or something like that. In other words it's no different from the 2435 other packages.
In my experience (YMMV) Oracle's bug fixes & security patches follow the rule of a day late and a dollar short. Actually that's being way too kind, Oracle tend to be in the region of 8 months late and $1m short. If the Reporter has enjoyed a similar level of customer service and product quality I have, I would expect them to be a bit churlish because they will have been living with ball-breaking defects in very expensive products for months or even years...
When I first got my hands on Java 1.1 I had a gut feeling that Java's huge runtime combined with people placing too much trust in the whole sandbox idea would end in tears. Having had the Java wonks insisting that Java is the safest and most secure language I should be feeling Schadenfreude. As it happens I'm feeling a mixture of anger and pity because their ignorance and complacency has contributed towards security holes being overlooked which in turn has caused real users real harm.
It's a pity because there are a few things I like about Java...
This report makes it sound like it's in particular classes (or libraries, as we old folk call them).
But libraries that ship as part of the "core" platform, akin to a bug in libc or stdlib (but many times more complex as they're often working at a higher level of abstraction)
As to the complaint about Java, show me a language and runtime/ecosystem that haven't had a history of security bugs or, worse, caused lots of code to be written with security bugs. If you have one, explain why everyone isn't already using it...
I'm not sure if 'djb-ware' would count as an ecosystem, but while there might have been the occasional security issue, it doesn't have a 'history of security bugs'. He has developed some libraries to assist in this task that are not as susceptible to security bugs as the standard C library.
As for why people don't use it?
1: People are idiots.
2: DJB's original licencing was incompatible with software distributions, so his software wasn't included.
3: Some people have a negative opinion of DJB.
Java's transition to Open Source and the decline of Sun and the eventual purchase by Oracle meant that Java was pretty much left to rot for 5 years. However, over the past couple of years Oracle have been ramping up production of new features and security fixes; this is only a good thing. I suspect the security issues will eventually become less of an issue.
Although to be fair most of the security holes are due to piss-poor sysadmins who have no idea how to secure their networks from the outside world, rather than Oracle's fault for releasing too many patches. Of course the excessive moaning on the Reg forums would make most believe otherwise.
"However over the past couple of years Oracle have been ramping up production of new features and security fixes"
The only real security is to run your Java Virtual Machine from a read-only device; that way when you reboot, you end up with a clean machine..
Does it fix the major flaw that, whilst the JVM is an excellent piece of technology, the Java language is verbose and ponderous, and apart from the woefully implemented generics, hasn't evolved for 10+ years?
No, I thought not.
I'll stick with F# and Python.
AC, because you Java developers are somewhat... intense... with your views.
"Yes, go back to the .NET faggotry.."
Nice. As I wrote before:
AC, because you Java developers are somewhat... intense... with your views.
Thanks for so eloquently proving my point. You just run along and keep destroying those monsters until Mummy brings you your bedtime cocoa.
Considering the amount of time Java has been about, and considering the Java sandbox was designed to isolate the underlying OS from untrusted Java apps, why is it still so full of security holes?
..and then in the real world that choice often is not available due to some vendor software (some storage vendors come to mind and they're not alone) being written in Java. Larger corporations tend to have other corporate tools that require Java, so as much as the intelligent people might not want to have Java on their machines, that is not always possible.
At least Oracle are fixing these issues, given Sun staff were obviously too damned lazy to fix many bugs (some I reported), and were quite slow to add important new language features and APIs.
I hope that Oracle run PMD and FindBugs over the core source code soon, because it needs a serious code and interface cleanup, which Sun should have done before they released 1.5; a lot of this cruft is still in 1.7!
So there is supposed to be an update on the 18th June. It is now the 20th & I have not received any update from Sun. Do they expect us to go to their site & download it? This is really a joke, were it not so serious.
Have they even released the update? My last update was on 11-03-2013.
So off I go to take a look at the homepage from Java. It is not as though I have nothing better to do.
Update. I was on Java's website & although I have the update function on automatic I had to do it manually. I have checked & the settings were for automatic updates. So even that does not work properly.
So the motto of this experience is do it manually, as in my case one cannot depend upon Java/Oracle to automatically inform you of updates. Absolutely unbelievable.