Oracle issues emergency patch for Java on Windows

Oracle's fired off an out-of-cycle emergency Java patch to plug a during-installation vulnerability on Windows platforms. Dubbed CVE-2016-0603, the bug is complex, in that an attacker would have to trick a user into visiting a compromised Website before installing Java 6, 7 or 8. However, a successful attack results in a “ …

  1. Anonymous Coward
    FAIL

    Out, damned spot! Out, I say!

    Peeps still have Java on their machines? In 2016?

    1. egeria

      Re: Out, damned spot! Out, I say!

      Oracle apps demand it.

      1. Dan 55 Silver badge
        Meh

        Re: Out, damned spot! Out, I say!

        Eclipse demands it...

        Disabled in the browser though.

        1. Yag
          Trollface

          Oracle apps demand it. / Eclipse demands it...

          Two more reasons to get rid of it.

    2. LDS Silver badge

      Re: Out, damned spot! Out, I say!

      Dell's iDRAC remote console demands it.... through Java web start from a browser :-(

      Or tools like SmartSVN/SmartGIT.

      And, above all, how do you believe you develop apps for Android with the official SDK?

      1. Anonymous Coward

        Re: Out, damned spot! Out, I say!

        Cisco UCS servers require Flash *and* Java for remote management :-(

    3. Anonymous Coward

      Re: Out, damned spot! Out, I say!

      Peeps still have anything from Oracle on their machines? In 2016?

      1. DJV Silver badge
        Unhappy

        @AC

        "Peeps still have anything from Oracle on their machines? In 2016?"

        Yeah, I've got VirtualBox - bloody wish Oracle didn't own it, though...

    4. Valerion

      Re: Out, damned spot! Out, I say!

      Minecraft demands it, too.

      1. TheVogon Silver badge

        Re: Out, damned spot! Out, I say!

        "Minecraft demands it, too."

        No it doesn't. Microsoft ported it to .Net so no need for Java anymore (it's also much faster).

        1. Dan 55 Silver badge

          Re: Out, damned spot! Out, I say!

          Out of the frying pan into the fire...

        2. Anonymous Coward

          Re: Out, damned spot! Out, I say!

          "Microsoft ported it to .Net so no need for Java anymore."

          Really? Link please? I can't find any information on that at all. Unless it's an internal build?

          1. desht

            Re: Out, damned spot! Out, I say!

            That would be the Minecraft Windows 10 edition, which is basically the same codebase as MCPE, the pocket edition. It does not have the same functionality as the PC version, and any kind of modding is a non-starter. It's really only of interest to kids who are happy with purely vanilla functionality, and a feature set that lags behind the current 1.8 Java version (and way behind the upcoming 1.9 version). If you have any interest in modding, forget it.

            http://minecraft.gamepedia.com/Windows_10_Edition

            1. TheVogon Silver badge

              Re: Out, damned spot! Out, I say!

              "That would be the Minecraft Windows 10 edition, which is basically the same codebase as MCPE, the pocket edition"

              It's NOT the same as the Pocket Edition. See https://mojang.com/2016/02/check-out-the-minecraftnet-beta/

              1. desht

                Re: Out, damned spot! Out, I say!

                Yes, it *is* the same as MCPE. That "minecraft.net" beta you linked to is the beta of the http://minecraft.net/ website. You're confusing domain names and software platforms.

                There's the Java version of Minecraft which runs on Windows/Mac/Linux, and there's C++ Windows 10 edition which runs on Windows and (I think) Mac, and is an adaptation of MCPE: http://minecraft.gamepedia.com/Windows_10_Edition. And that is all.

                1. TheVogon Silver badge

                  Re: Out, damned spot! Out, I say!

                  "and is an adaptation of MCPE"

                  So it's NOT the same thing as I said. Lots more features are coming - which likely won't all make the pocket edition. It's way faster on the same hardware than the Java version so I expect Microsoft will deprecate that.

                  1. desht

                    Re: Out, damned spot! Out, I say!

                    Fine, it's not the same code line for line, but the gameplay is identical to MCPE, and it's multiplayer compatible with MCPE, and not the Java version. It's MCPE on a (Windows-only) PC for all intents and purposes.

                    My point, though, was in reply to your original statement of "no need for Java anymore". That simply isn't true for anyone in the very sizeable modding community that exists today, regardless of whether MS discontinue it or not. Minecraft Win10/MCPE has no modding support at all, and if it ever does get modding support, you can bet that it will be 1) a locked-down and limited API, completely incompatible with Forge, Bukkit, Sponge or any existing API, and 2) probably encourage paid-for mods via an app-store arrangement. In other words, crap. Oh yeah, and no Linux support, because, you know, this is MS we're talking about.

                    So yeah, there's still very much a need for Java, thanks.

                    1. TheVogon Silver badge

                      Re: Out, damned spot! Out, I say!

                      "but the gameplay is identical to MCPE, and it's multiplayer compatible with MCPE, and not the Java version."

                      Because they have had to start from scratch porting it to better performing and more modern architecture. They are as it states building on this going forwards. I would expect that development will eventually cease on the Java version.

                      "Oh yeah, and no Linux support"

                      I doubt MS care too much about ~ 1% of PCs.

                      1. desht

                        Re: Out, damned spot! Out, I say!

                        "I doubt MS care too much about ~ 1% of PCs."

                        Perhaps, but you're conveniently ignoring server numbers where Windows is in the small minority: http://mcstats.org/global/#Operating+System

                        And as you also continue to conveniently ignore, Win10/MCPE version is an irrelevance to the modding community, so even if MS/Mojang cease Java development, it won't die anytime soon. Mods add more to the game every day than the official game gets in a year and the current 1.8 platform has the potential to go for many years.

                        So, once again: the Java Minecraft version isn't going away anytime soon. Your precious MCPE game is fun for young kids and MS research projects (Hololens integration admittedly has a cool factor), but that's about it. Doesn't matter how well it performs or how modern its architecture is; if the game is limited to Minecraft vanilla or ends up with a crappy locked-down modding API, it has nothing on a fully moddable Java platform.

                      2. Anonymous Coward

                        Re: Out, damned spot! Out, I say!

                        "I doubt MS care too much about ~ 1% of PCs."

                        Depends where you get your stats; some appear to put Linux at over double that: http://www.w3counter.com/globalstats.php. In fact over a quarter of the number of machines running Windows 10. Considering it's not pre-loaded in shops or forced upon existing Windows users, that's a pretty impressive feat.

          2. TheVogon Silver badge

            Re: Out, damned spot! Out, I say!

            "Really? Link please?"

            Minecraft (.Net version) has been in the Windows Store for months. Since before Windows 10 was released.

        3. This post has been deleted by its author

        4. Not That Andrew

          Re: Minecraft

          I think you are thinking of the version that MS deliberately limited to Win10, which almost certainly doesn't use .Net as it is based on Pocket Edition.

        5. desht

          Re: Out, damned spot! Out, I say!

          In case you're wondering where all the downvotes came from: the MS port is of the pocket edition, *not* the PC/Java game, and it's neither compatible with nor a replacement for the Java version.

          So yes, the Minecraft that everyone runs on their PC today still very much demands Java, and so will the upcoming 1.9 release.

    5. Def Silver badge

      Re: Out, damned spot! Out, I say!

      Peeps still have Java on their machines? In 2016?

      Unfortunately.

      Actually, I only have it on one of my machines now and that's basically because the Android Dev Kit needs it.

    6. Anonymous Coward

      Re: Out, damned spot! Out, I say!

      The Spanish Tax Office (La Hacienda) enforces the use of Java to create and submit their tax forms online - and the 'pure' Oracle version at that - OpenJDK won't do. A new download needed for each year as the forms change. The user interface is horrible. It's buggy - but less buggy than a couple of years ago. On Linux it has to be installed via a clumsy shell script run as root. And I hate to think what the security quality is in the background. But since there's a minimum €75 fine for every missing or late tax form...

  2. Pascal Monett Silver badge
    Trollface

    "a suitably inept end user"

    Well it's not like those are a dime a dozen now is it ?

    Oh, wait . . .

  3. Anonymous Coward

    Damn, and here I was hoping it was the Ask toolbar involved...

  4. Anonymous Coward

    Perhaps if Oracle spent less time cosying up to the scumbags at Ask

    They may have a little more resource to throw at writing software.

  5. Just Enough

    Just kill it already

    Java was lovely... 15 years ago. Now it is a constant embarrassment.

    Like a few here, I only have Java on my computer because I have to for certain applications. It is not the easiest of tools to manage and I would be more than happy to be done with it. Not having the constant oops-another-security-hole-please-upgrade nags would be good for a start.

    1. Sandtitz Silver badge

      Re: Just kill it already

      It was never lovely. It was slow to use. Applets took ages to run and launching the JRE took its toll in Y2K iron (Pentium 2 with 256MB or some such).

      Like today, compatibility wasn't guaranteed between versions. I have some obsolete hardware that refuses to work with any recent v6-7-8 Java versions. Oh, and I know a few companies that had a PBX/SIP gateway (Boscom) that could ONLY be configured with MS Java...!

      Java - the idea is great but for most uses the same applet could have been compiled to native binaries that would have worked faster, better.

      1. Dan 55 Silver badge

        Re: Just kill it already

        Jwz did a blog entry about how Java was four things in one, three of which weren't very good. He came to the same conclusion that it should have been a compiled language. It would still have been portable.

    2. HmmmYes

      Re: Just kill it already

      Yeah. Java was never lovely. At its best it was not too buggy but slow.

      It promised a lot, a bit like a binary version of a 70 YO plumber in a Thai bar.

      All it delivered was STDs - software transmitted diseases.

  6. This post has been deleted by its author

  7. smackbean

    The 'Java sucks' brigade...

    Thanks for the unformed commentary again on a Java related story. What world do you guys inhabit? Now let's see..

    "vulnerability on Windows platforms"

    Yes, windows.

    "an attacker would have to trick a user into visiting a compromised Website before installing Java 6, 7 or 8"

    Um.. ok

    "Getting an attack to work would be very difficult"

    oh right...

    "people with an existing clean install of Java ... don't have to worry"

    Ah.

    And finally:

    "Peeps still have Java on their machines? In 2016?"

    Java the most used software development language in the world for 15 years and counting...

    http://www.tiobe.com/index.php/content/paperinfo/tpci/index.html

    But I'm sure you know better!

    1. Anonymous Coward

      Re: The 'Java sucks' brigade...

      Java the most used software development language in the world for 15 years and counting...

      http://www.tiobe.com/index.php/content/paperinfo/tpci/index.html

      This is the same crowd that's been saying Go hasn't seen any adoption either.

      Tiobe isn't exactly a source of reliable information.

    2. Mpeler
      Holmes

      Re: The 'Java sucks' brigade...

      Unformed?

      Anyway, perhaps "Java Sucks" isn't the problem. Oracle Sucks, and they've taken Java into their bug barn... 'orrible, indeed.

      Stanford University Networks (where "the network is the computer"), gone, but not forgotten...

      1. Anonymous Coward

        Re: The 'Java sucks' brigade...

        A bit unfair, since all the Java bugs Oracle has had to fix were written by Sun. It was a great hardware company, but never really got its head around making software.

        1. asdf

          Re: The 'Java sucks' brigade...

          Yep Java the concept was decent but SUN's absolute garbage implementation continued up to today really limited its use on the desktop. Microsoft did a good job of showing how to do a managed language environment but then came to the conclusion that the concept was not fit for purpose for developing its own products (a few token examples aside which tended to be flaky and slow).

  8. TeeCee Gold badge
    Meh

    Overly wordy?

    ...a suitably inept end user...

    Just "user" would have done.

    1. ecofeco Silver badge

      Re: Overly wordy?

      Precisely.

  9. Richy Freeway

    Sounds like it might be something to do with this.

    http://news.softpedia.com/news/dll-hijacking-issue-plagues-products-like-firefox-chrome-itunes-openoffice-500060.shtml

  10. Bugs R Us

    Here we go again

    Took long enough to kill Flash. It's gonna take a lot longer to kill off Java. Well, at least it is almost gone from browsers.

  11. a_yank_lurker Silver badge

    We have malware but we also have suckware. Suckware is a class of software that is not intended to be malicious but is so badly written it is a firehose spewing malware with abandon obliterating what use they have. Classic examples of suckware are Flash and Java.

  12. ecofeco Silver badge

    oh ffs

    Really? Dammit. Really?

  13. Anonymous Coward

    First thing I do

    When I get to a new workstation/laptop I haven't used before is:

    - remove Adobe Flash

    - remove Adobe Reader

    - remove Java

  14. Mark 85 Silver badge

    Time Machines run on Java?

    From the Oracle, it was thus spoken: "...should discard these old downloads and replace them with 6u113, 7u97 or 8u73 or later”. How else would one get a later version since 8u73 (Windows) is the latest? Or is there another version coming out in the next several hours/day?

  15. Hans 1 Silver badge
    WTF?

    They have fixed something in the installer that prevents somebody from injecting code into the binary that gets run when the installer is started. Great!

    But anybody can design an installer that looks like the Oracle Java installer, and installs teamviewer or you name it .... you can do that to any software downloaded from the interwebs ... In Window cleaner and Surface expert land, this is common practice, the main vector of ad&malware.
