Oracle knew about critical Java flaws since April

The critical Java vulnerabilities that have security experts cautioning users to disable Java in their browsers are not new discoveries, a security firm claims. On the contrary, Oracle has known about them for months, and it has probably had a patch ready since before an exploit was discovered in the wild. Security …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    I don't think patch cycles are tenable.

    Sit on it for four months so that enterprises get them all in one go and sit on them another few months while "testing"? It leaves everybody who isn't slow as a dinosaur out in the cold. Oh, and does open those enterprises up to targeted attacks they don't even know existed (because the vendor is sitting on the security notes as well, for their convenience), too. Because, let's face it, if you go out on the black market to buy exploits, you have a target in mind. Like, oh, oil companies or something.

    The point is that one-size-fits-all patch releasing in fact doesn't fit all but does come back to bite everyone. Time for a re-think then.

    Personally I'd want to have a server that I can trust sitting somewhere, that fetches all the patches and updates for all the operating systems and applications I have deployed, along with (readable, actually containing useful descriptions of what the patches do, looking at you here, redmond) release notes for each patch. And no, that server won't be running any commercial OS, thank you, but open source of my choosing. And then I want to be able to selectively push the patches out to the test bank first, then to group this, group that, and so on, with the ability to partially or fully roll-back at the first sign of trouble.

    This obviously doesn't fit Joe Average User, who cannot be trusted to update --for a variety of reasons, and not all of them are poor Joe's fault, not by a long shot-- so various bits of software just phone home and update without permission or much notification at all. But quite a lot of pointless nagging to make up for it.

    Why do so many parties insist on reinventing the wheel? What about an open standard for distributing patches, that supports both models above, and more to boot? Independent of OS, so you can pick any server OS to run your patches server for any other OS? How hard can it be? All it requires is that various vendors get their heads out of their arses and... oh right, n'mind then. Carry on.

    1. Anonymous Coward
      Anonymous Coward

      Re: I don't think patch cycles are tenable.

      The update is now available for download; they don't stick to the update cycles for critical fixes.

  2. nuked
    Megaphone

    Oracle's behaviour is disgusting.

    That is all.

    1. Anonymous Coward
      Anonymous Coward

      Re: Oracle's behaviour is disgusting.

      Why?

      Java is open source software, why don't you fix it yourself? You're not exactly paying Oracle to support it are you?

      The current sense of entitlement in IT is shocking.

      1. Anonymous Coward
        Anonymous Coward

        Re: Oracle's behaviour is disgusting.

        I do hope you were being sarcastic, otherwise you are a complete tool!

        1. Anonymous Coward
          Anonymous Coward

          Re: Oracle's behaviour is disgusting.

          Typical schoolyard bully, no real argument so moves to name calling. Come back when your balls drop kid.

          1. Anonymous Coward
            Anonymous Coward

            Yep

            The IcedTea OpenJDK fork already fixed this bug. You may want to look into that before moaning.

            1. Hans 1
              Boffin

              Re: Yep

              Yes, I would love to, if it could load other Java applets than the standard test applet on java.com.

      2. Frumious Bandersnatch

        Re: Oracle's behaviour is disgusting.

        The current sense of entitlement in IT is shocking.

        It has nothing to do with "our" sense of entitlement and everything to do with Oracle's moral responsibility. Think of Java as being like a teenager going out into the world and Oracle being its guardian. It's up to Oracle to ensure that their brat isn't going to become a public menace. A very large software ecosystem is built around Java and people need to be able to depend on it. At this rate Java is sure to end up hanging around with Flash, and that definitely won't end well.

        1. Anonymous Coward
          Anonymous Coward

          Re: Oracle's behaviour is disgusting.

          As an ex-Sun staffer - it's unsurprising really!

          Oracle have always treated customers as really just a pain in the backside - who needs them.....??

          With all the money they have coming in from licence fees and extortionate contracts why bother with common sense and spending 1 cent more than has to be spent.....

          Oracle ARE NOT SUN....Oracle can't be bothered unless there's a buck or two billion involved - they don't care, are not interested in anyone or anything unless it's BOTH in their plans anyways AND makes lots and lots of the green stuff.....

          1. asdf
            FAIL

            Re: Oracle's behaviour is disgusting.

            >Oracle ARE NOT SUN

            Well they shared one thing in common. They both maintained a really shitty reference vm implementation. Notice even the open source fork didn't have the flaws.

            1. asdf
              FAIL

              Re: Oracle's behaviour is disgusting.

              Granted it's dated but not a lot has changed.

              http://www.advogato.org/article/624.html

              and

              http://en.wikipedia.org/wiki/Criticism_of_Java#Security

      3. Levente Szileszky
        Thumb Down

        Re: Oracle's behaviour is disgusting.

        "The current sense of entitlement in IT is shocking."

        Ehh? Anonymous corporate shills like you are a lot more shocking, stupid troll.

  3. dullboy
    WTF?

    Different Java editions

    Why not push the patch for different Java editions? For example, have the Java EE people wait and patch Java SE that people have on their workstations... Doesn't seem so complicated to me.

    1. A Non e-mouse Silver badge

      Re: Different Java editions

      The difference between Java SE & Java EE are the bundled libraries. The JVM is the same.

      From a quick glance at the Security Explorations website, it seems that the exploits they've discovered involve escaping the JVM sandbox - which is a core part of the JVM.

      1. Kevin McMurtrie Silver badge
        FAIL

        Re: Different Java editions

        It's about escaping the security layer by having trusted JVM classes run your code in their environment. Normal Java applications have no security layer or any need for it. The security layer is critical for auto-loading applets and multi-application web servers, though. Not only are web surfers at risk, but also the big corps funding Oracle's paychecks with those bloated multi-function Java Enterprise Edition server deployments. This hole means that almost any employee can hijack a corporate Java web server and the web server's role with a little malicious JSP code. (Smarter businesses running single function servers with no security layer have nothing to fear here.)

  4. Sam Liddicott

    CIA?

    Do the CIA pay Oracle to leave these bugs in?

    How easy to intercept a plain http stream and insert the right Oracle back door...

    1. ici.chacal

      Re: CIA?

      Perhaps it's Microsoft who is paying them, in an attempt to discredit Java even further and attract more developers over to their own dot.Crap stuff. Oracle clearly no longer gives a damn about Java or its user base...

      1. Trevor_Pott Gold badge
        Megaphone

        Re: CIA?

        I am tempted to downvote you on principle. Your post implies that Oracle has in the past cared about Java or its user base. Or for that matter that Oracle may have at some point during its existence cared about the user base of any of its technologies.

        I have yet to be exposed to evidence of this. Even third or fourth hand. Does anyone know a guy who knew a guy that Oracle cared about? Anyone?

        ...guys?

        1. Arbee
          Devil

          Re: CIA?

          Larry Ellison?

        2. dotdavid

          Re: CIA?

          "Does anyone know a guy who knew a guy that Oracle cared about? Anyone?"

          I always thought being 'cared about' by Oracle was a little like being 'cared about' by some of the bigger inmates in prison....

        3. Anonymous Coward
          Joke

          @Trevor

          "Does anyone know a guy who knew a guy that Oracle cared about?"

          Well, I know this guy who knew this bunch of sunny guys which Oracle really cared for leaving the company asap, does that count?

          Oh wait a sec...

        4. Matt Bryant Silver badge
          Boffin

          Re: Re: CIA? @ Trevor Pott

          I think the problem is that Oracle as a business is used to working with corporates and not with the consumer market.

          1. This post has been deleted by its author

      2. Mad Chaz
        Childcatcher

        Re: CIA?

        "Oracle clearly no longer gives a damn about Java or its user base..."

        Oracle has never given a damn about Java, except to use it to sue people. As for its user base, considering how "wonderful" PAYING support is from them, what do you expect for a free product?

        Any company that has reps that ask "why should I help you with your problem?" when you call the million dollars a year support line shouldn't be expected to give a shit.

      3. dlc.usa
        Boffin

        Re: CIA?

        Most likely it's M$ via the CIA. ;-)

  5. Trevor_Pott Gold badge

    Oracle

    giving no fucks since the beforetime.

  6. Anonymous Coward
    Anonymous Coward

    It would work if "enterprises" hadn't users with web browsers...

    Sure, releasing a patch each quarter could help some companies avoid troubles with their badly written outsourced or offshored Java applications - if they hadn't users navigating with web browsers here and there too. Sure, they may have proxies and firewalls and AV and IDS and whatever, but how many are properly updated, configured and managed? How many allow navigation only to a subset of allowed sites?

    At least MS releases patches each month, Oracle must understand Java is not its database server, and requires more frequent updates - otherwise they just put a big question mark over their security practices.

    1. Anonymous Coward
      Anonymous Coward

      Re: It would work if "enterprises" hadn't users with web browsers...

      "At least MS releases patches each month"

      Which you paid for. How much did Java cost you?

      1. zooooooom
        Facepalm

        Re: It would work if "enterprises" hadn't users with web browsers...

        "How much did Java cost you?"

        Putting widely used software out there comes with a responsibility. If you aren't prepared to take that responsibility, then you should hand over custodianship to someone who will. It's got nothing to do with how or who pays for it.

        1. Anonymous Coward
          Anonymous Coward

          Re: It would work if "enterprises" hadn't users with web browsers...

          "Software not fit for any purpose, no warranty at all" rings any bells? OpenJDK has been fixed, use that.

      2. Anonymous Coward
        Anonymous Coward

        @AC

        Here is the official product page for Java SE. Would you care to show us El Reg readers where Oracle has put up the option to get a support license for Java ?

        Sorry to burst the obvious bubble right away: that "licensees" link doesn't provide support like this.

        And yes; there is a commercial brand of Java (Java SE Advanced and/or Oracle Java Suite). Guess what? Those are mainly aimed at continuing to provide updates for versions which have been long time EOL'd (Java 1.4.2 and SE 5).

        And well, licensing Java per processor only opens the cash register starting at E 5000,- / year. Very reasonable price indeed for your average smaller firm or hobbyist who only wants to keep up to date.

        At those prices people are better off migrating to other solutions IMO.

      3. NumptyScrub

        Re: It would work if "enterprises" hadn't users with web browsers...

        quote: "How much did Java cost you?"

        6 figures a year in licensing and support for the ERP Suite, which uses Java for the application tier and therefore requires the JRE installed on clients.

        Luckily though, it doesn't support the 1.7 branch (it literally fails if a client has 7uX installed), so all our users are stuck having to use 6u34. We're only vulnerable to all the existing 6u34 exploits, not these new zero-days :)

        For our 6 figures a year :(

        I agree with Mr. Pott, Oracle does indeed give no fucks, whatsoever. They know they have a better lock-in than Apple, since our Finance department would shit themselves if they had to learn a brand new system. We're stuck cleaning up the mess either way :'(

  7. mark l 2 Silver badge

    Oracle were obviously so busy with law suits against Google claiming copyright infringement that they forgot to fix their own buggy software.

  8. Dave Bell

    OK, that's Java deleted from my system.

    1. whitespacephil
    2. Anonymous Coward
      Anonymous Coward

      Wish I could

      To simply access various ILO and netKVM devices, I need both the 32bit AND the 64bit version installed. Would be nice if I could have better servers that didn't rely on java* for maintenance, however indirectly, but there you have it.

      * Or other proprietary plugins, sheesh.

    3. Anonymous Coward
      Anonymous Coward

      Windows is still on it, though ... ;-)

  9. Peter 26

    According to this wiki article there were 6 releases last year and 4 so far this year:

    http://en.wikipedia.org/wiki/Java_version_history

    It is perfectly reasonable for a standard software company to need this long to resolve the issues, creating bug reports and assigning developers to fix them in the next release cycle.

    But when your software runs in the world's browsers and is constantly exposed you are no longer a standard software company, you need to take that into account and have a process in place to fix issues ASAP. If you can't then maybe you aren't responsible enough to be in everyone's browsers.

  10. Test Man
    Thumb Down

    I hate these scheduled updates. I don't see the point - just release the fixes when they are ready. Enterprises are more than capable of creating their own patch schedule - so why force EVERYONE to wait till the next day rolls around?

    1. Ken Hagan Gold badge

      Re: creating their own patch schedule

      Indeed, Microsoft even ship a free point-and-click tool to let them do it. The concept of Patch Tuesday is the single biggest weakness in Windows.

    2. Anonymous Coward
      Anonymous Coward

      There is a reason for that..

      .. and that reason is Microsoft.

      If you look at the time before patch Tuesday became a standard there was practically no week in which there wasn't a new patch released for yet-another-security-problem of Windows.

      This had as benefit that zero-day exposure was kept as short as possible, but it had two major disadvantages:

      - any outfit that wanted to test a patch could not plan for it. The wisdom of testing patches before enterprise-wide release needs no further discussion, but that gets hard when you don't know when you're going to be hit next.

      - the above argument was used by Microsoft as excuse for the real reason for patch Tuesday: getting rid of the bad marketing. Before patch Tuesday you were reminded every day by the sheer stream of updates that you were running software that was at best beta level quality, and would never really be any better. This is also why most companies bought upgrades: the sheer hope that this time it would actually work - and why that bubble burst with Windows Vista.. With patch Tuesday you get a blob and a list of where they screwed up this time - much easier to manage from a marketing perspective. Everyone wins: enterprises can keep control over the resources needed to manage the never stemming flow of attempts to patch things, Microsoft gets to bleat about how wonderful they are without every patch proving otherwise and Windows fans can point at this as evidence that they are using a product which is suitable for business. I have my own opinion about that - the very fact that they chose this method to manage the product's image tells me enough..

  11. PassiveSmoking
    FAIL

    Everything Oracle touches turns to shit. The contempt they show to their customers and developers alike is incredible.

    Their ex-SUN assets seem to get it even worse, if not for The Document Foundation their utterly incompetent stewardship of the OpenOffice project would have killed it off.

    (protip: Java is an ex-SUN asset)

    1. fch
      Headmaster

      <quote>(protip: Java is an ex-SUN asset)</quote>

      Need to correct you there. Java is an ex-Sun liability. It might've been an asset for Oracle and/or IBM. Never really for Sun ...

  12. Anonymous Coward
    Anonymous Coward

    Anyone recommend a good method for turning Java on and off

    We need it to access some systems.

    Disabling it rather than uninstalling/reinstalling between uses would be a better idea.

    Any helpful hints?

    1. I ain't Spartacus Gold badge
      Happy

      Re: Anyone recommend a good method for turning Java on and off

      I find sticking Larry Ellison's balls in a vice helps.

      Oh sorry, you were after the answer to a different question entirely. Sorry, can't help you there. My solution does remedy many other problems though...

    2. Ilgaz

      CERT

      Instructions at CERT:

      http://www.kb.cert.org/vuls/id/636312

      I suggest subscribing to their technical alerts too.

  13. Anonymous Coward
    Anonymous Coward

    Just uninstall it

    No one uses it front end except hackers anyway.

  14. Anonymous Coward
    Anonymous Coward

    Unworthy suspicion...

    Ever since I heard about this exploit - and all the more since I heard that Oracle have already known about it for months - I have been struggling with the thought that a better way of discouraging Java use would be hard to imagine.

    In accordance with the fine old adage "follow the money", I ask myself:

    1. "How (much) does Oracle profit from Java?"

    2. "How would Oracle gain from putting an end to Java?"

  15. This post has been deleted by its author

  16. asdf
    FAIL

    Oracle security hahah

    Remember this post as I will actually praise Micro$oft. I do have to admit you seldom read articles about .Net vulnerabilities remaining unpatched for long so Oracle really has no excuses. In fact the only company out there with worse security and practices is Adobe and even that is questionable at this point.

  17. 4ecks
    Holmes

    Oracle ... did not respond when contacted for comment by The Reg.

    Oracle PR Dept. outgoing voicemail announcement :- "La la lah! We can't hear you!"

  18. Anonymous Coward
    Anonymous Coward

    Dalvik ?

    If Google supposedly ripped-off so much of Java for Dalvik, does this mean that Android/Dalvik is also vulnerable?

    Just asking 'cos I'll admit I know SFA about Java apart from the fact it gets everywhere.

  19. Shannon Jacobs
    Big Brother

    What should I do?

    Oh, so Oracle has panicked and released an update for this? Usually the Java updates announce themselves, but so far this one hasn't. Sometimes I have triggered it manually by using the plugin updates from my browser (usually Firefox). So far neither of those update paths seems to be working, and I don't trust the Oracle website enough for a more manual approach...

    When I run the update check for the plugins, it shows three Java-related plugins. However, there is no option to update any of them. Instead, the only option it is currently offering is to disable them. If I do that, I suspect my computer will be at least partially crippled, even more than it currently is (partly by my security software).

    Should I wait for the update to appear? Should I disable? If I disable, will that also disable the update when it does appear?

    In conclusion, I always hated Oracle, and now I hate them more and with better reason. If I knew that a website or company was using Oracle products, I would count that as a strong reason to avoid that website or to avoid doing ANY business with that company.

    Way to go, Oracle. How's that purchase of Sun working out for you? It's certainly screwing with the rest of us.

  20. Hans 1
    Boffin

    The future of Java

    OpenJDK is the reference implementation for Java 7. What this means is that OpenJDK, the open source code of the Oracle JDK, will be maintained by the open source community with fixes. You should, I think, use OpenJDK for your JVM.

    Oracle has thus killed off GNU ClassPath (waste of time), Harmony (an embarrassment for Oracle).

    Both IBM and Oracle are working together on OpenJDK, it is the future.

    Unfortunately, icedtea is a pile of crap of a web browser plugin, or better was, last time I tested it.

    So, please, stop your diatribe on Oracle, please ... jealousy gets you nowhere.
