Java surpasses Adobe kit as most attacked software
Oracle's Java framework has surpassed Adobe applications as the most attacked software package, according to a Microsoft researcher who warned she was seeing “an unprecedented wave of Java exploitation.” The spike began in the third-quarter of last year and has climbed steadily since, according to data reported on Monday by …
... yeah sure, apart from all the java apps, not to mention browser plugins.
I bet by the time this comment is posted, someone will be blaming Microsoft.
"The software has never lived up to many of the promises that Sun made about it. Chances are it can be uninstalled from most desktop machines and the user won't even notice. ®"
uhh, what?
oh sure, the average joe may not say "damnit, java isn't installed," but they will be making sailors blush over why their programs aren't working. I use java every day, and while some of my usage may be non-average, i would say the "chances" are fairly low.
"The software has never lived up to many of the promises that Sun made about it. Chances are it can be uninstalled from most desktop machines and the user won't even notice."
..and those promises would be what exactly? Ubiquity? Write once run anywhere? Usage in embedded devices?
Which of these has Java failed to live up to?
Ubiquity : http://langpop.com/
Write once : works for me on Linux, Windows, Unixs, AIX...
Embedded : yep it has those too.
References and clarification please, or else you are just spitting..
"Chances are it can be uninstalled from most desktop machines and the user won't even notice."
That's mostly wrong. I dislike Java as much as any sensible person should, but unfortunately quite a few applications are coded in Java. OpenOffice/LibreOffice springs to mind of course, but here we also have more "specialized" stuff written in Java (ImageJ, Jgraph and a few others). That's a pity as Python is much better as everyone knows.*
And I'm not even going to mention web-based applet or JavaWS as it's bad for my blood pressure.
Bottom line is, lots of people will notice if you take java away (which doesn't meant it shouldn't be done).
*icon for that statement; Python is orders of magnitude better, as far as high-level interpreted languages are involved.
Your statement about "...dislike Java as much as any sensible person should..." and "...Python is much better as everyone knows..." are just as unsubstantiated as the original posters' contention that a user probably wouldn't miss Java if it were uninstalled.
Python is better in some areas, Java is better in others. For every advantage you cite in favor of Python, I could point one out in favor of Java. It's a pointless activity without first considering the problem domain.
Your list of killer apps requiring Java is pretty weak. %99 of user also wouldn't notice a difference in OpenOffice without Java installed (which it runs fine without) in fact my guess is at least %90 of users wouldn't miss the java runtime at all. Don't get me wrong Java is invaluable for a lot of enterprise coding (especially middleware, backend work, etc) but on the desktop for the sheeple not so much. Most of their cute little web browser games run under flash instead.
Dan Goodin can be uninstalled from most desktop machines and the user won't even notice.
So there. :P
"The software has never lived up to many of the promises that Sun made about it."
You've got to be kidding! I know I'm sitting on the Java/Sunacle side of the fence here but it was bad enough this "research" came from a Microsoft source (who don't like Java - hence C# / .NET) but for El Reg to make such a mistake in it's reporting is unforgivable.
Many, many applications, as other posters have shown, require Java, whether it be in the browser or to support desktop applications.
Plus, if Java were not so widely needed, it wouldn't be installed on desktops and thus wouldn't be easy to attack!
FAIL!
Every new PC I get starts asking me to install Java very quickly. I didn't think Windows PCs came with Java pre-installed so if nobody uses it, why is it on all these PCs in the first place?
Or do they have an agreement to pre-install it?
What you're seeing is an attempt by the computer manufacturer to do a "value add" (the polite term for loading tons of software, some useful but most not) by installing a package into their factory software image that will become out of date very shortly afterwards. Java, of course, updates itself every time the direction of the wind changes. (To date, I don't know where any changelogs are stored, if they even exist.)
I know it takes more time, but the first thing I do upon receiving a new computer is run DBAN and install a clean version of the OS. (And I try to buy only from computer makers offering an un-fooled-around-with installation discs, making sure to request that option at build time.) Then you can install what you want to have and nothing else.
You could say the same about .NET with regards to security and usefulness to the average desktop user. Java is arguably more successful when it comes to enterprise, mobiles, and embedded.
Now if you don't mind me I've got to switch back to Eclipse...
People don't have to, it auto updates even on Windows. Sadly it refuses to do so quietly in the background and insists on asking Jo Sixpack a question they wont understand.
On newer systems, this is annoying because it requires UAC privilege escalation. But that one's a MS blooper, not Sun/Oracle's.
I find it curious that MS is bringing out the "alarm" ... they are directly competing with Java with their .NET thingy, which isn't that much safer. I'd like to see a report like this being put out by a proper security researcher, one that isn't biased on the MS or Java side.
Show me an app that requires Java and I'll show you an app I don't want anywhere near my machine.
I haven't had a JVM installed in many years*. The web doesn't need one. No non-enterprise/middleware software worth a damn needs one. (OpenOffice certainly doesn't need one.)
I've used (and written) some enterprise middleware using Java and that stuff is fine, as far as it goes (wouldn't be my personal choice of language but it does work so, sure, whatever). It simply is not needed on most machines, though.
(*With the exception of the JVM smuggled on to one of my machines for Blu-Ray playback, but that keeps to itself. And I'd rather it wasn't there, and that Blu-Rays just had movies on them without stupid interactive menus, but what can you do. :\ Blu-Ray is a trojan horse for java. :) )
Not surprising - the vulns are all JRE, not server-side Java. I'm always SO GRATEFUL that our org with its 250+ managed apps is strictly server-side.
Beer because gloating feels almost as good.
So, your server side Java doesn't require a JRE then?
I was asked which applications require Java;
OpenOffice (http://www.openoffice.org/dev_docs/source/sys_reqs_30.html)
Football Manager (http://www.computing.net/answers/gaming/football-manager-2007/10092.html)
Limewire
some more;
http://java.sun.com/products/jfc/tsc/sightings/
and some more
http://www.javalobby.org/java/forums/t90432.html
Plus the many, many business applications which are written in Java and require JREs installed on user PCs.
If you don't notice Java on your PC its because it's done it's job correctly, it allowed applications to be deployed with write-once, run-anywhere while not showing the user it is there.
The earlier point i tried to make is this article exhibits a great deal of bias. I don't mind it saying that Java is the most popular application to attack (fact) but statements such as "Chances are it can be uninstalled from most desktop machines and the user won't even notice" are not fact, they are opinions!
I think the title says it all - looks like Jobs was right after all. Oh well.
Java's got its strengths and weaknesses, like anything else. In any case, it's not going to be fading into the sunset anytime soon, and these religious wars aren't going to change that. The final slap aside, the article isn't about Java's worth; it's about its security issues.
Nearly all of Java's core is under GPL and the community, if it hasn't already, needs to get busy fixing these holes, as history shows such communities are wont to do, and promptly. I am a little surprised, actually, that Java has lagged behind on the security issue as much as it has--unless it's the sliver of it that's still proprietary (I think...) that has the problems.
(Ok, my own salvo: OOo will mostly run without a JVM, but some important parts won't. You need a JVM, for instance, to connect to an SQL server with JDBC. And let's forget ODBC. As a C/C++ type from way back (mostly the former), I like Java, but also admit that I haven't touched Python yet, so I can't compare the two.)
(Interesting observation: As I write this, I see a new headline pop up about a Linux vulnerability that allows local users to escalate privileges illegally. Article also says that the fix has been committed already, and has been. Seems to be the way things happen much of the time: open source projects fix their problems before they can even make it to print. Let's do that for Java now, too.)
Sign up, sign up for The Register's weekly IT security newsletter - click here
