Patch up warmly this winter if you’re running Java. That’s the advice from .NET shop Microsoft, which reckons Oracle’s platform is the single biggest target for hackers. Java proved the single most popular target in the 12-month period to the end of June, Microsoft’s latest Security Intelligence Report has found …
So the sandbox model didn't quite work, then?
Shame on MS
Issues like this would have been practically non-existent had MS implemented a software distribution tool that is as inclusive to 3rd party software as for example those found in Debian-derived operating systems such as Ubuntu. Most competitors have had this sorted ages ago. I'd be embarrassed if I had to sell or promote the Windows operating system.
I'm sure someone would have found an anti-trust angle if they had
But, then again, it might be coming with an appstore in Windows 8.....
They have a distribution tool that can distribute any kind of update you want. Look up: System Center Updates Publisher.
What makes you think that the likes of Oracle or Adobe want to hand responsibility for their updates to Microsoft?
And can you imagine the shitstorm of criticism that Microsoft would receive if it only supported updates from big software companies, and didn't include updates from your favourite bit of software? Or if they allowed every software developer on earth to use their infrastructure to deploy patches, can you imagine the complaints about how Microsoft was gathering all this information about who had what software installed.
I can see the benefit of a universal updater - but I can see why Microsoft doesn't want the hassle.
MS only needs to create a framework
There's no reason why MS would need to handle the updates. They just need to create a framework (extended onto Windows Installer for example) that allows software vendors to include their own update servers into the daily Windows Update schedule. The systems used by most Linux distros do this - the distro supplies a list they support, but users can add extra software distribution services to the list to check.
That would do away with the abominations other vendors have created to reinvent this wheel, and would mean we don't need to have 3 or 4 different software updaters running on every computer, meaning less crap running in the background, and giving us all slightly faster computers (and fewer annoying popups at logon).
Microsoft has other things to do
>>They just need to create a framework (extended onto Windows Installer for example)
Microsoft is busy doing Android patent infringement trolling, lobbying their updater-less products to schools, universities, governmental institutions, and coercing their OEM partners to sell no non-Windows PCs.
Sounds good. Why don't you go out and get all those vendors to cooperate with such a plan? I'll wait, but I won't hold my breath.
Really? Making 3rd parties' software more competitive would snare anti-trust authorities? Yeah, when schools, universities, OEMs are overwhelmed with 0-competition out there? MS behaves like a gangster with smaller companies (alleged Android patent infringement)...
Quite the opposite. Just proves yet again, that Microsoft Windows is an expensive, user-unfriendly and insecure crap.
my sympathies to the Windows users...
So, what is the problem with my Debian GNU/Linux? I always get security (and simple bug fix) updates from the Debian repositories, be it the Linux kernel, OpenSSH, or a Flash Player update. Any major distro and *BSD has it.
Quod erat demonstrandum, amici mei: proprietary non-free software is a big expensive piece of crap, indeed.
If they implemented that, I reckon it would take about 0.00002 seconds for it to become the favoured attack vector.
All you need to do is get the user to accept your seemingly perfectly innocent piece of software and the huge pack of shite hiding in its associated "update repository" gets privilege for installation come first update run.
I've often thought that a moody 3rd party repo would be the obvious choice for a route into Linux, if it were ever to get the low-hanging fruit who click the "accept" button without thinking on board on numbers.....
Updating Java has loads of problems; applications that don't fully support new versions are common in the enterprise environment. Older versions of Java were installed side by side. I've seen computers where the update program has installed several versions of 5 and 6. The new 6 installer will uninstall older versions of 6 but not anything prior to that.
The updater is also very poor: on newer versions of Windows with UAC enabled it pops a UAC request before telling you there's an update available. This happens for administrators and non-admins alike. It's so annoying that I would imagine the Java updater is simply disabled on most people's computers.
If it weren't for the occasional app that I want to run that needs the JRE, I would uninstall it altogether. I don't even let my browsers talk to it. I will not be sad when Java is dead.
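The side-by-side problem described in the comment above (old 5.x and 6.x runtimes left behind after an update) is easy to miss without an inventory. The following PowerShell script is an added example, not code from the article or from any commenter; it reads the standard Windows uninstall registry keys (including the WOW6432Node view for 32-bit installs on 64-bit Windows) and lists every Java entry, warning when more than one runtime is present. The `Java*` display-name filter is an assumption about how Sun/Oracle installers name themselves; adjust it if your entries differ.

```powershell
# Added example (not from the thread): inventory installed Java runtimes and
# JDKs from the Windows uninstall registry keys so leftover side-by-side
# versions that the Java updater did not remove can be found and cleaned up.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledJava {
    # Assumption: Sun/Oracle installers register with a DisplayName starting "Java"
    # (e.g. "Java(TM) 6 Update 30", "Java 8 Update 291", "Java SE Development Kit ...").
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Java*' } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation |
        Sort-Object DisplayVersion
}

$java = @(Get-InstalledJava)
$java | Format-Table -AutoSize

# More than one entry is the side-by-side situation: every runtime except the
# newest is almost certainly unpatched. Removal is left to the administrator.
if ($java.Count -gt 1) {
    Write-Warning ("{0} Java installations found; older ones are likely unpatched." -f $java.Count)
} elseif ($java.Count -eq 0) {
    Write-Output 'No Java installations registered in the uninstall keys.'
}
```

Run it from an elevated PowerShell prompt on the machine being audited, or wrap the function in `Invoke-Command` to run it across a fleet; the output is a plain object list, so it can be exported to CSV for a patch-compliance report.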
Why is it that whenever there's a well intentioned "platform", which sits on top of the user's OS and is intended to provide multi-platform support for coders, the invariable result is a bug-riddled security nightmare?
PS: The company who gave us ActiveX really should keep their security commentary to themselves.
You make the common mistake of assuming hypocrisy to be the worst thing ever.
You are wrong.
Turn off java in your browsers
The issue with Java is that client side java has a limited set of roles
-Java tooling for server-side development
-Sandboxed runescape gameplay
-malware breaking out of browser sandboxes
Java is just as bad as flash here, but unlike flash, even easier to live without in your browser.
Disable it in the browser; if you don't need real java apps, remove the JDK
... and Windows
>>Turn off java in your browsers
Better use Firefox + NoScript extension and a Flash blocker (an ad blocker is indispensable as well); Chrome (Chromium) might also have all of these. You can always turn an app back on if need be...
For best results.... turn off MS Windows too, just dual boot to something more secure.
So, RPC and Windows file permissions model are also part of Java? 10 million of victimized machines come to mind....
It is interesting to hear such moralistic speeches from best of the sinners :)
They would know all about making software that's easy to hack!
Oh, the irony
Microsoft taking others to task for shipping insecure software? The irony almost made my brain explode.
Is this surprising?
Not newsworthy IMO, because it's logical that hackers target whatever can cause the most damage. Java runs on all OSes, and now Flash is on a decline. It's only natural?
Let me know if Steve Jobs' ghost comes back and tells us that Java is the next in line to be shot. (Though they have tried before, you know...)
Much ado about nothing...
I would recommend everybody to follow the links in the article.
I, for one, followed the blog link and saw a very upset guy there. Would you be upset if your contender ran on 3 billion devices?
What Microsoft is talking about: many attack attempts (25 million) using a few Java vulnerabilities.