back to article Oracle knew about critical Java flaws since April

The critical Java vulnerabilities that have security experts cautioning users to disable Java in their browsers are not new discoveries, a security firm claims. On the contrary, Oracle has known about them for months, and it has probably had a patch ready since before an exploit was discovered in the wild. Security Explorations …

COMMENTS

This topic is closed for new posts.

Anonymous Coward

I don't think patch cycles are tenable.

Sit on it for four months so that enterprises get them all in one go and sit on them another few months while "testing"? It leaves everybody who isn't slow as a dinosaur out in the cold. Oh, and does open those enterprises up to targeted attacks they don't even know existed (because the vendor is sitting on the security notes as well, for their convenience), too. Because, let's face it, if you go out on the black market to buy exploits, you have a target in mind. Like, oh, oil companies or something.

The point is that one-size-fits-all patch releasing in fact doesn't fit all but does come back to bite everyone. Time for a re-think then.

Personally I'd want to have a server that I can trust sitting somewhere, that fetches all the patches and updates for all the operating systems and applications I have deployed, along with (readable, actually containing useful descriptions of what the patches do, looking at you here, redmond) release notes for each patch. And no, that server won't be running any commercial OS, thank you, but open source of my choosing. And then I want to be able to selectively push the patches out to the test bank first, then to group this, group that, and so on, with the ability to partially or fully roll-back at the first sign of trouble.

This obviously doesn't fit Joe Average User, who cannot be trusted to update --for a variety of reasons, and not all of them are poor Joe's fault, not by a long shot-- so various bits of software just phone home and update without permission or much notification at all. But quite a lot of pointless nagging to make up for it.

Why do so many parties insist on reinventing the wheel? What about an open standard for distributing patches, that supports both models above, and more to boot? Independent of OS, so you can pick any server OS to run your patches server for any other OS? How hard can it be? All it requires is that various vendors get their heads out of their arses and... oh right, n'mind then. Carry on.

11
0
Anonymous Coward

Re: I don't think patch cycles are tenable.

The update is now available for download, they don't stick to the update cycles for critical fixes.

0
0
Megaphone

Oracle's behaviour is disgusting.

That is all.

31
2
Anonymous Coward

Re: Oracle's behaviour is disgusting.

Why?

Java is open source software, why don't you fix it yourself? You're not exactly paying Oracle to support it are you?

The current sense of entitlement in IT is shocking.

4
43
Anonymous Coward

Re: Oracle's behaviour is disgusting.

I do hope you were being sarcastic, otherwise you are a complete tool!

6
6
Anonymous Coward

Re: Oracle's behaviour is disgusting.

Typical schoolyard bully, no real argument so moves to name calling. Come back when your balls drop kid.

0
21
Anonymous Coward

Yep

The IcedTea OpenJDK fork already fixed this bug. You may want to look into that before moaning.

9
1
Bronze badge

Re: Oracle's behaviour is disgusting.

The current sense of entitlement in IT is shocking.

It has nothing to do with "our" sense of entitlement and everything to do with Oracle's moral responsibility. Think of Java as being like a teenager going out into the world and Oracle being its guardian. It's up to Oracle to ensure that their brat isn't going to become a public menace. A very large software ecosystem is built around Java and people need to be able to depend on it. At this rate Java is sure to end up hanging around with Flash, and that definitely won't end well.

13
0
Silver badge
Thumb Down

Re: Oracle's behaviour is disgusting.

"The current sense of entitlement in IT is shocking."

Ehh? Anonymous corporate shills like you are a lot more shocking, stupid troll.

5
0
Anonymous Coward

Re: Oracle's behaviour is disgusting.

As an ex-Sun staffer - it's unsurprising really!

Oracle have always treated customers as really just a pain in the backside - who needs them.....??

With all the money they have coming in from licence fees and extortionate contracts why bother with common sense and spending 1 cent more than has to be spent.....

Oracle ARE NOT SUN....Oracle can't be bothered unless there's a buck or two billion involved - they don't care, are not interested in anyone or anything unless it's BOTH in their plans anyways AND makes lots and lots of the green stuff.....

4
0
Silver badge
FAIL

Re: Oracle's behaviour is disgusting.

>Oracle ARE NOT SUN

Well they shared one thing in common. They both maintained a really shitty reference vm implementation. Notice even the open source fork didn't have the flaws.

0
0
Silver badge
FAIL

Re: Oracle's behaviour is disgusting.

Granted it's dated but not a lot has changed.

http://www.advogato.org/article/624.html

and

http://en.wikipedia.org/wiki/Criticism_of_Java#Security

0
0
Bronze badge
Boffin

Re: Yep

Yes, I would love to, if it could load other Java applets than the standard test applet on java.com.

0
0
WTF?

Different Java editions

Why not push the patch for different Java editions? For example, have the Java EE people wait and patch Java SE that people have on their workstations... Doesn't seem so complicated to me.

0
0
Silver badge

Re: Different Java editions

The difference between Java SE & Java EE is the bundled libraries. The JVM is the same.

From a quick glance at the Security Explorations website, it seems that the exploits they've discovered involve escaping the JVM sandbox - which is a core part of the JVM.

1
0
Bronze badge
FAIL

Re: Different Java editions

It's about escaping the security layer by having trusted JVM classes run your code in their environment. Normal Java applications have no security layer or any need for it. The security layer is critical for auto-loading applets and multi-application web servers, though. Not only are web surfers at risk, but also the big corps funding Oracle's paychecks with those bloated multi-function Java Enterprise Edition server deployments. This hole means that almost any employee can hijack a corporate Java web server and the web server's role with a little malicious JSP code. (Smarter businesses running single function servers with no security layer have nothing to fear here.)

2
0

CIA?

Do the CIA pay Oracle to leave these bugs in?

How easy to intercept a plain http stream and insert the right Oracle back door...

1
3

Re: CIA?

Perhaps it's Microsoft who is paying them, in an attempt to discredit Java even further and attract more developers over to their own dot.Crap stuff. Oracle clearly no longer gives a damn about Java or its user base...

5
5
Gold badge
Megaphone

Re: CIA?

I am tempted to downvote you on principle. Your post implies that Oracle has in the past cared about Java or its user base. Or for that matter that Oracle may have at some point during its existence cared about the user base of any of its technologies.

I have yet to be exposed to evidence of this. Even third or fourth hand. Does anyone know a guy who knew a guy that Oracle cared about? Anyone?

...guys?

19
1
Devil

Re: CIA?

Larry Ellison?

2
0
Silver badge

Re: CIA?

"Does anyone know a guy who knew a guy that Oracle cared about? Anyone?"

I always thought being 'cared about' by Oracle was a little like being 'cared about' by some of the bigger inmates in prison....

10
0
Silver badge
Joke

@Trevor

"Does anyone know a guy who knew a guy that Oracle cared about?"

Well, I know this guy who knew this bunch of sunny guys which Oracle really cared for leaving the company asap, does that count?

Oh wait a sec...

1
0
Childcatcher

Re: CIA?

"Oracle clearly no longer gives a damn about Java or its user base..."

Oracle has never given a damn about Java, except to use it to sue people. As for its user base, considering how "wonderful" PAYING support is from them, what do you expect for a free product?

Any company that has reps that ask "why should I help you with your problem?" when you call the million dollars a year support line shouldn't be expected to give a shit.

6
1
Silver badge
Boffin

Re: Re: CIA? @ Trevor Pott

I think the problem is that Oracle as a business is used to working with corporates and not with the consumer market.

0
1

This post has been deleted by its author

Boffin

Re: CIA?

Most likely it's M$ via the CIA. ;-)

0
0
Gold badge

Oracle

giving no fucks since the beforetime.

14
1
LDS
Silver badge

It would work if "enterprises" hadn't users with web browsers...

Sure, releasing a patch each quarter could help some companies avoid troubles with their badly written outsourced or offshored Java applications - if they hadn't users navigating with web browsers here and there too. Sure, they may have proxies and firewalls and AV and IDS and whatever, but how many are properly updated, configured and managed? How many allow navigation only to a subset of allowed sites?

At least MS releases patches each month, Oracle must understand Java is not its database server, and requires more frequent updates - otherwise they just put a big question mark over their security practices.

4
0
Anonymous Coward

Re: It would work if "enterprises" hadn't users with web browsers...

"At least MS releases patches each month"

Which you paid for. How much did Java cost you?

2
15
Facepalm

Re: It would work if "enterprises" hadn't users with web browsers...

"How much did Java cost you?"

Putting widely used software out there comes with a responsibility. If you aren't prepared to take that responsibility, then you should hand over custodianship to someone who will. It's got nothing to do with how or who pays for it.

13
0
Silver badge

@AC

Here is the official product page for Java SE. Would you care to show us El Reg readers where Oracle has put up the option to get a support license for Java?

Sorry to burst the obvious bubble right away: that "licensees" link doesn't provide support like this.

And yes; there is a commercial brand of Java (Java SE Advanced and/or Oracle Java Suite). Guess what? Those are mainly aimed at continuing to provide updates for versions which have been long time EOL'd (Java 1.4.2 and SE 5).

And well, licensing Java per processor only opens the cash register starting at E 5000,- / year. Very reasonable price indeed for your average smaller firm or hobbyist who only wants to keep up to date.

At those prices people are better off migrating to other solutions IMO.

2
0
Bronze badge

Re: It would work if "enterprises" hadn't users with web browsers...

quote: "How much did Java cost you?"

6 figures a year in licensing and support for the ERP Suite, which uses Java for the application tier and therefore requires the JRE installed on clients.

Luckily though, it doesn't support the 1.7 branch (it literally fails if a client has 7uX installed), so all our users are stuck having to use 6u34. We're only vulnerable to all the existing 6u34 exploits, not these new zero-days :)

For our 6 figures a year :(

I agree with Mr. Pott, Oracle does indeed give no fucks, whatsoever. They know they have a better lock-in than Apple, since our Finance department would shit themselves if they had to learn a brand new system. We're stuck cleaning up the mess either way :'(

8
0
Anonymous Coward

Re: It would work if "enterprises" hadn't users with web browsers...

"Software not fit for any purpose, no warranty at all" rings any bells? OpenJDK has been fixed, use that.

0
0

Oracle were obviously so busy with law suits against Google claiming copyright infringement that they forgot to fix their own buggy software.

18
2
Bronze badge

OK, that's Java deleted from my system.

7
4

ditto

4
2
Anonymous Coward

Wish I could

To simply access various ILO and netKVM devices, I need both the 32bit AND the 64bit version installed. Would be nice if I could have better servers that didn't rely on java* for maintenance, however indirectly, but there you have it.

* Or other proprietary plugins, sheesh.

1
0
Anonymous Coward

Windows is still on it, though ... ;-)

0
0

According to this wiki article there were 6 releases last year and 4 so far this year:

http://en.wikipedia.org/wiki/Java_version_history

It is perfectly reasonable for a standard software company to need this long to resolve the issues, creating bug reports and assigning developers to fix them in the next release cycle.

But when your software runs in the world's browsers and is constantly exposed you are no longer a standard software company, you need to take that into account and have a process in place to fix issues ASAP. If you can't then maybe you aren't responsible enough to be in everyone's browsers.

12
1
Bronze badge
Thumb Down

I hate these scheduled updates. I don't see the point - just release the fixes when they are ready. Enterprises are more than capable of creating their own patch schedule - so why force EVERYONE to wait till the next day rolls around?

2
0
Gold badge

Re: creating their own patch schedule

Indeed, Microsoft even ship a free point-and-click tool to let them do it. The concept of Patch Tuesday is the single biggest weakness in Windows.

0
1
Anonymous Coward

There is a reason for that..

.. and that reason is Microsoft.

If you look at the time before patch Tuesday became a standard there was practically no week in which there wasn't a new patch released for yet-another-security-problem of Windows.

This had as benefit that zero-day exposure was kept as short as possible, but it had two major disadvantages:

- any outfit that wanted to test a patch could not plan for it. The wisdom of testing patches before enterprise-wide release needs no further discussion, but that gets hard when you don't know when you're going to be hit next.

- the above argument was used by Microsoft as an excuse for the real reason for patch Tuesday: getting rid of the bad marketing. Before patch Tuesday you were reminded every day by the sheer stream of updates that you were running software that was at best beta level quality, and would never really be any better. This is also why most companies bought upgrades: the sheer hope that this time it would actually work - and why that bubble burst with Windows Vista.. With patch Tuesday you get a blob and a list of where they screwed up this time - much easier to manage from a marketing perspective. Everyone wins: enterprises can keep control over the resources needed to manage the never-stemming flow of attempts to patch things, Microsoft gets to bleat about how wonderful they are without every patch proving otherwise and Windows fans can point at this as evidence that they are using a product which is suitable for business. I have my own opinion about that - the very fact that they chose this method to manage the product's image tells me enough..

4
2
FAIL

Everything Oracle touches turns to shit. The contempt they show to their customers and developers alike is incredible.

Their ex-SUN assets seem to get it even worse, if not for The Document Foundation their utterly incompetent stewardship of the OpenOffice project would have killed it off.

(protip: Java is an ex-SUN asset)

11
0
fch
Headmaster

>(protip: Java is an ex-SUN asset)

Need to correct you there. Java is an ex-Sun liability. It might've been an asset for Oracle and/or IBM. Never really for Sun ...

1
1
Anonymous Coward

Anyone recommend a good method for turning Java on and off

We need it to access some systems.

Disabling it rather than uninstalling/reinstalling between uses would be a better idea.

Any helpful hints?

0
0
Gold badge
Happy

Re: Anyone recommend a good method for turning Java on and off

I find sticking Larry Ellison's balls in a vice helps.

Oh sorry, you were after the answer to a different question entirely. Sorry, can't help you there. My solution does remedy many other problems though...

0
0

CERT

Instructions at CERT:

http://www.kb.cert.org/vuls/id/636312

I suggest subscribing to their technical alerts too.

0
0
Anonymous Coward

Just uninstall it

No one uses it front end except hackers anyway.

0
2
Silver badge

Unworthy suspicion...

Ever since I heard about this exploit - and all the more since I heard that Oracle have already known about it for months - I have been struggling with the thought that a better way of discouraging Java use would be hard to imagine.

In accordance with the fine old adage "follow the money", I ask myself:

1. "How (much) does Oracle profit from Java?"

2. "How would Oracle gain from putting an end to Java?"

1
0

This post has been deleted by its author