Feeds

back to article Here we go again: Critical flaw found in just-patched Java

Security Explorations, the Polish security startup that discovered the Java SE 7 vulnerabilities that have been the targets of recent web-based exploits, has spotted a new flaw that affects the patched version of Java released this Thursday. The company would not disclose specific details on the nature of the new vulnerability …

COMMENTS

This topic is closed for new posts.

Page:

Silver badge

Re: It may be reluctant to do so again,

& we may be reluctant to trust it again if it doesn't.

15
1

This post has been deleted by its author

Silver badge
WTF?

Re: It may be reluctant to do so again,

trust it again ?

3
0
Silver badge

2 birds with one stone

So it may decrease Java usage AND it annoys Oracle?

I'm just glad I'm not one of the poor chaps who will have to rewrite heaps of bad code in another, less retarded language.

Unfortunately the CS classes all around the world will probably continue to consist mostly of Java for several years.

10
10
Silver badge

Re: 2 birds with one stone

Unfortunately the CS classes all around the world will probably continue to consist mostly of Java for several years.

Surely the job of a programming course is to teach the fundamentals of programming, etc. The language(s) used are likely to be choosen to make teaching those fundamentals easier.

Do you really think students will finish a programming course and never learn another language ever again ?

9
0
Silver badge

Re: 2 birds with one stone

"Surely the job of a programming course is to teach the fundamentals of programming, etc. The language(s) used are likely to be choosen to make teaching those fundamentals easier.

Do you really think students will finish a programming course and never learn another language ever again ?"

While it may be true on paper, in reality every language has its quirks and oddities and the first laguage you learn does have an influence on how you think about problems, and how you solve them. Of course you can learn new languages, and perhaps shift views as a result, but it's certainly far from instant and one could argue that you will never completely lose the reflexes induced by your first language. I have this co-worker, when reading his code in any language you can just see that he is trying to emulate GOTO every couple tens of lines or so. Yes, that's a pain. But who am I to judge? My code probably has a lot of quirks that annoy him as well.

Also, when virtually everyone knows a language it tends to be used, regardless of the merits of said language. And when students have spent the past couple years programming almost exclusively in java, what language do you think they'll pick for a new project (if given the choice)?

9
2

Re: 2 birds with one stone

If one language really leaves such a deep mark, then there are problems with the programmer. My teacher used to say: you're supposed to pick up a new language in two weeks tops. She was wrong about many things but not on this.

On the other hand, I haven't seen any details on why you think Java is a retarded language. Why and compared to what?

3
2
Silver badge

Re: 2 birds with one stone

Its not just a problem with the language - <when I was a kid> none of the languages had the features that modern languages like C and Pascal offer but we were aware of the techniques that they used and implemented them in different ways. We didn’t have unit testing but we threw shit at subroutines to see if they held together or made sure they didn’t get fed shit.

If you found some new problem you worked out a way to prevent it happening again. I used to use several different languages to create tests over huge trees of code. Even with state of the art modern stuff like visual C 4 we used to do software management outside of it. Using the command line on the Vax cos DOS couldn’t do jack!!!

Most of the whippersnappers I've worked with since MS infiltrated colleges cant seem to work without their toys and don’t seem capable of bootstrapping the things they need.

The revolution will not be fixed in the next release. Its been available for 30 years. Java is NOT shit - its the fuckwits 'managing' and some coding in it that are giving that impression.

A bad workmen always blames his tools - notice how stonehenge built with antlers is still there and ask how long skyscrapers last. Making it easy to do things doesn’t mean they're the right thing to do.

</when I was a kid>

9
0
Silver badge

Re: 2 birds with one stone (@ Ignazio)

> If one language really leaves such a deep mark, then there are problems with the programmer.

Not really, no. Compare that to natural speech. Your mother thongue does shape your way of thinking. That's so deep that it's the main reason why deaf people have so much more trouble to adapt in society than blind people.

> My teacher used to say: you're supposed to pick up a new language in two weeks tops.

That's probably the most retarded thing in this thread. It takes years to really master a programming language, and everyone knows that. I'm of course not talking "hello world" here.

She was wrong about many things but not on this.

> Oh yes she was, and so are you.

> On the other hand, I haven't seen any details on why you think Java is a retarded language.

> Why and compared to what?

Interesting question really. It has nothing to do with the language actually. Java is quite good. Not stellar, but not too ugly. It just has an utterly broken governance system, which leads to the current situation where some of the most active contributors are just denied a license to use it, and the Big Boss can't be arsed to fix basic vulns.

Also, Java is basically a scripting language that is used -badly- by many where a compiled language would be needed. Of course that has nothing to do with the language itself, it's just a problem with the morons using it.

3
9
Silver badge
Meh

Re: 2 birds with one stone (@ Ignazio)

> Java is basically a scripting language

What the hell am I reading?

I think you took the wrong train; the JavaScript train is leaving on another platform.

If not, you may want to revise your basic assumptions about "scripting" and what "compilation" is about.

8
1
Unhappy

Re: 2 birds with one stone

By coincidence--probably not!--my university's CS department began looking at other languages because of concerns that Oracle might not be including our students' use of Java in their plan. In fact, it seemed to be quite uncertain what direction they have in mind.

1
0
Anonymous Coward

Re: 2 birds with one stone

"On the other hand, I haven't seen any details on why you think Java is a retarded language. Why and compared to what?"

Because it's not Lisp that is why :-) just a pretender to the throne like all others.

(anaphoric-if (figure-out *god*)

(format t "Figured out god is: ~a" it)

(format t "God remains a mystery."))

Nuff said.

2
0

Re: 2 birds with one stone (@ Ignazio)

You're funny, mate. Honestly, how long does it take you to learn a new language? I didn't say /master/ - as we all know, it takes about ten thousand hours to become a master in anything. I could fish a reference to studies which come up with this rule of thumb, but what's the point? you're going to tell me I'm wrong, instead of telling me why.

In order to get a basic grasp of PHP and Python, it took me a week total - nothing fancy, but I could read the code and make sense of what was supposed to happen - even make small changes, would you believe that. Granted, I haven't touched either for a year so now I've forgotten all of it. Just like spoken languages, now that ypou mention them. My French is not as good as it was when I was studying it, and my Spanish and German keep being very bad. On the other hand, I can pick up American very easily.

</warning: contains a joke>

Oh I see, now you backtrack and say Java is a scripting language, but it's quite good - when that was not exactly what you said before. Gonna pick a side?

1
1
Silver badge

Re: 2 birds with one stone (@ Ignazio)

No stake in the whole Jave is good/Java is terrible thing, but I do agree that learning one language tends to make learning other languages quite a bit easier. It applies equally to programming and spoken languages.

I learned Pascal at college (6th form, that is) over two years. When I left I learned PHP in... well yes, actually, about two weeks. After a couple of years I was a reasonably good amateur coder.

Yes, in PHP. Yes, I know, shut up.

At university I learned the basics of C in just a couple of lessons. Four or five hours to get from never having read the language to understanding (if not necessarily any sort of skill). Got top marks on that module because I tried something more advanced than merely replicating the tutor's instructions.

I wish I'd stuck with that, come to think of it...

1
0
Anonymous Coward

Re: 2 birds with one stone

AAAGH!! A Lisp developer!! Ya'll better watch out. They do come unhinged really easily (Is that an AK-47 under your coat sir?) Im just saying this because Ive never met a lisp developer that wasn't completely batshit crazy.

And whoever said it only takes two weeks to learn a new language is just as nuts. Might take you two weeks to learn the basics of whatever but its going to take much much longer to master anything, even Java.

Lots of insanity in this thread from what Ive read so far. All we need is that big stupid guy or whatever the fuck his name is, as well as amanfrommars, with Barry Shitpeas on the side as a substitution and its basically the El Reg insane asylum.

0
1
Coffee/keyboard

Re: 2 birds with one stone

"While it may be true on paper, in reality every language has its quirks and oddities and the first laguage you learn does have an influence on how you think about problems, and how you solve them. Of course you can learn new languages, and perhaps shift views as a result, but it's certainly far from instant and one could argue that you will never completely lose the reflexes induced by your first language."

I started with Pascal - can't remember any of it now. I do know Java, Python and a few other languages fairly well though ... Python and Java are quite distinct, and it does take at least 5 minutes to move from one mindset to the other.

0
1
Anonymous Coward

Re: Re: 2 birds with one stone

"My teacher used to say: you're supposed to pick up a new language in two weeks tops. She was wrong about many things but not on this."

The trouble is, there's a world of difference between "picking up" a language, and learning/mastering it. On a simple level, it is often possible to use a new language in a very similar way to the language you're used to. However, this isn't really learning the new language, and won't allow you to reap whatever benefits it offers when used by someone who actually understands, has mastered and can think in the language.

0
0
Anonymous Coward

Re: Re: 2 birds with one stone (@ Ignazio)

...and the world is full of 'programmmers' who have spent a week studying the syntax, can read the code and suddenly (consciously or subconsciously) think they know the language.

It may start with an unimportant small changes, but small changes pile up and if the programmer can't step back and consider the program as a whole, because they haven't mastered the language, then the program will slowly become a mess of gaffer tape.

As an analogy, it's like getting a man in to fix a hole in power plant component. Yes, he can see how you've used metal and weld a patch over this unwanted hole. However, you wouldn't then say, "This power station is basically made of metal, you appear to have mastered that, congratulations you have learned power stations", and set him loose to wander round making edits to your power station as he saw fit.

1
1
FAIL

Re: 2 birds with one stone

You obviously don't know what your talking about and that stement makes no sense, its the JVM not the language that is the issue, and then again only the bit used by applets. You might as well throw the same criticism at the dozen or so other languages that run on it. Additionally, it may only be oracles implementation of the JVM and not IBM's or Googles, or the many other open source implementations.

you might as well blame all windows virus's on C# or apple virus's on objective-C

1
2
Bronze badge
Pint

Re: 2 birds with one stone

Surely the job of a programming course is to teach the fundamentals of programming, etc. The language(s) used are likely to be choosen [sic] to make teaching those fundamentals easier.

You might think so, mightn't you. Unfortunately today's CS students seem to expect to be spoon fed a language that will enable them to find gainful employment on graduation without any further mental effort.

... oh, wait. That can't be right, they're learning Java!

Beer 'cos there's no coffee-cup icon!

1
1
FAIL

Re: 2 birds with one stone

I'm shocked to hear that Java is taught as a "first" language.

In my mind, the "problem" with Java is that most of the people that use it seem to have no appreciation of what happens "under to hood" (to use that dreadful American expression). As a result, they quite happily write a few lines of code that look cool and do the job in hand, but they completely fail to understand the massive complexity and (often) massive inefficiency going on behind the scenes. Because of this, their Java code might work and it might "do a job" but it does it in a hugely inefficient way.

If you learn something like plain old C, or assembler, then you (should!) never fall into this trap because the stark realities of what is going on is blindingly clear to you, and you are forced to think (or at least you should be) of efficient ways of doing stuff.

A related problem is that Java is simply too high level. You don't need to think about what's going on underneath to make it work, so you don't. And so you never actually learn the low level stuff. And without the low level knowledge, you can't hope to write good software that is fast, efficient, fully debugged, and stable. I quite like PHP (or I used to - I fear it's going down the same bloated path as Perl), but I would never consider using it for anything "serious".

Java is the Visual Basic of the modern age (not that it's that modern any more); yes, it works. Yes, it might "do a job", but it promotes some very very bad habits, and, quite frankly, crappy programmers, because they don't actually understand what they are doing, even if they think they do. It's the equivalent of doing one of those numpty courses to teach you how to use MS Word, and then declaring that you "can do computers". It's exactly why the industry is is constantly complaining that the quality of graduates is not good enough.

1
0
Silver badge
Devil

Re: 2 birds with one stone

"The language(s) used are likely to be choosen to make teaching those fundamentals easier."

Cough, sputter, sputter. Read this: http://www.joelonsoftware.com/articles/ThePerilsofJavaSchools.html

Java is one of the worst languages to teach fundamentals of programming because it has one too many failsafes. In fact in java you cannot teach even the most basic things like reference/dereference and pointer manipulation. It should be taught as an elective after (and on top of) basic CS material which uses something more low-level in which you can teach students basic data handling.

2
1
Bronze badge

Re: 2 birds with one stone

the first [programming language] you learn does have an influence on how you think about problems, and how you solve them

Evidence, please. Can you point to any methodologically-sound studies supporting this claim? Or is it just a belief founded on anecdote that you're parading as fact?

The first programming language I learned was BASIC on the Commodore PET. I defy you to demonstrate a single significant way in which it influences "how I think about problems" or "how I solve them", in general or in any of the code I've written in the past two decades. (Want examples of the latter? Search for my Usenet posts that contain code samples; I've been on Usenet since '92.)

0
1
Bronze badge

Re: 2 birds with one stone (@ Ignazio)

Compare that to natural speech.

Natural language use and programming are not comparable. They employ different mental facilities.

Your mother [tongue] does shape your way of thinking.

More vague handwaving.

That's so deep that it's the main reason why deaf people have so much more trouble to adapt in society than blind people.

Ah. Handwaving, unsupported assertion, irrelevant comparison, and offensive. That nicely sums up your entire argument.

0
1
Bronze badge

Re: 2 birds with one stone

its the JVM not the language that is the issue

No, actually, it's the Java Platform (Java's equivalent to C's Standard Library or the .NET Framework). At any rate, that was true for the first round of Security Explorations' Java vulnerability disclosure, and based on their statements about this round, it still appears to be the case.

While SE haven't released all the details, there's enough information in what they have published (on Bugtraq and elsewhere) to get this right.

and then again only the bit used by applets

I don't see anything to that effect in any of the SE postings I've read, and I don't see why that would be the case. The first vulnerability was due to an insufficiently-restricted elevated-privilege method in AWT, which is just as accessible from Java applications (or anything else that can call the Java Platform, which means any language that runs in the JVM) as it is from applets.

In short: the problem is not in the Java language. It is not in the JVM. It is in some of the code Oracle supply alongside Java, specifically in code for rendering GUIs (the AWT).

Which just goes to show that the real problem is GUIs, and if people would go back to using the command line then goodness and peace would reign o'er the earth. Lawn, kids, &c.

0
1
Bronze badge

Re: 2 birds with one stone

Read this: http://www.joelonsoftware.com/articles/ThePerilsofJavaSchools.html

That's a popular article, but it's entirely speculative; Spolsky admits in it that it's based on his anecdotal experience.

Show me a methodologically-sound study that supports his thesis, and you might have a point. But as it is, it's just as easy for someone to claim that it's best to teach starting with a "safe" language and moving to more "dangerous" ones, than in the other direction.

I'd argue (indeed have argued elsewhere) that the key is teaching students to move across levels of abstraction, in both directions. And no, I don't have a study to demonstrate that; but it's as good a claim as Spolsky's, and in fact I'd suggest it's a stronger one, since it's more general and doesn't rely on the purported special pedagogical properties of certain kinds of abstractions.

(The article also makes other, far more dubious claims - for example about MapReduce and functional programming. Personally, I've never seen why people like Spolsky are so impressed by MapReduce; I think the core concepts are pretty obvious to an experienced practitioner. Certainly they're not far from a number of algorithms I've implemented over the years, in school and industry. While I like functional languages, I think their educational benefits have been overestimated by some.)

0
1
Joke

Oh good

It's nice to know I won't have to update Java at work again for another six months.

0
1
Bronze badge
Megaphone

Stop slapping at symptoms!

It's time to disable Oracle on our planet!

14
1
Silver badge

Re: Stop slapping at symptoms!

I second that, but to be honest Java started to smell like a "resting" fish long before Oracle came in to liberally add another layer of fail to it.

(BTW the current situation is exactly why RMS and others were warning people against Java since the dawn of time, only to be seen as loonie zealots by too many people. Well, guess who was right -again!)

10
4
Bronze badge

Re: Stop slapping at symptoms!

It would interesting to compare the rate of vuln's accumulation from the Sun's time to the current one. What about the IcedTea? I am also curious, if anyone recalls a similar instance when people would wait 4 or so months for a fix?

0
1
Coat

Re: Stop slapping at symptoms!

It is theoretically possible to be both right and a loonie zealots at the same time.

Isn't it, Mr Assange?

6
1

Re: Stop slapping at symptoms!

You're still not presenting reasons why it smells, in your humble opinion.

2
3
Silver badge
WTF?

Re: Stop slapping at symptoms!

> RMS and others were warning people against Java since the dawn of time

RMS preaching in the desert, foretelling the Apocalypse of Sunacle via the Number of Larry, while Philistines give him the palestinian equivalent of the middle finger and program away on Java 1.0 stone tablets, -4000 AD or so? Sounds likely.

Still, what did they say?

0
0
FAIL

Buying Sun was...

Money well spent, no?

Joking aside it sounds like no amount of duct tape will patch this leaky sandbox. Are we going to have to run a VM inside a VM inside a VM inside a... err where was I?

5
1
Bronze badge
WTF?

Re: Buying Sun was...

Trying to find an alternative to Virtualbox?

0
1
Silver badge

Re: Buying Sun was...

"Trying to find an alternative to Virtualbox?"

if you are flush VMWare stuff is just much better than VirtualBox. Like, much, much, much better. They don't even compare. At the very least one order of magnitude difference in speed.

If you are short in cash but are using hardware that supports virtualisation QEMU comes reasonnably close to VirtualBox in terms of speed and ease of use. Certainly much closer than VirtualBox is to VMWare. I for one moved all my personnal VirtualBox machines over to QEMU the instant "VirtualBox" became "Oracle VirtualBox" (yes, I very much dislike Oracle and its habit to screw over customers. In that case Oracle's official roadmap including removal of a lot of base I/O features from the free version did it for me. They kept their word, too.). Not looking back so far.

1
1

Action needed by respected organisations (not users)

We should, soon find an alternative. Something works, Gnu/FSF or Apache should start something by talking to Intel and AMD.

Or, IBM with their one of true open source licenses.

Virtual box is doing fine because of initial codebase. Companies like oracle can spoil everything.

0
0
Anonymous Coward

VirtualBox vs QEMU (apples vs. oranges)

"f you are short in cash but are using hardware that supports virtualisation QEMU comes reasonnably close to VirtualBox in terms of speed and ease of use."

Maybe for simple tasks but not for demanding apps. Which is not surprising considering that QEMU is *NOT* virtualization, it's an emulator. VirtualBox (as the name says) on the other side is a true virtualization platform.

"I for one moved all my personnal VirtualBox machines over to QEMU the instant "VirtualBox" became "Oracle VirtualBox""

So why did you move from virtualization to an emulator, when there are many other alternatives to VirtualBox out there (i.e. VMWare Player)?

0
0
Anonymous Coward

Thanks Larry...

No Java = no internet banking for me.

5
3
Bronze badge
Happy

Re: Thanks Larry...

No Java = no internet banking for me.

No Java, none of YOUR internet banking for someone you don't even know :)

5
0
Meh

Re: Thanks Larry...

Change your bank.

2
1
Anonymous Coward

Re: Thanks Larry...

I still can't get my head around the idea that somebody thought security-nightmare java runtime and security-kindof-quite-important internet banking would make good bedfellows.

1
1
Anonymous Coward

Also, no Freenet.

I suppose the next thing we'll see is oppressive countries learning of these vulnerabilities and performing state-sponsored drive-by attacks to break into computers to break any Freenet installations it finds. OK, hypothetical, but no unreasonable, no?

3
1
Silver badge

Re: Also, no Freenet.

From what I understand these holes exist when running java code from a web browser. With Freenet you are essentially running a proxy, so your browser does't need to run any java code. Just disable java in the browser (or use a simple java-less browser like dillo or even w3m, linx etc). Although Freenet does suffer a lot from being written in Java (well, it's a pig to run to begin with).

4
0

Re: Also, no Freenet.

They don't need to bother with technical stuff. I am sure 90% of pedo/ terrorist content is uploaded/ maintained by governments to bad mouth it.

0
0
Anonymous Coward

As most security experts recommend...

...just remove Java for now unless you must have it to run a specific app. Maybe in a month or two Java will sort out their security issues?

1
3

Re: As most security experts recommend...

I would say "just disable applets" but thanks to win jungle like browsers configuration, I say the same thing. Remove it.

1
0
Anonymous Coward

Here we go again...

Oh I don't mean the Java bug. I mean another round of inevitable comments from people writing "who uses Java these days" and other such informed wisdom.

I think I'll write an app which automatically posts such a comment every time a story with the word "Java" is published. In Java.

5
5

This post has been deleted by its author

Trollface

Re: Here we go again...

Given the security vulnerabilities you could extend said app to make other peoples computers do it too.

3
0

Page:

This topic is closed for new posts.