
Oracle patches Java 0-day, goes to Defcon 2

Oracle has patched the latest Java nasty, suggesting users of the increasingly-flaw-prone product visit java.com pronto to download a new version of the software that addresses the flaw and stops malicious websites gaining control of compromised computers. In a blog post describing the fix, Oracle's Eric P. Maurice may just have …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

You hardly need Java for anything these days - it's a dying technology as most enterprises use .Net - which is far more secure. Just uninstall it.


I don't know the last time I found the need to install Java RE on a computer. The default desktop image should really exclude it these days.

Anonymous Coward

Easier said than done on Ubuntu, which comes installed with this scourge by default!

http://askubuntu.com/questions/84483/how-to-completely-uninstall-java

Phew, what a palaver!

FAIL

I wouldn't be too quick to side with the .Net framework...

Only runs on Windows, they can't work out which UI framework to settle on (WinForms? Nope. WPF? Nope. XAML? Yes, for the time being, HTML 5? Maybe) and the mobile platform runs on about 2% of the world's mobile devices.


This post has been deleted by a moderator

Silver badge
FAIL

I found the MS shill!

.NET isn't more secure, it's actually on par with Java on some stuff. On others, Java is better. And .NET is stuck with Active Directory; trying to use a true LDAP for authentication/authorization means you'll have to roll out your own implementation for MembershipProvider and RoleProvider.

Yeech!

Silver badge
Thumb Down

RICHTO, please stop posting as Anon, you are not doing yourself any favors.

FAIL

There are still stupid Java bastions left - online meeting software, browser based VPNs, and a whole bunch of stuff in banking.

Silver badge
FAIL

Re: .NET has been officially killed by Microsoft

All very well, except that .NET is alive, C# has been extended and Java has always been a pile of buggy old crap for poorly educated children who think C++ is hard.

Eadon, your ignorance is horrifying. The fact that you trumpet it so often is hilarious, though.

Silver badge
Trollface

Re: .NET has been officially killed by Microsoft

> poorly educated children who think C++ is hard

Either you are trolling soundly or one of the people who are limping around with both feet (and possibly their dick) blown off.

In any case, care to explain why C# exists?

Silver badge
FAIL

Ubuntu uses OpenJDK by default, not the Oracle JDK.

Silver badge
Boffin

Re: .NET has been officially killed by Microsoft

care to explain why C# exists?

I doubt anyone who didn't commission it could say for sure, but Anders Hejlsberg is on record as saying he wanted to create a version of Java that didn't suck.

There are oddities in C#, sure, but it doesn't suck. And yes, I was partially trolling because Eadon is an unbearable little prick who will even use a vulnerability in Java to tell the world how horrible Microsoft (and all its works bar none, not one, nothing they have ever done remotely redeems them) are.

When faced with that kind of dribbling fuckwittery, one sometimes gets exasperated.

Bronze badge
FAIL

"You hardly need Java for anything these days - it's a dying technology as most enterprises use .Net - which is far more secure."

lol. 4 statements here. all absolutely opposed to reality.

Facepalm

Re: .NET has been officially killed by Microsoft

.Net isn't dead, it's still an option used to write Windows Phone 8 / Windows 8 apps and will continue to be a well-supported platform for writing web applications.

Java's way behind C# too, as a developer who moved from C# to Java I miss so many of the cool features in Java - such as LINQ, Lambdas, Closures, etc...

Silver badge

@stretch - Enterprises use Java, it's not dying, .NET is not more secure - although you could argue that it is harder to exploit since the compiler is less holey and a lot less portable - but the third statement "Enterprises use .NET" is pretty accurate.

Companies tend not to be fanbois so they don't have religious objections to technology on the grounds that they love something else. They just use whatever works. There are many situations where Java works and many where .NET works.

Desktop Java is pretty horrendous though.


Re: .NET has been officially killed by Microsoft

Why, just the other day my PC downloaded new patches for critical vulnerabilities in every version of .NET Framework there has ever been, several for each. Well, I exaggerate there, but it's clearly alive, and wonky. By the way, what is it?

Anonymous Coward

Got a nasty at work - we think it came in via Java in the browser

A heads-up... it hit us hard and I spent a while taking it off machines + we'll have a full security review now the boss has (I hope) woken up to it.

Happy

Re: Got a nasty at work - we think it came in via Java in the browser

now the boss has (I hope) woken up...

ftfy!

Bronze badge
Holmes

I tried turning it off.

That worked.


What! Do you think I am CRAZY??

Man, it has a check box to install McAfee. Maybe I am paranoid, but not THAT paranoid. Will it recognize Java as malware?

Anonymous Coward

Security by Self-Delusion

What does McAfee say about this? See

http://blogs.mcafee.com/enterprise/cso-risk-management/security-by-self-delusion

Anonymous Coward

CVE-2013-0422

Recent extenders of Java have lost sight of the fact that the VM is capabilities based, or perhaps rely on that too naively.

Maybe it's time to rethink the VM if closures and anonymous methods are the way of the future.


This post has been deleted by a moderator

Anonymous Coward

Out of the sandbox and into the flames

with the JMX classes...

Silver badge
Holmes

Kaspersky has this to say...

At Java 0day Mass Exploit Distribution

One of the best statements that I have seen in regards to the fairly impractical "just uninstall it" approach was presented by one of the handlers at the ISC Storm Center in today's issue of SANS NewsBites: "Editor's Note ([Mat] Honan): It seems each time a zero day exploit is found in software, be that Java or otherwise, the industry pundits recommend that people stop using that software. New vulnerabilities will always be discovered in the software we use. If our best defence to a threat is to cause a denial-of-service on ourselves then this in the long term is a no-win strategy for us as an industry. We need to be looking at better ways to defend our systems and data, one good place to start is the 20 Critical Security Controls http://www.sans.org/critical-security-controls/"


This post has been deleted by its author

Flame

I'd rather fucking drink my Java than use it!

Turned it off last week a day before the press got a clue on everything in our house. Not a problem reported at all, thus validating the extreme uselessness of even having it installed anymore!

Goodbye Java!

Coat

happens 3 times a month with IE .....

So why so much excitement over once in 3 months with Java applets, which is risky IF you are cruising on warez and crackz sites?

Java in the browser is almost never used anymore anyway.....

?? Surely no one turned off the IE browser because MS will fix it once more on 14th January (today)?

my coat, plz.....


Re: happens 3 times a month with IE .....

It's just annoying to have to update Java all the time when you don't actually use it. I also don't use IE unless forced to, so no IE, no Java.

I know Firefox, Chrome, and Safari have security problems, but typically less severe. If it's not needed, then turn it off. I've removed it from all computers which don't need it where I work (and that's most of us). One less attack vector for users who are not technically savvy, or might click 'yes'


Naming

With hindsight, the naming of the technology is a big problem. Had about half a dozen customers call up after disabling JAVASCRIPT, then noticing almost all their websites stopped working...

Perhaps a Java VM rename could help it dodge its current reputation, and reduce confusion...


Re: Naming

We were here first. Get them to disable ECMAscript instead.

Alert

Any client-side binary tech exposed to the www is dangerous

PDF, Flash, ActiveX, or Java (and of course, the browser itself). You cannot predict possible future exploits for any of these. Firefox with the NoScript add-on is one answer.

Silver badge

Yes, but in those cases...

those technologies were designed in the 1990s, the decade nobody cared about actual security and people were happy enough if their systems ran for a day without a crash! Newer incarnations of the same ideas might be more secure, but then again we now understand why Flash, ActiveX and Java were bad ideas.


Tell the vendors

of one of our most used tools. They are switching to a browser interface with Java apps from native clients. The reason is fairly easy to see, it's a single platform to work on rather than lots of possibles. It doesn't matter if there are others, it's the one the vendor has selected and it would be a major task to change the product.

That said, it's only accessible internally (at the moment) so the PCs accessing it are controlled.

Anonymous Coward

Re: Tell the vendors

Speaking as a vendor who produces applets, we hate them even more than the customer. The user experience should be the same as our application, but it's not: it's slower, the screen refresh is worse, the delay while starting the VM is way too large (at least we now have that option, rather than being lumped into one VM with no control over heap size) and deployment is a nightmare of changing goalposts on different platforms - you think you have it bad on Windows; try OS X.

Then of course you have the SecurityManager obstacle if you want to do anything useful, which appears to offer fine grained restrictions from the API - not so! To give one example, Jars can be signed with multiple signatures which should allow you to build an applet from a combination of components at different trust levels. Yes? No. All Jars deployed as part of an applet must be signed by the same signature - a new restriction in 1.6.0_16 that broke all our existing deployments.

Java has matured into a very fine language, despite some obvious missteps, but Sun and now Oracle's handling of it on the Desktop, and particularly on the web, has been nothing short of disastrous and the user experience of applets now is roughly the same as it was in 1999, to wit: shite.

If I were your vendor I'd be moving to HTML5 myself - JS frameworks are even worse than Swing for GUIs, but at least they're improving.

Gold badge
WTF?

default security level

"Oracle has also changed Java-in-a-browser's default security level to “High”. "

Er, sorry? You mean the default level for *in-browser* applets hasn't been "maximum" for the last 15 years?

Anonymous Coward

Perhaps people would update a bit more often if it wasn't about 20 clicks to install the updates, and didn't try to ram the shitty ask toolbar and search default down your throat every f'ing time.
