Oracle 'fesses up: Java security flaws more than storm in teacup

Oracle has broken its silence to admit there are security issues with Java in web browsers - but it insists the tech is solid on servers and within mobile and desktop apps. In a blog post published on Friday, Oracle noted the "media firestorm" around the recent Java vulnerability, admitting users may have been left "frustrated …

COMMENTS

This topic is closed for new posts.

Is there a more secure VM?

Could users replace Oracle Java with IBM Java or some other version for a more secure experience?

1
0
Anonymous Coward

Re: Is there a more secure VM?

Maybe they could license Dalvik from Google.

3
0

Re: Is there a more secure VM?

The vulnerabilities are not in the Java VM (HotSpot). The vulnerabilities are in the Java security policy system, which runs on top of the VM as normal Java code.

The policy system works like this:

- any operation provided by Java that accesses the resources or the environment of the host computer, or various sensitive operations within the Java runtime, is considered privileged

- programs always see and try to invoke those operations

- but the implementation of the operation queries the policy system, and checks if the operation is allowed

This is no different from what the operating system does. It provides all operations to all applications, but when the operations are called, the system policy checks whether the operation is actually allowed.

By default, for desktop applications, the Java policy allows all actions.

Now, when code is run inside the browser plugin, a very strict security policy is in place. It denies operations such as accessing local files, opening network connections, and so on. And what's important, it also denies operations that attempt to modify the security policy.

The vulnerabilities are in the policy system itself. The holes allow Java code to turn off the policy system, and thus gain access to all privileged operations.

2
0
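To make the model in the post above concrete, here is an added example (not from the post, and not Oracle's own code) of a tiny custom policy in Java: the same calls are made with and without a strict SecurityManager installed, and the manager also refuses the request to remove itself, which is the property the holes discussed above defeated. The class and rule names are constructed for illustration.

```java
import java.io.File;
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.Permission;

// Constructed illustration: operations stay visible and callable, but their
// implementation asks the policy layer (a SecurityManager) whether the caller
// may proceed. Assumes a JDK where SecurityManager still exists (deprecated in
// 17, removed in 24); on JDK 18 to 23 start with -Djava.security.manager=allow.
public class SandboxDemo {
    // A deliberately strict policy in the spirit of the browser sandbox:
    // no file access, no network, and no replacing the policy itself.
    static final class StrictPolicy extends SecurityManager {
        @Override
        public void checkPermission(Permission p) {
            if (p instanceof FilePermission) {
                throw new SecurityException("file access denied: " + p.getName());
            }
            if (p instanceof SocketPermission) {
                throw new SecurityException("network access denied: " + p.getName());
            }
            // The check that keeps untrusted code from turning the policy off:
            // System.setSecurityManager() asks for this RuntimePermission first.
            if (p instanceof RuntimePermission && "setSecurityManager".equals(p.getName())) {
                throw new SecurityException("policy may not be modified");
            }
        }
    }

    // Reports the outcome of one attempted operation as a string.
    static String attempt(String label, Runnable op) {
        try {
            op.run();
            return label + ": allowed";
        } catch (SecurityException e) {
            return label + ": denied (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // Desktop default: no manager installed, so everything is allowed.
        System.out.println(attempt("read file, no policy", () -> new File("/etc/hosts").canRead()));
        System.setSecurityManager(new StrictPolicy());
        // The same calls, now routed through the policy layer and refused.
        System.out.println(attempt("read file, sandboxed", () -> new File("/etc/hosts").canRead()));
        System.out.println(attempt("disable policy", () -> System.setSecurityManager(null)));
    }
}
```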
Silver badge
Facepalm

Unbreakable Bullshit

"The plan for Java security is really simple: it's to get Java fixed up, number one, and then, number two, to communicate our efforts widely."

Talk like a politician. Confuse goals and the way and means to attain them. Mix in some "communication efforts". Probably raise taxes down the line...

6
0

Crapware Payload

Oracle's Ask.com crapware payload is even more malignant than standard - if you accidentally leave the defaults enabled, you can't just go to CP - Add/Remove and uninstall. The installer routine is coded to wait ten minutes before inserting the entry on the Control Panel list.

It's clearly intended to prevent moderately experienced Windows users from undoing their errors when they clicked too fast through the installer defaults.

Oracle should be ashamed of associating itself with such utterly scummy practices. It stinks.

50
0

Re: Crapware Payload

Any user of Oracle products is used to their practices. There are times that they make CA seem good.

4
0
Silver badge
Happy

Re: Crapware Payload

That's ok. Oracle gave you VirtualBox so you can mess up a VM and then throw the whole polluted mess away and start again, older but wiser.

0
0
Gold badge

Re: Crapware Payload

Any user of Oracle products is used to their practices. There are times that they make CA seem good.

A friend of mine worked for CA, and he said that they aspired to be as evil as Oracle, but weren't competent enough to manage it.

Working for them was not a happy experience either. The saddest part was the people who left CA (possibly only joining after their company was bought out), and were in a company that CA subsequently also bought.. Then got made redundant. There were people who'd been through this cycle more than once.

11
0
Headmaster

Re: Crapware Payload

To be fair, if memory serves, the practice of bundling crap with the Java installer started with Sun.

4
0
Silver badge

Re: Crapware Payload

The developer version of Java SE / JRE doesn't come with the crapware stuff. In fact, I learned about the crapware only after the ZDNet article that mentioned it.

0
0
Facepalm

"Oracle needs to take a leaf out of Microsoft's book and play nice with researchers."

Yeah right, the only thing Oracle plays nice with is Ellison's egotism, sociopathy, vindictiveness and bank account.

2
0
FAIL

how many servers require JRE installed...

http://msisac.cisecurity.org/advisories/2013/2013-008.cfm

0
0
Anonymous Coward

Oracle

Nasty little maleware pushers

0
0
Anonymous Coward

Re: Oracle

Yeah, I prefer the femaleware pushers - far tastier!

12
0
Silver badge
Trollface

Re: Oracle

But in the end one is left with gaping holes either way.

2
1

Re: Oracle

Gahhh! Goatse flashback!! Curse you DAM, now I'll have to downvote you for the mental image.

1
0
Thumb Down

I am and will continue to recommend uninstalling Java where it is not used or needed.

2
2
Bronze badge
FAIL

Bag of shite

Come back Oracle when you can actually code a taskbar updater widget that works when run as a non-admin user (without the hopeless "Failed to download update" bollocks)!

10
0
Anonymous Coward

Oracle

Is just evil. From closing down the OpenSolaris project to aggressive corporate purchases to their almost complete disregard for their non-enterprise DB customers, they're evil to the bone. I used to think they were just incompetent, but it almost looks like deliberate negligence at this point.

7
0
Anonymous Coward

On my wishlist then...

is a JRE without any browser plugins (and of course no crapware).

0
0
Facepalm

Re: On my wishlist then...

JRE is Java Runtime Environment (the interpreter), which can run on a number of devices, most commonly phones, e.g. JAR files, possibly even COD/ALX coded files? Just as SQLite appears to be a standard these days for phone databases?

Servers would, presumably, require the JRE in order to serve it to a client? :-/

0
0
Silver badge
Unhappy

Re: On my wishlist then...

Sadly, in my organization the primary reason we install java is because somebody else's web based application requires it to run. And frequently requires a hideously outdated version at that.

1
0

This post has been deleted by a moderator

Anonymous Coward

Anyone believe Oracle these days?

I don't believe a single thing Oracle says about any of its Sun acquisitions.

Nor will I ever use Java again.

I think that's probably the safest approach :)

0
0

Java

Okay, let's get one thing straight. All the smart devs know that Java shops turn out shite. I could earn quite a bit as a Java dev but I don't want to be involved with actively making the world a worse place.

2
3
Silver badge

Re: Java

Java or the JVM? If you can tolerate the latter then you might want to look at Scala. It's on my to-do list and it looks *nice*

0
0
Silver badge
Facepalm

Re: Java

> All the smart devs know that Java shops turn out shite.

Just what the fuck? /b/ is over there.

2
1
Silver badge
Facepalm

Re: Java

Don't get me wrong I am no fan of managed code (and neither is Microsoft based on their strategy going forward) but slagging off on all Java devs is bad form even for a troll.

0
1
Silver badge
FAIL

somewhere

Adobe has to be breathing a slight sigh of relief. There for a while it was looking like they were the undisputed pariah of basic security best practices, but now they have some serious competition.

7
1
Anonymous Coward

Re: somewhere

Don't get me wrong I am no fan of managed code (and neither is Microsoft based on their strategy going forward) but slagging off on all Java devs is bad form even for a troll.

0
1
Silver badge
FAIL

Re: somewhere

And the joke falls flat because saying company X's security practice sucks is much different than saying all developers of a product are idiots. Do you really want me to post all the drive-by critical CVEs found in Adobe's products even in the last year? Pretty significant list, and these days it is even longer than Microsoft's, which is bad when they make the OS and a good portion of the software on most desktops.

0
0

Do you want me to post all the drive-by critical CVEs found in Adobe's products in the last year?

Go ahead. I could use a little gallows humour.

0
0
Silver badge

Re: Do you want me to post

Here ya go. Lazy way out but still. This is an incomplete list obviously, as it only covers two products, but it's still pretty impressive.

http://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-497/Adobe-Acrobat-Reader.html

http://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-6761/Adobe-Flash-Player.html

2
0
Bronze badge
Pint

We listened so that you don't have to. You're welcome

Thank you!

3
0
Thumb Down

Loose journalism?

This line caught my eye, as a juicy bit of grade-A whining:

'He criticised the media for putting out the "loose" message to uninstall Java while admitting there was a security issue with the runtime in web browsers.'

Journalists can be scummy and inaccurate but in this case they reported accurately. Java security is broken. Maybe one day it'll be fixed. Until then, you can sidestep a whole boatload of grief by uninstalling it.

What's loose about that, Oracle?

0
0
Anonymous Coward

Crapware

"... Oracle's much-criticised practice of bundling third-party crapware - such as a web search toolbar - with Java security updates..."

YES!

Cut this shit out! I can't stress that nearly enough.

0
0

Is this the beginning of the end for Java?

0
0
FAIL

It's getting worse

The irony was that Microsoft's unofficial version of Java, once bundled with Windows, was generally OK. Then Sun sued Microsoft and the result is that we have to use the bloated, insecure, crapware-laden official version (anything that adds itself to the system tray and creates pop-up reminders is a fail in my eyes). I never install it when building a machine, and if a website requires it, I decide that I don't require that website.

The current irritation is that the latest release of Firefox prompts me to install an updated version of Java whenever I start it (on Windows, anyway - it's OK on Linux Mint). One day the wife or kids are going to do what FF asks and I'll have a crapware-infested system. Hopefully them being "limited users" will prevent this.

0
0