Oracle 'fesses up: Java security flaws more than storm in teacup
Oracle has broken its silence to admit there are security issues with Java in web browsers - but it insists the tech is solid on servers and within mobile and desktop apps. In a blog post published on Friday, Oracle noted the "media firestorm" around the recent Java vulnerability, admitting users may have been left "frustrated …
Is there a more secure VM?
Could users replace Oracle Java with IBM Java or some other version for a more secure experience?
Re: Is there a more secure VM?
Maybe they could license Dalvik from Google.
Re: Is there a more secure VM?
The vulnerabilities are not in the Java VM (HotSpot). The vulnerabilities are in the Java security policy system, which runs on top of the VM as normal Java code.
The policy system works like this:
- any operation provided by Java that accesses the resources or the environment of the host computer, or various sensitive operations within the Java runtime, is considered privileged
- programs always see and try to invoke those operations
- but the implementation of the operation queries the policy system and checks whether the operation is allowed
This is no different from what the operating system does. It provides all operations to all applications, but when the operations are called, the system policy checks whether the operation is actually allowed.
By default, for desktop applications, the Java policy allows all actions.
Now, when code is run inside the browser plugin, a very strict security policy is in place. It denies operations such as accessing local files, opening network connections, and so on. And what's important, it also denies operations that attempt to modify the security policy.
The vulnerabilities are in the policy system itself. The holes allow Java code to turn off the policy system, and thus gain access to all privileged operations.
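As an added illustration of the flow described in the comment above (not code from the thread or from Oracle), a small Java 8-era program installs a custom SecurityManager that plays the role of the browser plugin's strict policy; the class name, the denied permissions and the file path are assumptions chosen for the demo.

```java
import java.io.File;
import java.security.Permission;

// Added illustration, not code from the thread: a custom SecurityManager
// standing in for the browser plugin's strict policy. Assumes a Java 8-era
// JRE; from Java 18 on, installing a SecurityManager at runtime requires
// -Djava.security.manager=allow and the whole mechanism is deprecated.
public class PolicyDemo {
    // Policy that denies file access and, crucially, any attempt to
    // replace or remove the SecurityManager itself.
    static class StrictPolicy extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof java.io.FilePermission) {
                throw new SecurityException("file access denied: " + perm.getName());
            }
            if (perm instanceof RuntimePermission
                    && "setSecurityManager".equals(perm.getName())) {
                throw new SecurityException("policy change denied");
            }
            // Everything else is permitted in this demo.
        }
    }
    // File.canRead() consults the installed SecurityManager via checkRead().
    static String tryRead(String path) {
        try {
            return new File(path).canRead() ? "readable" : "not readable";
        } catch (SecurityException e) {
            return "denied: " + e.getMessage();
        }
    }
    // The sandbox must block this too, or sandboxed code could simply switch
    // the policy off; that is the state the holes in the comment reach.
    static String tryDisablePolicy() {
        try {
            System.setSecurityManager(null);
            return "policy removed";
        } catch (SecurityException e) {
            return "denied: " + e.getMessage();
        }
    }
    public static void main(String[] args) {
        // With no manager installed (the desktop default) everything is allowed.
        System.out.println("no manager: " + tryRead("/etc/hosts"));
        System.setSecurityManager(new StrictPolicy());
        System.out.println("strict: " + tryRead("/etc/hosts"));
        System.out.println("strict: " + tryDisablePolicy());
    }
}
```

Run with `javac PolicyDemo.java && java PolicyDemo` on a Java 8 JRE; the first read succeeds, the second and the attempt to remove the manager are both refused by the policy.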
Unbreakable Bullshit
"The plan for Java security is really simple: it's to get Java fixed up, number one, and then, number two, to communicate our efforts widely."
Talk like a politician. Confuse goals and the way and means to attain them. Mix in some "communication efforts". Probably raise taxes down the line...
Crapware Payload
Oracle's Ask.com crapware payload is even more malignant than standard - if you accidentally leave the defaults enabled, you can't just go to CP - Add/Remove and uninstall. The installer routine is coded to wait ten minutes before inserting the entry on the Control Panel list.
It's clearly intended to prevent moderately experienced Windows users from undoing their errors when they clicked too fast through the installer defaults.
Oracle should be ashamed of associating itself with such utterly scummy practices. It stinks.
Re: Crapware Payload
Any user of Oracle products is used to their practices. There are times that they make CA seem good.
Re: Crapware Payload
That's ok. Oracle gave you Virtual Box so you can mess up a VM and then throw the whole polluted mess away and start again, older but wiser.
Re: Crapware Payload
> Any user of Oracle products is used to their practices. There are times that they make CA seem good.
A friend of mine worked for CA, and he said that they aspired to be as evil as Oracle, but weren't competent enough to manage it.
Working for them was not a happy experience either. The saddest part was the people who left CA (possibly only joining after their company was bought out), and were in a company that CA subsequently also bought. Then got made redundant. There were people who'd been through this cycle more than once.
Re: Crapware Payload
To be fair, if memory serves, the practice of bundling crap with the Java installer started with Sun.
Re: Crapware Payload
The developer version of Java SE / JRE doesn't come with the crapware stuff. In fact, I learned about the crapware only after the ZDNet article that mentioned it.
"Oracle needs to take a leaf out of Microsoft's book and play nice with researchers."
Yeah right, the only thing Oracle plays nice with is Ellison's egotism, sociopathy, vindictiveness and bank account.
how many servers require JRE installed...
http://msisac.cisecurity.org/advisories/2013/2013-008.cfm
Re: Oracle
Yeah, I prefer the femaleware pushers - far tastier!
Re: Oracle
But in the end one is left with gaping holes either way.
Re: Oracle
Gahhh! Goatse flashback!! Curse you DAM, now I'll have to downvote you for the mental image.
I am and will continue to recommend uninstalling Java where it is not used or needed.
Bag of shite
Come back Oracle when you can actually code a taskbar updater widget that works when run as a non-admin user (without the hopeless "Failed to download update" bollocks)!
Oracle
Is just evil. From closing down the OpenSolaris project to aggressive corporate purchases to their almost complete disregard for their non-enterprise DB customers, they're evil to the bone. I used to think they were just incompetent, but it almost looks like deliberate negligence at this point.
On my wishlist then...
is a JRE without any browser plugins (and of course no crapware).
Re: On my wishlist then...
JRE is Java Runtime Environment (the interpreter), which can run on a number of devices, most commonly phones, e.g. JAR files, possibly even COD/ALX coded files? Just as SQLite appears to be a standard these days for phone databases?
Servers would, presumably, require the JRE in order to serve it to a client? :-/
Re: On my wishlist then...
Sadly, in my organization the primary reason we install Java is because somebody else's web based application requires it to run. And frequently requires a hideously outdated version at that.
Oracle strangeness
Oracle seem to know how to wind people up. They're responsible for Java and they're making a bit of a pig's ear of it. Systems that use their cash cow, the Oracle DBMS, tend to be written in Java; they need to wise up a bit, methinks.
Anyone believe Oracle these days?
I don't believe a single thing Oracle says about any of its Sun acquisitions.
Nor will I ever use Java again.
I think that's probably the safest approach :)
Java
Okay, let's get one thing straight. All the smart devs know that Java shops turn out shite. I could earn quite a bit as a Java dev but I don't want to be involved with actively making the world a worse place.
Re: Java
Java or the JVM? If you can tolerate the latter then you might want to look at Scala. It's on my to-do list and it looks *nice*
Re: Java
> All the smart devs know that Java shops turn out shite.
Just what the fuck? /b/ is over there.
Re: Java
Don't get me wrong I am no fan of managed code (and neither is Microsoft based on their strategy going forward) but slagging off on all Java devs is bad form even for a troll.
somewhere
Adobe has to be breathing a slight sigh of relief. There for a while it was looking like they were the undisputed pariah of basic security best practices, but now they have some serious competition.
Re: somewhere
> Don't get me wrong I am no fan of managed code (and neither is Microsoft based on their strategy going forward) but slagging off on all Java devs is bad form even for a troll.
And the joke falls flat because saying company X's security practice sucks is much different than saying all developers of a product are idiots. Do you really want me to post all the drive-by critical CVEs found in Adobe's products even in the last year? Pretty significant list, and these days it is even longer than Microsoft's, which is bad when they make the OS and a good portion of the software on most desktops.
Do you want me to post all the drive by critical CVEs found in Adobe's products in the last year?
Go ahead. I could use a little gallows humour.
Re: Do you want me to post
Here ya go. Lazy way out but still. This is an incomplete list obviously, as it only covers two products, but it's still pretty impressive.
http://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-497/Adobe-Acrobat-Reader.html
http://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-6761/Adobe-Flash-Player.html
We listened so that you don't have to. You're welcome
Thank you!
Loose journalism ?
This line caught my eye, as a juicy bit of grade-A whining:
'He criticised the media for putting out the "loose" message to uninstall Java while admitting there was a security issue with the runtime in web browsers.'
Journalists can be scummy and inaccurate, but in this case they reported accurately. Java security is broken. Maybe one day it'll be fixed. Until then, you can sidestep a whole boatload of grief by uninstalling it.
What's loose about that, Oracle?
Crapware
"... Oracle's much-criticised practice of bundling third-party crapware - such as a web search toolbar - with Java security updates..."
YES!
Cut this shit out! I can't stress that nearly enough.
It's getting worse
The irony was that Microsoft's unofficial version of Java, once bundled with Windows, was generally OK. Then Sun sued Microsoft and the result is that we have to use the bloated, insecure, crapware-laden official version (anything that adds itself to the system tray and creates pop-up reminders is a fail in my eyes). I never install it when building a machine, and if a website requires it, I decide that I don't require that website.
The current irritation is that the latest release of Firefox prompts me to install an updated version of Java whenever I start it (on Windows, anyway - it's OK on Linux Mint). One day the wife or kids are going to do what FF asks and I'll have a crapware-infested system. Hopefully them being "limited users" will prevent this.
