'Silent but deadly' Java security update breaks legacy apps - dev

An application developer reports that the latest Java 7 update "silently" deletes Java 6, breaking applications in the process. Java 7 update 11 was released two weeks ago to deal with an unpatched vulnerability which had gone mainstream with its incorporation into cybercrook toolkits such as the Blackhole Exploit Kit in the …

COMMENTS

This topic is closed for new posts.


No comment

Jad

Re: No comment

Oracle's "SQLDeveloper" requires Java 6 to be installed to work ... (most recent version Nov 2012)

I still find it funny that I have to manipulate their scripts to get it to work with :)



Anonymous Coward

Re: Duh, perhaps there are too many bugs in Java 6 and it's time for an update?

I'm sure you'd be saying that if your business depended on an application that required Java 6.


Re: Duh, perhaps there are too many bugs in Java 6 and it's time for an update?

You word it as though there were no choice but to stay on Java 6. That would be partly valid for a while if it was a customer, but this is a developer speaking.

The application does not require Java 6; it requires an update so it will work with Java 7.

The developer should update it.

As for customers stuck with lazy developers, after a period of time (say the time it takes for 11 releases to come out) they should start looking for a new vendor.

Anonymous Coward

Re: Duh, perhaps there are too many bugs in Java 6 and it's time for an update?

"but this is a developer speaking"

Yes, about a Java update that could get applied to a company without Java developers who run Java software: "several of their customers had updated their Java 7 and our customer’s product had stopped working"

Imagine, you're a small company, you've paid for an application to be developed and do not have in-house developers. You've been happily using said application for years when this update removes Java 6 and in an instant, your business grinds to a halt. The answer to that is not "QwitcherBitchin" as you seem to support.

If you'd developed that application, would you drop everything to update the application before the business goes bankrupt? I don't think so. Forcibly deleting an old version of something like Java is not a good idea given the known version dependence of Java applications. It's the equivalent of rolling an OS upgrade out without any prior testing.


Re: Duh, perhaps there are too many bugs in Java 6 and it's time for an update?

When you have a runtime environment that existing applications rely on, you have to back port fixes to it so you don't disrupt your customers. Either that or you have to always ensure backwards compatibility. One thing you don't do, is remove things at your whims and break functionality, even if you're going to stop maintaining the old version after time.

Otherwise, who would invest time and money building software using fragile environments?

This is what Microsoft does with their compiler runtimes (MS Visual C++, Visual Basic) and .Net Framework. They have to maintain several versions of these, if they are installed, because new versions are not drop-in, backwards compatible.

You evidently don't know much about software, but don't let that stop you from admonishing others.


Re: Duh, perhaps there are too many bugs in Java 6 and it's time for an update?

@Dan Paul - read for comprehension!

The article specifically said the software works fine under Java 7, simply that it has a pointer to the Java executable, which got invalidated when the installer, for no good reason, removed Java 6 which the software was pointing to. Solution was simple, but it had no reason to be necessary.

Oracle seems pretty clueless about how to manage products they didn't internally develop. You KNOW they're doing something wrong when you start looking wistfully at the days when sun was a bedraggled, drooling zombie, but at least it was STILL THERE.


Re: Duh, perhaps there are too many bugs in Java 6 and it's time for an update?

I realise that this is extremely bad practice on the part of Oracle but as somebody who has to do occasional web development, part of me really wishes MS would do this with old versions of IE.


Re: Duh, perhaps there are too many bugs in Java 6 and it's time for an update?

I do distinctly remember having problems a couple of years ago running an app that did an RMI/IIOP connection to WebLogic Server 8.1 (which runs on J2EE 1.4) from a client running Java 6. Autoboxing breaks something server-side, as it tries to send a Boolean to a boolean. However, this can be fixed by simply doing

java -version:1.4 -jar MyClientApp.jar

which makes Java run in something akin to a compat mode. Of course, the problem referred to in this article isn't a compat issue, but more of the exe no longer being where the scripts expect them to be. I'd add that usually these out of place JRE/JDKs might have some extra libraries in lib/ext that aren't in the "updated" JRE, which might end up breaking the apps when they start using the new JRE...

Anonymous Coward

Re: Duh, perhaps there are too many bugs in Java 6 and it's time for an update?

"As for customers stuck with lazy developers, after a period of time (say the time it takes for 11 releases to come out) they should start looking for new a vendor."

I quite agree. Ironically, the big enterprise systems that we have that don't work with Java 7 and, for the foreseeable future seem to require Java 6, are produced and under active support by Oracle.


Re: Duh, perhaps there are too many bugs in Java 6 and it's time for an update?

@Daniel B.

"However, this can be fixed by simply doing

java -version:1.4 -jar MyClientApp.jar"

Not quite. It causes the Java launcher to locate and use a 1.4 JRE. This only works if one is installed and (obviously) will not work if the new installer has removed all old versions.


Re: they should start looking for new a vendor.

Yes, but I'm the lowly helpdesk dude at the bottom of the food chain. And somewhere up the food chain is somebody with what is effectively the force of law behind him saying we have to keep using the crap from that vendor. And no, it's not a minor program off in a basement office somewhere. Almost all the folks in the executive suite (or it would be the executive suite if it weren't government) have it (probably hate it too) and use it on a regular basis (at least once a week, with a fair number (more than 50%) living in the app).


Re: remove things at your whims and break functionality

I agree with you, but you do need to remember this is LARRY ELLISON we're talking about.


Re: part of me really wishes MS would do this with old versions of IE.

Umm...

If you run Automatic Updates, that's pretty much EXACTLY what MS does with old versions of IE. To the point that it's a royal biatch to be able to compatibility test for multiple versions.

What messes you up is that MS also released hotfixes that took the updates off the patching list and users never undid the hotfixes. Possibly because they run software that still relies on those versions we all wish were dead.


JavaFX has been Integrated

Bad uninstall procedures if you ask me, given older versions of JavaFX are listed separately under the installer IDs.

Since they incorporated java FX updates within the JRE now!


Just one more thing....!

Please help me understand why Java and .NET really need so many damn versions and different libraries to begin with? Why should I have Dot Net 1.1, 2, 3.5 and 4?

For example, when Version One gets superseded by Version Two, should not all of the previous parts of One be part of Version Two, just revised?

No, that shit would just make too much sense.


Re: Just one more thing....!

Because for at least .NET, I think some of the versions are actually unrelated to each other despite the naming scheme used.


Re: Just one more thing....!

Trouble is Java 7 isn't quite ready for prime time on the Mac. We need Java at work because the applications SAP provides for platforms other than Windows are written in Java, and many other businesses and large organisations are in the same situation. We also have internal business Java applications that use JOGL (the OpenGL API - JSR-231) which doesn't work on Java 7 on the Mac yet, which kills all 3D applications (and 3D games) that use Java. Now Java applets in web browsers are another matter, however in Scandinavia, where I live, many banks require Java for their net bank solutions as it's used as part of the authentication project, so killing Java applets basically stops our net bank access from working (!). This basically risks leaving us reliant on running Windows on Parallels or VirtualBox in order to keep using our Macs...


Re: Just one more thing....!

> Please help me understand why Java and .NET really need so many damn versions and different libraries to begin with? Why should I have Dot Net 1.1, 2, 3.5 and 4

Because API designers (especially those for the sprawling, monolithic frameworks that are the current de rigueur) don't seem to give a shite about backwards compatibility.


Re: Just one more thing....!

Apple is not particularly friendly to other developers' products.

If people want to get a Mac they should understand that and not make themselves dependent on other software.

There is a reason most companies use PCs. The code is more tested, more of the vulnerabilities have been found and fixed, but also it is far more open and accepting to third party apps and languages.


Re: Just one more thing....!

Because runtime environments are complex? It's easy to understand, and apparently also easy to complain about when lacking that understanding.

Re: Just one more thing....!

Trouble is Java 7 isn't quite ready for prime time on the Mac.

This. I can't believe just how broken Java 7 is on the Mac when it comes to UIs. Even sticking with plain old AWT and Swing, I find cases where drawShape() just doesn't, graphics contexts get flipped, images don't quite render correctly, etc. This is why I still have Java 6 on my MacBook.

And, yes, that does make me cringe. There are features in 7 I'd love to use in my code, but can't.

Anonymous Coward

Java

People still use java?

Anonymous Coward

Re: Java

Write once, debug everywhere.


Re: Java

Would the ACs please refrain from shitposting?


Re: Java

No, Java is dead, there are only about 10 million developers and many hundreds of millions of users. /s


Re: Java

People still ashamed to log in under a name?


Versions: does anyone remember Lenny Henry ...

years ago, he commented on the difficulty in buying a record[1] ...

"Do you want the 12", the extended 12", the club mix, the extended club mix, the club house mix, the 12" club house mix featuring Sir Skankalot, the dub house mix ....."

"Just give me the one where they got it right."

[1]Ask your parents. Or their parents.


DLL Hell, anyone?

That's the problem with JRTs. It's effectively a DLL without any of the version control mechanisms most OSes have for real DLLs.

Anonymous Coward

Pretty sure this is exactly what %JAVA_HOME% should be used for...


WRONG, because then your software crashes if the user installs a version of Java you're not supporting yet.

Since Java specifically supports multiple versions being present, and lets customers clean up old ones as they retire apps needing older ones, Oracle had NO business doing this. Should you still be using apps dependent on java 6? Probably not, but that's not any of oracle's business.


Or registry

Yeah, or finding out what java versions are installed and where from the Windows registry.

I once wrote a native Windows app that embedded Java installation. The first step I did was to read the installation path of the latest Java version from registry.

This is not Oracle's problem, rather it seems that the JNBridge product is just being lazy and it assumes it can find java from a fixed location.

As for Enterprise desktop apps, where tried and tested versions of all components are important, just bundle a preinstalled JRE with your product. Don't rely on the desktop JRE, which can be any version. Been there, done that also.

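The two sub-threads above (Daniel B.'s `java -version:1.4` launcher tip and the %JAVA_HOME% / registry discussion) come down to the same engineering point: an application should discover which JREs are actually present and pick one that satisfies its version requirement, rather than hard-coding a path that an installer can remove. The following is an added example written for this page, not code from JNBridge, Oracle or any commenter. It assumes the registry layout the Sun/Oracle Windows installers write (HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\<version>\JavaHome) and uses a deliberately simplified reading of the launcher's -version: spec syntax ("1.6" = that family, "1.6*" = same prefix, "1.6+" = that version or newer). The constructed candidate table in the usage note stands in for a real machine.

```python
"""Locate a compatible installed JRE instead of hard-coding one path.

Added example, not code from JNBridge, Oracle or any commenter.
Assumptions: the Windows registry layout used by the Sun/Oracle JRE
installers (HKLM\\SOFTWARE\\JavaSoft\\Java Runtime Environment\\<ver>\\JavaHome)
and a simplified version of the launcher's -version: spec syntax
('1.6' = that family, '1.6*' = same prefix, '1.6+' = that version or newer).
"""
import os
import re
import subprocess
import sys
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]

# First line of `java -version`, e.g. java version "1.6.0_45" / openjdk version "1.7.0_65"
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(banner: str) -> Optional[Version]:
    """'java version "1.6.0_45"' -> (1, 6, 0, 45); None if the banner is unrecognised."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def matches_spec(version: Version, spec: str) -> bool:
    """Simplified -version: matching (an assumption, see the module docstring)."""
    want = tuple(int(p) for p in spec.rstrip("+*").split("."))
    if spec.endswith("+"):
        return version >= want            # tuple order: (1, 7, 0, 11) >= (1, 6) is True
    return version[:len(want)] == want    # exact family / prefix match


def discover_registry_jres() -> Dict[str, str]:
    """Windows only: {'1.6': 'C:\\...\\jre6', '1.7': ...} read from the JavaSoft keys."""
    if sys.platform != "win32":
        return {}
    import winreg  # only importable on Windows
    homes: Dict[str, str] = {}
    base = r"SOFTWARE\JavaSoft\Java Runtime Environment"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as key:
            index = 0
            while True:
                try:
                    sub = winreg.EnumKey(key, index)
                except OSError:
                    break  # no more subkeys
                index += 1
                try:
                    with winreg.OpenKey(key, sub) as subkey:
                        homes[sub] = winreg.QueryValueEx(subkey, "JavaHome")[0]
                except OSError:
                    continue  # subkey without a JavaHome value
    except OSError:
        pass  # no JRE registered at all
    return homes


def probe_java_home(home: str) -> Optional[Version]:
    """Run <home>/bin/java -version and parse the banner (it is printed to stderr)."""
    exe = os.path.join(home, "bin", "java.exe" if sys.platform == "win32" else "java")
    if not os.path.isfile(exe):
        return None
    try:
        proc = subprocess.run([exe, "-version"], capture_output=True, text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return parse_java_version(proc.stderr + proc.stdout)


def select_jre(candidates: Dict[str, Version], spec: str) -> Optional[str]:
    """Return the newest candidate home whose version satisfies spec, or None."""
    ok = [(v, home) for home, v in candidates.items() if matches_spec(v, spec)]
    return max(ok)[1] if ok else None


def resolve_java(spec: str, bundled_home: Optional[str] = None) -> Optional[str]:
    """Probe a bundled JRE, JAVA_HOME and every registered JRE, then pick a match.

    Returns None when nothing fits, so the caller can fail loudly instead of
    launching a JRE the application was never tested against."""
    homes = set(discover_registry_jres().values())
    if os.environ.get("JAVA_HOME"):
        homes.add(os.environ["JAVA_HOME"])
    if bundled_home:
        homes.add(bundled_home)
    found = {h: v for h in homes for v in [probe_java_home(h)] if v}
    return select_jre(found, spec)


if __name__ == "__main__":
    wanted = sys.argv[1] if len(sys.argv) > 1 else "1.6"
    chosen = resolve_java(wanted, bundled_home=os.path.join(os.getcwd(), "jre"))
    print(f"java matching {wanted!r}: {chosen or 'none found; fall back to bundled JRE or abort'}")
```

With a constructed table such as {"C:\Program Files\Java\jre6": (1, 6, 0, 45), "C:\Program Files\Java\jre7": (1, 7, 0, 11)}, select_jre returns the jre6 home for "1.6", the jre7 home for "1.6+" and None for "1.4", which is exactly the case the thread describes: after the auto-update removes Java 6 the "1.6" lookup fails cleanly instead of the launch script pointing at a path that no longer exists.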
Silver badge

Losing credibility ?

Can't speak for other firms and environments of course but it seems to me as if Java, as platform, is losing quite a bit of credibility with nonsense like this. Apart from being mentioned in mainstream media as having security issues (which in the days of Sun would have been described as a nightmare scenario since Sun really took great pride in keeping Java safe), the way things are being rolled out also leaves me with question marks.

It's good practice not to jump onto the latest bandwagon but sit it out for a while. It's also the main reason why my company still utilizes Java SE 6 and is looking into Java 7. But if you look at recent history then it seems only to have gone downhill when 7 got out.

Because not too long after its release date we started hearing stories about major flaws. And in the beginning those flaws only involved SE 7, like this one.

So I'm pretty sure that will make a lot of people wonder how feasible it really is to upgrade to 7. For a first major "Oracle release" I for one am not quite impressed with 7 so far. It has a good feature set, sure, but has also built up quite the legacy. Some people are tied into Java so to speak, so they'll just have to "go with the flow". But I can't help wondering how many people will eventually start looking for alternatives. That might even boost C# acceptance.

Anonymous Coward

Thanks Oracle, for showing us how to fix security issues

Looking at this from another angle, we have to thank Oracle. This is the same "fix" I've applied to all my home computing environment. Only I've taken it a bit further, simply removing the Java plugin, all versions, from all the installed browsers, fixes completely this and any future security issues Java may have.

I did the same a few years ago to fix the Windows security issues. I replaced it with Linux and since then I don't have to worry about these.

So thanks Oracle, for following the perfect example of how to deal with a product with a long history of security issues. Simply remove it. End of the problem.

(chorus follows trying to explain how they need Java for this and that and they cannot remove it from their browsers. Sorry folks, this is my home PC environment and enterprisey applications or banking contraptions written ten years ago don't apply)


Re: Thanks Oracle, for showing us how to fix security issues

Yes right, now you have Linux security issues. But since Linux is not popular you don't read about these on the front pages of magazines and newspapers and what you do not know about does not bother you.


Re: Thanks Oracle, for showing us how to fix security issues

Linux on the desktop is not popular, true, but Linux on the server most certainly is very popular. Desktop environments may have security vulnerabilities that aren't too well-documented or known, but most of the security vulnerabilities in the Linux and GNU subsystems themselves are quickly patched as soon as they're discovered. That said, recent versions of Windows can be configured to be nearly as secure as the Unix-based and Unix-like systems nowadays. Most security issues tend to be Trojan horses nowadays, no matter the platform.


Re: Thanks Oracle, for showing us how to fix security issues

@AC 17:19

Yeah, sure, that's how you can "fix" the problem on your home PC, but this article is about its impact on enterprise environments, not home PCs. You can't just remove software from or change functionality on an enterprise system without testing how it affects your workflow, unless you simply want to gamble your institution's ability to conduct business.

As I see it, you appear to have read an article about enterprise software, commented about your own home situation, and followed up with a clause in parentheses indicating that you don't care about enterprise software. Did I miss something?


Re: Thanks Oracle, for showing us how to fix security issues

"(chorus follows trying to explain how they need Java for this and that and they cannot remove it from their browsers. Sorry folks, this is my home PC environment and enterprisey applications or banking contraptions written ten years ago don't apply)"

If the Enterprise were no longer writing stuff in Java, I'd probably be out of work. *New* stuff is being made in Java. And Mexico's SAT (the taxman, that is) uses Java for sending in stuff, as everything you send is signed with a private key you register with SAT. The whole signing/validation thing is done by ... an applet. So disable Java, and you can't send your stuff to the taxman!

Oh, that app I'm talking about? Made in 2010.

Anonymous Coward

Re: Thanks Oracle, for showing us how to fix security issues

"Did I miss something?"

The irony perhaps?

Anonymous Coward

Re: Thanks Oracle, for showing us how to fix security issues

So according to you, the Linux landscape is filled with compromised zombie machines nobody except you knows about? Methinks you could make a small fortune explaining this to the rest of the world... care to share your knowledge?

Anonymous Coward

Re: Thanks Oracle, for showing us how to fix security issues

2010 and they use an applet to sign and validate files sent to the server? How ironic, they surely have heard of SSL and certificates, but clearly they are not aware that the browser can authenticate and validate POST requests using browser installed certificates? Have they developed one of those lovely proprietary ActiveX/Windows-only "contraptions"?

Don't get me started on those government mandated things. And don't make it specific to Mexico. All over the world, there are many many examples of systems commissioned with public money that are simply terribly designed. We could make a "hall of shame" with examples all across the world.

Anonymous Coward

"While consumers ought to be running the latest version of Java,"

I thought that the general advice was that consumers should disable all versions of java even if they applied the update.

DJM

D'oh indeed!

According to the documentation from Oracle (last updated 27/11), which JNBridge also referenced in their blog, this behaviour is by design (Check out the FAQ section): http://www.oracle.com/technetwork/java/javase/documentation/autoupdate-1667051.html

"The Java auto-update process updates the latest version of Java on a user’s Windows machine. During the automatic update from JRE 6 to JRE 7, if a user only has one version of Java 6 the auto-update process will replace that JRE 6 with the latest version of JRE 7 leaving only JRE 7 in the system."

This begs the question; did someone miss the memo?

Anyway, what person in their right mind would ever choose to use Java Auto-Updates in an enterprise? It's near impossible to roll out a Java update in an enterprise environment without something breaking, so if you allow auto-updates (and I assume you also give your users admin rights since auto-updates needs this) you're bound to come a cropper very quickly.


Re: D'oh indeed!

He missed the memo. He wants the release memos to appear in the update pop-up, as if anyone is going to read them there.

And apparently he did not do a small scale test before rolling out the Java update to his customers.


Re: D'oh indeed!

@DJM

I *knew* I'd seen mention of this somewhere; my first reaction on reading this item was "hang on, isn't this feature mentioned explicitly in the JRE docs?"

Aside from which, if you've got an application (or are selling an application) which has explicitly defined version dependencies for runtimes, you should be telling your support team/customer base that this is important and explain why this means that they can't just patch to the latest release without testing or customising the install procedure.

I understand this makes life difficult for some folks (particularly smaller businesses), but its occurrence demonstrates a failure in their processes. Given that the workaround is *gasp* reinstall the required JRE, I think that volubly complaining about a problem that only manifests due to either badly-documented software version dependencies or a support process that ignores said dependencies won't do anyone any favours. Certainly if I were a customer of a developer who did this, I'd be giving them the hairy eyeball and reconsidering future support agreements...


s/Oracle/Microsoft: What would happen indeed?

What would happen if Microsoft automatically removed .NET version 3 when the user installed a security update to .NET version 4?

They would (and have) include(d) .NET 4.0 functionality in .NET 4.5. And the .NET 3.5 component on Windows 8 and Server 2012 includes previous frameworks back to .NET 2.0.

It's a tough call for me. As much as I dislike Oracle, my experience says vendors should have tested with Java 7 twelve revisions ago (meaning back when it was in Beta). The same thing happened in the 5 -> 6 transition but I haven't found a Java 5 application that broke on 6, or wasn't addressed with a subsequent update to 6.


No good reason to be on 6 anyway. Quit writing crap.


Java 6 is insecure, of course it needs to be deleted

Java 7 is on version 11.

How long is this guy going to make his users keep insecure old Java 6 around for?

Time to get with it. No more insisting customers have insecure software.
