Feeds

back to article Oracle blocks security hole with quick, hot 'n' premature Java update

Oracle has brought forward the timetable of an upcoming Java security update by two weeks in order to block off an in-the-wild security hole. The update, originally scheduled for 19 February, was released a fortnight early on Friday because of "active exploitation 'in the wild' of one of the vulnerabilities affecting the Java …

COMMENTS

This topic is closed for new posts.
Go

If Java were a boat

I'd feel much safer sailing in a paper mache colander that a java boat as the leaks are easier to plug.

1
0
Gold badge
Coat

Re: If Java were a boat

Yes, but your Java boat could sink in any ocean, sea, lake, river, stream, brook or pond anywhere in the world.

11
0
Anonymous Coward

Re: If Java were a boat

> Yes, but your Java boat could sink in any ocean, sea, lake, river, stream, brook or pond anywhere in the world.

Float once, sink anywhere?

18
0
Thumb Up

Re: If Java were a boat @AC 12:08

Nice, upvote

0
0
Bronze badge
Go

Re: If Java were a boat

If crap were music, Java would be a symphony.

1
0

Anyone else get a 'invalid certificate' fail on trying to install this update?

wondered if it was just me

0
0

Re: Anyone else get a 'invalid certificate' fail on trying to install this update?

My install failed with the message it's already up to date (it's not).

0
0
Silver badge
Headmaster

Re: Anyone else get a 'invalid certificate' fail on trying to install this update?

Recommending to uninstall the old versions.

Then log in as admin.

THEN install. Oracle/Sun still haven't fixed the bug from ... 2011 or so whereby installation won't proceed by User Account Control only.

3
0
Silver badge

Re: Anyone else get a 'invalid certificate' fail on trying to install this update?

"Recommending to uninstall the old versions"

I did that weeks ago, and haven't missed it since. So I can't agree with all of your recommendations.

0
1

Re: Anyone else get a 'invalid certificate' fail on trying to install this update?

@DAM

Yeah, it's an utter ballache. Hypothetically it should silently install when invoked with /s, but that fails more often than not, usually with no helpful indication as to why in the logfile.

I'm at the point now where I grab the MSI file from %TEMP% and batch up a silent install routine that uses the GUID of previous versions to ensure that old versions don't remain in place. They claim that as of Update 11 the /STANDALONE switch will render this unnecessary, but I'll believe that when I see have repeatedly tested it.

(I'd be happy to get rid of the bastard thing altogether at this point, given that I got hit by the vuln over Christmas courtesy of a compromised advertising network serving ads on a forum I frequent - hours of misery trying to clean it up for experimental purposes, prior to giving up and restoring from a known clean image - , but happily for me we've just rolled out a new service which requires Java at the client. Deep joy...)

1
0

Re: Anyone else get a 'invalid certificate' fail on trying to install this update?

Make sure your date and time are correct.

0
0

Re: Anyone else get a 'invalid certificate' fail on trying to install this update?

This update will fix my Java, if it will ever install. Hopeless. Which is it anyway? JavaFX JDK, JRE, Javawas?

0
0
Silver badge
Headmaster

Herp Derp!

I can only point the commentariat to the Sophos post indicated in the original article before they make the usual noises. It clearly explains what's what. (More so than stuff that appeared in IEEE Computer Mag as I mentioned somewhat earlier.)

1
0
Go

I'd much rather prefer it being 2 weeks premature, than 2 weeks after infection!

1
0
Anonymous Coward

So that will be another 50 vulnerabilities for OS-X then - Well over 1800 now!

0
0
Silver badge
Trollface

java rules

Write once infect everywhere. Even on OS's that usually don't get targeted as heavily. Platform independence rules (even if with Java the only way to do so is without GUI elements)!

0
0
Silver badge

I think the damage has already been done

First the most obvious part; reputation. Back in the Sun days Java had a reputation of being secure, you could also see some "proof" of this due to several banks and financial institutions building their solutions based on Java SE and EE. Deserved or not is something I can't tell, it does strike me as odd that some current exploits also manage to target SE5 and the likes (which, in all honesty, was EOL'd before the Oracle invasion) but the fanboy in me (I'll be honest here) can't help wonder; most of those SE5 exploits target the latest 5u22 update. Is that still a pristine Sun release or has Oracle added some of their "cosmetic only" changes into it ?

I'd check this for myself weren't it for the fact that you can't download these versions any longer without an Oracle account. Needless to say; I don't have one, even demanded that they'd remove it (I did used to have a Sun / SunSolve account).

Now that reputation took a blow, which shouldn't be underestimated IMO. For many people in my surroundings Java used to be somewhat of a "vague environment" which "obviously was robust". Those opinions will clearly have shifted with Java exploits hitting global media.

But the second part could be much more dire: competition.

When taking a look at some of the competitors in the field you'll quickly notice that in some cases competitors provide solutions which can do the same by using far less code. Less code by definition also means quicker results, whether for good or worse. But which could very well make it suddenly much more appealing to jump ships.

Sure; this development has been going on for quite some time now, people even used to criticize Sun because they were very reluctant with adding specific new developments to the Java core engines.

But back then Java wasn't openly criticized in the media for being insecure and something people should be careful with. Would you tell your customers that "Our website was build on Java, robust as it can get!" in these days ? Not sure, but I don't think it'll have the positive effects you may have hoped for.

0
0
Silver badge
Megaphone

Re: I think the damage has already been done

>which can do the same by using far less code. Less code by definition also means quicker results, whether for good or worse.

Without getting into the fallacy of less code means quicker results as a C++ developer I have seen plenty of quicker results end up costing a few orders of magnitude more in maintenance than development. I have also seen plenty of quicker results that were impossible to scale including even the en vogue at the time technology the solution was written on. Last of all, managed code has its place but its telling that Microsoft is moving away from managed code in their commercial products including Metro.

0
0
Bronze badge

Re: I think the damage has already been done

> Our website was build on Java, robust as it can get

And how do these exploits change this? Other than in the minds of people who do not understand what these exploits are and how they relate to the java platform.

These only affect applets, a tiny % of java , that technology that should have been forgotten about many years ago.

0
0
Bronze badge

Re: I think the damage has already been done

These only affect applets, a tiny % of java

Some have now been shown to permit remote exploitation of RMI servers as well. Having an open RMI server is pretty dumb, but it's no longer true that the recent bout of exploits is completely confined to applets (and other programs running in a restricted security context).

More generally, though, it's true that much of the wailing and teeth-gnashing is unnecessary, and the danger to most production Java systems is small to negligible.

0
0
Go

http://www.securityfocus.com/bid/57681/info

I hope this latest update from Oracle, auto uninstalls the older JavaFX (from control panel) which was integrated in the later updates? and users remove previous versions if they dont need them!

0
0
This topic is closed for new posts.