Oracle trowels more plaster over flawed Java browser plugin

Oracle has issued a rare emergency patch to address two vulnerabilities in the Java plugin for web browsers that the company says are being actively exploited. "Due to the severity of these vulnerabilities, and the reported exploitation of CVE-2013-1493 'in the wild,' Oracle strongly recommends that customers apply the updates …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

Java7 Update #17? I'm too exhausted to upload again

When will Oracle get it right?

1
1

Re: Java7 Update #17? I'm too exhausted to upload again

Around dinnertime.

Not sure what year, but it'll be around dinnertime...

0
0
Silver badge

And when Oracle manage to sort their certificates out so I know what I'm downloading, I might download it.

Until then, browser plugin disabled.

3
1
Silver badge

The certificate messages don't even mention Java but they do have some badly drawn icons of the same type as 'A virus has just infected your PC!'

Which as it's Java is quite possibly true. Would you trust malware not to drive a truck through Oracle's new shiny security settings?

0
0
Bronze badge
Alert

What is the latest version, Kenneth?

I sure hope that for 64-bit Windows 7 the current version is 21. How could things get any worse?

0
0

Too bad hackers don't know to stick to Oracle's patch schedule. That's just rude.

4
0
Big Brother

You will be assimilated

... by a neverending stream of updates, until you all have started to love the ask.com toolbar.

10
0
Bronze badge

last java 6 update?

I think I saw this link posted on slashdot

http://java.com/en/download/faq/java_6.xml

"After February 2013, Oracle will no longer post updates of Java SE 6 to its public download sites. All Java 6 releases up to and including 6u43 will be moved to the Java Archive on the Oracle Technology Network, where they will remain available but not receive updates."

Would be nice if El Reg could get some confirmation.

1
0

Re: last java 6 update?

It said that after 6u41 so who knows when the actual last version of 6 will happen.

0
0
Anonymous Coward

Re: last java 6 update?

Yeah, they may have INTENDED to not release updates after Feb 2013, but I think the negative feedback they'd get for not fixing the security [insert salty sailor language here] they've had would pretty much kill any hopes they have of converting the Java 6 developer community to Java 7.

0
0
Alert

What options are left?

I feel like maybe Oracle should publish an ultra minimal subset of java, redesigned from scratch, focusing on solid design, and progressively build up and out until it catches up with the current featureset, while allowing the current, unstable branch to grow feature wise, so the language doesn't TOTALLY die out in the interim.

1
0
Silver badge
WTF?

An Old Fart Remembers the Good Old Days

I remember when Java was originally launched (around the time of lots of ActiveX exploits) and much was made of its (Java's) super-duper sandbox security model that would keep us safe forever.

How did that work out then?

4
0
Facepalm

The process is tiresome

1. Install new update after it bugs me incessantly for several days in a row.

2. Tell it that I do not want the farking Ask.com toolbar for the 17th time.

3. Re-disable the plugin in my browser, again for the 17th time.

If I didn't need Eclipse and the Android SDK, this piece of trash would be banned from my systems. :P

5
0
Mushroom

Re: The process is tiresome

Oracle Sievemaster Sisyphus, just keep rolling that stone!

One day it may stay up there at the top of the hill, somewhere around the heat death of the universe.

0
0
Anonymous Coward

Java is a mess

You know when the latest O'Reilly "Nutshell" book for Java is nearly 3" thick that something has gone completely awry.

1
0
Bronze badge

Re: Java is a mess

It's that big as they pad it out with API documentation that is available elsewhere.

> something has gone completely awry.

Eh, because it has a such a wide ranging API something has gone awry? Personally I would have thought that is one of the reasons it is such a common choice of language.

0
0
Silver badge

Re: Java is a mess

It's a bit like the horsemeat scandal: all those APIs that are the reason it's a common choice of language represent programmers who are prepared to trust that some complete stranger "upstream" has done their job correctly and their code can simply be called without fuss.

In fact, just as it turned out that our "from the shelf to the field" food tracking system of trust was bogus, the API chain often (in any language) turns out to be full of holes, patches, and just plain bad programming. Oracle's struggle to fix this is exactly analogous to what happened in the wake of the first revelations about the horsemeat - someone went to fix what they thought was an isolated problem and discovered the rotting systemic mess behind that outbreak.

I'm not saying this is a specifically Java problem - if anything it's an inherent problem in the culture of Object Oriented Programming: the idea that you can have "shrink-wrapped" components from vendors you can trust (I know the concept also appears in pre-/non-OOP systems too). But at the end of the day, why do you actually think you can trust someone else's code? I can barely trust my own, to be honest.

That 3" thick Nutshell book represents 3" of APIs that someone is asking you to take on trust. Is that a good idea, regardless of how common it is that programmers do in fact accept it?

2
0
Bronze badge

Re: complete stranger "upstream" has done their job correctly

> and their code can simply be called without fuss.

No, that is what testing is for

0
0
Anonymous Coward

Disable Java

It has no business being in a browser anyway, or installed on a client.

It's barely serviceable on a server these days.

It's time for Java to die.

1
6
Bronze badge

Re: Disable Java

> It has no business being in a browser anyway,

Ideally you are right; users of legacy enterprise apps may disagree.

> or installed on a client. It's barely serviceable on a server these days.

If you use your name you can use the troll icon, you know.

0
0
FAIL

Ask Toolbar?

And on top of the relentless security fixes, we have to constantly fight off the installer's attempts to install the Ask Toolbar. I don't want the bloody Ask Toolbar! Oracle, you suck...

6
0
Gold badge
Mushroom

Oracle?

Keep digging, we can still see your heads.

3
0
Bronze badge

Only 6 users left?

> which urged all six Java users who have not yet disabled the plugin

0
0
Facepalm

What a load of pointless fuss

So Java is rubbish because the browser plugin has the odd vulnerability or two (which could in fact be due to integration with the browser rather than anything fundamental to Java itself). Chrome and Firefox seem to get patched every five minutes and no one bats an eyelid. Known M$ vulnerabilities can hang around for months before they get fixed.

Anyone would think that someone has got it in for Java. Maybe it's Oracle that is spreading all this FUD and hatred?

Personally, I love Java and hate Oracle. I don't want the Ask toolbar, and it would be nice if the documentation didn't have lots of broken links to the Sun websites, or pointless links to top-level pages. However, I think the language is great, and is still a brilliant way to produce functional cross-platform applications (client or server) using a proper strongly-typed OO language.

4
0
Silver badge
Happy

Thank You, Firefox

Any Reg readers checking their Options will discover that Mozilla 'nuked' Java, with as much as a request.

I'm thankful, as both my wife and daughter, undoubtedly like many others, haven't a clue on how to disable Java.

What of Internet Explorer?

0
0
Silver badge
Unhappy

No thank You, Firefox

Screw you, Firefox. Stop disabling addons without telling me first, and offering me the option of leaving them enabled.

3
0
Bronze badge
FAIL

When a software supplier....

...has versions numbered 10.2.5471.2.15.26 (or whatever), you just KNOW there is some inherent problem.

I remember when having to provide support for Oracle apps, it was ESSENTIAL to get EXACTLY the right version of Oracle (which was always a PAIN to install), because there seemed to be no onwards/backwards compatibility with Oracle and, of course, no "Oracle Update" as per Windows.

If we ever got a new Oracle application to support, we knew support costs were going to be MUCH higher than comparable non-Oracle apps.

0
0

The other side of the story

So I guess it's no big deal that most of the popular browsers have had recent critical security exploits:

http://www.theregister.co.uk/2013/03/05/google_chrome_pre_pwn2own_update/

or that Windows is still riddled with security exploits

http://mobile.theverge.com/2013/2/13/3983846/googlers-found-over-50-percent-of-the-bugs-in-microsofts-massive-update

It is my opinion that Java/JavaFX kicks HTML5's butt when it comes to performance, capability and maintainability:

http://download.oracle.com/otndocs/products/javafx/2.2/samples/Ensemble/index.html

http://jfxtras.org/resources/java/Ensemble.jnlp

http://goworldwind.org/demos/

(Of course, many of you won't be able to see these demos since you have been manipulated into disabling Java.)

The truth is that any software that is exposed to the network may have a critical security vulnerability. Every time that software is touched, another vulnerability may be exposed. (Remember how a simple buffer overrun exploit was used in the Unix "finger" program to bring down the internet in the '80s?)

At least Java was designed for security from the beginning and has more of a chance of being secure than most other networked applications. Java 7 was a big change from Java 6 and will have some short term hiccups. The nice thing about Java is that it is open source so the vulnerabilities will be discovered quickly as thousands of hackers, developers and security firms probe through the source code. (i.e. Java doesn't rely on security through obscurity.)

2
2
Silver badge
Pint

Poetic Justice

...and the exploiters become the exploited.

0
0