Who's riddling Windows PCs with gaping holes? It's your crApps

Nearly nine out of ten security vulnerabilities in Windows computers last year were the fault of popular third-party applications, as opposed to Microsoft's own software. That's according to security biz Secunia, which analysed flaws found in the most-used 50 Windows programs - 29 from Microsoft (including its operating system …

COMMENTS

This topic is closed for new posts.

  1. Anonymous Coward
    Anonymous Coward

    Delete Java

    It has no business being installed on a client PC; its home is a server.

    Java UIs are as ugly as sin, buggy in general (never mind security exploits) and platform specific, bloated monstrosities. The only place to have Java is off on a server somewhere doing heavy lifting for business processing. And even then, there's good argument to not use it as there are other, much more flexible and scalable options.

    1. Anonymous Coward
      Anonymous Coward

      Re: Delete Java

      Yet another "well, I don't need it" idiot...

      Ok I'll listen to you and delete Java,

      Then put my feet up as I can't do a huge chunk of my job. I'll tell the directors that our multi-million pound contracts can't be supported, but it's ok as I've been told I don't need it.

      1. Grant 5

        Re: Delete Java

        Maybe change that to "If at all possible delete that sh$t". I've not had it installed for years and have never missed it; unfortunately it is still required in places.

      2. Anonymous Coward
        Anonymous Coward

        Re: Delete Java

        You could port it to .Net and ditch all of those security and performance headaches...

        1. Anonymous Coward
          Anonymous Coward

          Re: Use .Net

          >> ditch all of those security and performance headaches.. <<

          and get some new ones....

          1. Anonymous Coward
            Anonymous Coward

            Re: Use .Net

            "and get some new ones...."

            But far fewer of them.

            1. Anonymous Coward
              Anonymous Coward

              Re: Use .Net

              More likely they get patched quicker as Microsoft is on the ball, Oracle don't give a toss.

          2. VaalDonkie

            Re: Use .Net

            Or maybe some of us just want to finish a project before Jesus returns. See, the reason companies choose C# or Java over C++ is that by the time you've finished arguing over the right memory-management policy, we've already prototyped most of the project and are relaxing at the pub. It's a question of productivity.

            1. Anonymous Coward
              WTF?

              Re: Use .Net

              ". See, the reason companies choose C# or Java over C++ is that by the time you've finished arguing over the right memory-management policy, we've already prototyped"

              Ah, the old memory management meme. If you knew anything about C++ you'd know that these days you hardly need to do manual memory management at all if you don't want to, if for example you use the STL, Boost or even just plain old stack based automatics for your object creation and destruction. And when you do use a pointer manually it's usually to do something faster and quicker than Java can manage.

        2. wikkity

          Re: ditch all of those security and performance headaches

          What security/performance issues? The only Java security issues are in applets, a legacy technology that should be avoided where economically possible. If you experience performance issues that is nothing to do with Java but the developers.

      3. Anonymous Coward
        Thumb Down

        Re: Delete Java

        "Then put my feet up as I cant do a huge chunk of my job. I'll tell the directors that our multi-million pound contracts can't be supported,"

        If your directors had a brain they wouldn't have any large scale projects written in Java in the first place. It's a bloated memory hog and it's only promoted by 2nd division developers who find C++ too difficult.

        1. sabroni Silver badge

          Re: 2nd division developers who find C++ too difficult.

          And C++ is just for third rate engineers who can't do assembler properly.

          Choose the right language for the job. C++ is good for some things but if you need your app to be device independent then something that runs on a virtual machine makes much more sense. No language is the best for every job. A first rate engineer would know that....

          1. Anonymous Coward
            Headmaster

            Re: 2nd division developers who find C++ too difficult.

            "And C++ is just for third rate engineers who can't do assembler properly."

            Actually modern x86 assembler is virtually impossible for a human to use properly, not only because there are so MANY instructions now, but because you'll constantly have to be second guessing the pipelining and caching. Leave it to a compiler.

            "Choose the right language for the job. C++ is good for some things but if you need your app to be device independent then something that runs on a virtual machine makes much more sense. "

            C++ with high enough level libraries is portable between systems. And yes, Java is device independent, but it's not JVM version independent so it simply exchanges one set of portability problems for another.

          2. Mikel
            Happy

            Use the right language

            The Tao gave birth to machine language. Machine language gave birth to the assembler.

            The assembler gave birth to the compiler. Now there are ten thousand languages.

            Each language has its purpose, however humble. Each language expresses the Yin and Yang of software. Each language has its place within the Tao.

            But do not program in COBOL if you can avoid it.

            - The Tao of Programming

        2. Slawek

          Re: Delete Java

          And these second division developers will write their Java code quicker and with fewer bugs than you will with your C++ :-)

    2. BillG
      Happy

      Re: Delete Java

      In the computers I'm responsible for all problems including infections were traced to Java.

      Last November we uninstalled Java on all laptops except those doing Android programming, and on those Java was disabled in all browsers. My God, I haven't had one problem since.

    3. Anonymous Coward
      Anonymous Coward

      Re: Delete Java

      And the other vulnerabilities? If you look at 'Vulnerabilities in the 50 most used programs (including Windows)', Java is in fifth place. Here's the top 10:

      291 - Google Chrome

      257 - Mozilla Firefox

      243 - Apple iTunes

      67 - Adobe Flash Player

      66 - Oracle Java JRE SE

      56 - Adobe Air

      50 - Microsoft Windows 7

      43 - Adobe Reader

      41 - Microsoft Internet Explorer

      29 - Apple Quicktime

      1. Anonymous Coward
        Anonymous Coward

        Re: Delete Java

        I don't know how you can blame user space programs such as Adobe Reader for generating security vulnerabilities in the OS. The OS should be secure enough to not be hijacked by Adobe Reader or a third party app going via Adobe Reader.

        1. Davidoff
          WTF?

          Re: The OS should be secure enough

          "...to not be hijacked by Adobe Reader or a third party app going via Adobe Reader."

          Yeah, right, because application vulnerabilities are no problem on other operating systems like Linux or OS X. Oh wait, they are.

          I guess that all operating systems are fails then.

    4. Anonymous Coward
      Anonymous Coward

      Re: Delete Java

      Unless you're a Java developer or want to play Minecraft or you need it for your online banking.

    5. Andrew Williams
      FAIL

      Re: Delete Java

      And while you're at it delete everything. Everything is bollocks. The only thing left for you to do might be to go dance naked on the M1.

  2. Anonymous Coward
    Anonymous Coward

    Paging Mr Eadon

    Soooo, anything to say? Mmm? We're listening...

    1. Anonymous Coward
      Anonymous Coward

      Re: Paging Mr Eadon

      On previous form, I'd imagine that what he'll say will be along the lines of:

      "Of course, if M$ had written the underlying operating system properly in the first place, these apps wouldn't be able to create a security vulnerability..."

      Then there would be an extended rant about how terrible Microsoft are, he'll probably say that educating children about a user interface he doesn't like (the ribbon) is actually child abuse. Then there will be an obligatory caps lock accusation of "fail".

      1. Boris the Cockroach Silver badge
        Unhappy

        Re: Paging Mr Eadon

        "Of course, if M$ had written the underlying operating system properly in the first place, these apps wouldn't be able to create a security vulnerability..."

        Damn, I was just about to write that too.

    2. TeeCee Gold badge
      Meh

      Re: Paging Mr Eadon

      I doubt you'll get a response.

      He's probably in a coma from the total brain meltdown caused by finding out that his beloved MS swiss cheese security is mostly everyone else's swiss cheese security.

      Either that or the first case of spontaneous human explosion has just occurred under a rock somewhere.

      1. 1Rafayal
        Paris Hilton

        Re: Paging Mr Eadon

        I am not a betting man, but I would lay a fiver on at least one of those AC posts above being from our much tolerated Eadon.

        1. RyokuMas

          Re: Paging Mr Eadon

          Nah, Eadon doesn't post under AC - or so he claims...

          1. 1Rafayal

            Re: Paging Mr Eadon

            "...Nah, Eadon doesn't post under AC - or so he claims..."

            lolololol

            It's either that or his "second" account then ;)

            1. eulampios
              Linux

              Let me try...

              The Danish biz added that sysadmins must not forget to roll out updates for all installed code rather than just Microsoft's and the few "usual suspects from other vendors".

              Sorry... got confused about the point? Doesn't it happen all at once? Your update manager pops up, you click on the button, enter your password and every single piece of software that has an update ready is updated (you could also choose to defer an update for any individual item there). Oops... my bad... I thought they were talking about GNU/Linux systems. No 3rd party software, everything is #1.

              1. Anonymous Coward
                Anonymous Coward

                Re: Let me try...

                Well, I did a "yum update" on my netbackup master server and some of our DB2 and Oracle database servers the other day and none of the commercial software was updated, so I'm going to go with: No, it doesn't happen all at once, if you work in the real world.

                We also have problems that we need to keep certain versions of certain bits of software we use at a fixed level, doing a "yum update" (from an Internet hosted repo) would actually take out some key servers due to updates breaking some features we use. Again: In the real world it turns out to be more complicated than updating everything at the same time.

                Linux is great, patching from repos is great, but it's not a panacea. You get some control running your repo locally, but it's not as easy as all that. Likewise, if I set up an MS WSUS server I can update everything from a single operation, assuming I've put all the updates that I want onto the WSUS server.

                1. eulampios

                  Re: Let me try...

                  You're trying to be a pessimist and an optimist in the same bottle, I see, hence an AC mask.

                  ..DB2 and Oracle database servers the other day and none of the commercial software was updated

                  Wow, what a surprise? Maybe you should be using something like PostgreSQL, MariaDB or similar. Proprietary stuff is a pain in the arse. At the same time, some GNU/Linux distros provide important (or so they say) updates for binary-only proprietary stuff, like flashplayer.

                  if I setup an MS WSUS...

                  So, you yourself have to set this up first (manually, right?). How convenient. And every Windows user is so delighted to do just that... or not.

                  Anyways, you stay with MS and Windows, I'd rather not, thanks.

                  1. Anonymous Coward
                    Anonymous Coward

                    Re: Let me try...

                    No, what I'm saying is that Linux has a great update model, but it has some significant problems. Primary would be the lockstepping of installed software to the version of the other packages installed, unless you go to great hassle to make it not so.

                    Suggesting running PostgreSQL or MariaDB suggests that you don't really know much about databases. Even if we could just change from Oracle or DB2 to FOSS databases, most of them - good as they are - just aren't up to the standards of the big commercial databases. I notice that you can't cite a FOSS backup server.

                    You obviously don't really know what a WSUS server is, otherwise you would realise that your comment doesn't make sense.

                    Then you suggest that I'm a Windows user, the implication being that I can't also be a Linux user. This is tired old crap that gets trotted out again and again by the fanboys. It's possible to know both, criticise both and praise both where appropriate. To paint either system as a panacea is just simplistic and tribal.

                    1. eulampios

                      Re: Let me try...

                      Primary would be the lockstepping of installed software to the version of the other packages installed, unless you go to great hassle to make it not so.

                      Not sure what you mean by that exactly. apt, yum and others have a pretty good dependency logic (especially aptitude). You still can force whatever you want, though things can break this way. No alternative on Windows for that.

                      ...just aren't up to the standards of the big commercial databases.

                      I know enough about databases to discern that this is bullshit. First, even if that was true in 99% of the cases DB2 (and even more so) Oracle databases in industry are used where even sqlite would easily suffice.

                      You obviously don't really know what a WSUS server is...

                      I looked at this guide and imagined how many buttons I would have to press, folders to open, tickmarks to check, uncheck and click to make it do (with all vendors or just a few?) what I could do with one click or command and maybe one edited line in the /etc/apt/sources.list. Interesting to note here that it only took MS (2011) ... 14 years to do something partially similar to the Debian apt system.

  3. John Smith 19 Gold badge
    Unhappy

    I'm amazed "how to create security holes" is not a part of *every* CS course.

    Because it seems to be one thing developers across the industry manage quite well.

    You've got to wonder, is it them? Is it the pressure to produce something now? Or are the vulns in the libraries they're using that are not being fixed?

    1. Anonymous Coward
      Anonymous Coward

      Re: I'm amazed "how to create security holes" is not a part of *every* CS course.

      I'd say it's probably a failure to clean up after themselves.

      You create library v1, then you build on it and make v2, v3 v4 etc etc. By that point you have v5 changing a pointer created in v4 which was to an object created for v3, which was extended from a different object which had been created in v2 which originally came from v1.

      v6 comes around, you need to fix bug A, to do this you change the object from v1, and suddenly the entire chain is incorrect, you have memory being misallocated etc etc. Your simple fix of changing that long to a uShort has suddenly caused a cascade of bullshit which flows downhill like a mountain of the brown stuff.

      All the while you have a backend structure several tens of thousands of lines long, most of which is superseded or no longer used, and could probably be replaced with a few hundred lines of code which do the same job faster, more securely and are easier to read.

      But because the code 'works' anyway, execs will never give the go ahead to improve / rewrite it because they're too stupid to see the potential benefits even when they're stood in their face slapping them with a trout.

    2. Neil B
      Unhappy

      Re: I'm amazed "how to create security holes" is not a part of *every* CS course.

      Because software development, maintenance, and support in an enterprise environment is subject to a million things out of your control, and f***ing hard.

    3. Ken Hagan Gold badge

      Re: I'm amazed "how to create security holes" is not a part of *every* CS course.

      Cutting corners (and introducing security holes) saves developers (or their employers) money and gets them to market ahead of their competitors. The costs are borne by the customers. The customers can only move to a better supplier if the better supplier hasn't yet been eliminated from the market (owing to their higher development costs).

      Any developer with half a clue can write shit in any language. Bugs have nothing to do with programmers, languages or education. It's all economics.

  4. Andrew Baines Silver badge
    Facepalm

    Surely

    Isn't it the job of the OS to prevent bugs in applications being security holes?

    1. Anonymous Coward
      Anonymous Coward

      Re: Surely

      Like the way Linux prevents all of those exploits in third party apps you mean? Oh, wait.... http://www.youtube.com/watch?v=DhpTdiEKq_0

      1. Anonymous Coward
        Anonymous Coward

        Re: Surely

        See! It's not the OS's job to do this because Linux has problems too! That's not actually an argument, it's the same problem on another OS....

    2. JDX Gold badge

      Re: Surely

      If you want to allow applications to do something useful then they have to be able to do stuff on the system - modify/delete files for instance.

      Of course you could have an OS with different permissions "modify files outside own directory" etc but it won't help because everyone will accept the permissions.

      1. Anonymous Coward
        Anonymous Coward

        Re: Surely

        @JDX - Or you could just set up your filesystem and Registry ACLs correctly and not run with an account that has inappropriate privilege levels - or at least, not bitch about it if you run as administrator and everything goes wrong.

      2. Tom 13

        Re: with different permissions "modify files outside own directory" etc

        Actually, there were some old OSes that did that very well. OS space cleanly segmented from data space so while the data space still needed to be protected, it was nearly impossible to compromise the OS space.

        It's just our current OS matrix that jumbles them together.

        1. Anonymous Coward
          Anonymous Coward

          Re: with different permissions "modify files outside own directory" etc

          @Tom13 - the problem is that it's really the data space that I'm interested in protecting, I don't care about the OS, the worst that could happen is that I spew out spam or someone otherwise steals my bandwidth - if people get my data they could destroy it, they could corrupt it (you'll only notice if you try to use it and you'd better hope you notice before your backups go out of retention) or get personal details that may be stored there.

        2. Jamie Jones Silver badge

          Re: with different permissions "modify files outside own directory" etc

          FreeBSD, you mean?

  5. g.marconi

    9 out of 10 ???

    Surely 21 out of 50 would be 42% not 90%.....or has maths changed so much since I was at school?

    1. Anonymous Coward
      Anonymous Coward

      Re: 9 out of 10 ???

      I think you are confusing #applications with #vulnerabilities, or has English changed since you were at school?

    2. David Ward 1

      Re: 9 out of 10 ???

      its English you should be worried about, not maths.

      1. Adam 1

        Re: 9 out of 10 ???

        It's "it's"

        1. mmm mmm

          Re: 9 out of 10 ???

          No, it's "It's".
