Are you in charge of a lot of biz computers? Got Java on them?

Java security vulnerabilities - exploited to hack Apple and Facebook this month - are rife across business computers worldwide, according to new research. The overwhelming majority (94 per cent) of PCs and other endpoints running Java software and surveyed by Websense are vulnerable to at least one Java runtime exploit, …

COMMENTS

This topic is closed for new posts.

How many of these machines are running Microsoft's long-abandoned Java variant? I was surprised to see the option still being offered in Windows 7 installs.

5
0
Anonymous Coward

My copy of Visual J is still on the shelves. But it is so old that I had forgotten that completely until I read your comment. Was not aware that it was still an option in W7. There has to be some big, fat VJ program in some big corporate intranet to justify keeping something that old around.

1
0
Anonymous Coward

"There has to be some big, fat VJ program in some big corporate intranet to justify keeping something that old around."

Never mind that, there are some major UK retailers whose entire EPOS solution is written in Java. So presumably as ugly and retro as Minecraft.

1
0
Anonymous Coward

Some IBM stuff

A certain large bank, operating in various countries, is stuck with the Microsoft JVM on their employees' PCs. Why? Because the IBM 3270 terminal emulator offered on the intranet site is Java-based, but it will only work with the Microsoft JVM.

Ouch.

1
0
Anonymous Coward

At least the Microsoft one is easily patched without breaking anything...

0
0
Silver badge

"there's some major UK retailers whose entire EPOS solution is written in Java."

And amusingly, it's called "Eclipse".

Was fun when Buncefield blew up and the whole damn system had to operate with its head cut off, too. Ever tried to work in a store when even internal stock-checks don't work and card payments take anything from 60 to 180 seconds or more to go through? That was... an experience.

Ex-DSGi employee and not regretting the "ex" part one bit.

0
0
Anonymous Coward

@M Gale

Oh, there's more than Eclipse. Retail J is embedded with a few very big retailers, and the quickest of web searches will name them.

If wide enough, that search might also throw up the fact that the founder of Retail J has not long come out of clink for a £1.6m fraud. So not only are the users enjoying the secure high quality platform that is Java, but their core point of sale money and stock system was designed and built by a fraudster. In about two months' time we'll know if the Torex 4 are sent down, and if they are, then we will also be able to say that Retail J was sold by a further gang of convicted fraudsters.

1
0
Bronze badge

Upgrading from JRE 1.6

Yeah, thanks Oracle. Just let me know when your E-Business Suite actually supports either an up-to-date JRE, or even an up-to-date browser, and I'll get patched right up.

According to the devs, clients need to be using a 6 series JRE and have to be on IE8, because neither the 7 series JRE nor IE9+ are certified yet. That's one Java and 2 browsers behind the times for their flagship enterprise product. Either the devs are lying, or Oracle is being sanctimoniously two-faced in their "you should just upgrade, problem solved" stance.

Srsly ORCL, please to fix? >.<

23
0

Re: Upgrading from JRE 1.6

To be fair to Oracle, EBS has been certified with JRE 7 since December:

https://blogs.oracle.com/stevenChan/entry/jre_7_certified_with_oracle

The Metalink notes say they also support IE9 and Firefox ESR 17 on Win7. I have a lot of gripes about how Oracle handles certification and patching in general, but in this case the criticism isn't justified.

0
0
Anonymous Coward

Re: Upgrading from JRE 1.6

https://blogs.oracle.com/stevenChan/entry/java_jre_1_7_03 ?

0
0
Anonymous Coward

Re: Upgrading from JRE 1.6

Have you actually looked at that patch though? It along with a mighty flock of prerequisites amounts to a full upgrade in all but name. Our customization footprint is relatively minimal, but even so we're going to have to budget a couple hundred hours in consultant and high-level staff time to properly vet and install it. Bloody mess, really.

1
0
Paris Hilton

Backwards compatibility

A lot of the reason machines and servers end up with old versions of Java is the lack of proper backwards compatibility. All too often there are programs that will only work with a particular version of one particular JVM. As someone who has to deal with this, I do get rather frustrated with Java. My arse is more backwards compatible than this.

7
0
Bronze badge

Re: Backwards compatibility

Do you get frustrated with <insert instruction set here> when a certain chip behaves slightly differently, has bugs/different bugs or triggers unwanted behaviour because some code depends on an undocumented feature that it doesn't have? Backwards compatibility is nice to have, but there isn't going to be a system in existence that has 100% perfect backwards compatibility.

1
8
Anonymous Coward

Re: Backwards compatibility

Don't be too harsh on Java. There are two layers to this "compatibility" thing.

The first is not technical, but merely a means of making support easier for the vendor. They simply don't want to test the app under every combination of JRE and OS since Windows XP days, so they simply test under what is more comfortable for them and that is what becomes "officially supported". In summary, the app will happily run on "unsupported" OSes, JRE versions, and browsers, but just don't call us if it does not.

The second is technical, but is entirely the fault of the application developer, because it flags reliance on platform-specific behavior, for example external programs (such as Office), .so modules in Linux, or whatever. I have (and there are still some around) web applets written for Java 1.0 that work perfectly under the latest Java version, so if your program depends on OCXs or other artifacts and you were sold on Java because of its platform independence, you can claim your money back.

Oh, well, there is a third reason: hardcoding a version and environment check at the start of the program, but that really is done to implement one of the above.

3
1
Anonymous Coward

@Daniel Palmer

There is backwards compatibility, and backward compatibility.

I have binaries compiled on Solaris 2.1 which still run 20 years later on Solaris 11.

I have Java apps tested for 1.6_0_20 that won't run on 1.6_0_21. Write once debug everywhere has long since stopped being just a funny joke.

5
0
Bronze badge

Re: @Daniel Palmer

I have some really old Java code that runs on 1.4 up to the latest OpenJDK 6 and 7 releases. I'm sure there is code out there that will run on all of those and embedded JVMs. There is a lot of C code out there that only compiles and runs correctly on a vendor's build of GCC from a specific snapshot. Python seems to break apps with each point release. This is a common issue all the way through the stack, all the way down to the hardware.

1
1

Re: @Daniel Palmer

"I have Java apps tested for 1.6_0_20 that won't run on 1.6_0_21. Write once debug everywhere has long since stopped being just a funny joke."

Do you really? 1.6.0_21 was a pretty minor changeset. Or are you picking revisions randomly to underline a general point?

For what it's worth, we have customers running our software on every platform and revision from 1.4 on, and, although there are notable exceptions to this, in general things work fairly consistently from release to release and from vendor to vendor, particularly within the same major revision (e.g. Java 6). The only exceptions I can think of to this are changes to the JavaScript environment included with Java 6: for obvious reasons, Oracle have made some major incompatible changes here relating to classloading, in 1.6.0_7 and again in 1.6.0_28, which buggered things up for us.

(This message is not in any way intended to defend Oracle's cack-handed performance in other areas of Java.)

2
0
Anonymous Coward

@Androgynous Cupboard

> 1.6.0_21 was a pretty minor changeset. Or are you picking revisions randomly to underline a general point?

Yeah, it might not have been those precise versions, but it was certainly that level of micro-release. I'd not be surprised to see some small breakage/obsolescence between, say, 1.5 and 1.6, but I'd expect everything to work within a given minor release.

Sadly I suspect this is symptomatic of the same coding quality that has led to all the security issues, the sort of "it compiles, ship it" attitude that occurs all too often with the self-trained web 2.0 development kiddies. Proper design and testing is just too much hard work when they can be hacking cool stuff.

2
0
Flame

Updates

It doesn't help that the updater is such an annoying little **** and seems to always have a new update to apply. If I accidentally accept it, I'm then bombarded with UAC prompts at random intervals.

At some point (for me, years ago) people chose to be blind to the constant nagging and just ignore it.

7
0
Silver badge

Re: Updates

And isn't the Java updater the one that also tries to spam you with things like the Ask toolbar and other crap that you don't want, but that it will merrily add if you just click-through rather than remembering to untick the various boxes first?

Of course it also will ask every damn time, rather than remembering that I've said no to the last dozen times it's asked me if I want to weigh down my browser with unwanted junk in the vain hope that I might suddenly want it this time.

Come on, just patch the holes, make it compatible and get it to work without all the nagging and backdoor installs, then we may keep up better.

20
0

Re: Updates

"At some point (for me, years ago) people chose to be blind to the constant nagging and just ignore it."

Me too. And mostly, people see that UAC popup and think that it is a virus instead of something legitimate. (And I use the word legitimate loosely when talking about Java)

0
0
Pint

Re: Updates

Worse yet, it can get in a state where it can't download the update, so just prompts and prompts.

And "hiding" the Ask Toolbar in the installer to trip up the parental types who have been told^H^H^H^H trained to always update Java whenever it asks, to prevent a recurrence of last year's embarrassing outbreak of browser hijacking with porn links.

3
0
Silver badge
Facepalm

@Ian

Ignoring is one thing, I tend to disable it first chance I get.

It's another total fail in the whole process IMO. I mean; sure, for home scenarios I can see why they chose an updater. But what about JDK installations? Those environments don't need to be treated like children; developers usually know very well which versions to use and which to ignore.

But no; it needs to be automatically updated... Preferably with Google and Tumbler and god knows what kind of toolbars and mal- or spyware.

3
0
Anonymous Coward

Re: Updates

It's not just their updater. In theory we have centralized management to push new versions of Java to systems. Sometimes it works. Sometimes it doesn't. Sometimes when it doesn't you can't install the update manually because a file is missing or damaged. If that happens chances are you can't uninstall because the same file is missing or damaged. I've even had one recently where Programs and Features listed 6.35 and when I ran the uninstaller the banner read 6.32 and then it failed for a missing or corrupt file.

I'll grant there were problems even under Sun but never like now (and most of our issues were self-inflicted wounds because the damn app programmers wouldn't move off 5.16 even 2 years after Sun was no longer supporting it).

0
0
Silver badge
Megaphone

Re: Updates

Then the fun one where it will nag a standard user to update, only to fail because they don't have admin privileges.

If you go into the Java control panel to disable automatic updating so that it will stop pissing off users, you get blasted by a popup for being an unsafe bastard.

3
0
Bronze badge

Re: Updates

The updater program has a /different name/ for every version. The executable is renamed every time.

This means that I can't give a fixed exemption in our firewall, which means that on locked machines -- the ones used for banking which require Java in the browser -- I have to go around, turn off the firewall, run the update downloader, apply the update, and re-enable the firewall.

What is the recommended solution for this problem?

1
0
Bronze badge

Re: Updates

Never noticed that problem.

But then, I download the update and push it out from the server, never get such nonsense.

Now, Adobe patches, those are known to ignore the hell out of their command line switches. Minor things, like no reboot...

Between Adobe and Oracle, they're a combined cause of premature aging of information security types.

0
0
Bronze badge

It always amazes me when people manage to make their Java code reliant on a specific version of the runtime. You have to go out of your way (using classes in the sun.com hierarchy or coding in a home-brewed version check) to fuck it up, but so many people do. It's down to the general incompetence of the typical developer frankly, and ironically Oracle's are some of the worst (SQL Developer, I'm looking at you).

12
0
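The "home-brewed version check" this post and the earlier "Backwards compatibility" reply describe is easy to demonstrate. The following is an added example, not code from the thread or from any product named in it: a gate pinned to one micro release (the kind that breaks on the next security update) next to a gate that only requires a minimum feature version and tolerates any patch level, so security updates can be applied without the app refusing to start. All class and method names are invented for illustration; the version strings are constructed samples.

```java
// Added illustration (hypothetical names): brittle exact-version gate versus
// tolerant minimum-version gate. Uses only the standard library.
public final class JreGate {

    /** The pattern the thread complains about: pinned to exactly one micro release. */
    static boolean brittleCheck(String javaVersion) {
        // Fails on 1.6.0_21 even though only the patch level changed.
        return "1.6.0_20".equals(javaVersion);
    }

    /**
     * Reduces java.specification.version to a feature number so both
     * schemes compare: "1.6" -> 6, "1.8" -> 8, "9" -> 9, "17" -> 17.
     */
    static int featureVersion(String specVersion) {
        String[] parts = specVersion.trim().split("\\.");
        int major = Integer.parseInt(parts[0]);
        if (major == 1 && parts.length > 1) {
            return Integer.parseInt(parts[1]); // legacy 1.x numbering
        }
        return major;                          // Java 9+ numbering
    }

    /** Tolerant gate: require at least minimumFeature, accept any patch level. */
    static boolean meetsMinimum(String specVersion, int minimumFeature) {
        try {
            return featureVersion(specVersion) >= minimumFeature;
        } catch (NumberFormatException e) {
            // Unrecognised vendor format: fail closed rather than guess.
            return false;
        }
    }

    public static void main(String[] args) {
        // Live values from the JVM running this class.
        String full = System.getProperty("java.version");
        String spec = System.getProperty("java.specification.version");
        System.out.println("brittle gate on " + full + ": " + brittleCheck(full));
        System.out.println("minimum-Java-6 gate on " + spec + ": " + meetsMinimum(spec, 6));

        // Constructed samples: the brittle gate rejects the very next patch.
        for (String v : new String[] {"1.6.0_20", "1.6.0_21", "1.7.0_03"}) {
            System.out.println("brittle " + v + " -> " + brittleCheck(v));
        }
        // The tolerant gate accepts every 6-or-later runtime, old or new scheme.
        for (String s : new String[] {"1.5", "1.6", "1.7", "11"}) {
            System.out.println("minimum 6 " + s + " -> " + meetsMinimum(s, 6));
        }
    }
}
```

The brittle gate prints true only for "1.6.0_20"; the tolerant gate prints false for "1.5" and true for "1.6", "1.7" and "11".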
Anonymous Coward

Sweet revenge

So when I was massively downvoted for posting "Thanks Oracle, for showing us how to fix security issues" I was actually right in how to fix the problem? "Looking at this from another angle, we have to thank Oracle. This is the same "fix" I've applied to all my home computing environment. Only I've taken it a bit further, simply removing the Java plugin, all versions, from all the installed browsers, fixes completely this and any future security issues Java may have."

So they are now recommending exactly the same, unless you absolutely need it, then in that case keep a standalone browser installed just for that.

Come on, start thumbing up and remember where you read it first. And post apologies below. I was right. As always, by the way (those that did not see the irony at the time and the dismissal of the "business environments", please refrain)

4
1
Anonymous Coward

Re: Sweet revenge

Did you also remove Chrome, Firefox and Adobe Reader, since each one of those has 3-5 times more security flaws than Java?

3
2
Anonymous Coward

Re: Sweet revenge

Good point. I use Linux at home, so Adobe is not needed as there are plenty of PDF readers. You're right that both Chrome and Firefox have many more vulnerabilities, but you're forgetting that they get upgraded much more often.

No piece of software is 100% provably secure (halting theorem and all that), and even if it were, the human component (that's me) is provably insecure. In the end, security is a trade-off. If you want to be 100% secure, don't plug anything into your computer, be it ethernet cable, USB dongle, WiFi connection or anything else.

Beyond that level of security (assuming of course that you keep your machine in a safe enough box, etc) it is just a matter of balancing risk versus utility.

Linux with Firefox may some day be exploited, but so far is pretty safe, to the point of you being able to browse the intertubes with a fairly high level of confidence. Certainly safer than Windows, and safer than IE, if only because those are much more attractive targets in terms of ROI for the bad guys.

2
0
FAIL

SSL Cert error anyone?

Does everyone else get a certificate error from the updater? I gave up installing updates ages ago as it complained about the SSL cert. As it's a simple dev box I figured I'd wait for the certificate to be fixed; that was well over a year ago.

2
0

Re: SSL Cert error anyone?

Same here. Was forced to install the latest Java last month for some daft work purpose only (a) to have the updater screw up this month, (b) when I grabbed the full download, to have the (also for me, longstanding) SSL cert error back. Bye-bye Java for good this time. Turned out I didn't even need it for work.

0
0
Silver badge
Mushroom

We're in the process of dumping it...

It's the funniest thing; when I was still deeply involved with Java development I always (lightly) criticized several Linux distributions for defaulting to OpenJDK instead of Sun's own native JDK. Now I really welcome it ;-)

Even so; we maintained some EE (in-house) projects as well as some Java-built software, but we're getting ready to move it all away into .NET. Not claiming that this is the better of the two platforms, but when your customers start asking questions about your Java-built software, even though they're pretty computer illiterate, you really need to take the hint.

Esp. if you're a small firm which can't maintain a "Microsoft-like attitude" (the "we know what's best for you" approach) :-)

And the less I have to deal with Oracle, the better it is IMO.

Even so I think this is a really sad development. Oracle does a great job in totally destroying the Sun legacy, great going you guys. I'm just glad that Sun managed to release several projects into the open source scene before going tits up, thus allowing others to keep those safe from the "great leadership" of Oracle (here's looking at OpenJDK and ZFS for example).

5
0
Bronze badge

"The exception rather than the rule"

How very true. When all this came out last month I decided, "OK, better disable Java in my browser then, be on the safe side". When I went to do so, it turned out it already was disabled - and must have been since this machine was set up two years ago. In that time, it never made a jot of difference to a single website I've used.

1
0

This post has been deleted by a moderator

FAIL

Re: Swap the words Java with MS Windows - pretty much the same story

"We’re sorry you didn’t like this post."

Don't be sorry for me downvoting a post. Be sorry for allowing the idiot of said post to continue posting.

7
6
Thumb Down

EPIC DOWNVOTE FAIL

While I frequently disagree with the extremes to which Eadon's opinions carry him, they at least involve more thought than the act of labelling him as an idiot simply because you disagree with him. Ad hominem attacks come across as nothing more than childish petulance (although your decision to not hide your rant behind AC saved it from a downvote).

3
0
Anonymous Coward

Re: Swap the words Java with MS Windows - pretty much the same story

« Don't be sorry for me downvoting a post. Be sorry for allowing the idiot of said post to continue posting. »

Respect and be respected. That name-calling was totally uncalled for.

If you can't make your point with a modicum of civility, perhaps it's you who should not continue posting.

3
1

This post has been deleted by a moderator

Anonymous Coward

Re: Swap the words Java with MS Windows - pretty much the same story

Well, at least something written for ASP.NET 2.0 still works the same even after installing .NET 4.5.

2
0
Silver badge
FAIL

Bad News

Many large corps use Java and in fact, it is required to do a lot of daily business computing from Oracle (thanks Larry) to accessing vendor websites and various bits of misc middleware.

It gets better: not all versions of Java work for all vendors/middleware/Oracle. An upgrade may break something else. Yeah, I know it's not supposed to, but yet, it does.

Brilliant!

So yeah, uninstall is NOT an option.

(Did I forget to thank Larry again?)

2
1

This post has been deleted by a moderator

Bronze badge
FAIL

Re: Bad News

I'm trying to understand how a platform that consistently breaks programs based on prior releases, is demonstrably proven to be full of security holes, insists on installing unrelated toolbar crap with every update, is recommended by well-known security bodies to at least be disabled if not completely uninstalled, and whose 3rd party ecosystem is a daily developer frustration due to incompatibilities in common libraries can under any guise be called "superb".

I worked with Java in the early days when Netscape and Microsoft were updating their browsers *weekly* with JVM fixes. I spent 4 months trying to get a simple 5 form app to work before giving up when what should have been yet another minor update completely invalidated the layout API. I subsequently dumped Java and knocked it out with ColdFusion in a week.

At that time it was obvious the devs tested nothing before release.

8 years ago, I tried using it again. We had an app 80% done but one of the 3rd party libraries we depended on had a bug. They fixed it quickly but the fix required a particular JVM update. That update broke two other 3rd party libraries. At that point I scrapped 12 months of development and we switched to C# and finished the project only 1 month over the original schedule. Since that time I've stuck with C# and have never run into a single issue with a MS update killing my apps.

TL;DR: Java from day one was built by people who thought testing was something the end users did; this attitude has apparently never changed. Never more.

0
0

Might be nice if the JRE installer replaced older versions by default, rather than installing alongside!

1
0
Silver badge
Coffee/keyboard

But that would break everything.

I, on the other hand, don't appreciate the fact that every version of IE I uninstall uncovers a previous version.

Apparently, there is no escape.

1
0

Multiple computers, multiple users, multiple browsers, what an arse

Just disabling it on the browsers of one home pc has taken me 15 mins.

[Iron, Firefox and IE] * [5 home users] * [4 home PCs] is going to take forever. Bloody Minecraft, if it wasn't for that I would just delete Java altogether.

0
0

Re: Multiple computers, multiple users, multiple browsers, what an arse

Agreed. Is it possible to install Java as something local to a folder, so I can just point e.g. Minecraft at it? When I install it, it seems to spread its tentacles everywhere: startup, IE, environment etc.

1
0
Silver badge
FAIL

SNOracle fail.

For being the crown jewels, Sun sure rode a very shitty JVM implementation quite a ways. Then Oracle took over and with their typical fecal King Midas-like touch added more crap without fixing basic implementation flaws. Java will prosper and live on, but only as under Dalvik the way things are going.

3
2

This post has been deleted by its author
