Oracle has issued a critical update patch for Java as the database giant works to shore up confidence in the widely used code. The security update fixes 42 security flaws, 19 of which merit a 10 (most severe) rating according to the CVSS metric the company uses to evaluate the software. Along with this, Oracle has also sought to …
Indictometer? I like it!
"plugin more clearly telegraph to users when it could potentially be dangerous to let Java code be executed in their browsers (not all the time? – Ed)."
Ed (talking horse or editor... or both?) is right I think ;)
So they went to the trouble of installing pretty lights that indicate the level they indict their own product security. Amusing, but worthless, I'd say, given their stellar track record of Java "security" in the browser.
PS: The wording of could potentially leaves a bit to be desired in the weasel words department. Fortunately, The Reg is definitely not Wikipedia though...
 Yes, lame. Excuse: not enough coffee - not that that necessarily improves things but this is the only excuse I can come up with right now.
Re: Indictometer? I like it!
> Ed (talking horse or
That's Mister Ed to you, sonny...
I was in the middle of reading this article when I got a popup from the Java updater telling me that update 21 was available.
Stop the FUD
The patch comes at a time when many security pros are questioning the value of Java, with many seeing its presence in users' browsers as a liability rather than a benefit.
While it might have been true 10 years or more ago, when Java provided better services and encryption than could be guaranteed by browsers, apart from some web-based conferencing software (Cisco's WebEx still uses Java in some environments) I can't remember coming across Java in the browser for a very long time. Perpetuating the myth of this threat detracts from the real risks associated with Java or similar frameworks. The browser may be one way to launch attacks but there are plenty of other ways to do so. Of course, the vulnerabilities are another nail in the coffin of things like Java FX for mobile phones.
Java is still installed on many people's machines and used by various software packages not least because Java still has probably the best database drivers of any programming language out there. Good to see that Oracle has finally got its arse in gear and established a distribution mechanism comparable to that of Microsoft and Adobe.
Re: Stop the FUD
Some European banks (especially in Scandinavian countries) require Java in the browser.
Re: Stop the FUD
Last time I looked Microsoft and Adobe didn't punt the Ask Toolbar, didn't wait anything up to a month to download and install the update after detecting that one's available, and didn't re-enable the browser plugin after the update despite you specifically disabling it.
Re: Stop the FUD
Well Adobe do try and punt some sort of McAfee thingamajig, but only when you go to their website for Flash. Then again, the last 2 times I've used the Flash auto-updater, it's not actually downloaded the patch, but taken me to their website to download it - and then I've had to untick the bloody McAfee box. Still Flash has improved a lot, so I suppose I shouldn't complain too much... Otherwise your point stands.
Certainly Oracle need to sort out Java patching. Whenever I come to look at a friend's PC (if I've not already uninstalled Java for them), there's always that orange square in the system tray with a pending Java update in it. Don't know whether that's because they never update it, or just it's always being bloody patched.
El Reg must have a macro now for headlines and half the story of Oracle issues millions of Java updates, desktop Java really sucks for security etc.
Re: Stop the FUD
"Java still has probably the best database drivers of any programming language"
Bull. Delphi has the best database drivers and has done since before James Gosling even conceived Java.
I had to enable my Java plugin for something yesterday. I disabled it straight after but I will need it again in a few weeks. Whilst I no longer need Java in the browser at home there are still tools that require it at work. I no longer install Java on people's home machines, except my own where I need it for programming.
Re: Stop the FUD
..and rather amusingly some of Oracle's own software (in full current support) needs earlier versions of Java to work (Essbase Admin Console - I'm looking at you...)
Re: Stop the FUD
Well, here's one: Oracle's webconferencing app, which you need to use if you want them to get live support from them on some of their products, uses Java.
I know, because I had an open ticket with them after I removed Java-on-the-browser after the last Java mess and I had to put it back in.
Received a corporate mail yesterday announcing that Java & Flash will be blocked by the internet gateway on the 22nd.
Our IS team FINALLY seems to have figured out security issues, as they just banned IE6 a few months ago.
Let me know how that Flash ban goes. I foresee pitchfork- and torch-wielding crowds outside someone's cubicle.
What they don't want to tell you is fabulous about fabless Java
Java for NINJA Operations is not a weakness to be patched, it is a utility for further quiet anonymous development with ruthless exploitation of browser dependent instruction sets and interindependent SCADA systems of proxy control being but one invisible advantage to export to players in such fields of …….. well, CyberIntelAIgent Defense and Attack are both sides of the same coin and purloined vehicle to master pilot and driver with novel content and advanced intelligence.
Stop wasting your time, Oracle, the genie is out of the bottle and delivering wishes.
* …. Networks InterNetworking JOINT Operations.
Thought Java 6 had its final update in February? Now they've released update 45.
Re: Java 6
I think the Java 6 update costs extra, or something? If you really can't use Java 7... mind you, the guy at work who knows about Java doesn't like 7, at least not when we discussed it last.
Getting as bad as Microsucks products
Consumers are getting raped by the crapware being sold or otherwise offered to the public.
Re: high-risk apps will be indicated by either an exclamation mark within a yellow triangle
Great! One more opportunity to train my users to ignore software warnings because I'm sure that damned piece of corporate crapware that accounting uses won't be signed.
The majority of these exploits apply to client Java deployments, and can only be exploited through untrusted Java Web Start applications, and untrusted applets.
Hmm. So that means *trusted* code can't use the vulns? That sounds counter-intuitive to say the least. What's more, Web Start apps and applets ordinarily can only become trusted by the user allowing them to run.
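The trusted/untrusted distinction the comment above picks at is the Java sandbox boundary: unsigned applets and Web Start apps run under a SecurityManager that denies anything their protection domain has not been granted, while code the user has approved runs with full permissions, so a sandbox-escape bug only buys an attacker something when the code starts out restricted. The following is an added example, not from the article, the thread or Oracle, showing that boundary from the defender's side: the same file-listing action is refused for a domain with no permissions, allowed for one holding AllPermission (what "trusted" amounts to), and allowed for one holding only a FilePermission. The class and method names are mine; it assumes a JDK with the classic SecurityManager (JDK 8 runs it as-is, JDK 17 to 23 need `-Djava.security.manager=allow`, and JDK 24 removed the mechanism).

```java
// Added example (not the article's or Oracle's code): the trusted vs. untrusted
// boundary enforced by the Java SecurityManager. Assumes the classic
// SecurityManager is available (JDK 8; JDK 17-23 with -Djava.security.manager=allow).
import java.io.File;
import java.io.FilePermission;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.AllPermission;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;

public class SandboxBoundary {

    // Builds a context whose single protection domain carries exactly the given
    // permissions. No grants models an unsigned applet; AllPermission models
    // code the user has clicked "Run" on.
    static AccessControlContext contextWith(Permission... grants) {
        Permissions perms = new Permissions();
        for (Permission p : grants) {
            perms.add(p);
        }
        // Two-argument constructor: static permissions only, the Policy is not
        // consulted for this domain, so the grant list is the whole story.
        ProtectionDomain domain = new ProtectionDomain(null, perms);
        return new AccessControlContext(new ProtectionDomain[] { domain });
    }

    // Runs a privileged file operation (listing the working directory) under the
    // supplied context. Returns true if allowed, false if the sandbox denied it.
    static boolean canListWorkingDir(AccessControlContext ctx) {
        try {
            AccessController.doPrivileged(
                    (PrivilegedAction<String[]>) () -> new File(".").list(), ctx);
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Grant the application's own domain everything, so the context handed to
        // doPrivileged is the only thing limiting the action: the effective
        // permission set is the intersection of caller and context.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return true;
            }
        });
        System.setSecurityManager(new SecurityManager());

        AccessControlContext untrusted = contextWith();
        AccessControlContext trusted = contextWith(new AllPermission());
        AccessControlContext readOnly =
                contextWith(new FilePermission("<<ALL FILES>>", "read"));

        System.out.println("untrusted (no grants) may list cwd: "
                + canListWorkingDir(untrusted));   // false: sandbox denies it
        System.out.println("trusted (AllPermission) may list cwd: "
                + canListWorkingDir(trusted));     // true: nothing left to escape
        System.out.println("FilePermission read grant may list cwd: "
                + canListWorkingDir(readOnly));    // true: least privilege that suffices
    }
}
```

The third case is the one a deployment should aim for: grant the specific permission a piece of code needs rather than approving it wholesale, because once a domain holds AllPermission a sandbox-escape flaw is irrelevant to it, exactly as the advisory wording implies.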
Money needs to talk
Poor Oracle. Thought they were getting one of Sun's crown jewels and it turns out to be made of paste. I feel sorry for them.
Either Java security is fundamentally broken (in the architectural sense), which I doubt, or the implementation is just really bad, or it is just old - 10 years behind the current vanguard of threats. I suspect the latter.
That being so, things will not improve until some Very Large Commercial Entity - i.e. someone who is paying Oracle *tons* of money to license Java - publicly announces that they intend to junk it because of these issues. The prospect of losing big ol' chunks of revenue might wake them up.
Separate thread: have we all now given up on any write-once run-anywhere model? .Net was never a contender (mono notwithstanding) and Java seems to have an outbreak of security-herpes every month. Is there nothing else out there?
Re: Money needs to talk like the masses are listening, lest there be unnecessary unquiet
Yes, there is, and there's mountains or more in there, too, for everyone, everywhere from here .... http://forums.theregister.co.uk/forum/1/2013/04/18/one_way_mars_one_big_brother/#c_1797049