back to article Oracle to lop off Java's least secure bits to save servers

Oracle has acknowledged Java's recent security problems and outlined three new security initiatives to set things to rights. The first may not please everyone, as the company has committed to including Java updates among the quarterly Oracle Critical Patch Update it provides for all its products, as of the October 2013 update. …

COMMENTS

This topic is closed for new posts.
Thumb Up

Group Policy

Well. Where credit is due, having control over which sites are able to run Java through Group Policy will definitely make some people sleep better at night.

It's bloody annoying having to install this heap of junk just for that one website which requires it.

And quite a few of us should be more than familiar enough with such a scenario.

However... this is of course Oracle we're talking about and it really wouldn't surprise me to see a vulnerability surface which could either tamper with or circumvent the trusted hosts lists.

3
0
Anonymous Coward

Re: Group Policy

All good, all very good indeed.

So I can look forward to being able to use this in about 4 years when the websites for which we are forced to install Java finally update to a version of Java for which the new security features are enabled. (1 year for Oracle to have a working product + 3 years for our guys. Based on past history for our guys, WAG for Oracle.)

0
0
Silver badge
Trollface

Removing unnecessary libraries?

Was that not one of the sins Google committed when it wrote its own implementation of the Java language, thus causing fragmentation of the language and irreparable harm to Oracle's IP?

5
2
Anonymous Coward

Re: Removing unnecessary libraries?

I wonder if Google are going to sue them for stealing their innovative additions to the Java infrastructure. Oracle are clearly infringing on Google's rights here.

2
1

This post has been deleted by a moderator

Bronze badge

Re: Removing unnecessary libraries?

in the JVM???

3
0

This post has been deleted by a moderator

Bronze badge

Re: Removing unnecessary libraries?

I am sure you meant to say trim it from the JRE as opposed to the JVM...

3
0
Coat

I guess this will solve all of their problems, eventually. Anyone starting a pool on what version number they will be at when they ship a secure product? If so put me down for Java version 8 to the power of 142,857!

1
0
Thumb Up

They should add some more toolbars to Java. Nothing says reliable, trustworthy software like toolbars. So they should add some more of them.

14
1

Re: @jerry 4 (toolbars)

I was hoping that the "removal of certain libraries" was a reference to that...

0
0
Bronze badge

Bad idea

So now Java2EE is going to be Java2EE lite? Because they can't make it right?

0
2
Thumb Up

Re: Bad idea

Much Java enterprise development is completing its move away from JEE now.

Servlets are the last bit that's not been replaced. Most Java web frameworks are removing them, and so a reliance on Tomcat or its ilk, or have done already.

May it moulder in pieces.

1
2
Flame

Please Apple

I really don't like Apple, but they've done us all a big favour by starting the death of Flash.

Wish they'd do the same with client side Java.

Maybe MS and Apple could agree on something, and just block Java installs?

1
1

This post has been deleted by a moderator

Anonymous Coward

Re: Please Apple

That's funny, as most serious use of Java is on the server, serving webpages. Java windowing was always atrocious, past tense.

0
0
Bronze badge

Having the ability to only run Java on trusted hosts is a good thing. The couriers we use (city-link) need Java installed to print the shipping labels and no other websites we need it for, so we have Chromium installed with Java enabled just for that website and the rest of the time use Firefox without Java for day-to-day surfing.

1
0
Boffin

Too many naive, maybe dotNots, and I bet even more insecure web platform trolls here.

Lots of sites use Java somewhere because it is very powerful; these issues have only become a problem because the crackers don't find Windows as easy any more, so they are finding the oversights, which are in part caused by still lacking or unhelpful security in browsers, filesystems, OSs, web protocols, and other network protocols.

Flash is far far worse than Java for security issues, so comparing Java to Flash is a bit rich! Yes, I'd like to see Flash gone too; it is near as bad as Active-X!

Ruby on Rails, PHP, and many other web facing products still have nasty security issues, so this is rather a lop-sided discussion.

It is now up to Oracle to do this properly and flexibly enough that it is possible to easily lock down only what needs to be locked down, so that this does not cause practical problems which cause vulnerabilities to be left exposed.

1
0