Java is required to do anything greater than plain text, to upload a file, to use HTML, etc. on one of our university's two brands of coursework discussion sites. It does not surprise me in the least that the New York Times hack was vectored through infected university servers. For all the computer nerdiness in so many of their faculties, they seem the least prepared for security. I shut off Java some time ago, but very few other people even seem to be paying attention.
Apple blocks Java on the Mac over security concerns
It's been a rough couple of weeks for Java. Security issues are dogging the code, the latest fix may cause almost as many problems as it solves, and now Apple has decided to block Java completely. French blog MacGeneration originally picked up the blockade, noticing that an update to Apple's XProtect now blocks all versions of …
-
Friday 1st February 2013 19:19 GMT Anonymous Coward
Hmm.
"Java is required to do anything greater than plain text, to upload a file, to use HTML, etc."
I don't know, is it? A lot of anybody and everybody is stuck on it because it seemed to people who weren't programmers like the "future language"... 10 years ago. Now those with relations to the JVM are, for lack of a better word, stuck.
I'm really not informed on the current state of things that can and can't be done in Java. However, with the push of the HTML 5 spec, companies letting C code (newlib) in as a plugin, JavaScript optimizations on all browsers all the time, and lastly, the push for better battery life on apparently everything, where does the future leave room for the JVM?
Consider "The Java trap." How will Oracle reinforce those trap doors? Apparently not through security.
-
Friday 1st February 2013 03:21 GMT koolholio
Apple, ooh Apple!
How many will have upgraded or even noticed Quicktime 7.7.3 was released recently! New Apple TV and iOS revisions? with all this finger pointing at Java and Flash, since Apple kits are supposedly 'exempt' from vulnerability? --- the common fanboi attitude -- perhaps even a misconception?
At least Apple are trying to take a proactive approach! I'll give them kudos for that! But not for the prior TIFF bugs!
Although, He who throw stones in glass houses be a little silly? Since no company could ever be perfect and it is unrealistic to believe so. Isaac Newton's law of gravity isn't it? Or is it Murphy's law?
-
Friday 1st February 2013 05:11 GMT ThomH
Re: Apple, ooh Apple!
Apple hasn't said anything on the record, it's merely blocked some software with known security issues. You seem to be implying that to do so is criticism and that Apple should be allowed to criticise only if its own software is perfect but if that's the standard then surely none of us can criticise Apple unless we've written only flawless software?
-
Friday 1st February 2013 12:56 GMT JohnsonVonJohnson
Re: Apple, ooh Apple!
Apple is just a company. You are investing too much emotion in something you supposedly despise.
People like products, it doesn't define who they are, and there are always people who are enthusiastic for almost any platform/product. Something doesn't suck, just because you don't like it. Kids these days.
Java is a cockup on every platform. Apple, and any other company that can do so, SHOULD block it. It is not a little bug, buddy, this is such a HUGE clusterfap that Oracle needs to get on. Oracle needs to stop screwing around and fix it, or shut it down. Chances are high that they CANNOT fix it, due to the cross-platform and backwards compatibility built into java.
-
Friday 1st February 2013 08:23 GMT Wyrdness
My Mac was Java-free for years. I only installed it because Libre Office moans constantly (with annoying pop-ups) if it's not installed. I'd be very happy if Libre Office could remove its dependency on Java.
I refuse to allow Firefox to have a java plug-in though, despite Outlook webmail also moaning about it not being installed.
-
Friday 1st February 2013 09:57 GMT Wensleydale Cheese
But you can run LibreOffice without Java
@Wyrdness
"My Mac was Java-free for years. I only installed it because Libre Office moans constantly (with annoying pop-ups) if it's not installed. I'd be very happy if Libre Office could remove its dependency on Java."
I caught an indication a few months ago somewhere on the LibreOffice site that they were working on removing the Java dependency.
The latest release didn't give me the nag messages about the lack of Java the first time I ran it, and where the previous release moaned when creating a new Text document, I haven't seen that in the latest release either.
I haven't had any problems actually running LO without Java, of course with the caveat that I don't use the database side of LO.
-
Saturday 2nd February 2013 15:41 GMT Daniel B.
Indeed
It is the browser plugin of Java. Though 1.7.13 is out, so it might actually be a matter of Apple putting the dependency *before* Oracle put out the update, not actually blocking Java intentionally.
The JRE itself isn't blocked, attested by me being able to use LdapBrowser and NetBeans. :)
-
Friday 1st February 2013 06:41 GMT Mark Simon
AusKey
If you run a business and need to deal with certain Government services, such as paying your tax, you need AusKey, which is their authentication system. AusKey runs on Java, which, if you’re trying to do this on a Mac is getting harder and harder.
I have lodged a complaint that the Australian government therefore requires you to compromise your machine, and that this certainly disenfranchises people who do not have the technical experience to install, maintain and monitor Java. Still waiting on a resolution.
Java is a nice idea, but it has proven to be flaky, impractical, antiquated, insecure. Somewhat like the Australian Government, or at least its IT services.
-
Friday 1st February 2013 08:43 GMT Anonymous Coward
Re: AusKey
"Still waiting on a resolution."
Be careful what you wish for. The solution is more likely to be a Windows only .NET application than anything else.
"Java is a nice idea, but it has proven to be flaky, impractical, antiquated, insecure."
Java works very well for cross-platform desktop applications, but as a browser plugin where any malicious site can interact with it, well, it's scary. The only people who would call it antiquated are non-(Java) devs IMO, since they likely have no idea of the benefits of Java 7 over Java 5 etc.
-
Friday 1st February 2013 10:43 GMT Anonymous Coward
Re: :(
doesn't run perfectly abap wd (SAP). besides, i keep my vm's as thin as possible, so i don't install what I don't need.
and now I get it, what's wrong with Firefox on mac. Well let's say it doesn't have a good fame - i have a bad opinion about it (initially it scored very badly for vulnerabilities). Being of non-apple conception, it probably doesn't have yet the right mechanics (as I noticed with Opera - bad gestures and animations that go with it). I will test it at some point - but that will take months to try and test firefox again. I tried firefox in one of the first versions, and after that my experience is limited to what I saw while colleagues were using it - maybe I'll be pleasantly surprised.
-
Friday 1st February 2013 15:55 GMT Dan 55
Re: :(
Because it wasn't obvious from the first post that he also had to use some horrible IE-only SAP-driven abomination? Whatever the complaints about Mac Firefox (and to be honest I have the same amount of complaints about Mac Firefox as I do Windows Firefox), it's certainly more integrated with Mac OS than IE running in a VM is.
-
Friday 1st February 2013 10:32 GMT @chriswhocodes
Fixable by editing XProtect.meta.plist
I'm not 100% sure this wasn't done accidentally by Apple.
They've updated the required version of Java to be 1.7.11 build 22 when the release build from Oracle is actually release 21.
type java -version
result:
java version "1.7.0_11"
Java(TM) SE Runtime Environment (build 1.7.0_11-b21)
Java HotSpot(TM) 64-Bit Server VM (build 23.6-b04, mixed mode)
Edit the plugin whitelist file using
sudo nano /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
and change
<string>1.7.11.22</string>
to
<string>1.7.11.21</string>
Java will now work again in Safari.
-Chris
-
Friday 1st February 2013 16:21 GMT jubtastic1
Re: Fixable by editing XProtect.meta.plist
It's not an accident, raising the minimum allowed version to an increment of the current version is how Apple disables java*, because when the next release comes out it will work without having to undo anything, well assuming oracle have fixed it, but if they haven't Apple will just increment the minimum allowed version again.
* not the first time this has happened.
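
Added example, not part of either comment above and not Apple's code: a sketch of the minimum-version rule the two posts describe, plus a check that flags a local XProtect.meta.plist whose minimum has been lowered below a reference value. Only the version strings come from the posts; the key names, the bundle identifier and the sample plist are assumptions constructed for illustration.

```python
import plistlib

# Constructed sample, not Apple's file. Only the <string> value comes from the
# post; the key names and the bundle identifier are assumptions.
BUNDLE_ID = "com.oracle.java.JavaAppletPlugin"
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PlugInBlacklist</key>
  <dict>
    <key>10</key>
    <dict>
      <key>com.oracle.java.JavaAppletPlugin</key>
      <dict>
        <key>MinimumPlugInBundleVersion</key>
        <string>1.7.11.22</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def parse_version(text):
    """'1.7.11.22' -> (1, 7, 11, 22), so each field compares as a number."""
    return tuple(int(part) for part in text.strip().split("."))


def minimum_versions(plist_bytes):
    """Map bundle id -> minimum version string found in the plist."""
    data = plistlib.loads(plist_bytes)
    found = {}
    for group in data.get("PlugInBlacklist", {}).values():
        for bundle_id, rule in group.items():
            if "MinimumPlugInBundleVersion" in rule:
                found[bundle_id] = rule["MinimumPlugInBundleVersion"]
    return found


def plugin_allowed(installed, minimum):
    """The plug-in loads only if its version is at least the minimum."""
    return parse_version(installed) >= parse_version(minimum)


def minimum_was_lowered(plist_bytes, bundle_id, reference_minimum):
    """True if the local file has no rule for the plug-in or demands less
    than the reference value, i.e. the block was weakened on this machine."""
    local = minimum_versions(plist_bytes).get(bundle_id)
    if local is None:
        return True
    return parse_version(local) < parse_version(reference_minimum)


if __name__ == "__main__":
    minimum = minimum_versions(SAMPLE_PLIST)[BUNDLE_ID]
    for installed in ("1.7.11.21", "1.7.11.22"):
        print(installed, "allowed" if plugin_allowed(installed, minimum) else "blocked")
```

Comparing the fields as integers matters: as plain strings, "1.7.11.9" sorts after "1.7.11.22", which would let an older build through.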
-
Friday 1st February 2013 11:21 GMT Bronek Kozicki
this raises a number of questions
I think we can conclude that Java in browser is in death throes. Only clueless, careless and those without choice continue to use it.
However, is there a future for Java in server environment? On one hand, in this environment no one will try to load a random applet picked from random web site, since all the code is either 3rd party libraries or own. On the other hand, both JVM and 3rd party libraries do have to be occasionally patched, and if Oracle or 3rd parties are not forthcoming this makes Java a less viable proposition. Since Oracle started automatically removing JVM version 6 installation when patching JVM version 7 this would point that they no longer want to support version 6. What will Oracle do with version 7 when number 8 rolls out?
Also, given that Java seems to be "the language of choice" in many computer science classes I do wonder what future graduates will do? The fact of the matter is that currently CS graduates are ill-prepared for real world computer programming anyway, so I suppose if the language of choice for learning is slipping into irrelevance probably won't make much of a difference anyway. Academia will notice this eventually, though, and switch to something else (Scala? Python? C++?). It would be in everyone's interest if graduates knew more than one language, too.
I would not be surprised if Java succumbed to death by a thousand cuts in the next 10 years.
-
Friday 1st February 2013 12:13 GMT Anonymous Coward
Re: this raises a number of questions
"I would not be surprised if Java succumbed to death by a thousand cuts in the next 10 years."
IMO Java is the biggest con perpetrated upon the IT industry in decades. The language itself is less powerful and less flexible than C++ (not that C++ is a shining beacon of how a language should be designed but I digress...) that it was supposed to replace, still generally runs slower and uses more memory than an equivalent C++ binary, requires the correct JVM to be installed before it'll work (write once run anywhere? Do me a favour!), and the JVM as we know is subject to security holes not to mention bugs.
If java ever had a purpose it's rapidly losing it. My personal opinion is C++ will regain ground on unix server side development along with python and for windows C# will - if it hasn't already - kill java stone dead in the years to come. Assuming MS can get its act together. As for the web, forget it, java died there long ago. It might limp on for a few more years on android until they realise the pointlessness of double compilation but even that will stop eventually.
-
Friday 1st February 2013 12:47 GMT Ken Hagan
Re: this raises a number of questions
"If java ever had a purpose it's rapidly losing it."
Java's original purpose was to provide a provably secure sandbox for running untrusted applets. (If you have to trust the app, you might as well run native code.) It is debatable whether the implementation was ever good enough to realise that noble aim, but it certainly isn't today.
No matter. In order to achieve that, it had to provide safe equivalents to enough of the native API to be useful. Consequently, it acquired a secondary purpose of "write once run anywhere". This is now its sole purpose. Java is therefore an alternative to frameworks like Qt.
Given some effort, one presumably *could* resurrect the "provably secure" aspect and that would be of interest to a lot of people. Clearly, however, neither Sun nor Oracle could/can be bothered and as long as Oracle have a final veto on what one can call "Java", their lack of support makes "secure Java" impossible. The best possible outcome, therefore, is for Oracle to throw a hissy fit and discard Java altogether, only for it to be picked up by freetards who are actually willing to do justice to the original design.
-
Monday 4th February 2013 16:00 GMT Michael Wojcik
Re: this raises a number of questions
"Java's original purpose was to provide a provably secure sandbox for running untrusted applets."
No, Java's original purpose was as a language for embedded software. Gosling designed it to replace C as the (then) language of choice for embedded applications on hardware powerful enough to want something more than bare metal or a minimal monitor. The idea was to provide a language with high-level constructs (OO, type safety, a framework for common tasks) to reduce development costs; avoid dangerous constructs to improve software quality in embedded environments where patching software could be more difficult; and simplify porting to new hardware by making the application code itself portable.
This is widely documented; look into the history of Sun's "Green Project" and the Oak language, the precursor to Java. See this (PDF) for example, or this bit from the Java Programming Wikibook.
While it's debatable how well Java has achieved its design goals, it certainly has been successful in embedded applications.
When set-top boxes and fancy remote-control units - the original demonstration platforms for Oak/Java - turned out to be underwhelming and of relatively little interest in the market, Sun recognized the growing interest in graphical web browsers (spawned by NCSA Mosaic) and in 1995 introduced the HotJava browser, which was written in Java and was the first to support Java applets. Since browsers did not then have scripting languages (LiveScript appeared later that year), developers seized on Java applets as a way to cram additional (some would argue unnecessary) functionality into browser-based UIs.
-
Friday 1st February 2013 12:54 GMT Bronek Kozicki
"... effectively Java" is not the same as "actually Java". It is a different VM, different bytecode and different compiler. Google decided to reuse Java syntax and API for its own platform, effectively forking Java. If Google are forced by courts (as Oracle is trying to do) they might change s/java/dalvik/g (or any other name, I particularly like Espresso and Mocha).
Of course in a sense, Dalvik is Java, and (if names of Dalvik APIs remain unchanged) in 10 years time, it might be the only Java. It would be very interesting example of evolution of a programming language by forking and survival.
-
Monday 4th February 2013 16:14 GMT Michael Wojcik
There's also a tremendous amount of Java code running enterprise back-office applications, some as POJOs but much of it J2EE components and JSP. Anyone who understands enterprise software knows that isn't going anywhere any time soon either. Corporations are still running COBOL apps written in the 1960s, many of which they aren't even trying to update to newer COBOL syntax (even though that would likely reduce future maintenance costs). There is no compelling economic driver for those organizations to rewrite those Java applications either. Security flaws in the applet container are utterly irrelevant.
People like Bronek who are predicting "the end of Java" should look at how successful similar predictions have been over the years. We heard a lot about the end of the mainframe starting in the 1980s with the rise of personal computing; mainframes are still going strong. There have been several cycles of "the end of Microsoft Windows", "the end of UNIX", etc - they're all still around. Since I work for the major COBOL vendor, I'm more than familiar with "the end of COBOL" - our own CEO at the time announced in public that COBOL was dead in 1999 - but we're selling more of it than ever. Entrenched IT technologies generally take a long time to die. There are arguably a few exceptions (eg Token Ring, 8-bit PCs), but in those cases the replacement had compelling advantages.
As for C++ replacing Java - it hasn't even managed to replace C.
-
Monday 4th February 2013 16:30 GMT Michael Wojcik
Re: wasted opportunity
Developers who can't write decent ECMAScript[1] probably wouldn't be able to write decent Java either.
It's true that there are problems with ECMAScript for writing non-trivial programs, notably the lack of a real type system. (Prototype-based OO languages, it turns out, just don't work as well as class-based ones once the number of distinct types gets significant; remembering constraints is simply too hard for developers.) But most of the problems with ECMAScript are because most of the people writing it - particularly including self-anointed "experts" like Resig[2] - can't be bothered to actually learn the language or write correct code.[3]
The root problem is that the vast majority of software is crap. It will continue to be crap for the foreseeable future, since few developers or development organizations show any real interest in improving quality. And while there have been innumerable proposals for improving software quality, few have seen widespread attempts at adoption, and it's very probable that, as Fred Brooks and others argued, there is no silver bullet anyway.
[1] "Javascript" refers either to the now-obsolete ancestor (originally named "LiveScript") of ECMAScript, or one implementation of ECMAScript. If people can't even get the name right, I suppose it's no wonder they can't get the code right.
[2] Original author of the popular, execrable jQuery library.
[3] As of a few years ago, jQuery still contained erroneous constructs such as "typeof x == 'array'" (which is always false). More damning was Resig's public hissy fit when Google's correct implementation didn't behave the way he wanted it to, with regard to iterating over properties; his code was based on a schoolboy error that anyone with even glancing familiarity with the ECMAScript spec would have spotted, but Resig insisted it was correct because it worked in most implementations. Someone with that attitude shouldn't be writing software at all.
-
Friday 1st February 2013 16:19 GMT Elmo Fudd
50% Java - This SUCKS!
I keep a laptop on the kitchen table so I can check out the news over breakfast - My Firefox browser is set to open with 6 tabs as a home page - My local (Calgary) newspaper's home page, Google news, my online brokerage home page, The Register, Gmail and my Digital newspaper subscription (Postmedia).
This morning I shut off Java script to see what would happen.
Calgary Herald website - Can't see any problems, so far so good.
Google news- Works but the formatting is off- text overlaps images slightly.
RBC Direct- Some graphics appear but site is totally nonfunctional- cannot log in.
El Reg - Works fine- no problems.
Gmail- Blank screen - wants java turned back on - offers HTML only version.
Postmedia- Top header appears- otherwise screen is blank - No login available.
50% of my home pages are totally gone, one is affected and two work fine.
I suspect that many of you would have the same problems - let's hear from you.
Java is back on! I can't run without it.