How many of these machines are running Microsoft's long-abandoned Java variant? I was surprised to see the option still being offered in Windows 7 installs.
Are you in charge of a lot of biz computers? Got Java on them?
Java security vulnerabilities - exploited to hack Apple and Facebook this month - are rife across business computers worldwide, according to new research. The overwhelming majority (94 per cent) of PCs and other endpoints running Java software and surveyed by Websense are vulnerable to at least one Java runtime exploit, …
-
-
-
-
Tuesday 26th March 2013 22:56 GMT M Gale
"there's some major UK retailers whose entire EPOS solution is written in Java."
And amusingly, it's called "Eclipse".
Was fun when Buncefield blew up and the whole damn system had to operate with its head cut off, too. Ever tried to work in a store when even internal stock-checks don't work and card payments take anything from 60 to 180 seconds or more to go through? That was... an experience.
Ex-DSGi employee and not regretting the "ex" part one bit.
-
Wednesday 27th March 2013 13:10 GMT Anonymous Coward
@M Gale
Oh, there's more than Eclipse. Retail J is embedded with a few very big retailers, and the quickest of web searches will name them.
If wide enough, that search might also throw up the fact that the founder of Retail J has not long come out of clink for a £1.6m fraud. So not only are the users enjoying the secure high quality platform that is Java, but their core point of sale money and stock system was designed and built by a fraudster. In about two months time we'll know if the Torex 4 are sent down, and if they are, then we will also be able to say that Retail J was sold by a further gang of convicted fraudsters.
-
-
-
-
-
Tuesday 26th March 2013 15:12 GMT NumptyScrub
Upgrading from JRE 1.6
Yeah, thanks Oracle. Just let me know when your E-Business Suite actually supports either an up to date JRE, or even an up to date browser, and I'll get patched right up.
According to the devs, clients need to be using 6 series JRE and have to be on IE8, because neither the 7 series JRE nor IE9+ are certified yet. That's one Java and 2 browsers behind the times for their flagship enterprise product. Either the devs are lying, or Oracle is being sanctimoniously two-faced in their "you should just upgrade, problem solved" stance.
Srsly ORCL, please to fix? >.<
-
Tuesday 26th March 2013 23:38 GMT Simon Brady
Re: Upgrading from JRE 1.6
To be fair to Oracle, EBS has been certified with JRE 7 since December:
https://blogs.oracle.com/stevenChan/entry/jre_7_certified_with_oracle
The Metalink notes say they also support IE9 and Firefox ESR 17 on Win7. I have a lot of gripes about how Oracle handles certification and patching in general, but in this case the criticism isn't justified.
-
Wednesday 27th March 2013 08:39 GMT Anonymous Coward
Re: Upgrading from JRE 1.6
Have you actually looked at that patch though? It, along with a mighty flock of prerequisites, amounts to a full upgrade in all but name. Our customization footprint is relatively minimal, but even so we're going to have to budget a couple hundred hours in consultant and high-level staff time to properly vet and install it. Bloody mess, really.
-
-
-
Tuesday 26th March 2013 15:21 GMT Richard 31
Backwards compatibility
A lot of the reason machines and servers end up with old versions of Java is the lack of proper backwards compatibility. All too often there are programs that will only work with a particular version of one particular JVM. As someone who has to deal with this, I do get rather frustrated with Java. My arse is more backwards compatible than this.
-
Tuesday 26th March 2013 15:34 GMT Anonymous Coward
Re: Backwards compatibility
Do you get frustrated with <insert instruction set here> when a certain chip behaves slightly differently, has bugs/different bugs or triggers unwanted behaviour because some code depends on an undocumented feature that it doesn't have? Backwards compatibility is nice to have but there isn't going to be a system in existence that has 100% perfect backwards compatibility.
-
Tuesday 26th March 2013 17:10 GMT Anonymous Coward
@Daniel Palmer
There is backwards compatibility, and backward compatibility.
I have binaries compiled on Solaris 2.1 which still run 20 years later on Solaris 11.
I have Java apps tested for 1.6_0_20 that won't run on 1.6_0_21. Write once debug everywhere has long since stopped being just a funny joke.
-
Tuesday 26th March 2013 17:26 GMT Anonymous Coward
Re: @Daniel Palmer
I have some really old Java code that runs on 1.4 up to the latest openjdk6 and 7 releases. I'm sure there is code out there that will run on all of those and embedded JVMs. There is a lot of C code out there that only compiles and runs correctly on a vendor's build of GCC from a specific snapshot. Python seems to break apps with each point release. This is a common issue all the way through the stack all the way down to the hardware.
-
Tuesday 26th March 2013 18:05 GMT Androgynous Cupboard
Re: @Daniel Palmer
> I have Java apps tested for 1.6_0_20 that won't run on 1.6_0_21. Write once debug everywhere has long since stopped being just a funny joke.
Do you really? 1.6.0_21 was a pretty minor changeset. Or are you picking revisions randomly to underline a general point?
For what it's worth we have customers running our software on every platform and revision from 1.4 on, and - although there are notable exceptions to this - in general, things work fairly consistently from release to release and from vendor to vendor, particularly within the same major revision (e.g. Java 6). The only exceptions I can think of to this are changes to the JavaScript environment included with Java 6 - for obvious reasons, Oracle have made some major incompatible changes here relating to classloading, in 1.6.0_7 and again in 1.6.0_28, which buggered things up for us.
(this message is not in any way intended to defend Oracle's cackhanded performance in other areas of Java)
-
Wednesday 27th March 2013 09:38 GMT Anonymous Coward
@Androgynous Cupboard
> 1.6.0_21 was a pretty minor changeset. Or are you picking revisions randomly to underline a general point?
Yeah, it might not have been those precise versions, but it was certainly that level of micro-release. I'd not be surprised to see some small breakage/obsolescence between, say, 1.5 and 1.6, but I'd expect everything to work within a given minor release.
Sadly I suspect this is symptomatic of the same coding quality that has led to all the security issues, the sort of "it compiles, ship it" attitude that occurs all too often with the self-trained web 2.0 development kiddies. Proper design and testing is just too much hard work when they can be hacking cool stuff.
-
-
-
-
Tuesday 26th March 2013 15:38 GMT Anonymous Coward
Re: Backwards compatibility
Don't be too harsh on Java. There are two layers to this "compatibility" thing.
The first is not technical, but merely a means of making support easier for the vendor. They simply don't want to test the app under every combination of JRE and OS since Windows XP days, so they simply test under what is more comfortable for them and that is what becomes "officially supported". In summary, the app will happily run on "unsupported" OSes, JRE versions, and browsers, but just don't call us if it does not.
The second is technical, but is entirely the fault of the application developer, because it flags reliance on platform specific behavior, for example external programs (such as Office), .so modules in Linux, or whatever. I have, and there are still some around, web applets written for Java 1.0 that work perfectly under the latest Java version, so if your program depends on OCXs or other artifacts and you were sold on Java because of its platform independence you can claim your money back.
Oh, well, there is a third reason: hardcoding a version and environment check at the start of the program, but that really is done to implement one of the above.
-
-
Tuesday 26th March 2013 15:24 GMT Ian Yates
Updates
It doesn't help that the updater is such an annoying little **** and seems to always have a new one to apply. If I accidentally accept it, I'm then bombarded with UAC prompts at random intervals.
At some point (for me, years ago) people chose to be blind to the constant nagging and just ignore it.
-
Tuesday 26th March 2013 15:44 GMT Anonymous Custard
Re: Updates
And isn't the Java updater the one that also tries to spam you with things like the Ask toolbar and other crap that you don't want, but that it will merrily add if you just click-through rather than remembering to untick the various boxes first?
Of course it also will ask every damn time, rather than remembering that I've said no to the last dozen times it's asked me if I want to weigh down my browser with unwanted junk in the vain hope that I might suddenly want it this time.
Come on, just patch the holes, make it compatible and get it to work without all the nagging and backdoor installs, then we may keep up better.
-
Monday 1st April 2013 11:46 GMT Wzrd1
Re: Updates
Never noticed that problem.
But then, I download the update and push it out from the server, never get such nonsense.
Now, Adobe patches, those are known to ignore the hell out of their command line switches. Minor things, like no reboot...
Between Adobe and Oracle, they're a combined cause of premature aging of information security types.
-
-
Tuesday 26th March 2013 15:56 GMT Narlaquin
Re: Updates
Worse yet, it can get in a state where it can't download the update, so just prompts and prompts.
And "hiding" the Ask Toolbar in the installer to trip up the parental types who have been told^H^H^H^H trained to always update Java whenever it asks, to prevent a recurrence of last year's embarrassing outbreak of browser hijacking with porn links.
-
Tuesday 26th March 2013 16:01 GMT Anonymous Coward
@Ian
Ignoring is one thing, I tend to disable it first chance I get.
It's another total fail in the whole process IMO. I mean; sure, for home scenarios I can see why they chose an updater. But what about JDK installations? Those environments don't need to be treated like children; developers usually know very well which versions to use and which to ignore.
But no; it needs to be automatically updated... Preferably with Google and Tumbler and god knows what kind of toolbars and malware or spyware.
-
Tuesday 26th March 2013 18:25 GMT Anonymous Coward
Re: Updates
It's not just their updater. In theory we have centralized management to push new versions of Java to systems. Sometimes it works. Sometimes it doesn't. Sometimes when it doesn't you can't install the update manually because a file is missing or damaged. If that happens chances are you can't uninstall because the same file is missing or damaged. I've even had one recently where Programs and Features listed 6.35 and when I ran the uninstaller the banner read 6.32 and then it failed for a missing or corrupt file.
I'll grant there were problems even under Sun but never like now (and most of our issues were self-inflicted wounds because the damn app programmers wouldn't move off 5.16 even 2 years after Sun was no longer supporting it).
-
Wednesday 27th March 2013 00:44 GMT david 12
Re: Updates
The updater program has a /different name/ for every version. The executable is renamed every time.
This means that I can't give a fixed exemption in our firewall, which means that on locked machines -- the ones used for banking which require Java in the browser -- I have to go around, turn off the firewall, run the update downloader, apply the update, and re-enable the firewall.
What is the recommended solution for this problem?
-
-
Tuesday 26th March 2013 15:44 GMT Anonymous Coward
It always amazes me when people manage to make their Java code reliant on a specific version of the runtime. You have to go out of your way - using classes in the sun.com hierarchy or coding in a home brewed version check - to fuck it up, but so many people do. It's down to the general incompetence of the typical developer frankly, and ironically Oracle's are some of the worst (SQL Developer, I'm looking at you).
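The "home brewed version check" mentioned above, and the backwards-compatibility sub-thread earlier (apps tested on one 1.6.0 update that refuse to run on the next), both come down to how an application decides whether the installed runtime is acceptable. The following is an added illustration written for this thread, not code from any product or vendor named in it; the version strings it feeds in are constructed samples. It contrasts the two brittle patterns, an exact pin and a lexical string comparison, with a numeric minimum-version floor that accepts the tested release and anything newer, so security updates to the JRE are no longer blocked by the application itself.

```java
import java.util.Arrays;

// Added illustration for this thread (not code from any product or vendor mentioned above):
// three ways an application can gate on the runtime version, two of which strand users on
// old, unpatched JREs.
public final class JavaVersionCheck {

    // Pattern 1, the exact pin: only the build the developer tested is accepted.
    // Every later update, security patches included, is rejected outright.
    static boolean exactPin(String runtimeVersion) {
        return runtimeVersion.equals("1.6.0_20");
    }

    // Pattern 2, lexical comparison of version strings.
    // "1.6.0_9" sorts after "1.6.0_21" because '9' > '2', so the result is accidental.
    static boolean lexicalAtLeast(String runtimeVersion, String minimum) {
        return runtimeVersion.compareTo(minimum) >= 0;
    }

    // Parse "1.6.0_21", "1.7.0_45-b18", "9.0.1" or "11.0.2+9" into {feature, interim, update}.
    static int[] parse(String version) {
        String core = version.split("[-+]", 2)[0];          // drop "-b18" / "+9" build suffixes
        String[] parts = core.replace('_', '.').split("\\.");
        int[] n = new int[parts.length];
        for (int i = 0; i < parts.length; i++) {
            n[i] = Integer.parseInt(parts[i]);
        }
        // Legacy "1.x.y_u" scheme: feature release x, interim y, update u.
        if (n.length >= 2 && n[0] == 1) {
            n = Arrays.copyOfRange(n, 1, n.length);
        }
        return Arrays.copyOf(n, 3);                          // pad missing components with 0
    }

    // Pattern 3, a numeric minimum-version floor: the tested release and anything newer pass.
    static boolean atLeast(String runtimeVersion, String minimum) {
        int[] a = parse(runtimeVersion);
        int[] b = parse(minimum);
        for (int i = 0; i < 3; i++) {
            if (a[i] != b[i]) {
                return a[i] > b[i];
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Real property on every JRE; everything else below is a constructed sample.
        String installed = System.getProperty("java.version");
        System.out.println("Running on " + installed);

        String patched = "1.6.0_21";                          // one update newer than the pin
        System.out.println("exact pin accepts " + patched + ": " + exactPin(patched));
        System.out.println("lexical 1.6.0_9 >= 1.6.0_21: " + lexicalAtLeast("1.6.0_9", "1.6.0_21"));
        System.out.println("numeric 1.6.0_9 >= 1.6.0_21: " + atLeast("1.6.0_9", "1.6.0_21"));
        System.out.println("numeric 1.7.0_45-b18 >= 1.6.0_21: " + atLeast("1.7.0_45-b18", "1.6.0_21"));
        System.out.println("numeric 11.0.2+9 >= 1.6.0_21: " + atLeast("11.0.2+9", "1.6.0_21"));
        System.out.println("installed >= 1.6.0_21: " + atLeast(installed, "1.6.0_21"));
    }
}
```

Compile and run with `javac JavaVersionCheck.java && java JavaVersionCheck`. The floor check is the one a vendor's "officially supported" matrix should translate into: it encodes the oldest release the application was tested against, which is the only fact the developer actually knows, and leaves the decision to take a newer security update where it belongs, with whoever patches the machine.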
-
Tuesday 26th March 2013 15:48 GMT Anonymous Coward
Sweet revenge
So when I was massively downvoted for posting "Thanks Oracle, for showing us how to fix security issues" I was actually right in how to fix the problem? "Looking at this from another angle, we have to thank Oracle. This is the same "fix" I've applied to all my home computing environment. Only I've taken it a bit further, simply removing the Java plugin, all versions, from all the installed browsers, fixes completely this and any future security issues Java may have."
So they are now recommending exactly the same, unless you absolutely need it, then in that case keep a standalone browser installed just for that.
Come on, start thumbing up and remember where you read it first. And post apologies below. I was right. As always, by the way (those that did not see the irony at the time and the dismissal of the "business environments", please refrain)
-
-
Tuesday 26th March 2013 17:49 GMT Anonymous Coward
Re: Sweet revenge
Good point. I use Linux at home, so Adobe is not needed as there are plenty of PDF readers. You're right that both Chrome and Firefox have many more vulnerabilities, but you're forgetting that they get upgraded much more often.
No piece of software is 100% provably secure (halting theorem and all that), and even if it were the human component (that's me) is provably insecure. In the end, security is a trade-off. If you want to be 100% secure, don't plug anything into your computer, be it ethernet cable, USB dongle, WiFi connection or anything else.
Beyond that level of security (assuming of course that you keep your machine in a safe enough box, etc) it is just a matter of balancing risk versus utility.
Linux with Firefox may some day be exploited, but so far is pretty safe, to the point of you being able to browse the intertubes with a fairly high level of confidence. Certainly safer than Windows, and safer than IE, if only because those are much more attractive targets in terms of ROI for the bad guys.
-
-
-
-
Tuesday 26th March 2013 16:38 GMT swampdog
Re: SSL Cert error anyone?
Same here. Was forced to install latest Java last month for some daft work purpose only (a) to have the updater screw up this month (b) when I grabbed the full download have the (also for me, longstanding) SSL cert error back. Bye-bye Java for good this time. Turned out I didn't even need it for work.
-
-
Tuesday 26th March 2013 15:56 GMT Anonymous Coward
We're in the process of dumping it...
It's the funniest thing; when I was still deeply involved with Java development I always (lightly) criticized several Linux distributions for defaulting to OpenJDK instead of Sun's own native JDK. Now I really welcome it ;-)
Even so; we maintained some EE (in-house) projects as well as some Java build software but we're getting ready to move it all away into .NET. Not claiming that this is the better of the two platforms, but when your customers start asking questions about your Java-build software, even though they're pretty computer illiterate, you really need to take the hint.
Esp. if you're a small firm which can't maintain a "Microsoft-like attitude" (the "we know what's best for you" approach) :-)
And the less I have to deal with Oracle, the better it is IMO.
Even so I think this is a really sad development. Oracle does a great job in totally destroying the Sun legacy, great going you guys. I'm just glad that Sun managed to release several projects into the open source scene before going tits up, thus allowing others to keep those safe from the "great leadership" of Oracle (here's looking at OpenJDK and ZFS for example).
-
Tuesday 26th March 2013 16:13 GMT joeW
"The exception rather than the rule"
How very true. When all this came out last month I decided, "OK, better disable Java in my browser then, be on the safe side". When I went to do so, it turned out it already was disabled - and must have been since this machine was set up two years ago. In that time, it never made a jot of difference to a single website I've used.
-
Tuesday 26th March 2013 16:36 GMT ecofeco
Bad News
Many large corps use Java and in fact, it is required to do a lot of daily business computing from Oracle (thanks Larry) to accessing vendor websites and various bits of misc middleware.
It gets better: not all versions of Java work for all vendors/middleware/Oracle. An upgrade may break something else. Yeah I know it's not supposed to, but yet, it does.
Brilliant!
So yeah, uninstall is NOT an option.
(Did I forget to thank Larry again?)
-
Tuesday 26th March 2013 17:03 GMT Pat 11
Multiple computers, multiple users, multiple browsers, what an arse
Just disabling it on the browsers of one home pc has taken me 15 mins.
[Iron, Firefox and IE] * [5 home users] * [4 home PCs] is going to take forever. Bloody Minecraft, if it wasn't for that I would just delete Java altogether.
-
Tuesday 26th March 2013 20:03 GMT asdf
SNOracle fail.
For being the crown jewels SUN sure rode a very shitty JVM implementation quite a ways. Then Oracle took over and with their typical fecal King Midas-like touch added more crap without fixing basic implementation flaws. Java will prosper and live on but only as under Dalvik the way things are going.
-
This post has been deleted by its author
-
Tuesday 26th March 2013 22:42 GMT asdf
Re: SNOracle fail.
>Written by a guy with no server-side / enterprise knowledge, obviously.
Actually yes I do have but so far been lucky enough to work in shops smart enough to avoid the write once debug everywhere fiasco that is Java. I will admit though it does much better in this important but less visible space than the desktop where it absolutely falls flat on its face not only because it's insecure but because it's one of the kludgier multi-platform GUI solutions available.
-
-
-
Tuesday 26th March 2013 20:35 GMT irm
Re: Multiple computers, multiple users, multiple browsers, what an arse
@GameCoder
You can install the JDK rather than the JRE. The former comes both with its own JRE (that will be local to the folder you install it) and a system wide JRE - that's the one that ends up in the browsers - but critically it can be deselected at install time.
Whether Minecraft can be made to work with it I wouldn't know, but can't hurt to try...
-
Tuesday 26th March 2013 20:40 GMT The Original Steve
Fucking awful
Always used Oracle Forms and Reports as the backend of our ERP is 10g. Used JInitiator until 4 years ago as it never ran on Vista so naturally moved to full JRE and it's nothing short of bollocks.
Deploying SCCM 2012 in the next week or so and spent today putting the latest version in the application catalogue rather than deploy as part of the image. Anything to reduce our Java footprint. We're in the throes of moving to .Net for the client and middle layers and it can't come soon enough.
Of course our only Oracle DBA/Java dev left a year ago so moving from 6 u26 to 7 u14 will be fun...
-
Wednesday 27th March 2013 04:43 GMT Philip Lewis
Denmark - painful
For the poor citizens of Denmark, almost every bank requires Java to use their online banking.
What is better/worse (depending on how you see it), the national secure identity system (nem-id) used for online interaction with government agencies is based on Java. There is a very strong push from government to use this when secure interaction is required, particularly for signing legal documents such as land transfers etc.
Nem-id is constantly down, crashes in use with alarming regularity and in my experience never seems to work when I am physically outside of Denmark (maybe that is a design feature). The idea of the system is not so bad actually. My criticism is with the seriously bozo implementation and apparent poor code quality.
-
Wednesday 27th March 2013 12:03 GMT Christian Berger
BTW, if you are looking for something for local GUI applications try Lazarus
Lazarus is a Delphi clone without the pain of Delphi. It's platform independent and you can design your forms graphically or algorithmically (in any combination). It even has a nice system to automatically resize forms in a sensible way. (just like what you are used to from modern GUI toolkits)
Seriously I could understand someone making the error of choosing Java back in the 1990s. It was popular and supported. It even looked as if it could become a universal standard for binary executables, a bit like what ASCII was for text. Now it's essentially dead.
.net however seems like the benchmark for bad business decisions. It's _less_ portable than native win32 applications and has a noticeable performance impact. It's also harder to deploy than win32 applications, and there are literally thousands of better solutions, from old Visual Basic versions to OOPascal and probably even TCL/Tk.