back to article Oracle slaps critical patch on insecure Java

Oracle has issued a critical update patch for Java as the database giant works to shore up confidence in the widely used code. The security update fixes 42 security flaws, 19 of which merit a 10 (most severe) rating acording to the CVVS metric the company uses to evaluate the software. Along with this, Oracle has also sought …

COMMENTS

This topic is closed for new posts.
  1. This post has been deleted by its author

  2. Anonymous Dutch Coward
    Go

    Indictometer? I like it!

    "plugin more clearly telegraph to users when it could potentially be dangerous to let Java code be executed in their browsers (not all the time? – Ed)."

    Ed (talking horse or editor... or both[1]?) is right I think ;)

    So they went to the trouble of installing pretty lights that indicate the level they indict their own product security. Amusing, but worthless, I'd say, given their stellar track record of Java "security" in the browser.

    PS: The wording of could potentially leaves a bit to be desired in the weasel words department. Fortunately, The Reg is definitely not Wikipedia though...

    [1] Yes, lame. Excuse: not enough coffee - not that that necessarily improves things but this is the only excuse I can come up with right now.

    1. Anonymous Coward
      Anonymous Coward

      Re: Indictometer? I like it!

      > Ed (talking horse or

      That's Mister Ed to you, sonny...

  3. Phil O'Sophical Silver badge

    serendipitous

    I was in the middle of reading this article when I got a popup from the Java updater telling me that update 21 was available.

  4. Charlie Clark Silver badge
    Stop

    Stop the FUD

    The patch comes at a time when many security pros are questioning the value of Java, with many seeing its presence in user's browsers as a liability rather than a benefit.

    While it might have been true 10 years or more ago, when Java provided better services and encryption than could be guaranteed by browsers, but apart from some web-based conferencing software (Cisco's WebEx still uses Java in some environments) I can't remember coming across Java in the browser for a very long time. Perpetuating the myth of this threat detracts from the real risks associated with Java or similar frameworks. The browser may be one way to launch attacks but there are plenty of other ways to do so. Of course, the vulnerabilities are another nail in the coffin of things like Java FX for mobile phones.

    Java is still installed on many people's machines and used by various software packages not least because Java still has probably the best database drivers of any programming language out there. Good to see that Oracle has finally got its arse in gear and established a distribution mechanism comparable to that of Microsoft and Adobe.

    1. Brewster's Angle Grinder Silver badge

      Re: Stop the FUD

      Some European banks (especially in Scandinavian countries) require Java in the browser.

      1. Steve K
        Boffin

        Re: Stop the FUD

        ..and rather amusingly some of Oracle's own software (in full current support) needs earlier versions of Java to work (Essbase Admin Console - I'm looking at you...)

    2. Dan 55 Silver badge
      Thumb Down

      Re: Stop the FUD

      Last time I looked Microsoft and Adobe didn't punt the Ask Toolbar, didn't wait anything up to a month to download and install the update after detecting that one's available, and didn't re-enable the browser plugin after the update despite you specifically disabling it.

      1. I ain't Spartacus Gold badge

        Re: Stop the FUD

        Well Adobe do try and punt some sort of McAfee thingamijig, but only when you go to their website for Flash. Then again, the last 2 times I've used the Flash auto-updater, it's not actually downloaded the patch, but taken me to their website to download it - and then I've had to untick the bloody McAfee box. Still Flash has improved a lot, so I suppose I shouldn't complain too much... Otherwise your point stands.

        Certainly Oracle need to sort out Java patching. Whenever I come to look at a friend's PC (if I've not already uninstalled Java for them), there's always that orange square in the system tray with a pending Java update in it. Don't know whether that's because they never update it, or just it's always being bloody patched.

        El Reg must have a macro now for headlines and half the story of Oracle issues millions of Java updates, desktop Java really sucks for security etc.

    3. Irongut

      Re: Stop the FUD

      "Java still has probably the best database drivers of any programming language"

      Bull. Delphi has the best database drivers and has done since before James Gosling even concieved Java.

      I had to enable my Java plugin for something yesterday. I disabled it straight after but I will need it again in a few weeks. Whilst I no longer need Java in the browser at home there are still tools that require it at work. I no longer install Java on people's home machines, except my own where I need it for programming.

    4. Anonymous Coward
      Anonymous Coward

      Re: Stop the FUD

      Well, here's one: Oracle's webconferencing app, which you need to use if you want them to get live support from them on some of their products, uses Java.

      I know, because I had an open ticket with them after I removed Java-on-the-browser after the last Java mess and I had to put it back in.

      Happy?

  5. Yag

    Coincidence?

    Received a corporate mail yesterday announcing that Java & Flash will be blocked by the internet gateway on the 22th.

    Our IS team FINALLY seems to figure out security issues, as they just banned IE6 a few month ago.

    1. EJ
      Pint

      Re: Coincidence?

      Let me know how that Flash ban goes. I foresee pitchforks and torches-wielding crowds outside someone's cubicle.

  6. amanfromMars 1 Silver badge

    What they don't want to tell you is fabulous about fabless Java

    Java for NINJA Operations is not a weakness to be patched, it is a utility for further quiet anonymous development with ruthless exploitation of browser dependent instruction sets and interindependent SCADA systems of proxy control being but one invisible advantage to export to players in such fields of …….. well, CyberIntelAIgent Defense and Attack are both sides of the same coin and purloined vehicle to master pilot and driver with novel content and advanced intelligence.

    Stop wasting your time, Oracle, the genie is out of the bottle and delivering wishes.

    * …. Networks InterNetworking JOINT Operations.

  7. David 155
    WTF?

    Java 6

    Thought Java 6 had its final update in Feburary? Now they've released update 45.

    1. Robert Carnegie Silver badge

      Re: Java 6

      I think the Java 6 update costs extra, or something? If you really can't use Java 7... mind you, the guy at work who knows about Java doesn't like 7, at least not when we discussed it last.

  8. BornToWin

    Getting as bad as Microsucks products

    Consumers are getting raped by the crapware being sold or otherwise offered to the public.

  9. Tom 13
    Flame

    Re: high-risk apps will be indicated by either an exclamation mark within a yellow triangle

    Great! One more opportunity to train my users to ignore software warning because I'm sure that damned piece of corporate crapware accounting uses won't be signed.

  10. g00se
    WTF?

    Untrusted?

    >>

    The majority of these exploits apply to client Java deployments, and can only be exploited through untrusted Java Web Start applications, and untrusted applets.

    >>

    Hmm. So that means *trusted* code can't use the vulns? That sounds counter-intuitive to say the least. What's more, Web Start apps and applets ordinarily can only become trusted by the user allowing them to run.

  11. Anonymous Coward
    Stop

    Money needs to talk

    Poor Oracle. Thought they were getting one of Sun's crown jewels and it turns out to be made of paste. I feel sorry for them.

    Either Java security is fundamentally broken (in the architectural sense), which I doubt, or the implementation is just really bad, or it is just old - 10 years behind the current vanguard of threats. I suspect the latter.

    That being so, things will not improve until some Very Large Commercial Entity - ie someone who is paying Oracle *tons* of money to license Java -- publically announces that they intend to junk it because of these issues. The prospect of losing bid ol' chunks of revenue might wake them up.

    Separate thread: have we all now given up on any write-once run-anywhere model? .Net was never a contender (mono notwithstanding) and Java seems to have an outbreak of security-herpes every month. Is there nothing else out there?

    1. amanfromMars 1 Silver badge

      Re: Money needs to talk like the masses are listening, lest there be unnecessary unquiet

      Yes, there is , and there's mountains or more in there, too, for everyone, everywhere from here .... http://forums.theregister.co.uk/forum/1/2013/04/18/one_way_mars_one_big_brother/#c_1797049

This topic is closed for new posts.

Other stories you might like