Rotten hackers feast on mouldy Java flaws

Most enterprise networks are riddled with vulnerable Java installations, according to a new study whose release coincides with the discovery of another 0-day Java flaw. Less than one per cent of organisations are running the latest version of Java, according to a study by security software firm Bit9. The most frequently …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    So glad we use .Net instead of this garbage...

    1. AMB-York Silver badge

      Sandbox

      Shurely, nothing to worry about - Java's sandbox protects the host?

      OOPS?!?

    2. lansalot

      Not keeping on top of your dotnet updates then? Can't remember how many updates we've had to that...

      1. nichomach

        @lansalot

        Well, yes, but the difference is that they *are* updates - they get rid of the code that has a problem when they install, unlike Java, which installs the new code but leaves the old and vulnerable stuff there to be exploited.

  2. Anonymous Coward

    Bad written software = old versions needed = vulnerable systems

    A week ago while dining at an airport I overheard a group of people working for a large company complaining about the new security policies. They upgraded Windows OSes and removed all Java versions but the latest. They were complaining because they had some needed applications which no longer run on the newest OSes and Java. The issue is always the same - there are too many applications which are written so badly they run only on a given OS or Java version (I still need to run - in a separate VM - Java 1.5 because the application the Italian tax agency gives you to send them signed files runs only with it...!).

    Instead of updating (or getting rid of) those applications, users and IT prefer to keep older versions around, often without understanding the security implications and acting accordingly. Yet, whatever Microsoft and Java could do to improve and secure their software, they can do little against lazy, naive and incompetent developers who write software without any clue how it should be written properly.

    1. James 51

      Re: Bad written software = old versions needed = vulnerable systems

      Thankfully I work for an org that rewrites the software when this happens. However I know that a lot of places don't see the point in paying to rewrite software that 'works', even if it does leave a big security hole.

      1. Anonymous Coward

        Re: Bad written software = old versions needed = vulnerable systems

        In my experience, the software doesn't usually need a rewrite. The justification for sticking with an older runtime is more often down to a company only certifying their software for a specific version, and then being incredibly conservative (or lazy). In over ten years of professional Java development I've never had a problem moving codebases from one major version of Java to another. Most recently, it was a move from 1.6 to 1.7, and the only changes were a few more warnings about generics that were gradually removed package by package. The only Java software I've used from third parties that would only run on a specific version of Java was a "rich text editor" widget used in a CMS, which was fixed by upgrading to a later version (it appears that the vendor had the presence of mind to test against a pre-release version of Java 1.7 and fixed their naughty use of an undocumented class from the sun.com hierarchy).

        1. Anonymous Coward

          Re: Bad written software = old versions needed = vulnerable systems

          (off topic)

          Christ, my proof reading's gone to shit.

    2. ecofeco Silver badge

      Re: Bad written software = old versions needed = vulnerable systems

      ^ THIS is exactly the problem.

    3. 02X7Cm

      Re: Bad written software = old versions needed = vulnerable systems

      It is possible to write codes that are backward compatible, but it's impossible to write codes that are future-proofed indefinitely no matter how elite one is...

      Your lazy blanket statement doesn't seem to consider how software is made and the dependencies that are involved from top to bottom, or how often organisations try to cheap out on maintenance contracts or don't want to buy newer versions that work on the latest and greatest.

      1. Anonymous Coward

        Re: Bad written software = old versions needed = vulnerable systems

        Not sure what "codes" you're talking about. The codebases that I'm talking about from personal experience range from several hundred thousand LOC to millions.

        As for future proofing, as long as you don't use star imports then you're unlikely to get naming collisions from new classes in existing packages of the class library. Sun were very good about backwards compatibility. So much so, that features from 1.0 that were deprecated in 1.1 are still there. The only thing I can think of that changed in a way that would break your code was the 1.1 move to a different event model in the AWT classes - and that was over fifteen years ago.

    4. Kevin McMurtrie Silver badge

      Re: Bad written software = old versions needed = vulnerable systems

      The performance tuning is different in each version of Java. For example, String.substring() was changed in Java 7 to perform very differently. That's an extremely heavily used method and the change is not welcome to many. Parsers need to stop using the String class to regain performance! Another resistance to change is that it has usually taken several years for each new Java GC to be free of critical bugs on extremely large applications.

  3. Anonymous Coward

    Re: The average enterprise has more than 50 versions of Java installed across its PCs and servers

    LOL. I quite literally spat on my monitor when I read that. LOL.

    1. jason 7

      Re: The average enterprise has more than 50 versions of Java installed across its PCs and servers

      I love cleaning off about 14 defunct versions from machines. Nice way to free up some space on the HDD.

  4. srochford

    Name the guilty parties!

    Up until a few months ago, Oracle were one of the writers of the badly written software that needed an older version of Java. I think it was about March this year that their e-business system was finally certified for Java 1.7.

    If the people at Oracle who write Java wouldn't talk to the people at Oracle who write the e-business system then what hope does anyone else have?

    1. Alan W. Rateliff, II

      Re: Name the guilty parties!

      Anyone who still uses Cisco PIX will run into this problem when trying to use the web interface. It absolutely refuses to run in anything newer than Java 5 (v1.5.) Running an old version of ColdFusion? Yeah, you have to stick with something older than Java 6 Update 13 (IIRC.)

  5. Destroy All Monsters Silver badge

    Released together with Windows 95? One would think there is no useful stuff that runs on Java Beta or that the power supply on the i486 box blew up at some point in time...

    Epic Freud Stuff of the Week:

    "Oracle is yet to respond to Gowdiak's discovery, so it's unclear if and when a fix might become available. The security giant last released..."

    Tell me more about your security...

  6. DJ 2

    I've removed all trace of Java from my home machines.

    I only had one application that used java and that I used very rarely.

    The number of versions that were installed was just staggering, I deleted about 20 different versions each taking up a huge chunk of disk. The upgrades should be in place and not in a new folder.

    1. I ain't Spartacus Gold badge

      Re: I've removed all trace of Java from my home machines.

      I remember when Sun first gave Java a 'proper' update mechanism, and being pleased - and hoping Flash would soon follow suit. Only to look at my PC one day, and realise that I currently had about 10 versions of Java all installed at once. What a shit updater that was.

      Now my machines are all Java-free, after two drive-by downloads that I was amazed my virus checker actually stopped without dying. Although paranoia still forced me to waste ages scanning the system with proper tools to make sure. I now uninstall it wherever I find it.

      Sadly Flash now has an auto-updater. But it only ever did it without manual intervention once. I think it must be because they're so desperate to make you download that shitty McAfee toolbar/scanner thingy, so they make you do a fresh download each time, with an extra bonus chance to forget to untick that fucking box. I wonder if I installed it, whether Flash would then update properly like it's supposed to?
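The "old copy left behind" pattern that the two posts above describe (ten or twenty JREs side by side, with only the newest patched) is something an administrator can check for mechanically from a software inventory. The following is an added example, not code from the thread or from Oracle: it takes a constructed inventory of install paths and the version strings `java -version` reports, parses the legacy `1.<major>.0_<update>` format, and flags every install that is either below the supported major family or superseded by a newer update of the same family on the same machine. The directory names are assumed and the inventory is made up.

```python
"""Spot stale side-by-side Java installs in a software inventory.

Added example; not from the original thread. The inventory below is
constructed, and the directory layout (Program Files\\Java\\jre...) is assumed.
"""
import re
from collections import defaultdict

# Constructed sample: what an inventory agent might report from one PC.
SAMPLE_INVENTORY = [
    (r"C:\Program Files\Java\jre1.5.0_22", "1.5.0_22"),
    (r"C:\Program Files\Java\jre6", "1.6.0_29"),
    (r"C:\Program Files\Java\jre6u45", "1.6.0_45"),
    (r"C:\Program Files (x86)\Java\jre7", "1.7.0_21"),
    (r"C:\Program Files\Java\jre7", "1.7.0_25"),
]

# Legacy Java version strings look like 1.7.0_25: major 7, update 25.
VERSION_RE = re.compile(r"^1\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_version(text):
    """Turn a legacy 'java -version' string such as 1.7.0_25 into (major, update)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Java version string: %r" % text)
    major, _minor, update = m.groups()
    return int(major), int(update or 0)


def stale_installs(inventory, supported_major):
    """Return (path, version, reason) for every install that should go.

    An install is stale when its major family is below supported_major, or
    when a newer update of the same family is present on the same machine
    (the updater-left-the-old-folder pattern discussed in the thread).
    """
    by_family = defaultdict(list)
    for path, text in inventory:
        major, update = parse_version(text)
        by_family[major].append((update, path, text))

    stale = []
    for major, installs in by_family.items():
        installs.sort(reverse=True)          # newest update first
        newest_update = installs[0][0]
        for update, path, text in installs:
            if major < supported_major:
                stale.append((path, text, "unsupported family 1.%d" % major))
            elif update < newest_update:
                stale.append((path, text, "superseded by update %d" % newest_update))
    return sorted(stale)


if __name__ == "__main__":
    # Treat 1.7 as the only supported family for this constructed run.
    for path, text, reason in stale_installs(SAMPLE_INVENTORY, supported_major=7):
        print("%-45s %-10s %s" % (path, text, reason))
```

On Windows the inventory can be fed from the installed-programs list or a walk of the Java directories; on Unix-like hosts the package manager gives the same information. The point of keeping the check separate from collection is that the same logic runs over whatever agent output you already have.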

  7. Ambivalous Crowboard

    I've never understood Java

    1. Discovers a security problem requiring an update to protect the machines it's running on

    2. Deploys the update (using the most annoying updater software ever - UAC prompt before consent? Yuck)

    3. Leaves old version with security hole in place

  8. Anonymous Coward

    SMEs get one over on corporate bounders

    Rather smug that as an SME IT manager I have removed every trace of Java from all PCs except for the latest version in Finance (does any banking software NOT use Java?) and Projects / Engineering who use a Project tool that needs it…

    I didn’t realise there had been 100+ versions of Java. I must be getting old.

  9. malfeasance

    Java isn't secure, but then nothing ever is.

    Let's be honest now, the only vulnerable system with java installed is one that has the public JRE runtime (which I think will install the browser plugin) installed.

    I have java installed (after all I am a java developer); and with *just the JDK* installed, and no browser plugins, there isn't an attack vector other than programs that I explicitly download and run (there will be no getting around my stupidity).

    So the question isn't that java is "insecure"; it is, but then so's every complex computer program that's even been written; the problem is the *shit* that Oracle chooses to bundle with it and how Oracle chooses to deal with that...

  10. tom dial Silver badge

    The ones that annoyed me as an administrator were those bundled with a commercial product and never updated as part of the product maintenance. I've lost touch since retiring but think Oracle DBMS (the installer) and EMC (Documentum) were offenders here, but not the only ones. Staffing limitations and absent or poor vendor documentation can make it a bit difficult to get rid of them.

  11. Alan W. Rateliff, II

    Java 7 removing Java 6

    I just did a Java 7 update on a computer last week and it uninstalled Java 6 in the process. It surprised me at first and I thought I had accidentally downloaded a Java 6 update (however possible that would be,) but then it continued on with the 7 installation.

  12. Carl

    sigh

    I started using java in 1996.

    It was kinda cool. Nice and tight, not too much to learn.

    You could do guis, listen on sockets, compute stuff. It was OK, and with 1.1 I could talk to DB and my world was complete.

    And then... oh dear.

    So I sit here today at my desk and Java (or rather JEE) is a bloated mess of a language with all kinds of crap I don't need, buzzwords, frameworks, annotations, black boxes, conventions, weird gotchas and general broken-ness. And to cap it all the black hats are now a step or two ahead at all times.

    Utter, utter garbage. It's turned into C++. The only people in love with it are up-their-own-arse propellorheads. And this is coming from a guy who, compared to the general population IS an up-his-own-arse propellorhead.

    1. Destroy All Monsters Silver badge

      Fracking Bullshit I call you on!

      So I sit here today at my desk and Java (or rather JEE) is a bloated mess of a language with all kinds of crap I don't need, buzzwords, frameworks, annotations, black boxes, conventions, weird gotchas and general broken-ness. And to cap it all the black hats are now a step or two ahead at all times.

      Yeah, Mr "propellorhead". It's your arse that is a bloated mess. Hint train incoming:

      1) You can leave JEE out if you just want SE. Do you know what I'm saying? Note that you will have to pull in Hibernate or write your SQL queries through JDBC when you want persistent storage, which you will want pretty quickly.

      2) If you want Spring, Groovy or some other non-JEE API or framework building on SE, you know where to find it.

      3) JEE is not "bloated" in any particular way. It is just what it is: an environment in which to write server-side applications. And it's pretty elegant, too. Compare with J2EE which was the wrong approach.

      4) weird gotchas and general broken-ness ... care to be precise?

      "Black boxes"? What? "Annotations"? Do you prefer XML markup in side-dish files? "Conventions"? Yeah, these are bad, right?

      Are you actually sure about what you are talking about? Because you sure don't sound like it.

      gb2 your pseudo-assembler fail.

  13. Grogan Silver badge

    I'm so sick of Java that unless I know that someone is actually using it (even most silly things on the web that used to use java use flash now... Pogo Games still has a lot of Java based games, for one notable exception) I remove all versions of it outright. They can get it again if they need it and at least it will be the latest version (which I don't really trust not to have more unfixed vulnerabilities)

    No banking or government sites use it here (that's a common story I read... "my bank requires Java" etc.)

    I'm tired of cleaning rootkits on my customers' computers and finding the original vectors in the Java deployment cache.

    It's time for Java to die as a Web technology. (the biggest problem is its use as a web plugin) Relegate it to a runtime environment for those who insist on having programs written in that language.

  14. Michael Wojcik Silver badge

    Reflection in Java

    Reflection API (application programming interface), a technology that debuted in Java 7 SE

    Eh? Java has had support for reflection since Java 1.1, which introduced the java.lang.reflect package. There were changes to reflection support in Java 7, but reflection is not "a technology that debuted in Java 7".

