Solaris, Java have vulns that let users run riot

Oracle's emitted its quarterly patch dump. As usual it's a whopper, with 308 security fixes to consider. Oracle uses the ten-point Common Vulnerability Scoring System Version 3.0, on which critical bugs score 9.0 or above. The Register counts 30 such bugs in this release. Not all can be laid at Oracle's door. For example, a …

  1. ptribble

    It seems a little odd to call the CDE calendar server problem a Big Red boo-boo. That code comes from *way* back.

    Besides, nobody competent would actually have that running. Although I suppose that leaves a fairly big opportunity.

    The Java scores look scary, but the list and scores aren't terribly helpful. Apart from telling you not to run Java in the browser, which is a message people should have gotten many many times already.

    1. Nick Ryan

      True; however, unfortunately many places still use Java exposed to the Internet, either as an application or as a plugin within the browser.

      In short, not permitting Java, Flash, Silverlight or ActiveX in the browser will help reduce your risks considerably.

      1. John Riddoch

        Calendar manager has been a security screwup for at least 10 years and I remember switching it off across all our servers many moons ago. I doubt many desktop Solaris users even use CDE these days (Gnome being preferred) so it should have been switched off/uninstalled.

        As for Java, yeah, the vast majority relate to "untrusted code" which basically means "code run in the browser" in the majority of cases. Another reason I don't install Java browser extensions and I haven't missed them in ages.

        1. Alistair

          @John Riddoch:

          HPUX - sadly still defaults to CDE. Mind you anyone running *all* DT services on their HPUX hosts needs a LART upside the head.

  2. LeoP

    At least Oracle's customers can be sure

    Not only are they sort of raped on prices every time Larry wants a new Island, Yacht or America's Cup winner, they are also quite sure to get products that are very risky to actually use.

    We do things rather simply here: if 'Oracle' is written on it, don't use it.

  3. Maventi

    Seriously though, who in their right mind still uses Oracle Java SE when we have OpenJDK?

    1. PhilDin

      Quite a few people in their right mind use Oracle Java SE. OpenJDK is basically the open source distribution of Oracle Java SE. I'm guessing most of the vulnerabilities relate to browser integration so unless OpenJDK excludes that, it will have the same vulnerabilities as Oracle Java.

      1. Bucky 2

        > I'm guessing most of the vulnerabilities relate to browser integration

        Nowhere does the article mention the word "browser" or "applet," so I'm pretty sure we can rule in-browser java out completely as the source of any of these vulnerabilities.

      2. Maventi

        Fair call. I did a cursory search for such vulns and found nothing obvious, but subsequently see that a number of these appear in OpenJDK too. Humble pie time for me.

  4. Gis Bun

    Oh just ban Java. It is worse than Flash when it comes to vulnerabilities.

    1. Anonymous Coward

      I would really love to see you try to use your cellphone without Java.

      1. barbara.hudson

        Hint - Android does not run Java. Neither does an iPhone. So yes, phones work fine without Java.

        1. Anonymous Coward

          Oh?

          Google UICC.

  5. DougMac

    > Hint - Android does not run Java.

    Wha? Most Android apps are written in Java, and the ADK has mostly Java interfaces; how does Android not run Java?

    Perhaps you mean Java applets, which have long been a dead thing?

    1. Maventi

      "Most Android Apps are written in Java"

      Java is simply a language. Oracle Java SE is a well-known example of a Java VM or runtime environment that is also colloquially referred to as 'Java'.

      "and the ADK has mostly Java interfaces"

      Google copied Sun's Java API in their own implementation of the language and runtime. This is the basis of the infamous Oracle lawsuit.

      "how does Android not run Java?"

      Android runs ART, which in turn replaced Dalvik found in older Android versions. These are both Google's own creations and are unrelated to Oracle's JVM products mentioned above.

      The poor security reputation for Java largely stems from the browser plugin included with the desktop versions of Oracle's JVMs (and it is pretty bad), but this has unfortunately extended across much of the industry to tarring anything remotely involving the name 'Java' with the same brush. That said, this latest run isn't helping. :)


Biting the hand that feeds IT © 1998–2019