back to article Are you in charge of a lot of biz computers? Got Java on them?

Java security vulnerabilities - exploited to hack Apple and Facebook this month - are rife across business computers worldwide, according to new research. The overwhelming majority (94 per cent) of PCs and other endpoints running Java software and surveyed by Websense are vulnerable to at least one Java runtime exploit, …

COMMENTS

This topic is closed for new posts.
  1. Enrico Vanni

    How many of these machines are running Microsoft's long abandoned java variant? I was surprised to see the option still being offered in Windows 7 installs.

    1. Anonymous Coward
      Anonymous Coward

      My copy of Visual J still on the shelves. But it is so old that I had forgotten that completely until I read your comment. Was not aware that it was still an option in W7. There has to be some big, fat VJ program in some big corporate intranet to justify keeping something that old around.

      1. Anonymous Coward
        Anonymous Coward

        "There has to be some big, fat VJ program in some big corporate intranet to justify keeping something that old around."

        Never mind that, there's some major UK retailers whose entire EPOS solution is written in Java. So presumably as ugly and retro as Minecraft.

        1. M Gale

          "there's some major UK retailers whose entire EPOS solution is written in Java."

          And amusingly, it's called "Eclipse".

          Was fun when Bunsfield blew up and the whole damn system had to operate with its head cut off, too. Ever tried to work in a store when even internal stock-checks don't work and card payments take anything from 60 to 180 seconds or more to go through? That was... an experience.

          Ex-DSGi employee and not regretting the "ex" part one bit.

          1. Anonymous Coward
            Anonymous Coward

            @M Gale

            Oh, there's more than Eclipse. Retail J is embedded with a few very big retailers, and the quickest of web searches will name them.

            If wide enough that search might also throw up the fact that the founder of Retail J has not long come out of clink for a £1.6m fraud. So not only are the users enjoying the secure high quality platform that is Java, but their core point of sale money and stock system was designed and built by a fraudster. In about two months time we'll know if the Torex 4 are sent down, and if they are, then we will also be able to say that Retail J was sold by a further gang of convicted fraudsters.

    2. Anonymous Coward
      Anonymous Coward

      Some IBM stuff

      A certain large bank, operating on various countries is stuck with the Microsoft JVM in their employee's PCs. Why? Because the IBM 3270 terminal emulator offered on the intranet site is Java-based, but it will only work with the Microsoft JVM.

      Ouch.

    3. Anonymous Coward
      Anonymous Coward

      At least the Microsoft one is easily patched without breaking anything....

  2. NumptyScrub

    Upgrading from JRE 1.6

    Yeah thanks Oracle, Just let me know when your E-Business suite actually supports either an up to date JRE, or even an up to date browser, and I'll get patched right up.

    According to the devs, clients need to be using 6 series JRE and have to be on IE8, because neither the 7 series JRE or IE9+ are certified yet. That's one Java and 2 browsers behind the times for their flagship enterprise product. Either the devs are lying, or Oracle is being sanctimoniously 2 faced in their "you should just upgrade, problem solved" stance.

    Srsly ORCL, please to fix? >.<

    1. Simon Brady

      Re: Upgrading from JRE 1.6

      To be fair to Oracle, EBS has been certified with JRE 7 since December:

      https://blogs.oracle.com/stevenChan/entry/jre_7_certified_with_oracle

      The Metalink notes say they also support IE9 and Firefox ESR 17 on Win7. I have a lot of gripes about how Oracle handles certification and patching in general, but in this case the criticism isn't justified.

      1. Anonymous Coward
        Anonymous Coward

        Re: Upgrading from JRE 1.6

        Have you actually looked at that patch though? It along with a mighty flock of prerequisites amounts to a full upgrade in all but name. Our customization footprint is relatively minimal, but even so we're going to have to budget a couple hundred hours in consultant and high-level staff time to properly vet and install it. Bloody mess, really.

    2. Anonymous Coward
      Anonymous Coward

      Re: Upgrading from JRE 1.6

      https://blogs.oracle.com/stevenChan/entry/java_jre_1_7_03 ?

  3. Richard 31
    Paris Hilton

    Backwards compatibiliy

    A lot of the reason machines and servers end up with old versions of Java is the lack of proper backwards compatibility. All to often there are programs that will only work with a particular version of one particular JVM. As someone who has to deal with this, i do get rather frustrated with Java. My arse is more backwards compatible than this.

    1. Anonymous Coward
      Anonymous Coward

      Re: Backwards compatibiliy

      Do you get frustrated with <insert instruction set here> when a certain chip behaves slightly differently, has bugs/different bugs or triggers unwanted behaviour because some code depending on an undocumented feature that it doesn't have? Backwards compatibility is nice to have but there isn't going to be a system in existence that has 100% perfect backwards compatibility.

      1. Anonymous Coward
        Anonymous Coward

        @Daniel Palmer

        There is backwards compatibility, and backward compatibility.

        I have binaries compiled on Solaris 2.1 which still run 20 years later on Solaris 11.

        I have Java apps tested for 1.6_0_20 that won't run on 1.6_0_21. Write once debug everywhere has long since stopped being just a funny joke.

        1. Anonymous Coward
          Anonymous Coward

          Re: @Daniel Palmer

          I have some really old Java code that runs on 1.4 up to the latest openjdk6 and 7 releases.. I'm sure the is code out there that will run on all of those and embedded jvms. There is a lot of C code out there that only compiles and runs correctly on a vendors build of GCC from a specific snapshot. Python seems to break apps with each point release. This is a common issue all the way through the stack all the way down to the hardware.

        2. Androgynous Cupboard Silver badge

          Re: @Daniel Palmer

          I have Java apps tested for 1.6_0_20 that won't run on 1.6_0_21. Write once debug everywhere has long since stopped being just a funny joke.

          Do you really? 1.6.0_21 was a pretty minor changeset. Or are you picking revisions randomly to underline a general point?

          For what it's worth we have customers running our software on every platform and revision from 1.4 on, and - although there are notable exceptions to this - in general, things work fairly consistently from release to release and from vendor to vendor, particularly within the same major revision (eg Java 6). The only exceptions I can think of to this are changes to the JavaScript environment included with Java 6 - for obvious reasons, Oracle have made some major incompatible changes here relatiing to classloading, in 1.6.0_7 and again in 1.6.0_28, which buggered things up for us.

          (this message is not in any way intended to defend Oracles cackhanded performance in other areas of Java)

          1. Anonymous Coward
            Anonymous Coward

            @Androgynous Cupboard

            > 1.6.0_21 was a pretty minor changeset. Or are you picking revisions randomly to underline a general point?

            Yeah, it might not have been those precise versions, but it was certainly that level of micro-release. I'd not be surprised to see some small breakage/obsolescence between, say, 1.5 and 1.6, but I'd expect everything to work within a given minor release.

            Sadly I suspect this is symptomatic of the same coding quality that has led to all the security issues, the sort of "it compiles, ship it" attitude that occurs all too often with the self-trained web 2.0 development kiddies. Proper design and testing is just too much hard work when they can be hacking cool stuff.

    2. Anonymous Coward
      Anonymous Coward

      Re: Backwards compatibiliy

      Don't be too harsh on Java. There are two layers to this "compatibility" thing.

      The first is not technical, but merely a means of making support easier for the vendor. They simply don't want to test the app under every combination of JRE and OS since Windows XP days, so they simply test under what is more comfortable for them and that is what becomes "officially supported" In summary, the app will happily run on "unsupported" OSes, JRE versions, and browsers, but just don't call us if it does not.

      The second is technical, but is entirely the fault of the application developer, because it flags reliance on platform specific behavior, for example external programs (such as Office), .so modules in Linux, or whatever. I have -and there are still around some- web applets written for Java 1.0 that work perfectly under the latest Java version, so if your program depends on OCXs or other artifacts and you were sold on Java because of its platform independence you can claim your money back.

      Oh, well, there is a third reason: hardcoding a version and environment check at the start of the program, but that really is done to implement one of the above.

  4. Ian Yates
    Flame

    Updates

    It doesn't help that the updater is such an annoying little **** and seems to always have a new to apply. If I accidentally accept it, I'm then bombarded with UAC prompts at random intervals.

    At some point (for me, years ago) people choose to be blind to the constant nagging and just ignore it.

    1. Anonymous Custard

      Re: Updates

      And isn't the Java updater the one that also tries to spam you with things like the Ask toolbar and other crap that you don't want, but that it will merrily add if you just click-through rather than remembering to untick the various boxes first?

      Of course it also will ask every damn time, rather than remembering that I've said no to the last dozen times it's asked me if I want to weigh down my browser with unwanted junk in the vain hope that I might suddenly want it this time.

      Come on, just patch the holes, make it compatible and get it to work without all the nagging and backdoor installs, then we may keep up better.

      1. Wzrd1 Silver badge

        Re: Updates

        Never noticed that problem.

        But then, I download the update and push it out from the server, never get such nonsense.

        Now, Adobe patches, those are known to ignore the hell out of their command line switches. Minor things, like no reboot...

        Between Adobe and Oracle, they're a combined cause of premature aging of information security types.

    2. stephajn

      Re: Updates

      "At some point (for me, years ago) people choose to be blind to the constant nagging and just ignore it."

      Me too. And mostly, people see that UAC popup and think that it is a virus instead of something legitimate. (And I use the word legitimate loosely when talking about Java)

    3. Narlaquin
      Pint

      Re: Updates

      Worse yet, it can get in a state where it can't download the update, so just prompts and prompts.

      And "hiding" the Ask Toolbar in the installer to trip up the parental types who have been told^H^H^H^H trained to always update Java whenever it asks, to prevent a recurrence of last years embarrassing outbreak of Browser hijacking with porn links.

    4. Anonymous Coward
      Facepalm

      @Ian

      Ignoring is one thing, I tend to disable it first chance I get.

      Its another total fail in the whole process IMO. I mean; sure, for home scenario's I can see why they chose for an updater. But what about JDK installations? Those environments don't need to be treated like children; developers usually know very well which versions to use and which to ignore.

      But no; it needs to be automatically updated... Preferably with Google and Tumbler and god knows what kind of toolbars and mal- or spy ware.

    5. Anonymous Coward
      Anonymous Coward

      Re: Updates

      It's not just their updater. In theory we have centralized management to push new versions of Java to systems. Sometimes it works. Sometimes it doesn't. Sometimes when it doesn't you can't install the update manually because a file is missing or damaged. If that happens chances are you can't uninstall because the same file is missing or damaged. I've even had one recently where Programs and Features listed 6.35 and when I ran the uninstaller the banner read 6.32 and then it failed for a missing or corrupt file.

      I'll grant there were problems even under Sun but never like now (and most of our issues were self-inflicted wounds because the damn app programmers wouldn't move off 5.16 even 2 years after Sun was no longer supporting it).

    6. Darryl
      Megaphone

      Re: Updates

      Then the fun one where it will nag a standard user to update, only to fail because they don't have admin privileges.

      If you go into the Java control panel to disable automatic updating so that it will stop pissing off users, you get blasted by a popup for being an unsafe bastard.

    7. david 12 Silver badge

      Re: Updates

      The updater program has a /different name/ for every version. The executable is renamed every time.

      This means that I can't give a fixed exemption in our firewall, which means that on locked machines -- the ones used for banking which require Java in the browser -- I have to go around, turn off the firewall, run the update downloader, apply the update, and re-enable the firewall.

      What is the recomended solution for this problem?

  5. Anonymous Coward
    Anonymous Coward

    It always amazes me when people manage to make their Java code reliant on a specific version of the runtime. You have to go out of your way - using classes in the sun.com hierarchy or coding in a home brewed version check - to fuck it up, but so many people do. It's down to the general incompetence of the typical developer frankly, and ironically Oracles's are some of the worst (SQL Developer, I'm looking at you).

  6. Anonymous Coward
    Anonymous Coward

    Sweet revenge

    So when I was massively downvoted for posting "Thanks Oracle, for showing us how to fix security issues" I was actually right in how to fix the problem? "Looking at this from another angle, we have to thank Oracle. This is the same "fix" I've applied to all my home computing environment. Only I've taken it a bit further, simply removing the Java plugin, all versions, from all the installed browsers, fixes completely this and any future security issues Java may have."

    So they are now recommending exactly the same, unless you absolutely need it, then in that case keep a standalone browser installed just for that.

    Come on, start thumbing up and remember where you read it first. And post apologies below. I was right. As always, by the way (those that did not see the irony at the time and the dismissal of the "business environments", please refrain)

    1. Anonymous Coward
      Anonymous Coward

      Re: Sweet revenge

      Did you also remove Chrome, Firefox and Adobe reader since each one of those has 3-5 times more security flaws than Java.

      1. Anonymous Coward
        Anonymous Coward

        Re: Sweet revenge

        Good point. I use Linux at home, so Adobe is not needed as there are plenty of PDF readers. You're right that both Chrome and Firefox have many more vulnerabilities, but you're forgetting that they get upgraded much more often.

        No piece of software is 100% provably secure (halting theorem and all that), and even if it were the human component (that's me) is provably insecure. In the end, security is a trade off. If you want to be 100% secure, don't plug anything into your computer, be it ethernet cable, USB dongle, WiFi connection or anything else.

        Beyond that level of security (assuming of course that you keep your machine in a safe enough box, etc) it is just a matter of balancing risk versus utility.

        Linux with Firefox may some day be exploited, but so far is pretty safe, to the point of you being able to browse the intertubes with a fairly high level of confidence. Certainly safer than Windows, and safer than IE, if only because those are much more attractive targets in terms of ROI for the bad guys.

  7. noboard
    FAIL

    SSL Cert error anyone?

    Does everyone else get a certificate error from the updater? I gave up installing updates ages ago as it complained about the ssl cert. As it's a simple dev box I figured I'd wait for the certificate to be fixed, that was well over a year ago.

    1. swampdog

      Re: SSL Cert error anyone?

      Same here. Was forced to install latest java last month for some daft work purpose only (a) to have the updater screw up this month (b) when I grabbed the full download have the (also for me, longstanding) ssl cert error back. Bye -bye java for good this time. Turned out I didn't even need it for work.

  8. Anonymous Coward
    Mushroom

    We're in the process of dumping it...

    Its the funniest thing; when I was still deeply involved with Java development I always (lightly) criticized several Linux distributions for defaulting to OpenJDK instead of Sun's own native JDK. Now I really welcome it ;-)

    Even so; we maintained some EE (in-house) projects as well as some Java build software but we're getting ready to move it all away into .NET. Not claiming that this is the better of the two platforms, but when your customers start asking questions about your Java-build software, even though they're pretty computer illiterate, you really need to take the hint.

    Esp. if you're a small firm which can't maintain a "Microsoft-like attitude" (the "we know what's best for you" approach) :-)

    And the less I have to deal with Oracle, the better it is IMO.

    Even so I think this is a really sad development. Oracle does a great job in totally destroying the Sun legacy, great going you guys. I'm just glad that Sun managed to release several projects into the open source scene before going tits up, thus allowing others to keep those safe from the "great leadership" of Oracle (here's looking at OpenJDK and ZFS for example).

  9. joeW

    "The exception rather than the rule"

    How very true. When all this came out last month I decided, "OK, better disable Java in my browser then, be on the safe side". When I went to do so, it turned out it already was disabled - and must have been since this machine was set up two years ago. In that time, it never made a jot of difference to a single website I've used.

  10. ecofeco Silver badge
    FAIL

    Bad News

    Many large corps use Java and in fact, it is required to do a lot of daily business computing from Oracle (thanks Larry) to accessing vendor websites and various bits of misc middleware.

    It gets better: not all versions of Java works for all vendors/middleware/Oracle. An upgrade may break something else. Yeah I know it's not supposed to, but yet, it does.

    Brilliant!

    So yeah, uninstall is NOT an option.

    (Did I forget to thank Larry again?)

  11. b166er

    Might be nice if the JRE installer replaced older versions by default, rather than installing alongside!

    1. Anonymous Coward
      Coffee/keyboard

      but that would break everything.

      I, on the other hand, don't appreciate the fact that every version of IE I uninstall uncovers a previous version.

      Apparently, there is no escape.

  12. Pat 11

    Multiple computers, multiple users, multiple browsers, what an arse

    Just disabling it on the browsers of one home pc has taken me 15 mins.

    [Iron, Firefox and IE] * [5 home users] * [4 home PCs] is going to take forever. Bloody Minecraft, if it wasn't for that I would just delete Java altogether.

    1. Anonymous Coward
      Anonymous Coward

      Re: Multiple computers, multiple users, multiple browsers, what an arse

      Agreed. Is it possible to install Java as something local to a folder, so I can just point e.g. Minecraft at it? When I install it, its seems to spread its tentacles everywhere - startup, IE, environment etc.

  13. asdf
    FAIL

    SNOracle fail.

    For being the crown jewels SUN sure rode a very shitty JVM implementation quite a ways. Then Oracle took over and with their typical fecal King Midas like touch add more crap without fixing basic implementation flaws. Java will prosper and live on but only as under Dalvik the way things are going.

    1. This post has been deleted by its author

      1. asdf

        Re: SNOracle fail.

        >Written by a guy with no server-side / enterprise knowledge, obviously.

        Actually yes I do have but so far been lucky enough to work in shops smart enough to avoid the write once debug everywhere fiasco that is Java. I will admit though it does much better in this important but less visible space than the desktop where it absolutely falls flat on its face not only because its insecure but because its one of the cludgier multi-platform GUI solution available.

  14. irm

    Re: Multiple computers, multiple users, multiple browsers, what an arse

    @GameCoder

    You can install the JDK rather than the JRE. The former comes both with its own JRE (that will be local to the folder you install it) and a system wide JRE - that's the one that ends up in the browsers - but critically it can be deselected at install time.

    Whether Minecraft can be made to work with it I wouldn't know, but can't hurt to try...

  15. The Original Steve

    Fucking awful

    Always used Oracle Forms and Reports as the backend of our ERP is 10g. Used JInitiator until 4 years ago as it never ran on Vista so naturally moved to full JRE and it's nothing short of bollocks.

    Deploying SCCM 2012 in the next week or so and spent today putting the latest version in the application catalogue rather than deploy as part of the image. Anything to reduce our Java footprint. We're in the throws of moving to .Net for the client and middle layers and it can't come soon enough.

    Of course our only Oracle DBA/Java dev left a year ago so moving from 6 u26 to 7 u14 will be fun...

  16. Anonymous Coward
    Anonymous Coward

    Moving from Java to .Net is probably the best thing our company ever did.

    Anyone who buys Oracle anything on a greenfield site these days must be retarded.....Solaris boxes are best used as boat anchors imo.

    1. asdf

      >Solaris boxes are best used as boat anchors imo.

      Only if they contain the painfully slow garbage architecture that is SPARC. Solaris on x86 last I used it was not great but light years better than anything on SPARC.

    2. Christian Berger

      Good luck

      Good luck in 10 years when you'll have serious problems finding hardware that still supports running some .net runtime environment.

  17. JaitcH
    Thumb Up

    Thanks, Firefox, for ...

    looking after users Java problems - it was disabled soon after all the troubles started.

    Pity MS doesn't steal a page from your book.

  18. Philip Lewis
    Unhappy

    Denmark - painful

    For the poor citizens of denmark, almost every bank requires Java to use their online banking.

    What is bettr/worse (depending on how you see it), the national secure identity system (nem-id) used for online interaction with government agencies is based on Java. There is a very strong push from government to use this when secure interaction is requied, perticularly for signing legal documents such as land transfers etc.

    Nem-id is constantly down, crashes in use with alarming regularity and in my experience never seems to work when I am physically outside of denmark (maybe that is a design feature). The idea of the system is not so bad actually. My criticism is with the seriously bozo implementation and apparent poor code quality.

  19. Christian Berger

    BTW, if you are looking for something for local GUI applications try Lazarus

    Lazarus is a Delphi clone without the pain of Delphi. It's platform independent and you can designs your forms graphically or algorithmically (in any combination). It even has a nice system to automatically resize forms in a sensible way. (just like what you are used to from modern GUI toolkits)

    Seriously I could understand someone making the error of choosing Java back in the 1990s. It was popular and supported. It even looked as if it could become an universal standard for binary executables, a bit like what ASCII was for text. Now it's essentially dead.

    .net however seems like the benchmark for bad business decisions. It's _less_ portable than native win32 applications and has a noticeable performance impact. It's also harder to deploy than win32 applications, and there are literally thousands of better solutions, from old Visual Basic versions to OOPascal and probably even TCL/Tk.

This topic is closed for new posts.

Other stories you might like