Critical Java SE update due Tuesday fixes 40 flaws

Thought your Java security woes were behind you? Think again. Oracle is planning to release a Critical Patch Update on Tuesday that affects multiple versions of Java, and it's another doozy. According to Oracle's security announcement, the patch pack addresses 40 different vulnerabilities. All update levels of Java SE 5, 6, …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Very reassuring that Java is being used in many banks (even online banking, customer facing) and other financial services....

    Have Oracle been hibernating for a couple of years? The amount of remote-exploitable flaws just seems surreal.

    1. asdf
      Trollface

      I would parade out the Oracle Unbreakable joke but to be fair SUN did give them a giant steaming pile of shit with the java reference implementation.

    2. Anonymous Coward
      Windows

      @AC

      Very reassuring that Java is being used in many banks

      And the ones which don't more than often resort to ASP.NET. Your point being?

      1. JDX Gold badge

        Re: @AC

        Where are all the news stories about .NET being an insecure POS? Or are you just against anything that isn't FOSS regardless of if it's actually any good? What'd you rather they use, PHP (laugh).

  2. jerry 4
    FAIL

    Double tap. Cardio. Kill client side Java, please.

    Larry Ellison, I promise you I will install your damn toolbars if you would just stop shipping them with Java!

  3. Barbarian At the Gates

    Write once...

    get owned anywhere

  4. Daniel B.
    Boffin

    Guessing....

    Oracle must've sat over Java for quite some time, and neglected to fix this stuff. It took a public outing of "DUDE FIX THIS NOW" for them to finally act on it.

    That said, client-side Java is still useful. I wouldn't kill it.

    1. asdf

      Re: Guessing....

      The dude wasn't lying when it said it would be at least a couple of years until Java was properly secured again.

      1. Anonymous Coward
        Anonymous Coward

        Re: Guessing....

        Again? You mean for the first time, right?

  5. DryBones
    Trollface

    I was upset about this for a little. Just long enough to verify that I don't actually have Java installed. Right, back to snooker.

    1. Anonymous Coward
      Anonymous Coward

      @DryBones

      If you don't know whether you have Java installed, snooker might be a safer bet for you than computers ...

      1. Arion

        Re: @DryBones

        I disagree.

        With modern Linux systems it's not unreasonable to not know every package on your system. My current Ubuntu system has 2436 packages.

        Unless you're specifically using Java systems, then Java's little different from any other dependency, such as a .so/.dll library or something like that. In other words it's no different from the 2435 other packages.

        1. JDX Gold badge

          Re: @DryBones

          Some of us actually use computers to get work done.

  6. Anonymous Coward
    Anonymous Coward

    Damned if they do, damned if they don't

    The reporter seems to be annoyed that they are releasing the security fixes?

    1. Version 1.0 Silver badge

      Re: Damned if they do, damned if they don't

      They are probably just updating the NSA backdoors.

    2. Roo
      Facepalm

      Re: Damned if they do, damned if they don't

      In my experience (YMMV) Oracle's bug fixes & security patches follow the rule of a day late and a dollar short. Actually that's being way too kind, Oracle tend to be in the region of 8 months late and $1m short. If the Reporter has enjoyed a similar level of customer service and product quality as I have, I would expect them to be a bit churlish because they will have been living with ball-breaking defects in very expensive products for months or even years...

      When I first got my hands on Java 1.1 I had a gut feeling that Java's huge runtime combined with people placing too much trust in the whole sandbox idea would end in tears. Having had the Java wonks insisting that Java is the safest and most secure language I should be feeling Schadenfreude. As it happens I'm feeling a mixture of anger and pity because their ignorance and complacency has contributed towards security holes being overlooked which in turn has caused real users real harm.

      It's a pity because there are a few things I like about Java...

  7. Anonymous Coward
    Anonymous Coward

    Plugin or runtime vulnerabilities?

    It would be handy to know if the bugs are in the runtime or just the plugin, and what platforms they affect. Most Java usage is server side these days, or via Java Web Start for client side apps.

    1. Anonymous Coward
      Anonymous Coward

      Re: Plugin or runtime vulnerabilities?

      ...or if they make us update the whole JRE only to fix the browser plugin.

      This browser plugin vs. JRE thing really needs to be reported more clearly (not meaning El Reg specifically).

    2. Anonymous Coward
      Anonymous Coward

      Re: Plugin or runtime vulnerabilities?

      AFAIK the flaws are in the JRE itself - having the browser Java plugin active just makes them exploitable remotely. Just have a look at the CVE data when they're available.

      1. James R Grinter

        Re: Plugin or runtime vulnerabilities?

        This report makes it sound like it's in particular classes (or libraries, as we old folk call them).

        But libraries that ship as part of the "core" platform, akin to a bug in libc or stdlib (but many times more complex as they're often working at a higher level of abstraction)

        As to complaint about Java, show me a language and runtime/ ecosystem that haven't had a history of security bugs or, worse, caused lots of code to be written with security bugs. If you have one, explain why everyone isn't already using it...

        1. Arion

          Re: Plugin or runtime vulnerabilities?

          I'm not sure if 'djb-ware' would count as an ecosystem, but while there might have been the occasional security issue, it doesn't have a 'history of security bugs'. He has developed some libraries to assist in this task that are not as susceptible to security bugs as the standard C library.

          As for why people don't use it?

          1: People are idiots.

          2: DJB's original licencing was incompatible with software distributions, so his software wasn't included.

          3: Some people have a negative opinion of DJB.

  8. Eddy Ito

    Java SE

    I assume this means Java Shite Edition or is that too broad?

  9. JOKM
    Stop

    I want more security fixes more often.

    Java's transition to Open Source and the decline of Sun and the eventual purchase by Oracle meant that Java was pretty much left to rot for 5 years. However, over the past couple of years Oracle have been ramping up production of new features and security fixes; this is only a good thing. I suspect the security issues will eventually become less of an issue.

    Although to be fair most of the security holes are due to piss-poor sysadmins who have no idea how to secure their networks from the outside world, rather than Oracle's fault at releasing too many patches. Of course the excessive moaning on the Reg forums would make most believe otherwise.

    1. Anonymous Coward
      Linux

      Re: I want more security fixes more often.

      "However over the past couple of years Oracle have been ramping up production of new features and security fixes"

      The only real security is to run your Java Virtual Machine from a read-only device, that way when you reboot, you end up with a clean machine ..

      "Installation/FromUSBStick"

  10. Anonymous Coward
    Anonymous Coward

    (nothing to see here)

    Does it fix the major flaw that, whilst the JVM is an excellent piece of technology, the Java language is verbose and ponderous, and apart from the woefully implemented generics, hasn't evolved for 10+ years?

    No, I thought not.

    I'll stick with F# and Python.

    AC, because you Java developers are somewhat... intense... with your views.

    1. Destroy All Monsters Silver badge
      Facepalm

      Re: (nothing to see here)

      People with IQs above 60 have been noticing for some time that there is a large selection of languages on the JVM.

      > F#

      Yes, go back to the .NET faggotry. Don't let the closure hit you on the way out.

      1. Anonymous Coward
        Anonymous Coward

        Re: (nothing to see here)

        "Yes, go back to the .NET faggotry.."

        Nice. As I wrote before:

        AC, because you Java developers are somewhat... intense... with your views.

        Thanks for so eloquently proving my point. You just run along and keep destroying those monsters until Mummy brings you your bedtime cocoa.

      2. Dr U Mour
        Thumb Down

        Re: (nothing to see here)

        As much as I dislike .net, I dislike your use of "faggotry" far more

  11. Anonymous Coward
    FAIL

    Critical Java SE update ..

    Considering the amount of time Java has been about, and considering the Java sandbox was designed to isolate the underlying OS from untrusted Java apps, why is it still so full of security holes?

    "Low Level Security in Java"

  12. BornToWin

    Most intelligent people...

    ...never installed or removed Java a long time ago.

    1. Anonymous Coward
      Anonymous Coward

      Re: Most intelligent people...

      or many intelligent people do more than 1st line telephone support, so actually need it for their jobs.

      Fixed.

    2. Down not across

      Re: Most intelligent people...

      ..and then in the real world that choice often is not available due to some vendor software (some storage vendors come to mind and they're not alone) being written in Java. Larger corporations tend to have other corporate tools that require Java, so as much as the intelligent people might not want to have Java on their machines, that is not always possible.

  13. Anonymous Coward
    Anonymous Coward

    Good, less bugs

    At least Oracle are fixing these issues, given Sun staff were obviously too damned lazy to fix many bugs (some I reported), and were quite slow to add important new language features and APIs.

    I hope that Oracle run PMD and FindBugs over the core source code soon, because it needs a serious code and interface cleanup, which Sun should have done before they released 1.5; a lot of this cruft is still in 1.7!

  14. Inselaf
    Unhappy

    Update? What update?

    So there is supposed to be an update on the 18th June. It is now the 20th & I have not received any update from Sun. Do they expect us to go to their site & download it? This is really a joke, were it not so serious.

    Have they even released the update? My last update was on the 11-03-2013.

    So off I go to take a look at the homepage from Java. It is not as though I have nothing better to do.

  15. Inselaf
    Unhappy

    Update? What update? 2

    Update. I was on Java's website & although I have the update function on automatic I had to do it manually. I have checked & the settings were for automatic updates. So even that does not work properly.

    So the motto of this experience is do it manually, as in my case one cannot depend upon Java/Oracle to automatically inform you of updates. Absolutely unbelievable.
