
Oracle Ships Java 7 Update 11 With Vulnerability Fixes

samzenpus posted about 2 years ago | from the try-it-now dept.


An anonymous reader writes "After announcing a fix was coming just yesterday, Oracle on Sunday released Java 7 Update 11 to address the recently disclosed security vulnerability. If you use Java, you can download the latest update now from the Java Control Panel or directly from Oracle's website here: Java SE 7u11. In the release notes for this update, Oracle notes this version 'contains fixes for security vulnerabilities.' A closer look at Oracle Security Alert for CVE-2013-0422 details that Update 11 fixes two vulnerabilities."


Is this really a fix? (5, Interesting)

DavidClarkeHR (2769805) | about 2 years ago | (#42578413)

It's great that the default security settings have been increased - and the zero-day flaws needed fixing (as always).

Proper web browsing hygiene protected users from this zero-day vulnerability - but my mom needed this update.

Re:Is this really a fix? ..apk (-1)

Anonymous Coward | about 2 years ago | (#42578443)

ur mom needs "proper" hygiene? I can give her some tips &/or advice => personally (i prefer the "hands on" approach, btw)

APK

PS => BTW I recommend a hosts file to prevent malware &/or ads, etc.

...apk

Re:Is this really a fix? (1)

Thinine (869482) | about 2 years ago | (#42578609)

Why does your Mom need Java in the first place?

Re:Is this really a fix? (0)

Anonymous Coward | about 2 years ago | (#42578773)

Games!

Don't even ask. People are stupid. However many people also don't exactly have much use for the computer without such things.

Re:Is this really a fix? (1)

sproketboy (608031) | about 2 years ago | (#42578859)

To play Minecraft obviously.

Re:Is this really a fix? (-1)

Anonymous Coward | about 2 years ago | (#42578873)

I'm raping sensei's dick with my butthole! Rape! Rape!

Re:Is this really a fix? (1)

dubbayu_d_40 (622643) | about 2 years ago | (#42579051)

This is a common misunderstanding of apple users.

Re:Is this really a fix? (1)

PNutts (199112) | about 2 years ago | (#42578827)

Proper web browsing hygiene protected users from this zero-day vulnerability...

I'm not sure what you mean by that. What is "proper web browsing hygiene"?

Re:Is this really a fix? (4, Funny)

Anonymous Coward | about 2 years ago | (#42578945)

keeping a box of tissue next to the computer

Re:Is this really a fix? (0)

Anonymous Coward | about 2 years ago | (#42578961)

Proper web browsing hygiene includes not infecting one's system with Java to begin with.

What about Java 6 (et al)? (0)

Anonymous Coward | about 2 years ago | (#42578445)

It isn't cool to force users to do a major version upgrade just to get a security patch.

Re:What about Java 6 (et al)? (4, Informative)

black3d (1648913) | about 2 years ago | (#42578605)

Java 6 isn't vulnerable to this particular exploit. Only 7.

Re:What about Java 6 (et al)? (1)

Anonymous Coward | about 2 years ago | (#42578721)

Java 6 isn't vulnerable to this particular exploit. Only 7.

Java 6 already has its own security issues.

Re:What about Java 6 (et al)? (2, Insightful)

Anonymous Coward | about 2 years ago | (#42578743)

So they give you something for free, choose to dictate how they will support this something and you complain?

No wonder these companies gouge on the licensing where they can, people like you will demand an inch and take a mile.

Re:What about Java 6 (et al)? (3, Insightful)

fuzzyfuzzyfungus (1223518) | about 2 years ago | (#42579139)

So they give you something for free, choose to dictate how they will support this something and you complain?

No wonder these companies gouge on the licensing where they can, people like you will demand an inch and take a mile.

Nobody said that owning a 'platform' was a fun job. It's high blame, low praise, your undemanding customers have a willingness to pay hovering around $0, your customers who are willing to pay have a list of whiny demands about 'compatibility' and such. That's just how these things roll. Is it worth it to you to suck it up and reap the rewards, or is a different category of software a better fit?

It honestly looks like (consumer) in-browser java is nearly dead, and the JVM isn't as lively on the client side as it once was, so Oracle might not have to decide whether they are in the 'platform' business in that area. The general point still stands. "Platform" is not a pretty category of software to be responsible for, it just sometimes happens to be lucrative enough to be worth it.

Java or Javascript? (1)

jkrise (535370) | about 2 years ago | (#42578481)

I'm totally confused every time this comes up... do browsers have Javascript (more accurately ECMA Script) or Java itself? I understand it is the former; whereas Java is a plugin that needs to be explicitly installed. And I also believe Javascript has almost nothing to do with Java.

Is Java on browsers so widespread?

Java and Flash (4, Informative)

tepples (727027) | about 2 years ago | (#42578503)

Browsers come with only JS. Java is a plug-in published by Oracle that plays applets written in Java, just as Flash Player is a plug-in published by Adobe that plays applets written in ActionScript.

Re:Java and Flash (1)

jkrise (535370) | about 2 years ago | (#42578537)

Java is a plug-in published by Oracle that plays applets written in Java,

Yes, I understood that bit, which is why I asked the final question: Is the Java plugin downloaded so often, to run on browsers? (alternately)

Is Java plug-in bundled with browsers without the need for separate downloading?

Re:Java and Flash (1, Informative)

Shikaku (1129753) | about 2 years ago | (#42578583)

You have to manually install it or a piece of software you run needs it and installs it. No modern browser needs it nowadays.

Re:Java and Flash (-1)

Anonymous Coward | about 2 years ago | (#42578663)

Wrong on both counts. Firstly, use of Java is a feature of a particular website you might visit. Secondly, it auto-installs if the plug-in isn't present. Yes, you have to click on a couple of prompts but that's about it - you don't have to go download something separately yourself.

If you are so ignorant of how the web works, why even bother commenting? You just made a fool of yourself.

Re:Java and Flash (2)

PNutts (199112) | about 2 years ago | (#42578835)

No modern browser needs it nowadays.

It depends on what you're trying to do.

Re:Java and Flash (0)

Anonymous Coward | about 2 years ago | (#42579385)

If you're doing anything involving Java then you're doing it wrong.

Re:Java and Flash (0)

Anonymous Coward | about 2 years ago | (#42578897)

Java comes preinstalled on a lot of PCs (or at least it used to). Also, some browsers prompt you to install Java when you encounter an applet (or at least they used to).

The result is that a buttzillion users have Java installed even if they don't want or need it.

Re:Java and Flash (1)

fuzzyfuzzyfungus (1223518) | about 2 years ago | (#42579155)

Java comes preinstalled on a lot of PCs (or at least it used to). Also, some browsers prompt you to install Java when you encounter an applet (or at least they used to).

The result is that a buttzillion users have Java installed even if they don't want or need it.

The one that really pisses me off is when the official Java autoupdate utility decides that you must not have meant it when you disabled the browser plugin, and helpfully re-installs it for you...

Re:Java and Flash (2)

tepples (727027) | about 2 years ago | (#42578589)

Is Java plug-in bundled with browsers without the need for separate downloading?

No. As far as I know, Flash isn't bundled either, except with Chrome. Java also has an environment for applications that run outside the browser such as FrostWire and Minecraft. Perhaps people are installing Java to run those, and the installer drops the plug-in into all installed browsers.

Re:Java and Flash (1)

Giant Electronic Bra (1229876) | about 2 years ago | (#42579085)

Normally the browser plug-in is a totally different independent install from Java itself. It's POSSIBLE an installer could bundle java and a java browser plug-in (like say icedtea). Linux distros will generally install java to satisfy the plugin's dependencies for instance, which in something like Ubuntu could happen almost automatically. I don't think anything like that will happen in Windows or OSX normally.

Lots of people DO have Java installed for completely other reasons than web applets though. In fact it is mostly used the same way .NET is, as a platform-independent managed code runtime. Nowadays frankly I don't see a lot of reason for most people to install the plugin though. Applets are OK, but most stuff is migrating to HTML5/JS anyway.

Re:Java and Flash (0)

Anonymous Coward | about 2 years ago | (#42578911)

Java is a plug-in published by Oracle that plays applets written in Java,

Yes, I understood that bit, which is why I asked the final question: Is the Java plugin downloaded so often, to run on browsers?

No, but if you download Java runtime for anything (for example, LibreOffice or Eclipse, including the Android dev kit) it will install the web plugin as well.

Since there is a lot of software that, for whatever reason, requires the Java runtime, a lot of people have the plugin installed without realizing it.

Re:Java and Flash (0)

Anonymous Coward | about 2 years ago | (#42579225)

Yes, it's part of the remote console access toolkit for HP's ILO remote management, Dell's old "DRAC" technology, and almost anything that uses what is really VNC behind the scenes to provide remote console access to a browser.

Re:Java and Flash (0)

Anonymous Coward | about 2 years ago | (#42579235)

The java plugin generally isn't bundled with browsers. However, it may be bundled with your computer. A Lenovo laptop I had about a decade ago came pre-loaded with Java, because its software update program was written in Java.

Re:Java or Javascript? (0)

Anonymous Coward | about 2 years ago | (#42578511)

You appear to already know the answers. How can you be confused when you can clearly differentiate between Javascript (ECMA) and Java?

Re:Java or Javascript? (0)

Anonymous Coward | about 2 years ago | (#42578517)

Yes.

Re:Java or Javascript? (0)

Anonymous Coward | about 2 years ago | (#42578545)

Excellent point, jkrise.

To my knowledge, Java applets aren't too common and haven't been since the '90s, when (ironically) that was the feature that fueled the endless hype around Java. By the mid-90's Java had become known as a mostly server-side technology. But there are still sites that want to provide a richer GUI than you can get from CSS, JavaScript/Ajax, for example for interactive vector graphic simulations.

Re:Java or Javascript? (1)

jkrise (535370) | about 2 years ago | (#42578569)

But there are still sites that want to provide a richer GUI than you can get from CSS, JavaScript/Ajax, for example for interactive vector graphic simulations.

Thanks for the explanation. Any examples of such sites, if they are popular?

Re:Java or Javascript? (3, Informative)

RedHackTea (2779623) | about 2 years ago | (#42578677)

I think the only popular sites are games now. Minecraft is the first you'll hear on /. It uses Java and LWJGL (Light-Weight Java Game Library) -- which essentially just uses JNI to expose native calls to OpenGL/AL/CL using C code. I believe there is both a Java Applet version and offline version (which may use Java WebStart, don't know).

RuneScape and all of FunOrb (also made by Jagex -- the creators of Runescape) are also Java Applets.

Other than games, you'll see sites use Java Applets for simulations, etc. -- things that are either computationally intensive or too complex. Since Java is object-oriented, has tons of built-in data structures, garbage collection, and runs off the client's (pretty fast) JVM in which there is a JVM available for the popular OSes, it's a better alternative to JavaScript or Silverlight for these tasks.

Re:Java or Javascript? (0)

Anonymous Coward | about 2 years ago | (#42578737)

Here's a random example [rit.edu] ; although in this particular case it could probably be recoded to use JavaScript.

Re:Java or Javascript? (0)

Anonymous Coward | about 2 years ago | (#42578813)

Popular? No. However, there are still plenty of sites that use java. For instance:

    http://www.diyonline.com/ [diyonline.com]

Most of the tools there require java. And those tools are used by several large companies.

Re:Java or Javascript? (0)

Anonymous Coward | about 2 years ago | (#42578575)

oops, s/mid-90's/mid-00's/

Re:Java or Javascript? (0)

QQBoss (2527196) | about 2 years ago | (#42578695)

LOL, this reminds me of when our HR people took my project head's request for an experienced programmer knowledgeable in Java and put out a notice for a Java programmer, 10 years experience required- in 1997.

Re:Java or Javascript? (3, Informative)

black3d (1648913) | about 2 years ago | (#42578567)

It's correct that the two have virtually nothing in common. However, Java in browsers is fairly widespread simply due to the fact that so many applications are built around the Java runtime and there's a good chance that at some time many users have needed to install it. A typical install of the Java Runtime Environment includes browser interaction.

Many websites utilize Java through in-line apps and modern browsers make the installation process fairly simple (i.e., a couple of on-page redirects and a pop-up window which takes care of it all - the same way most browsers simplify Flash installation simply because it's so universal). For example, nVidia's video-card-detection routine is in Java and if it's not installed, will helpfully let you know and give a button to click to download it. Minecraft, of course, requires Java. Many development tools and even many network management packages are written in Java.

Java on PCs is quite widespread and thus by default, so is Java on browsers.

Javascript, as you rightly raise, is altogether different, and prevalent on all browsers by default (even though different browsers have different JS interpreters) and has nothing to do with the JRE.

Re:Java or Javascript? (1)

rwyoder (759998) | about 2 years ago | (#42578667)

I'm totally confused every time this comes up... do browsers have Javascript (more accurately ECMA Script) or Java itself? I understand it is the former; whereas Java is a plugin that needs to be explicitly installed. And I also believe Javascript has almost nothing to do with Java.

Is Java on browsers so widespread?

I haven't needed Java since my last job where I routinely needed to use the web interface of F5 proxies, in which the latest major revision went to an all-Java interface.

Re:Java or Javascript? (5, Informative)

Billly Gates (198444) | about 2 years ago | (#42578949)

Javascript absolutely has nothing to do with Java.

Netscape realized for the web to take off as a platform it needed to do more than just display text and pictures so logic was needed. Netscape invented Livescript. Sun didn't like it and was in talks with making Java used instead of Livescript for dynamic web content.

So Netscape made a deal to rename Livescript Javascript with the contract to include jre with Netscape 3. It has nothing to do with it other than pure marketing name to confuse users to spread synergy to Java instead which is what Sun hoped as Livescript aka Javascript was very limited at the time.

It became a standard to this day.

Re:Java or Javascript? (1)

c0lo (1497653) | about 2 years ago | (#42578975)

Is Java on browsers so widespread?

Don't know how accurate they are, but some [statowl.com] say more than 40% of the computers connected to internet have Java plugin.

Leftovers (0)

Anonymous Coward | about 2 years ago | (#42578483)

So does this leave the last 15 versions of Java the user has still installed and listed in the programs list? How secure is that?

Re:Leftovers (1)

black3d (1648913) | about 2 years ago | (#42578577)

I've never experienced that. Could it be a user configuration issue?

Re:Leftovers (1)

lister king of smeg (2481612) | about 2 years ago | (#42578727)

Odd, as I have regularly run into it when cleaning up peoples computers.

Re:Leftovers (1)

X0563511 (793323) | about 2 years ago | (#42578801)

The JRE, or just the JDK?

For a -loooong- time the JRE gets installed in a place like c:\program files\java\jre[5,6,7]

However, the JDK, if you have that, gets its full version in the path. So when that is updated, the old version remains.

Re:Leftovers (3, Informative)

bertok (226922) | about 2 years ago | (#42578849)

Older versions of Java defaulted to side-by-side installation mode, which was then kept even after newer releases were installed on top.

Newer versions default to in-place upgrade mode instead.

It's poorly documented, and as far as I know, the only way to fix it is to completely uninstall and re-install the latest version.
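A hygiene check that ties the two points above together: side-by-side installs leave old JREs behind, and (per black3d earlier in the thread) CVE-2013-0422 affects Java 7 only, fixed in 7u11. This is an added Python example, not code from the thread or from Oracle; the directory-name patterns it parses (jre7, jdk1.7.0_09, jre1.6.0_37) are assumptions about how the installer names things, and the install paths in SAMPLE_INSTALLS are constructed.

```python
"""Inventory Java installs left behind by side-by-side upgrades and flag
any below the CVE-2013-0422 fix level (Java SE 7 Update 11).

Added example, not code from the thread or from Oracle. It parses the
version tokens Java uses in install directory names and in
'java -version' output. SAMPLE_INSTALLS is a constructed inventory."""
import re
from dataclasses import dataclass
from typing import Optional

FIXED_MAJOR, FIXED_UPDATE = 7, 11  # Java SE 7u11, per the Oracle alert

# Matches "jre7", "jre6", "jdk1.7.0_09", "jre1.6.0_37", "1.7.0_10", "7u11".
# Assumed naming patterns, not taken from the page.
_VER = re.compile(
    r"^(?:jre|jdk)?(?:1\.)?(?P<major>\d+)(?:\.0)?(?:[_u](?P<update>\d+))?$"
)

# Constructed sample of what a cluttered Program Files\Java might contain.
SAMPLE_INSTALLS = [
    r"C:\Program Files\Java\jre7",             # in-place install, update unknown
    r"C:\Program Files\Java\jre1.6.0_37",      # leftover Java 6
    r"C:\Program Files\Java\jdk1.7.0_09",      # side-by-side JDK, pre-fix
    r"C:\Program Files (x86)\Java\jre1.7.0_10",
    r"C:\Program Files\Java\jre1.7.0_11",
]


@dataclass
class Finding:
    location: str
    major: Optional[int]
    update: Optional[int]
    status: str


def parse_version(text: str) -> Optional[tuple]:
    """Return (major, update) from a Java version token, or None.
    update is None when only the major version is present (e.g. 'jre7')."""
    m = _VER.match(text.strip())
    if not m:
        return None
    update = m.group("update")
    return int(m.group("major")), (int(update) if update is not None else None)


def parse_java_version_output(output: str) -> Optional[tuple]:
    """Pull the version token out of 'java -version' output,
    whose first line looks like: java version "1.7.0_11"."""
    m = re.search(r'java version "([^"]+)"', output)
    return parse_version(m.group(1)) if m else None


def classify(major: int, update: Optional[int]) -> str:
    """Compare one install against the 7u11 fix level."""
    if major < FIXED_MAJOR:
        # Thread says CVE-2013-0422 hits Java 7 only; an old Java 6 left
        # behind is still unpatched attack surface and should be removed.
        return "not affected by CVE-2013-0422, but superseded: remove"
    if major > FIXED_MAJOR:
        return "newer than 7u11"
    if update is None:
        return "Java 7, update unknown: confirm with 'java -version'"
    if update < FIXED_UPDATE:
        return "VULNERABLE to CVE-2013-0422 (needs 7u11 or later)"
    return "patched (7u11 or later)"


def audit(install_paths) -> list:
    """Classify each install directory; unparsable names are reported, not skipped."""
    findings = []
    for path in install_paths:
        name = re.split(r"[\\/]", path.rstrip("\\/"))[-1]
        parsed = parse_version(name)
        if parsed is None:
            findings.append(Finding(path, None, None, "unrecognised directory name"))
            continue
        major, update = parsed
        findings.append(Finding(path, major, update, classify(major, update)))
    return findings


def vulnerable_paths(install_paths) -> list:
    """Just the locations an administrator must act on for this CVE."""
    return [f.location for f in audit(install_paths) if f.status.startswith("VULNERABLE")]


if __name__ == "__main__":
    for f in audit(SAMPLE_INSTALLS):
        print(f"{f.location:45} -> {f.status}")
```

On a real host, feed `audit()` the subdirectories of the Java install roots and check any "update unknown" entry with `java -version` via `parse_java_version_output()`.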

Re:Leftovers (0)

sourcerror (1718066) | about 2 years ago | (#42578633)

How secure is using Firefox 3.0?

August 2012 to January 2013 (4, Insightful)

QuietLagoon (813062) | about 2 years ago | (#42578501)

A vuln that apparently was first reported in August 2012 [seclists.org] is finally fixed (maybe) in January 2013.

Why can't the larger companies, e.g. Microsoft and Oracle, respond to and fix the security issues more quickly than on a timeline expressed in months?

Re:August 2012 to January 2013 (3, Insightful)

dreamchaser (49529) | about 2 years ago | (#42578525)

I couldn't agree more. It will probably take legal action to change this mentality. Eventually someone will sue one of the big software companies and win because a known vulnerability wasn't patched.

I really hate saying this because I am mostly libertarian and wary of too much regulation, but I think it is high time that there are regulations akin to those imposed on other engineering disciplines put into place over software that is used in 'e-infrastructure' such as banking, etc. Right now there isn't any, and thus huge multi-billion dollar companies are free to drag their feet on fixes or even outright ignore vulnerabilities that can cause serious harm to people.

Re:August 2012 to January 2013 (1)

phantomfive (622387) | about 2 years ago | (#42578841)

I really hate saying this because I am mostly libertarian and wary of too much regulation, but I think it is high time that there are regulations akin to those imposed on other engineering disciplines put into place over software that is used in 'e-infrastructure' such as banking, etc.

You ask for that, but what you end up with will teach you the problems of regulations.

You will end up with some standards to follow that will slow you down, and won't make the code secure (in some cases, may make it less secure). It will be hard to change the standards, because the legislative process is slow. Large companies will get in on the process and make sure the regulations benefit them in some way (for example, Oracle might lobby that everyone be forced to use Java, because "sandboxes are more secure" or something. It doesn't matter if it's true. Coverity will lobby to force you to use static analysis. Someone will have the bright idea that every function must have one return statement, and only at the end of the function).

It's also worth mentioning, if you use open source, you won't be at the mercy of companies dragging their feet like this.

Be careful what you wish for (5, Insightful)

Anonymous Brave Guy (457657) | about 2 years ago | (#42578855)

I really hate saying this because I am mostly libertarian and wary of too much regulation, but I think it is high time that there are regulations akin to those imposed on other engineering disciplines put into place over software that is used in 'e-infrastructure' such as banking, etc.

Be careful what you wish for.

As a professional software developer, I find the poor choices made by big name software companies very frustrating, and I'm well aware of the cumulative damage caused when software used by many people fails.

On the other hand, if you mandate heavyweight regulation in such an industry, you're going to see prices go up significantly, and a lot of useful free-as-in-beer software would probably disappear almost overnight because the people writing it are going to be reluctant to accept engineering-level liability for work they do at charity/PR level prices.

Then you'll get some sort of approved person/recognised competency qualification, probably administered by some bureaucratic organisation with expensive membership fees and a lofty title, possibly backed by law so people can't even practise software development without jumping over the officially sanctioned barriers to entry any more, or at least such that you can't get professional insurance policies to cover your engineering-level liabilities without playing the game.

Oh, and since there are about three people on the planet who actually know how to write really robust software and they're all in very high profile jobs already, that organisation is instead going to be run (or more likely "advised" by some sort of "expert panel") by the kind of smooth-talking consultants who move from one fad to the next, making lots of money on the upside and then running away before they have to face the consequences of their expensive advice. You know, the ones who use terms like "Agile" and "software craftsmanship", but who can't manage to write a Sudoku solver or who think there are no more programming languages left.

In short, if you want to stifle genuine innovation in the industry by people who really are competing on quality or exploring better ways to write software, and ensure that all you ever get is junk written by people who are more interested in competing on compliance with "quality standards" and exploring better ways to make money from software, regulation is exactly how you do it. In time, we'll learn how to build software better and people who make the effort to do so will be able to compete on genuine quality, but until we have learned how to do that with some level of consistency, any attempt to turn software development into some sort of engineering profession is doomed.

Re:Be careful what you wish for (2)

GenieGenieGenie (942725) | about 2 years ago | (#42579095)

That's amazing. I'm a biologist and you are describing exactly what happened in my discipline due to over-regulation.

Re:August 2012 to January 2013 (1)

sproketboy (608031) | about 2 years ago | (#42578871)

Then you're not a libertarian, you're a hypocrite.

Re:August 2012 to January 2013 (0)

Anonymous Coward | about 2 years ago | (#42579055)

Just like everyone else who got hot on Atlas Shrugged when they were 19 and ended up managing in a regulated industry by the time they were 45.

If you're looking for a sophomoric philosophy, forget libertarianism and embrace marxism. At least the analysis remains correct even after you've sold out to the man.

Re:August 2012 to January 2013 (2)

black3d (1648913) | about 2 years ago | (#42579083)

To be fair, he did say "mostly libertarian".

Show me a man who's "100% libertarian" and I'll show you an insane man.

If "insane" is too harsh for you, substitute with "wearing intellectual blinders". While Libertarianism portrays itself as a platform of individual rights, taken to the logical extreme all the rights become null and void as they have no bearing on your interactions with anybody else. For example, how do you resolve the good old conflict of "I have a right to speak" with "I have a right not to hear you" (or, I have a right to peace and quiet)? The only ways to resolve it are either to force one of the individuals to move (a violation of the doctrine), forcing one of the individuals to wear sound-block devices (a violation of the doctrine), or create laws about when or where people can be heard or expect to have to listen and expect the two parties to work around these limitations (a violation of the doctrine).

Of course, various philosophers have their own answers to this, and varying interpretations and extremes of Libertarianism, and ultimately it must be accepted to reasonably be about "minimizing" rather than "removing" controls. Which means OP, being "mostly Libertarian", is a sane Libertarian.

While Godwin, Rand and Armand may outwardly appear like sensible people who write sensible books, most of their views are in violation of the Tragedy of the Commons. In other words, the philosophies only pan out for the individual if a small percentage of the population are self-absorbed egoists. If everyone was, it stops working, and any philosophy which relies on other people being worse off than you is tremendously selfish.

Re:August 2012 to January 2013 (1)

spongman (182339) | about 2 years ago | (#42579349)

how do you resolve the good old conflict of "I have a right to speak" with "I have a right not to hear you"

wouldn't that be covered by trespass?

Re:August 2012 to January 2013 (2)

Gadget_Guy (627405) | about 2 years ago | (#42578693)

When a bug report is received, it gets evaluated and prioritised. It can take a non trivial time to track down and fix the bug (and any associated bugs in similar code). It takes time to test it in all the platforms and configurations (they have had to hastily recall patches in the past where the fix does more damage than the original bug).

It probably goes through some review process before being merged into the main code line (large companies can't allow anarchy with their code edits). Finally, patches are buffered to a schedule to allow their clients to plan for their own testing and application of patches.

All this takes time. You can make a system where you don't have this level of bureaucracy, but that can cause its own problems and delays [networkworld.com]. So why did this specific Java bug take five months to fix? Without being privy to their processes we can't say for sure. Perhaps the extra step of outsourcing the fix to a third world country took a bit more time!

Re:August 2012 to January 2013 (1, Troll)

QuietLagoon (813062) | about 2 years ago | (#42578847)

When a bug report is received, it gets evaluated and prioritised. It can take a non trivial time to track down and fix the bug (and any associated bugs in similar code).

Instead of trying to rationalize and trivialize the incompetence of the companies that provide a lot of the software infrastructure that the IT industry uses, maybe your online efforts might be better served to try to effect a change in the companies providing that software infrastructure to be able to produce a timely solution that protects the users from vulns.

Re:August 2012 to January 2013 (-1)

Anonymous Coward | about 2 years ago | (#42578895)

Yeah we should do that with Canonical - whoops they're a Linshit company that can do no evil right?

Re:August 2012 to January 2013 (1)

Gadget_Guy (627405) | about 2 years ago | (#42579089)

What is your solution then? Release patches that are rushed and untested? Mark everything as "top priority" so that all bugs are finished faster?

As a developer in a small team, I can get away with shipping bug fixes without having to go through a process like I described. A small team can be agile and responsive like that. But I can imagine how chaotic this would be in a large organisation. Just because you can't understand that bug fixing actually takes time means that you would be more suited to a career in management rather than programming.

Re:August 2012 to January 2013 (1)

QuietLagoon (813062) | about 2 years ago | (#42578853)

Additionally, if the companies you seem to be defending have such a rigorous process for putting software out into general usage, how do such critical security bugs apparently seem to be able to side-step that very rigorous process and get Out Into The Wild?

Re:August 2012 to January 2013 (1)

jebblue (1160883) | about 2 years ago | (#42578877)

Because software is hard to get right and it's written by people who make up companies from 1 person to tens of thousands, still just people trying to put food on the tables for their families.

Re:August 2012 to January 2013 (1)

Gadget_Guy (627405) | about 2 years ago | (#42579169)

Because no system is perfect. The code behind any modern operating system is far too complicated for any individual to understand. All the best intentions and best practices in the world will not completely catch all the bugs. But they do catch some, so it is worth trying to catch them.

To use a car analogy, what you said is like questioning the worth of seatbelts. Just because they don't save every life in an accident doesn't mean that it not worth wearing them.

Re:August 2012 to January 2013 (1)

sk999 (846068) | about 2 years ago | (#42578755)

Why can't the larger companies, e.g. Microsoft and Oracle, respond to and fix the security issues more quickly than on a timeline expressed in months?

It's because big companies like Oracle are too busy pursuing lawsuits against Google for IP infringement:
http://news.cnet.com/8301-1023_3-57526509-93/oracle-appeals-ruling-in-lawsuit-over-googles-use-of-java/ [cnet.com]

Protection of "IP" takes precedence over fixing security holes in the same "IP" every time.

Re:August 2012 to January 2013 (2)

X0563511 (793323) | about 2 years ago | (#42578807)

Lawyers and PHBs do not write code (thankfully). Nor do they test builds.

Re:August 2012 to January 2013 (1)

sk999 (846068) | about 2 years ago | (#42578937)

It is the CEO of the big company who establishes priorities. If the CEO wants a security hole fixed, it will be fixed. When the CEO is personally involved in the courtroom protecting "IP":
http://www.sfgate.com/technology/article/Ellison-testifies-in-Android-suit-against-Google-3489185.php [sfgate.com]
the fixing of security holes will suffer.

Re:August 2012 to January 2013 (1)

X0563511 (793323) | about 2 years ago | (#42579103)

Er, the CEO shouldn't be micromanaging all the different departments and sections of the company. He's got people below for that, and people below those etc.

The people who do product development and maintenance are not the people who would be in the courtroom. They are not the finance people, and they are not the sales/marketing people. Saying that one department being focused on lawsuits would prevent an unrelated department from doing their job tells me you've not been involved with a company larger than 10 or so people...

Re:August 2012 to January 2013 (1)

KingMotley (944240) | about 2 years ago | (#42578829)

UH, yeah. I know the large companies I was in, I was constantly getting sidetracked by having to study law so that I could lead an IP infringement suit. That's what all good corporate programmers spend their time on.

Re:August 2012 to January 2013 (1)

phantomfive (622387) | about 2 years ago | (#42578803)

Why can't the larger companies, e.g. Microsoft and Oracle, respond to and fix the security issues more quickly than on a timeline expressed in months?

They can, the reason they don't is because they don't care. There are ways to do this, even in large companies.

If they wanted to do it, they would tell a middle-manager, "Fix this, test it, and get it out quickly. Your performance on this task will show up on your annual review." Then make sure he has the resources he needs to accomplish that. They didn't do this, which indicates that they don't care.

Re:August 2012 to January 2013 (0)

Anonymous Coward | about 2 years ago | (#42578899)

They didn't do this, which indicates that they don't care.

You cannot draw that conclusion so simply. You have to remember that their first priority is to ship solid, full-feature software. Getting a patch through the professional regression testing takes some time.

Re:August 2012 to January 2013 (1)

phantomfive (622387) | about 2 years ago | (#42578971)

You cannot draw that conclusion so simply. You have to remember that their first priority is to ship solid, full-feature software.

Yes I can, I'm an experienced professional and I know what it takes. Java is well known to have an extensive automated testing suite, further simplifying the task. If Larry says it's a priority, it will get fixed.

Oracle is facing a problem that many good engineers who used to work at Sun have left. It is likely they are understaffed with the people necessary to maintain their systems, and the remaining people are having trouble making good priorities.

Re:August 2012 to January 2013 (0)

Anonymous Coward | about 2 years ago | (#42579207)

Why can't the larger companies, e.g. Microsoft and Oracle, respond to and fix the security issues more quickly than on a timeline expressed in months?

Because there is no real (profit) motivation until they get bad press, like this recommendation to uninstall Java [zdnet.com] from US Department of Homeland Security.

Disaster (4, Interesting)

timeOday (582209) | about 2 years ago | (#42578581)

All the main codebases I work with and develop are in java. Tonight I was doing some work and tried to google some javadoc, but the first result was an illustration of a java-logo coffee cup going into a garbage can, and the first pageful of results were "how to uninstall java." I already had a customer balking about installing java. Now it seems certain we'll have to port everything away, a huge undertaking. (Even though we'll end up porting it to C++ and have multiple times more vulnerabilities when we're done, but I guess at least they'll be specific to our application).

Re:Disaster (0)

Anonymous Coward | about 2 years ago | (#42578659)

I hear you. It's going to take a lot of education to undo this mess. For us, there's no way we could port our system to anything else in any sensible length of time -- we've been working with it for 5 years, and don't even have all the equipment it controls here any more. We use a lot of Swing, so what cross-platform UI are you going to replace THAT with. And pointers? Most of our programmers can barely manage in Java's pretty benign environment; having them deal with pointers would be a disaster.

Arrg.

Re:Disaster (0)

Anonymous Coward | about 2 years ago | (#42578703)

All the main codebases I work with and develop are in java. Tonight I was doing some work and tried to google some javadoc, but the first result was an illustration of a java-logo coffee cup going into a garbage can, and the first pageful of results were "how to uninstall java." I already had a customer balking about installing java. Now it seems certain we'll have to port everything away, a huge undertaking. (Even though we'll end up porting it to C++ and have multiple times more vulnerabilities when we're done, but I guess at least they'll be specific to our application).

Wouldn't it be 1000x easier just to port your launcher to work outside of a browser and let people uninstall the Java browser plugin? ... Did you forget to check the anonymous box when you trolled?

Re:Disaster (1)

RedHackTea (2779623) | about 2 years ago | (#42578749)

I don't see how porting it to C++ is a solution. This must not be a very big program. For any average enterprise software, porting the product from Java to C++ is a huge undertaking (almost a year of work). I would just take the month of educating your customers, making sure that their machines are up-to-date, and that your software works in the newest version (you can specify a lower version in the JVM args if you need compatibility).

Re:Disaster (1)

timeOday (582209) | about 2 years ago | (#42578833)

You're right, porting is not really a solution. And there's really no problem in the first place, since we don't do web apps. But all this negative press damages the Java brand name immensely, and it's very easy for people higher up in the bureaucracy to simply say, "Java? Oh yeah, we're aware of all the problems with that. The answer is no."

Re:Disaster (1)

jebblue (1160883) | about 2 years ago | (#42578901)

So with all the years of negative press for Windows I guess the world stopped using Windows. Oh wait, no they didn't.

Re:Disaster (1)

KingMotley (944240) | about 2 years ago | (#42578857)

Sure, rewriting the applications would take some time, but I think you'll find that you'll spend less time rolling out a C++ application than you would a Java application. There are so many more things that can go wrong with Java than a standard C++ application. And I'm not sure why you even mention having to make sure their machines are up-to-date. That's a bigger issue with having to rely on the JVM than the C++ libraries that get compiled into the application or are dynamically linked in, and most installers can chain in the C++ runtime libraries (that can be set to be application-specific or system-wide installation -- obviously app-specific causes less headaches).

Re:Disaster (0)

Anonymous Coward | about 2 years ago | (#42578917)

Of all the advantages of C++, Deployment is one I've really never heard before. Java Web Start might not be sexy but what's the native alternative? InstallShield?

Re:Disaster (1)

TheSunborn (68004) | about 2 years ago | (#42579151)

The alternative we use on Windows is to include a JRE with the app. That way our JRE is only used by our app. It is not installed as a JRE in Windows, so Windows doesn't see the JRE as an independent app.

And then we can just install our app as any other app using InstallShield, or any other installer you want. And we don't have to think about compatibility with other versions of the JRE/JDK.

Re:Disaster (2)

Billly Gates (198444) | about 2 years ago | (#42578933)

Sure, rewriting the applications would take some time, but I think you'll find that you'll spend less time rolling out a C++ application than you would a Java application. There are so many more things that can go wrong with Java than a standard C++ application. And I'm not sure why you even mention having to make sure their machines are up-to-date. That's a bigger issue with having to rely on the JVM than the C++ libraries that get compiled into the application or are dynamically linked in, and most installers can chain in the C++ runtime libraries (that can be set to be application-specific or system-wide installation -- obviously app-specific causes less headaches).

Have you coded any huge +1 million lines of code projects before?

There is a reason developers fled C++ to Java back in the 1990s until recently. It doesn't make sense to go back to C++.

Re:Disaster (1)

spongman (182339) | about 2 years ago | (#42579353)

seriously, you write applets for a living?

otherwise you're barking up the wrong tree.

Re:Disaster (1)

timeOday (582209) | about 2 years ago | (#42579487)

No, desktop applications. What managed, cross-platform runtime is better?

Meh. already fixed that (0)

Anonymous Coward | about 2 years ago | (#42578639)

noscript. block all java.

whitelist for the one single site that needs it. ameritrade.

Re:Meh. already fixed that (0)

Anonymous Coward | about 2 years ago | (#42578675)

i use ameritrade without java i donno wtf ur doin

And I still can't use it.... (-1)

Anonymous Coward | about 2 years ago | (#42578685)

Since the application I develop somehow manages to crash the JVM in versions 7+. Hurray! Try it for yourself [pastebin.com] and see if it doesn't work for you too.

Re:And I still can't use it.... (0)

RedHackTea (2779623) | about 2 years ago | (#42578791)

I think Double.NaN is your problem here... Not Java.

Re:And I still can't use it.... (1, Offtopic)

c0lo (1497653) | about 2 years ago | (#42579031)

I think Double.NaN is your problem here... Not Java.

If an API call doesn't sanitize/check its input but causes a core dump, then it's the API's problem, not the caller's.

Brings to mind an old saying... (0)

Anonymous Coward | about 2 years ago | (#42578701)

Let him who hath coded a large project completely error free perform the first cast.

All it takes (0)

Anonymous Coward | about 2 years ago | (#42578869)

Is the US Government recommending disabling Java for them to fix it.

Sounds like a sustainable development model.

just nuke it (0)

stenvar (2789879) | about 2 years ago | (#42578891)

Just nuke Java, and the gigantic towers where it lives, from orbit; it's the only way to be sure.

Java Control Panel can't update. (0)

Anonymous Coward | about 2 years ago | (#42578893)

you can download the latest update now from the Java Control Panel or directly from Oracle's website

My Java Control Panel has no update functionality.

Too Late Now (4, Interesting)

Greyfox (87712) | about 2 years ago | (#42579041)

I'm not going to tell my friends and family it's safe to reinstall it. None of them even noticed that anything had changed after the uninstall.

Oracle owns Java now? (-1)

Anonymous Coward | about 2 years ago | (#42579069)

When the fuck did this happen?

Re:Oracle owns Java now? (-1)

Anonymous Coward | about 2 years ago | (#42579459)

apparently a week before someone discovered the rock you have been living under

Oracle doesn't give a crap about security (1)

Anonymous Coward | about 2 years ago | (#42579079)

They did NOTHING even though they knew about this since last August.

It makes the news, and it's fixed in one day.

Java 64-bit has no auto update? (1)

RockMFR (1022315) | about 2 years ago | (#42579175)

While I was manually updating to 7u11, I found out that the 64-bit version does not even have auto update - only the 32-bit version does. How the hell can Oracle be so irresponsible? I know most people use the 32-bit version, but still, what the fuck.

Re:Java 64-bit has no auto update? (0)

Anonymous Coward | about 2 years ago | (#42579395)

64-bit JRE doesn't have a web browser plugin.
