Oracle 'fesses up: Java security flaws more than storm in teacup

Oracle has broken its silence to admit there are security issues with Java in web browsers - but it insists the tech is solid on servers and within mobile and desktop apps. In a blog post published on Friday, Oracle noted the "media firestorm" around the recent Java vulnerability, admitting users may have been left "frustrated …

COMMENTS

This topic is closed for new posts.
  1. Richard Wharram

    Is there a more secure VM?

    Could users replace Oracle Java with IBM Java or some other version for a more secure experience?

    1. Anonymous Coward

      Re: Is there a more secure VM?

      Maybe they could license Dalvik from Google.

    2. Arto Huusko

      Re: Is there a more secure VM?

      The vulnerabilities are not in Java VM (hotspot). The vulnerabilities are in the Java security policy system, that runs on top of the VM, as normal Java code.

      The policy system works like this

      - any operation provided by Java that accesses the resources or the environment of the host computer, or various sensitive operations within the Java runtime, is considered privileged

      - programs always see and try to invoke those operations

      - but the implementation of the operation queries the policy system, and checks if the operation is allowed

      This is no different from what the operating system does. It provides all operations to all applications, but when the operations are called, the system policy checks whether the operation is actually allowed.

      By default, for desktop applications, the Java policy allows all actions.

      Now, when code is run inside the browser plugin, a very strict security policy is in place. It denies operations such as accessing local files, opening network connections, and so on. And what's important, it also denies operations that attempt to modify the security policy.

      The vulnerabilities are in the policy system itself. The holes allow Java code to turn off the policy system, and thus gain access to all privileged operations.
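      The check sequence Arto describes, as an added example that is not part of the thread or of Oracle's code: the program installs the stock SecurityManager with the JDK's default policy file (the posture the browser plugin applied to untrusted applets) and then calls three privileged operations. Each call is still reachable from the program; it is the implementation's call into the policy system that refuses, including the attempt to switch the policy system off. The file path and socket target are constructed for the demonstration and need not succeed; only the policy decision is of interest. It assumes a JDK that still ships the SecurityManager: it is deprecated since Java 17, from Java 18 onward the JVM must be started with -Djava.security.manager=allow for System.setSecurityManager to work, and JDK 24 removed it.

```java
// Added example (not from the thread): installs the restrictive default
// policy that applet code ran under and shows the check Arto describes:
// privileged operations stay callable, the SecurityManager consults the
// policy and denies them, including any attempt to remove the manager.
// Assumes a JDK that still has the SecurityManager (deprecated in 17,
// needs -Djava.security.manager=allow from 18, removed in 24).
import java.io.FileInputStream;
import java.net.Socket;
import java.util.ArrayList;
import java.util.List;

public class PolicyCheckDemo {

    // A privileged operation that may throw any exception.
    interface Op {
        void run() throws Exception;
    }

    // Runs one operation and reports how the runtime treated it.
    static String attempt(String label, Op op) {
        try {
            op.run();
            return label + ": allowed";
        } catch (SecurityException e) {
            // The implementation asked the SecurityManager, which consulted
            // the policy and refused: this is the sandbox doing its job.
            return label + ": denied by policy";
        } catch (Exception e) {
            // Not a policy decision, e.g. the file is absent or the port closed.
            return label + ": ran, but failed (" + e.getClass().getSimpleName() + ")";
        }
    }

    static List<String> probe() {
        List<String> results = new ArrayList<>();
        // Constructed targets; whether they succeed is irrelevant here.
        results.add(attempt("read /etc/passwd",
                () -> new FileInputStream("/etc/passwd").close()));
        results.add(attempt("connect 127.0.0.1:9",
                () -> new Socket("127.0.0.1", 9).close()));
        // The check that matters most: can code turn the policy system off?
        // With a manager installed this needs RuntimePermission("setSecurityManager").
        results.add(attempt("remove SecurityManager",
                () -> System.setSecurityManager(null)));
        return results;
    }

    public static void main(String[] args) {
        System.out.println("No SecurityManager (desktop default, everything allowed):");
        for (String r : probe()) {
            System.out.println("  " + r);
        }

        // Install the stock SecurityManager with the JDK's default policy file,
        // which grants application code loaded from the file system almost
        // nothing: no FilePermission, no SocketPermission, no right to replace
        // the manager.
        System.setSecurityManager(new SecurityManager());

        System.out.println("With SecurityManager installed (applet-style sandbox):");
        for (String r : probe()) {
            System.out.println("  " + r);
        }
        // A hole of the kind the article describes would make the last line
        // read "allowed" without the policy ever having granted it.
    }
}
```

      Run it once as-is and once with a custom policy file (-Djava.security.policy=...) that grants a single FilePermission, and the first probe flips from "denied by policy" to "allowed" while the other two stay denied: the decision lives in the policy, not in the calling code, which is exactly why a bug in the policy layer undoes the whole sandbox.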

  2. Destroy All Monsters Silver badge
    Facepalm

    Unbreakable Bullshit

    "The plan for Java security is really simple: it's to get Java fixed up, number one, and then, number two, to communicate our efforts widely."

    Talk like a politician. Confuse goals and the way and means to attain them. Mix in some "communication efforts". Probably raise taxes down the line...

  3. CreosoteChris

    Crapware Payload

    Oracle's Ask.com crapware payload is even more malignant than standard - if you accidentally leave the defaults enabled, you can't just go to CP - Add/Remove and uninstall. The installer routine is coded to wait ten minutes before inserting the entry on the Control Panel list.

    It's clearly intended to prevent moderately experienced Windows users from undoing their errors when they clicked too fast through the installer defaults.

    Oracle should be ashamed of associating itself with such utterly scummy practices. It stinks.

    1. Duncan Macdonald

      Re: Crapware Payload

      Any user of Oracle products is used to their practices. There are times that they make CA seem good.

      1. I ain't Spartacus Gold badge

        Re: Crapware Payload

        Any user of Oracle products is used to their practices. There are times that they make CA seem good.

        A friend of mine worked for CA, and he said that they aspired to be as evil as Oracle, but weren't competent enough to manage it.

        Working for them was not a happy experience either. The saddest part was the people who left CA (possibly only joining after their company was bought out), and were in a company that CA subsequently also bought.. Then got made redundant. There were people who'd been through this cycle more than once.

    2. frank ly
      Happy

      Re: Crapware Payload

      That's ok. Oracle gave you Virtual Box so you can mess up a VM and then throw the whole polluted mess away and start again, older but wiser.

    3. Bucky 2
      Headmaster

      Re: Crapware Payload

      To be fair, if memory serves, the practice of bundling crap with the Java installer started with Sun.

    4. Daniel B.

      Re: Crapware Payload

      The developer version of Java SE / JRE doesn't come with the crapware stuff. In fact, I learned about the crapware only after the ZDNet article that mentioned it.

  4. Turtle_Fan
    Facepalm

    "Oracle needs to take a leaf out of Microsoft's book and play nice with researchers."

    Yeah right, the only thing Oracle plays nice with is Ellison's egotism, sociopathy, vindictiveness and bank account.

  5. koolholio
    FAIL

    how many servers require JRE installed...

    http://msisac.cisecurity.org/advisories/2013/2013-008.cfm

  6. Anonymous Coward

    Oracle

    Nasty little maleware pushers

    1. Anonymous Coward

      Re: Oracle

      Yeah, I prefer the femaleware pushers - far tastier!

      1. Destroy All Monsters Silver badge
        Trollface

        Re: Oracle

        But in the end one is left with gaping holes either way.

        1. Peter Gray

          Re: Oracle

          Gahhh! Goatse flashback!! Curse you DAM, now I'll have to downvote you for the mental image.

  7. kororas
    Thumb Down

    I am and will continue to recommend uninstalling Java where it is not used or needed.

  8. NogginTheNog
    FAIL

    Bag of shite

    Come back Oracle when you can actually code a taskbar updater widget that works when run as a non-admin user (without the hopeless "Failed to download update" bollocks)!

  9. Anonymous Coward

    Oracle

    Is just evil. From closing down the OpenSolaris project to aggressive corporate purchases to their almost complete disregard for their non-enterprise DB customers, they're evil to the bone. I used to think they were just incompetent, but it almost looks like deliberate negligence at this point.

  10. Anonymous Coward

    On my wishlist then...

    is a JRE without any browser plugins (and of course no crapware).

    1. koolholio
      Facepalm

      Re: On my wishlist then...

      JRE is Java Runtime Environment (the interpreter), which can run on a number of devices, most commonly phones, e.g. JAR files, possibly even COD/ALX coded files? Just as SQLite appears to be a standard these days for phone databases?

      Servers would, presumably, require the JRE in order to serve it to a client? :-/

    2. Tom 13
      Unhappy

      Re: On my wishlist then...

      Sadly, in my organization the primary reason we install java is because somebody else's web based application requires it to run. And frequently requires a hideously outdated version at that.

  11. Anonymous Coward

    Anyone believe Oracle these days?

    I don't believe a single thing Oracle says about any of its Sun acquisitions.

    Nor will I ever use Java again.

    I think that's probably the safest approach :)

  12. The Alpha Klutz

    Java

    Okay, let's get one thing straight. All the smart devs know that Java shops turn out shite. I could earn quite a bit as a Java dev but I don't want to be involved with actively making the world a worse place.

    1. BlueGreen

      Re: Java

      Java or the JVM? If you can tolerate the latter then you might want to look at Scala. It's on my to-do list and it looks *nice*

    2. Destroy All Monsters Silver badge
      Facepalm

      Re: Java

      > All the smart devs know that Java shops turn out shite.

      Just what the fuck? /b/ is over there.

    3. asdf
      Facepalm

      Re: Java

      Don't get me wrong I am no fan of managed code (and neither is Microsoft based on their strategy going forward) but slagging off on all Java devs is bad form even for a troll.

  13. asdf
    FAIL

    somewhere

    Adobe has to be breathing a slight sigh of relief. There for a while it was looking like they were the undisputed pariah of basic security best practices, but now they have some serious competition.

    1. Anonymous Coward

      Re: somewhere

      Don't get me wrong I am no fan of managed code (and neither is Microsoft based on their strategy going forward) but slagging off on all Java devs is bad form even for a troll.

    2. asdf
      FAIL

      Re: somewhere

      And the joke falls flat, because saying company X's security practice sucks is much different from saying all developers of a product are idiots. Do you really want me to post all the drive-by critical CVEs found in Adobe's products even in the last year? Pretty significant list, and these days it is even longer than Microsoft's, which is bad when they make the OS and a good portion of the software on most desktops.

      1. The Alpha Klutz

        Do you want me to post all the drive by critical CVEs found in Adobe's products in the last year?

        Go ahead. I could use a little gallows humour.

        1. asdf

          Re: Do you want me to post

          Here ya go. Lazy way out but still. This is an incomplete list obviously as it only covers two products but its still pretty impressive.

          http://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-497/Adobe-Acrobat-Reader.html

          http://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-6761/Adobe-Flash-Player.html

  14. Captain Scarlet
    Pint

    We listened so that you don't have to. You're welcome

    Thank you!

  15. Anonymous Coward
    Thumb Down

    Loose journalism ?

    This line caught my eye, as a juicy bit of grade-A whining:

    'He criticised the media for putting out the "loose" message to uninstall Java while admitting there was a security issue with the runtime in web browsers.'

    Journalists can be scummy and inaccurate, but in this case they reported accurately. Java security is broken. Maybe one day it'll be fixed. Until then, you can sidestep a whole boatload of grief by uninstalling it.

    What's loose about that, Oracle?

  16. Anonymous Coward

    Crapware

    "... Oracle's much-criticised practice of bundling third-party crapware - such as a web search toolbar - with Java security updates..."

    YES!

    Cut this shit out! I can't stress that nearly enough.

  17. FanniM

    Is this the beginning of the end for Java?

  18. Zog The Undeniable
    FAIL

    It's getting worse

    The irony was that Microsoft's unofficial version of Java, once bundled with Windows, was generally OK. Then Sun sued Microsoft and the result is that we have to use the bloated, insecure, crapware-laden official version (anything that adds itself to the system tray and creates pop-up reminders is a fail in my eyes). I never install it when building a machine, and if a website requires it, I decide that I don't require that website.

    The current irritation is that the latest release of Firefox prompts me to install an updated version of Java whenever I start it (on Windows, anyway - it's OK on Linux Mint). One day the wife or kids are going to do what FF asks and I'll have a crapware-infested system. Hopefully them being "limited users" will prevent this.
