Oracle to lop off Java's least secure bits to save servers

Oracle has acknowledged Java's recent security problems and outlined three new security initiatives to set things to rights. The first may not please everyone, as the company has committed to including Java updates among the quarterly Oracle Critical Patch Update it provides for all its products, as of the October 2013 update …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Thumb Up

    Group Policy

    Well. Where credit is due, having control over which sites are able to run Java through Group Policy will definitely make some people sleep better at night.

    It's bloody annoying having to install this heap of junk just for that one website which requires it.

    And quite a few of us should be more than familiar enough with such a scenario.

    However... this is of course Oracle we're talking about and it really wouldn't surprise me to see a vulnerability surface which could either tamper or circumvent the trusted hosts lists.

    1. Anonymous Coward

      Re: Group Policy

      All good, all very good indeed.

      So I can look forward to being able to use this in about 4 years when the websites for which we are forced to install Java finally update to a version of Java for which the new security features are enabled. (1 year for Oracle to have a working product + 3 years for our guys. Based on past history for our guys, WAG for Oracle.)

  2. ratfox
    Trollface

    Removing unnecessary libraries?

    Was that not one of the sins Google committed when it wrote its own implementation of the Java language, thus causing fragmentation of the language and irreparable harm to Oracle's IP?

    1. Anonymous Coward

      Re: Removing unnecessary libraries?

      I wonder if Google are going to sue them for stealing their innovative additions to the Java infrastructure. Oracle are clearly infringing on Google's rights here.

  3. chuckufarley Silver badge
    Coat

    I guess this will solve all of their problems, eventually. Anyone starting a pool on what version number they will be at when they ship a secure product? If so put me down for Java version 8 to the power of 142,857!

  4. jerry 4
    Thumb Up

    They should add some more toolbars to Java. Nothing says reliable, trustworthy software like toolbars. So they should add some more of them.

    1. Justin Pasher

      Re: @jerry 4 (toolbars)

      I was hoping that the "removal of certain libraries" was a reference to that...

  5. Aitor 1

    Bad idea

    So now Java2EE is going to be Java2EE lite? Because they can't make it right?

    1. David Dawson
      Thumb Up

      Re: Bad idea

      Much Java enterprise development is completing its move away from JEE now.

      Servlets are the last bit that's not been replaced. Most Java web frameworks are removing them, and so a reliance on Tomcat or its ilk, or have done already.

      May it moulder in pieces.

  6. AMB-York Silver badge
    Flame

    Please Apple

    I really don't like Apple, but they've done us all a big favour by starting the death of Flash.

    Wish they'd do the same with client side Java.

    Maybe MS and Apple could agree on something, and just block Java installs?

  7. mark l 2 Silver badge

    Having the ability to only run Java on trusted hosts is a good thing. The couriers we use (city-link) need Java installed to print the shipping labels and no other websites we need it for, so we have Chromium installed with Java enabled just for that website and the rest of the time use Firefox without Java for day-to-day surfing.

  8. Infernoz Bronze badge
    Boffin

    Too many naive, maybe dotNots, and I bet even more insecure web platform trolls here.

    Lots of sites use Java somewhere because it is very powerful; these issues have only become a problem because the crackers don't find Windows as easy any more, so they are finding the oversights, which are in part caused by still lacking or unhelpful security in browsers, filesystems, OSs, web protocols, and other network protocols.

    Flash is far, far worse than Java for security issues, so comparing Java to Flash is a bit rich! Yes, I'd like to see Flash gone too; it is near as bad as Active-X!

    Ruby on Rails, PHP, and many other web-facing products still have nasty security issues, so this is rather a lop-sided discussion.

    It is now up to Oracle to do this properly and flexibly enough that it is possible to easily lock down only what needs to be locked down, so that this does not cause practical problems which cause vulnerabilities to be left exposed.
