
Enjoying your new computer with the latest Java software? Well, about that (stuff.co.nz)
    More: Fail, free softwares, PC users, poison ivy, installations, Java, collaboration tools, computers  

7273 clicks; posted to Geek on 28 Aug 2012 at 10:32 AM (1 year ago)



104 Comments

Archived thread

 
2012-08-28 08:11:42 AM
To me, this sounds like a big deal-- Recommending disabling Java seems to be an extreme step. I don't recall ever seeing something like it.

But Oracle software hasn't moved at all.

If you haven't all been turned into zombies, please tell us if this is something to worry about?
 
2012-08-28 08:35:25 AM
Java has been an abomination since the start. Adopting it as Sun's main strategy basically killed the company. Sun went from a successful maker of quality server and operating system hardware, the absolutely top of the heap for internet commerce circa mid-late 1990s ... to an afterthought being swallowed up by the evil that is Oracle... by de-emphasizing operating system perfection and instead worshipping at this false altar of Java.

Took a lot of developers along with it. Oh but it is so great. Write once run anywhere! The Network Is The Computer! (if that were so, why did Sun wind up not owning the network?)

Now Oracle sees Java for what it was all along, a distracting afterthought that shouldn't be given more than minimal support. Another widget in a sea of widgets.

Will Developers get a clue and follow suit?

Not betting on it, at least not for a while. Fifteen years of hypnosis doesn't just die overnight, particularly if you ever fell into the Cult of Java thinking.


As a security guy, Java has always been suspect... now that they put it in an upgrade schedule that does not match reality... Java would be a liability to have to support in the enterprise.

Krebs has it right. Disable/uninstall the sh*t or only let it out of the house on select required sites using a carefully configured browser.

Or you have open holes attackers know of who will steal your stuff. That's what attackers do.

The Network Isn't The Computer .. but it's a great way to get at the information on yours.
 
2012-08-28 08:38:09 AM
 
2012-08-28 09:00:56 AM
Java is passed its freshness date.

I wouldn't mind if it would just disappear from the web tomorrow
 
2012-08-28 09:43:51 AM

cman: Java is passed its freshness date.

I wouldn't mind if it would just disappear from the web tomorrow


Passed vs Past
 
2012-08-28 09:47:55 AM

notmtwain: cman: Java is passed its freshness date.

I wouldn't mind if it would just disappear from the web tomorrow

Passed vs Past


Thank you for the correction
 
2012-08-28 10:16:09 AM

Generation_D: Now Oracle sees Java for what it was all along, a distracting afterthought that shouldn't be given more than minimal support. Another widget in a sea of widgets.


Larry's destruction of Java was not intentional. Remember, this is the guy who wanted to put Java in the database and hoped his Network Computer would put Microsoft out of business.
 
2012-08-28 10:18:33 AM

Diogenes: Generation_D: Now Oracle sees Java for what it was all along, a distracting afterthought that shouldn't be given more than minimal support. Another widget in a sea of widgets.

Larry's destruction of Java was not intentional. Remember, this is the guy who wanted to put Java in the database and hoped his Network Computer would put Microsoft out of business.


I still have no idea how that moron has made money in the computer business.
 
2012-08-28 10:36:08 AM
FTFA when prompted for permission by trusted programs such as GoToMeeting, a Web-based collaboration tool from Citrix Systems Inc

How much did Citrix pay for that ad placement?
 
2012-08-28 10:37:22 AM

cman: I still have no idea how that moron has made money in the computer business.


By developing software with high profit margins that corporations use to run their businesses?

/hardly a moron
 
2012-08-28 10:39:57 AM

gingerjet: cman: I still have no idea how that moron has made money in the computer business.

By developing software with high profit margins that corporations use to run their businesses?

/hardly a moron


Yes, you are correct. What I was speaking about was how Oracle became as big as it did with their open war with Microsoft. This man took every opportunity he had to bash Gates or Microsoft. Considering how ruthless Microsoft was in the 90s, I am quite shocked that Oracle survived.
 
2012-08-28 10:45:09 AM
I wonder if that's just the Oracle JVM that has the exploit?
 
2012-08-28 10:48:05 AM

Diogenes: Generation_D: Now Oracle sees Java for what it was all along, a distracting afterthought that shouldn't be given more than minimal support. Another widget in a sea of widgets.

Larry's destruction of Java was not intentional. Remember, this is the guy who wanted to put Java in the database and hoped his Network Computer would put Microsoft out of business.


Larry hopes everything he does puts Microsoft out of business. He hopes having that Oracle plane fly over SeaFair every year helps put Microsoft out of business.

Larry's a bit myopic when it comes to Microsoft.

I did not know about this "put Java in the database." I assume this was said before his own coders got word to him what that might mean. Unless the hypnotic, narcotic, alluring appeal of Java has started its hold over Oracle now too.
 
2012-08-28 10:48:12 AM

gingerjet: cman: I still have no idea how that moron has made money in the computer business.

By developing software with high profit margins that corporations use to run their businesses?

/hardly a moron


By developing high margin software that is a nightmare to secure or support.
 
2012-08-28 10:49:01 AM
Yes... because this is something unique to Java and has never presented in the history of the internet before.. oh... wait...

"Boogy man gonna get you" scare stories now masquerading as news... how about we all grab the latest Secunia update and spend a few reading through the numerous browser exploits taken care of without publicity... :/

Experts say... good going with the FUD, there, Jim.

Java is great at what it does. There's a reason for its penetration. Anyone saying different is as knowledgeable as a rotting carrot.
 
2012-08-28 10:51:11 AM

cman: Yes, you are correct. What I was speaking about was how Oracle became as big as it did with their open war with Microsoft. This man took every opportunity he had to bash Gates or Microsoft. Considering how ruthless Microsoft was in the 90s, I am quite shocked that Oracle survived.


Because they never truly competed with each other. MS SQL was never a serious competitor to Oracle on the high end. And Microsoft doesn't have a serious enterprise application business. Sure - Ellison gets distracted on occasion ("net computers" anyone?) but his business is run with a lot more focus than Gates ran and now Ballmer runs Microsoft. Ellison would never put up with the fiefdoms and the lack of communication that bogs Microsoft down these days.

/and I would say that Ellison is a lot more ruthless than Gates ever was - the guy's an asshole of the highest order - remember Jobs and Ellison were best friends
 
2012-08-28 10:51:13 AM
Well, let me just turn my computer off for a few days/weeks until a patch is released...
 
2012-08-28 10:53:23 AM
Yeah. I wish it was an option to disable Java. Unfortunately, it's a major component of Blackboard, and if Java's not up, Blackboard's not up, and students can't complete their coursework. So yay! My students are going to get hacked!
 
2012-08-28 10:56:24 AM

notmtwain: To me, this sounds like a big deal-- Recommending disabling Java seems to be an extreme step. I don't recall ever seeing something like it.

But Oracle software hasn't moved at all.

If you haven't all been turned into zombies, please tell us if this is something to worry about?


Except for the same thing at the beginning of the year, 'Flashback' exploit. Reason that you might not have heard about it on your PC is that they almost immediately released a fix, while Apple denied the issue for 3 months. These Java exploits happen every 4-6 months, it seems, and they can be nasty.

'Flashback' on Mac
 
2012-08-28 11:00:50 AM
is this something to worry about? everyone started bitaching about java and not addressing the question.
 
2012-08-28 11:02:23 AM
You'll need to enable Javascript for us to detect your Java version.

Guess I'm safe then
 
2012-08-28 11:02:34 AM
Or you can run FireFox with NoScript. "You'll need to enable Javascript for us to detect your Java version."

Beats overreacting and panicking.
 
2012-08-28 11:04:02 AM
Let's try this again for the hard of reading.

It's a drive-by exploit.

It can only get you if you're a mouth-breathing throwback who clicks on links in unsolicited mail or who trawls the internets trying to get infected...

It's not actively hunting you down.. sheesh.
 
2012-08-28 11:05:02 AM
Link

For disabling Javascript in Chrome.
 
2012-08-28 11:05:49 AM
There is a link in the article that takes you to a web page to determine if your Java is exploitable. So, I clicked on it.

"You'll need to enable Javascript for us to detect your Java version."

Think I'm good.
 
2012-08-28 11:08:11 AM
This is not a repeat from...
 
2012-08-28 11:10:16 AM

Abe Vigoda's Ghost:
For disabling Javascript in Chrome.


Java!=Javascript. :/
 
2012-08-28 11:11:58 AM
Java and Javascript have nothing to do with each other.
Javascript just piggybacked off the name when Java started becoming popular.

They both run in browsers though. This article is, I would assume, talking about Java web apps, although it's comically low on details.
 
2012-08-28 11:13:10 AM

nulluspixiusdemonica: Let's try this again for the hard of reading.

It's a drive-by exploit.

It can only get you if you're a mouth-breathing throwback who clicks on links in unsolicited mail or who trawls the internets trying to get infected...

It's not actively hunting you down.. sheesh.


It's a zero-day exploit that can be pushed by a link. No, it's not actively hunting you down, but given the propensity of Farkers for clicking links, it's best to simply disable Java 7 until such time as Oracle can close the exploit.
 
2012-08-28 11:13:51 AM
Implying that your computer is secure without java being enabled. Want a secure computer? Unplug from the internet.
 
2012-08-28 11:16:26 AM
I like Java at the OS Level (things like Eclipse), but the entire concept of a Java plugin running your browser needs to be taken out back and shot. In my browser your web app should run using HTML and Javascript. A Java plugin is just a different flavor of suckitude in the same vein as a flash plugin.
 
2012-08-28 11:17:00 AM

BraveNewCheneyWorld: Implying that your computer is secure without java being enabled. Want a secure computer? Unplug from the internet. Nuke it from orbit

 

FTFY


/Still, degrees of security. A solid wood locked door can be busted down, but it is still better than a screen door
 
2012-08-28 11:18:26 AM

nulluspixiusdemonica: Abe Vigoda's Ghost:
For disabling Javascript in Chrome.

Java!=Javascript. :/


No, but Javascript does enable Java applets on a particular page to load.
 
2012-08-28 11:18:44 AM

Abe Vigoda's Ghost: Link

For disabling Javascript in Chrome.


IntertubeUser: Or you can run FireFox with NoScript. "You'll need to enable Javascript for us to detect your Java version."

Beats overreacting and panicking.


SwiftFox: You'll need to enable Javascript for us to detect your Java version.

Guess I'm safe then


It's been said, but it needs to be said again

JAVASCRIPT IS NOT JAVA 
 
2012-08-28 11:19:59 AM

FormlessOne: given the propensity of Farkers for clicking links.


Well, yes. They immediately started clicking a link which promised to tell them if their instance can be exploited. Which would be hilarious if it weren't depressing,..
 
2012-08-28 11:21:22 AM

IntertubeUser: No, but Javascript does enable Java applets on a particular page to load.


Not really, a Java applet can be embedded in an HTML tag (Embed, applet or object tag)
 
2012-08-28 11:24:56 AM

Generation_D: I did not know about this "put Java in the database." I assume this was said before his own coders got word to him what that might mean. Unless the hypnotic, narcotic, alluring appeal of Java has started its hold over Oracle now too.


It was something he was driving for back with the 8i DB. Unfortunately "ours is not to question why" yadda yadda.

Yes, I am one of his evil minions. In fact, I got my start with Oracle as a consultant.
 
2012-08-28 11:26:33 AM
I should note that there is a JS way of embedding Java into a page, and it is the preferred way for many, but it's not necessary

/And the applet tag has been deprecated, so it's not likely to work on a modern browser.
//Might be a good way to target people stuck on older versions of IE
 
2012-08-28 11:27:01 AM
No offense, but when ISN'T there a "You gonna git raped through the latest Java exploit!" alert out there? Seriously, between JRE and Acrobat exploits, you might as well just give up trying to keep on top of them.
 
2012-08-28 11:28:17 AM

the_sidewinder: IntertubeUser: No, but Javascript does enable Java applets on a particular page to load.

Not really, a Java applet can be embedded in an HTML tag (Embed, applet or object tag)


If that's possible, you've got my attention now.

But I've never seen that. Every time a webpage has tried to run Java on my machine, NoScript has caught it and I have to explicitly allow that applet to run.
 
2012-08-28 11:28:33 AM

Close2TheEdge: No offense, but when ISN'T there a "You gonna git raped through the latest Java exploit!" alert out there? Seriously, between JRE and Acrobat exploits, you might as well just give up trying to keep on top of them.


If the Flash updater was honest it would read "Fixes three known security bugs, creates seven new ones."
 
2012-08-28 11:30:20 AM

gingerjet: cman: Yes, you are correct. What I was speaking about was how Oracle became as big as it did with their open war with Microsoft. This man took every opportunity he had to bash Gates or Microsoft. Considering how ruthless Microsoft was in the 90s, I am quite shocked that Oracle survived.

Because they never truly competed with each other. MS SQL was never a serious competitor to Oracle on the high end. And Microsoft doesn't have a serious enterprise application business. Sure - Ellison gets distracted on occasion ("net computers" anyone?) but his business is run with a lot more focus than Gates ran and now Ballmer runs Microsoft. Ellison would never put up with the fiefdoms and the lack of communication that bogs Microsoft down these days.

/and I would say that Ellison is a lot more ruthless than Gates ever was - the guy's an asshole of the highest order - remember Jobs and Ellison were best friends


I agree 100% with your characterization.

And I think that Ellison realizes, of course, that we don't compete head to head on technology. We have different product offerings that aren't parallel. So instead of trying to outdo MS, at least as far as the network computer was concerned (as an example), was to make Windows obsolete instead of trying to come up with better OS.
 
2012-08-28 11:31:05 AM

Close2TheEdge: No offense, but when ISN'T there a "You gonna git raped through the latest Java exploit!" alert out there?

When it's replaced by Windows, iOS, Chrome, IE, ...

As noted, if you were in the mood for a secure browsing experience, cut the cord and go for a stroll. If you're aware of the issues and you're still acting like a 2yr old in a candy store, you deserve to get "trimmed" from the herd.
 
2012-08-28 11:31:11 AM

IntertubeUser: the_sidewinder: IntertubeUser: No, but Javascript does enable Java applets on a particular page to load.

Not really, a Java applet can be embedded in an HTML tag (Embed, applet or object tag)

If that's possible, you've got my attention now.

But I've never seen that. Every time a webpage has tried to run Java on my machine, NoScript has caught it and I have to explicitly allow that applet to run.


HTML 4.0 method

For HTML 5, use the embed tag.
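
The point made in the replies above, that an applet can be embedded with plain HTML tags so switching off JavaScript does not by itself keep the Java plug-in from loading, shown as an added example that is not part of the thread: a static check a defender could run over saved or proxy-captured HTML. The sample page, the class names and the function names are constructed for illustration.

```python
from html.parser import HTMLParser

# MIME types handled by the Java browser plug-in all share this prefix.
JAVA_MIME_PREFIX = "application/x-java-"
# ActiveX class id the Java plug-in registers for <object> in Internet Explorer.
JAVA_CLSID = "clsid:8ad9c840-044e-11d1-b3e9-00805f499d93"


class AppletFinder(HTMLParser):
    """Record tags that invoke the Java plug-in with no script involved."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (line, tag, reason)

    def handle_starttag(self, tag, attrs):
        attr = {name: (value or "").strip() for name, value in attrs}
        mime = attr.get("type", "").lower()
        classid = attr.get("classid", "").lower()
        reason = None
        if tag == "applet":
            reason = "applet tag, code=" + attr.get("code", "?")
        elif tag in ("object", "embed"):
            if mime.startswith(JAVA_MIME_PREFIX):
                reason = "Java MIME type " + mime
            elif classid == JAVA_CLSID or classid.startswith("java:"):
                reason = "Java classid " + classid
        if reason:
            self.findings.append((self.getpos()[0], tag, reason))


def find_static_applets(html):
    """Return Java embeds present in the markup itself. html.parser treats
    <script> bodies as raw text, so script-written markup is not reported."""
    finder = AppletFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: three static embeds, one Flash object, one script-written applet.
SAMPLE = """<html><body>
<applet code="Demo.class" archive="demo.jar" width="300" height="200"></applet>
<object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93">
  <param name="code" value="Demo.class">
</object>
<embed type="application/x-java-applet;version=1.7" code="Demo.class">
<object type="application/x-shockwave-flash" data="movie.swf"></object>
<script>document.write('<applet code="Late.class">');</script>
</body></html>"""

if __name__ == "__main__":
    for line, tag, reason in find_static_applets(SAMPLE):
        print(f"line {line}: <{tag}> {reason}")
```

The three static embeds are reported whether or not the browser would execute scripts; the applet written by `document.write` is the only one that a JavaScript blocker alone would stop.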
 
2012-08-28 11:42:32 AM
I'm using IcedTea-Web1.2 Java plugin (1.2-2ubuntu1). Would it suffer from a similar security hole, or am I being overly paranoid? I know absolutely nothing about the exploit.
 
2012-08-28 11:44:07 AM

ha-ha-guy: IntertubeUser: the_sidewinder: IntertubeUser: No, but Javascript does enable Java applets on a particular page to load.

Not really, a Java applet can be embedded in an HTML tag (Embed, applet or object tag)

If that's possible, you've got my attention now.

But I've never seen that. Every time a webpage has tried to run Java on my machine, NoScript has caught it and I have to explicitly allow that applet to run.

HTML 4.0 method

For HTML 5, use the embed tag.


Thanks.

Crap.
 
2012-08-28 11:49:33 AM
So, the exploit analysis:

Use flaw in Java 7.0 reflection utility to get access to a restricted class that handles access control.

Use reflection to retrieve the private field that sets the current access controls from the restricted class.

Create a new access control statement to grant full access, replacing the old one via reflection.

Tell the newly created access control system to grant full access.


/Doesn't seem like rocket science, and the exploit code is tiny.
//Oracle should have caught this.
 
2012-08-28 11:57:45 AM
Anybody know if this exploit works on OpenJDK?
 
2012-08-28 12:03:29 PM

It'll totally replace the need to write those evil proprietary Windows only apps! You can write one app in Java with the ultra modern Swing interface and run it slowly everywhere!

Who wants to download an entire office suite in your browser and run it slowly inside of Netscape? Forget opening Word, we're going to stick it to the Microsoft man!

Thanks, Sun Microsystems!
 
2012-08-28 12:04:11 PM

Generation_D:
Will Developers get a clue and follow suit?

Not betting on it, at least not for a while. Fifteen years of hypnosis doesn't just die overnight, particularly if you ever fell into the Cult of Java thinking.


We get it, you don't like Java. Real engineers program in the best tool for the job, including Java when appropriate.
 