
(ZDNet) Oracle rushes to fix another critical Java flaw, otherwise known as a day ending in y (zdnet.com)
More: Obvious, Oracle, Java, Java SE

1331 clicks; posted to Geek on 05 Mar 2013 at 9:04 AM (1 year ago)




Archived thread
 
2013-03-05 09:07:31 AM
What's with the anti-Java bandwagon in the media lately?  Guess Apple's trying to buy a little bad publicity in advance of Google Glass being released.
 
2013-03-05 09:11:03 AM
Smell good, don't they?
 
2013-03-05 09:20:43 AM
[Image: i.imgur.com]

About time to put the old girl down for good.
 
2013-03-05 09:26:44 AM

serial_crusher: What's with the anti-Java bandwagon in the media lately?  Guess Apple's trying to buy a little bad publicity in advance of Google Glass being released.


And how does Java being a steaming pile of crap have anything to do with Apple?

If you don't need Java, uninstall it. Problem solved.
 
2013-03-05 09:38:00 AM

Abe Vigoda's Ghost: serial_crusher: What's with the anti-Java bandwagon in the media lately?  Guess Apple's trying to buy a little bad publicity in advance of Google Glass being released.

And how does Java being a steaming pile of crap have anything to do with Apple?

If you don't need Java, uninstall it. Problem solved.


I've heard some idiots making the "java is insecure...android is built on java..." argument.
 
2013-03-05 09:55:46 AM
I don't think Oracle knew what they were getting themselves into with JAVA. I think they proved that fact with JAVA 7.
 
2013-03-05 09:57:21 AM

pkellmey: I don't think Oracle knew what they were getting themselves into.


Could have stopped there.  It explains everything.
 
2013-03-05 09:58:46 AM
It's just farking annoying that I have to override the security 15 times to get some of my applets to work in FF because they went on full retard Java lockdown.  Why can't I just whitelist the shiat I want?
 
2013-03-05 10:13:25 AM
Java 6 went end of life last month so they aren't going to patch that... well they will, but they'll make you pay for the update.  Considering there is still a ton of stuff that doesn't work with Java 7 (hooray for changed architecture), I can see this getting hairy really quickly.
 
2013-03-05 10:21:38 AM

degenerate-afro: Java 6 went end of life last month so they aren't going to patch that... well they will, but they'll make you pay for the update.  Considering there is still a ton of stuff that doesn't work with Java 7 (hooray for changed architecture), I can see this getting hairy really quickly.


Especially since Oracle has publicly acknowledged the JAVA 7 failures. This will probably force a platform jump to JAVA 8 quicker than they originally expected, because we all know Oracle doesn't just patch something if they know they can release a new version number and force people to purchase a renewed/new contract.
 
2013-03-05 10:22:36 AM

degenerate-afro: Java 6 went end of life last month so they aren't going to patch that... well they will, but they'll make you pay for the update.  Considering there is still a ton of stuff that doesn't work with Java 7 (hooray for changed architecture), I can see this getting hairy really quickly.


[Image: 1.bp.blogspot.com]
Illustration of a hairy problem
 
2013-03-05 10:24:17 AM

serial_crusher: What's with the anti-Java bandwagon in the media lately?  Guess Apple's trying to buy a little bad publicity in advance of Google Glass being released.


No, it's just that Oracle/Java have managed to out-suck Adobe at security. That's newsworthy.

Related: A close look at how Oracle installs deceptive software with Java updates.
 
2013-03-05 10:24:27 AM
Java on the server side: great stuff.
Java as an application environment: OK on modern CPUs.
Java in the web browser: how about no?

I think there are two real problems: a lot of the Sun folks decided to GTFO when Oracle took over (taking their knowledge with them), and the crooks probably have a massive queue of exploits lined up that they can pop within days of the latest patch.

And fark you, Oracle, for the Ask.com foistware. I've had to clean that shiat off people's PCs more than once.

/can we kill Flash next?
 
2013-03-05 10:26:25 AM

Ivo Shandor: Related: A close look at how Oracle installs deceptive software with Java updates.


To be fair, they just never changed what Sun was already doing
 
2013-03-05 10:28:55 AM

pkellmey: I don't think Oracle knew what they were getting themselves into with JAVA. I think they proved that fact with JAVA 7.


This, but it's not just Oracle.  Adobe picked up a bloated piece of shiat with Shockwave Flash that was written in such a way that it couldn't easily be expanded from 32-bit x86 Windows.  64-bit x86 processors became common after 2003, but when Adobe bought Flash in 2005, it doesn't look like there had been *any* effort to make the software work on any other platforms.  (I didn't own a Mac at the time, so I'm not positive if it worked on OS X; I might be wrong on that front)

Adobe didn't release a version for a different platform until 2008.  When it released a preview for 64-bit Linux.  And then they took it away.  And then they came up with one again in 2010.

bhcompy: It's just farking annoying that I have to override the security 15 times to get some of my applets to work in FF because they went on full retard Java lockdown.  Why can't I just whitelist the shiat I want?


I think Noscript will do this for you if you whitelist all Javascript as well.  Noscript is farking annoying, but at least it has a whitelist.
 
2013-03-05 10:32:55 AM

Ivo Shandor: serial_crusher: What's with the anti-Java bandwagon in the media lately?  Guess Apple's trying to buy a little bad publicity in advance of Google Glass being released.

No, it's just that Oracle/Java have managed to out-suck Adobe at security. That's newsworthy.

Related: A close look at how Oracle installs deceptive software with Java updates.


Touché, that is quite a feat.

I used to work with the guy who invented Gator.  It was great hearing him justify how it wasn't actually malware and had just gotten a bad rep.
 
2013-03-05 10:42:13 AM

andrewagill: I think Noscript will do this for you if you whitelist all Javascript as well. Noscript is farking annoying, but at least it has a whitelist.


That's just JS.  At current time, anything that uses Java in FF is instantly disabled and you have to jump through hoops to get it running
 
2013-03-05 10:59:59 AM

bhcompy: andrewagill: I think Noscript will do this for you if you whitelist all Javascript as well. Noscript is farking annoying, but at least it has a whitelist.

That's just JS.  At current time, anything that uses Java in FF is instantly disabled and you have to jump through hoops to get it running


Only if you're using an 'insecure' or out of date version of Java. And man is FF staying on top of whether or not your Java is up to date... I was getting alerts yesterday that my Java was out of date, and only just got prompted to update this morning. So if you're getting those messages, make sure you update to the newest version for your PC.
 
2013-03-05 11:31:46 AM

BrynnMacFlynn: I was getting alerts yesterday that my Java was out of date, and only just got prompted to update this morning. So if you're getting those messages, make sure you update to the newest version for your PC.


The malware guy at work says to ignore those things and go directly to java.com if you think your Java version is out of date.  The fake notices are getting pretty good, and I don't know that I could tell which is which right now.

For example, I got a software update notice today that popped right in front of everything.  The title bar said software update, but App Store was not running.  I'm pretty sure it was authentic, as it went away after I updated Java, but who knows what that thing was.
 
2013-03-05 11:32:59 AM

serial_crusher: What's with the anti-Java bandwagon in the media lately?  Guess Apple's trying to buy a little bad publicity in advance of Google Glass being released.


I'm guessing this is some technological equivalent of trolling.  If you don't know what's up with the Java stuff in the media lately, you've had your head in a hole.  It isn't about the utility of Java versus anything else, it's about the massive security flaws that Oracle has been having to repeatedly patch.  If you're in IT and have to deal with any (blergh!) BYOD devices, this is slowly becoming the bane of your existence.
 
2013-03-05 11:56:02 AM
The problem is morons in the enterprise environment have been purchasing and implementing software suites and application platforms that rely on Java to function in browser.
With Apple X-protecting us every couple of days this shiat got old fast, cuz having to manually push/install/manually activate a farking plugin on 2000 computers every 5 days is SO MUCH farkING FUN.
 
2013-03-05 12:06:10 PM

FitzShivering: serial_crusher: What's with the anti-Java bandwagon in the media lately?  Guess Apple's trying to buy a little bad publicity in advance of Google Glass being released.

I'm guessing this is some technological equivalent of trolling.  If you don't know what's up with the Java stuff in the media lately, you've had your head in a hole.  It isn't about the utility of Java versus anything else, it's about the massive security flaws that Oracle has been having to repeatedly patch.  If you're in IT and have to deal with any (blergh!) BYOD devices, this is slowly becoming the bane of your existence.


Security bugs are a constant problem, but media reporting on them comes in waves of FUD.
Repeated patches are a pain in the ass for everyone, but without the media blowout Oracle would probably be releasing them in batches instead of emergency patches.  Makes your job easier while making everybody else less secure.
 
2013-03-05 12:19:13 PM

BrynnMacFlynn: bhcompy: andrewagill: I think Noscript will do this for you if you whitelist all Javascript as well. Noscript is farking annoying, but at least it has a whitelist.

That's just JS.  At current time, anything that uses Java in FF is instantly disabled and you have to jump through hoops to get it running

Only if you're using an 'insecure' or out of date version of Java. And man is FF staying on top of whether or not your Java is up to date... I was getting alerts yesterday that my Java was out of date, and only just got prompted to update this morning. So if you're getting those messages, make sure you update to the newest version for your PC.


Actually, the current version (as of Friday at least) was under this restriction, and has been under this restriction for weeks.
 
2013-03-05 12:23:43 PM

bhcompy: Actually, the current version (as of Friday at least) was under this restriction, and has been under this restriction for weeks.


Update 17/43 breaks the restriction (which is what the article is talking about), and works without prompting. :) Go update if you need it!
 
2013-03-05 12:24:24 PM

andrewagill: For example, I got a software update notice today that popped right in front of everything. The title bar said software update, but App Store was not running. I'm pretty sure it was authentic, as it went away after I updated Java, but who knows what that thing was.


It was authentic; if you're running Lion or Mountain Lion, you have the Apple independent version of Java, which acts like the Windows version in that it independently will check for updates.
 
2013-03-05 12:28:37 PM
And don't worry about the vase.
 
2013-03-05 12:32:39 PM
I've been getting that stupid 'java check' crap every day for the last week, at least.  It's driving me crazy.

I really feel like home computing has taken a big step backwards as everyone screws everything up trying to make things better.
 
2013-03-05 12:52:18 PM

serial_crusher: FitzShivering: serial_crusher: What's with the anti-Java bandwagon in the media lately?  Guess Apple's trying to buy a little bad publicity in advance of Google Glass being released.

I'm guessing this is some technological equivalent of trolling.  If you don't know what's up with the Java stuff in the media lately, you've had your head in a hole.  It isn't about the utility of Java versus anything else, it's about the massive security flaws that Oracle has been having to repeatedly patch.  If you're in IT and have to deal with any (blergh!) BYOD devices, this is slowly becoming the bane of your existence.

Security bugs are a constant problem, but media reporting on them comes in waves of FUD.
Repeated patches are a pain in the ass for everyone, but without the media blowout Oracle would probably be releasing them in batches instead of emergency patches.  Makes your job easier while making everybody else less secure.


Except the difference is these security bugs are actually far more critical, far more easily exploited, and in almost every case were actively present and in use in the wild, including on large sites that people have set as home pages, like MSN.com.  This isn't the same as a "typical Windows bug" or bug in most other software.  This is something that Oracle has gone out of their way to make sure stays running in end user browsers (to the point that now most browser companies are disabling it by default), and has infected machines even browsing "safe" sites.  The vast majority of the most recent security breaches for enterprises (and, not as noticeably, smaller companies) have come from drive-by Java plugin exploits.

There isn't any "FUD" here, at least not in the pejorative sense you're intending.  People with Java enabled in their browsers who are not regularly (nay, constantly) updating it or removing it altogether should be afraid of whether they're going to get infected, should be uncertain where they should visit, and should doubt whether it's even worth having those plugins any longer (if they even know what a plugin is).

I've been doing this a long time.  I've seen blithering stupid security flaws, especially, though not exclusively, from Microsoft.  But the attack vector here is something that virtually everyone does -- even the most "locked down" businesses are still getting infected this way.

It might also be worth knowing that it isn't as simple as "pushing out a patch" for the browsers in an enterprise.  Java updates fail at a higher rate than the average patch (excluding Windows SPs).  Every time one of these comes out, they have to be tested, pushed, and then the ramifications dealt with.  The downsides heavily outweigh the upsides, and the media is accurately pointing out that one of the most widely used technologies -- as opposed to some obscure bug-ridden software install -- is opening everyone up on a regular basis to consistently exploited holes.  It is a story in precisely the same way that Microsoft's security was a story 10 years ago -- multi-billion dollar corporations are supposed to do a better job than this, and when they become one of the main attack vectors for cybercriminals, they damned well need to be repeatedly and consistently exposed.  If it weren't for the media, the vast majority of the people I know wouldn't have any idea what "Java" or a "Plugin" was -- and yet, even before the browsers started killing it, many non-technical people I know had correctly uninstalled them from their system.

This doesn't make my job or my life any harder -- it makes it easier.  It decreases the exposed space for the average person, and not just the employee, by having them remove what are increasingly pointless plugins that guarantee, for the consistent web surfer, an infection.
 
2013-03-05 02:04:59 PM

andrewagill: Noscript is farking annoying, but at least it has a whitelist.


For me, Noscript is a tradeoff: small levels of annoyance in the short term against massive amounts of annoyance later. I wasn't even aware of the deceptive ads disguised as "DOWNLOAD" buttons coming up on sites like SourceForge until I had the misfortune of using a system without it.

Thought: "Gee, lots of download buttons here."
Action: *hovers mouse over them*
Thought: "Oh, that's what's going on. Bastards."

Yes, I mark ad networks as "Untrusted" (and anything Facebook-related as well).

There's a NotScripts add-on for Chrome as well. It's not quite as easy to install as Noscript on Firefox, though.
 
2013-03-05 06:02:03 PM

Fubegra: andrewagill: Noscript is farking annoying, but at least it has a whitelist.

For me, Noscript is a tradeoff: small levels of annoyance in the short term against massive amounts of annoyance later. I wasn't even aware of the deceptive ads disguised as "DOWNLOAD" buttons coming up on sites like SourceForge until I had the misfortune of using a system without it.

Thought: "Gee, lots of download buttons here."
Action: *hovers mouse over them*
Thought: "Oh, that's what's going on. Bastards."

Yes, I mark ad networks as "Untrusted" (and anything Facebook-related as well).

There's a NotScripts add-on for Chrome as well. It's not quite as easy to install as Noscript on Firefox, though.


I should stipulate that I use NoScript at work, but would never do so at home.  I find it annoying.  Also, I know it takes ad revenue from places and I really don't want to do that.

/I do use flashblock, though.
 
2013-03-05 10:51:24 PM
the problem is the language it's the paradigm. Java in the browser means you are letting a java computer program from somewhere on the Internet run on your computer inside the browser.

Substitute "java computer program" with "c++ computer program" in the previous statement and the problem gets worse, not better.

Meanwhile java is still doing things that aren't inside a browser just fine.
 

This thread is archived, and closed to new comments.
