
(ZDNet)   Oracle rushes to fix another critical Java flaw, otherwise known as a day ending in y   (zdnet.com)
    More: Obvious, Oracle, Java, Java SE  

1328 clicks; posted to Geek » on 05 Mar 2013 at 9:04 AM (1 year ago)





Archived thread
2013-03-05 12:52:18 PM
1 votes:

serial_crusher: FitzShivering: serial_crusher: What's with the anti-Java bandwagon in the media lately?  Guess Apple's trying to buy a little bad publicity in advance of Google Glass being released.

I'm guessing this is some technological equivalent of trolling.  If you don't know what's up with the Java stuff in the media lately, you've had your head in a hole.  It isn't about the utility of Java versus anything else, it's about the massive security flaws that Oracle has been having to repeatedly patch.  If you're in IT and have to deal with any (blergh!) BYOD devices, this is slowly becoming the bane of your existence.

Security bugs are a constant problem, but media reporting on them comes in waves of FUD.
Repeated patches are a pain in the ass for everyone, but without the media blowout Oracle would probably be releasing them in batches instead of emergency patches.  Makes your job easier while making everybody else less secure.


Except the difference is these security bugs are actually far more critical, far more easily exploited, and in almost every case were actively present and in use in the wild, including on large sites that people have set as home pages, like MSN.com.  This isn't the same as a "typical Windows bug" or bug in most other software.  This is something that Oracle has gone out of their way to make sure stays running in end user browsers (to the point that now most browser companies are disabling it by default), and has infected machines even browsing "safe" sites.  The vast majority of the most recent security breaches for enterprises (and, not as noticeably, smaller companies) have come from drive-by Java plugin exploits.

There isn't any "FUD" here, at least not in the pejorative sense you're intending.  People with Java enabled in their browsers who are not regularly (nay, constantly) updating it or removing it altogether should be afraid of whether they're going to get infected, should be uncertain where they should visit, and should doubt whether it's even worth having those plugins any longer (if they even know what a plugin is).

I've been doing this a long time.  I've seen blithering stupid security flaws, especially, though not exclusively, from Microsoft.  But the attack vector here is something that virtually everyone does -- even the most "locked down" businesses are still getting infected this way.

It might also be worth knowing that it isn't as simple as "pushing out a patch" for the browsers in an enterprise.  Java updates fail at a higher rate than the average patch (excluding Windows SPs).  Every time one of these comes out, they have to be tested, pushed, and then the ramifications dealt with.  The downsides heavily outweigh the upsides, and the media is accurately pointing out that one of the most widely used technologies -- as opposed to some obscure bug-ridden software install -- is opening everyone up on a regular basis to consistently exploited holes.  It is a story in precisely the same way that Microsoft's security was a story 10 years ago -- multi-billion dollar corporations are supposed to do a better job than this, and when they become one of the main attack vectors for cybercriminals, they damned well need to be repeatedly and consistently exposed.  If it weren't for the media, the vast majority of the people I know wouldn't have any idea what "Java" or a "Plugin" was -- and yet, even before the browsers started killing it, many non-technical people I know had correctly uninstalled them from their system.

This doesn't make my job or my life any harder -- it makes it easier.  It decreases the exposed space for the average person, and not just the employee, by having them remove what are increasingly pointless plugins that guarantee, for the consistent web surfer, an infection.
2013-03-05 11:32:59 AM
1 votes:

serial_crusher: What's with the anti-Java bandwagon in the media lately?  Guess Apple's trying to buy a little bad publicity in advance of Google Glass being released.


I'm guessing this is some technological equivalent of trolling.  If you don't know what's up with the Java stuff in the media lately, you've had your head in a hole.  It isn't about the utility of Java versus anything else, it's about the massive security flaws that Oracle has been having to repeatedly patch.  If you're in IT and have to deal with any (blergh!) BYOD devices, this is slowly becoming the bane of your existence.
2013-03-05 11:31:46 AM
1 votes:

BrynnMacFlynn: I was getting alerts yesterday that my Java was out of date, and only just got prompted to update this morning. So if you're getting those messages, make sure you update to the newest version for your PC.


The malware guy at work says to ignore those things and go directly to java.com if you think your Java version is out of date.  The fake notices are getting pretty good, and I don't know that I could tell which is which right now.

For example, I got a software update notice today that popped right in front of everything.  The title bar said software update, but App Store was not running.  I'm pretty sure it was authentic, as it went away after I updated Java, but who knows what that thing was.
2013-03-05 10:59:59 AM
1 votes:

bhcompy: andrewagill: I think Noscript will do this for you if you whitelist all Javascript as well. Noscript is farking annoying, but at least it has a whitelist.

That's just JS.  At current time, anything that uses Java in FF is instantly disabled and you have to jump through hoops to get it running.


Only if you're using an 'insecure' or out of date version of Java. And man is FF staying on top of whether or not your Java is up to date... I was getting alerts yesterday that my Java was out of date, and only just got prompted to update this morning. So if you're getting those messages, make sure you update to the newest version for your PC.
2013-03-05 10:42:13 AM
1 votes:

andrewagill: I think Noscript will do this for you if you whitelist all Javascript as well. Noscript is farking annoying, but at least it has a whitelist.


That's just JS.  At current time, anything that uses Java in FF is instantly disabled and you have to jump through hoops to get it running.
2013-03-05 10:32:55 AM
1 votes:

Ivo Shandor: serial_crusher: What's with the anti-Java bandwagon in the media lately?  Guess Apple's trying to buy a little bad publicity in advance of Google Glass being released.

No, it's just that Oracle/Java have managed to out-suck Adobe at security. That's newsworthy.

Related: A close look at how Oracle installs deceptive software with Java updates.


touche, that is quite a feat.

I used to work with the guy who invented Gator.  It was great hearing him justify how it wasn't actually malware and had just gotten a bad rep.
2013-03-05 10:24:17 AM
1 votes:

serial_crusher: What's with the anti-Java bandwagon in the media lately?  Guess Apple's trying to buy a little bad publicity in advance of Google Glass being released.


No, it's just that Oracle/Java have managed to out-suck Adobe at security. That's newsworthy.

Related: A close look at how Oracle installs deceptive software with Java updates.
2013-03-05 10:21:38 AM
1 votes:

degenerate-afro: Java 6 went end of life last month so they aren't going to patch that... well they will, but they'll make you pay for the update.  Considering there is still a ton of stuff that doesn't work with Java 7 (hooray for changed architecture), I can see this getting hairy really quickly.


Especially since Oracle has publicly acknowledged the JAVA 7 failures. This will probably force a platform jump to JAVA 8 quicker than they originally expected, because we all know Oracle doesn't just patch something if they know they can release a new version number and force people to purchase a renewed/new contract.
2013-03-05 10:13:25 AM
1 votes:
Java 6 went end of life last month so they aren't going to patch that... well they will, but they'll make you pay for the update.  Considering there is still a ton of stuff that doesn't work with Java 7 (hooray for changed architecture), I can see this getting hairy really quickly.
2013-03-05 09:58:46 AM
1 votes:
It's just farking annoying that I have to override the security 15 times to get some of my applets to work in FF because they went on full retard Java lockdown.  Why can't I just whitelist the shiat I want?
2013-03-05 09:55:46 AM
1 votes:
I don't think Oracle knew what they were getting themselves into with JAVA. I think they proved that fact with JAVA 7.
2013-03-05 09:38:00 AM
1 votes:

Abe Vigoda's Ghost: serial_crusher: What's with the anti-Java bandwagon in the media lately?  Guess Apple's trying to buy a little bad publicity in advance of Google Glass being released.

And how does Java being a steaming pile of crap have anything to do with Apple?

If you don't need Java, uninstall it. Problem solved.


I've heard some idiots making the "Java is insecure... Android is built on Java..." argument.
2013-03-05 09:26:44 AM
1 votes:

serial_crusher: What's with the anti-Java bandwagon in the media lately?  Guess Apple's trying to buy a little bad publicity in advance of Google Glass being released.


And how does Java being a steaming pile of crap have anything to do with Apple?

If you don't need Java, uninstall it. Problem solved.
2013-03-05 09:20:43 AM
1 votes:
i.imgur.com

About time to put the old girl down for good.
2013-03-05 09:07:31 AM
1 votes:
What's with the anti-Java bandwagon in the media lately?  Guess Apple's trying to buy a little bad publicity in advance of Google Glass being released.
 