Linked by Hadrien Grasland on Thu 20th Jan 2011 21:16 UTC
Privacy, Security, Encryption "In 2010, exploited Java vulnerabilities outpaced the exploit of Adobe Reader and Acrobat," Landesman, senior security researcher at Cisco, said. "Java was 3.5 times more frequently exploited than were malicious PDFs. That really spells out the need for paying attention to what's making the headlines but also paying attention to the types of things that aren't making the headlines."
update java
by fran on Thu 20th Jan 2011 21:53 UTC
fran Member since:
2010-08-06

From what I can gather, the problem is not that Java is insecure; it's that many don't update it to the current version and ignore the update prompt screen.

Reply Score: 3

RE: update java
by Delgarde on Thu 20th Jan 2011 21:58 UTC in reply to "update java"
Delgarde Member since:
2008-08-19

Newer versions *do* auto-update, just like Firefox or any other decent modern software.

But I imagine it's a big issue for the corporate world, who are more likely to be running ancient Java versions for support reasons. I know I just found an issue with the ancient 1.4 version one of our clients is running - it's fixed in newer versions, but they don't want to pay to get things certified.

Reply Score: 3

RE[2]: update java
by Lennie on Fri 21st Jan 2011 00:10 UTC in reply to "RE: update java"
Lennie Member since:
2007-09-22

Just disable the plugin in the browser. What webpage still uses Java applets? Really?

Edited 2011-01-21 00:11 UTC

Reply Score: 2

RE[3]: update java
by WorknMan on Fri 21st Jan 2011 01:56 UTC in reply to "RE[2]: update java"
WorknMan Member since:
2005-11-13

Just disable the plugin in the browser. What webpage still uses Java applets? Really?


Only a few that I have seen, but not enough to bother with installing it. Flash is still a necessary evil, so I run it with flashblock on. Fortunately though, I've been able to get by without Java.

Wasn't one of the whole points of Java (besides the 'run everywhere' thing, which doesn't really work so much) that it was supposed to be more secure running in a VM?

Edited 2011-01-21 01:57 UTC

Reply Score: 2

RE[4]: update java
by Subcomputer on Fri 21st Jan 2011 05:31 UTC in reply to "RE[3]: update java"
Subcomputer Member since:
2011-01-21

It is more secure in a VM, but the problem here is that the VM itself (or at least older versions) is insecure.

As far as updating, one of the reasons that there are so many old, insecure JVMs out in the wild is the purely ridiculous number of corporate apps that somehow flat out refuse to run on anything but the version they were created with, which often ends up being 1.5.

Reply Score: 1
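The post above is about old JVMs surviving in the wild, which suggests a fleet check: collect what `java -version` prints on each host and compare it numerically against a patch baseline. What follows is an added example, not code from the page or from any of the posters; the host names, the captured output strings and the baseline of 1.6.0_23 are constructed assumptions, embedded inline so the check runs offline.

```python
import re

# Constructed sample of what `java -version` wrote to stderr on several hosts.
# Nothing is executed here; in a real inventory these strings would come from
# ssh, a management agent or a login script.
SAMPLE_OUTPUT = {
    "ws-01": 'java version "1.6.0_23"\n'
             'Java(TM) SE Runtime Environment (build 1.6.0_23-b05)\n',
    "ws-02": 'java version "1.6.0_7"\n'
             'Java(TM) SE Runtime Environment (build 1.6.0_07-b06)\n',
    "app-srv-1": 'java version "1.5.0_22"\n'
                 'Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_22-b03)\n',
    "legacy-db": 'java version "1.4.2_19"\n'
                 'Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_19-b04)\n',
    "build-box": 'bash: java: command not found\n',
}

# Assumed patch baseline: any JRE older than this is treated as unpatched.
BASELINE = (1, 6, 0, 23)

# Sun-era version strings look like 1.<major>.<minor>_<update>; the update
# part is optional on some builds.
VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(text):
    """Return (family, major, minor, update) as ints, or None if no JRE answered."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def classify(version, baseline=BASELINE):
    """Label one host: no-java, outdated (below baseline) or ok."""
    if version is None:
        return "no-java"
    # Tuples compare field by field as numbers, so 1.6.0_7 < 1.6.0_23 as
    # intended. Comparing the raw strings would say the opposite ("7" > "2"),
    # which is a classic way for an inventory script to miss unpatched hosts.
    return "outdated" if version < baseline else "ok"


def audit(outputs, baseline=BASELINE):
    """Map host name -> status for a dict of captured `java -version` output."""
    return {host: classify(parse_java_version(text), baseline)
            for host, text in outputs.items()}


if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_OUTPUT).items()):
        print(f"{host:12} {status}")
```

A 1.5 or 1.4 host sorts below the 1.6 baseline automatically, which is the right answer for a desktop JRE but not necessarily for an application server pinned to an old family for the reasons the thread describes; those hosts need a per-family baseline and a compensating control (no browser plugin, no untrusted class files) rather than a simple "outdated" flag.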

RE[5]: update java
by WorknMan on Fri 21st Jan 2011 09:44 UTC in reply to "RE[4]: update java"
WorknMan Member since:
2005-11-13

As far as updating, one of the reasons that there are so many old, insecure JVMs out in the wild is the purely ridiculous number of corporate apps that somehow flat out refuse to run on anything but the version they were created with, which often ends up being 1.5.


Sounds like IE6 all over again ;) lol

That's the thing about corporate apps... somebody writes it, leaves the company (or was a contract programmer), and those left behind don't have a farking clue how it works.

Wonder how many hundreds of thousands of apps written in VB5/6 in the mid-to-late 90s are still being used out there. Or has anybody ever run into one of those Excel macros from hell that was written about 15 years ago, and that the entire company depends on?

Reply Score: 3

RE[5]: update java
by moondevil on Fri 21st Jan 2011 11:33 UTC in reply to "RE[4]: update java"
moondevil Member since:
2005-07-08

The main problem is that most JVMs are implemented in C or C++, the languages responsible for bringing a dark era of buffer overruns and pointer mis-indirections to mankind, thus starting an era of insecure software from which we are still fighting to recover.

One just needs to create a cleverly designed sequence of bytes as a .class file that exploits a security issue in a specific JVM version. Then you release the exploit in the wild and for sure a few thousand users will be hit.

As for users not updating it: it is really a big issue. In most corporate environments there is a big bureaucracy that you need to go through to update any software, even patch-level versions.

In most corporate environments I know, automatic updates are disabled, and updates are triggered by IT when they have approved a certain software version.

Not to mention that recently I saw an offer for a project using Java 1.4 with Tomcat 4!

Reply Score: 2
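The "cleverly designed sequence of bytes as a .class file" in the post above works because a class file is a binary format full of attacker-controlled lengths and indices, and a VM written in C or C++ that trusts one of them reads or writes out of bounds. The following is an added example, not code from the page or from any of the posters: a bounds-checked parser for the class-file header and constant pool that rejects the two most common malformations (a length that runs past the end of the file, and an index that points outside the pool), run over constructed sample inputs built inline. The release table, the `Legacy`/`Evil` class names and the two malformed blobs are assumptions for illustration; no real class file is read.

```python
import struct

CLASS_MAGIC = 0xCAFEBABE

# class-file major_version -> JDK release that introduced it (JVM specification);
# the table stops at 7, anything higher is reported as "newer"
MAJOR_TO_RELEASE = {45: "1.1", 46: "1.2", 47: "1.3", 48: "1.4",
                    49: "5", 50: "6", 51: "7"}

TAG_UTF8, TAG_CLASS = 1, 7
# constant-pool tag -> fixed payload size; CONSTANT_Utf8 is length-prefixed
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4,
              11: 4, 12: 4, 15: 3, 16: 2, 18: 4}
TWO_SLOT = {5, 6}  # CONSTANT_Long and CONSTANT_Double occupy two indices


class ClassFileError(ValueError):
    """Any truncated, oversized or self-inconsistent input is rejected."""


class Reader:
    """Bounds-checked cursor over untrusted bytes: every read goes through take()."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ClassFileError(f"truncated: need {n} bytes at offset {self.pos}, "
                                 f"only {len(self.data) - self.pos} left")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u1(self):
        return self.take(1)[0]

    def u2(self):
        return struct.unpack(">H", self.take(2))[0]

    def u4(self):
        return struct.unpack(">I", self.take(4))[0]


def _utf8_at(pool, index):
    if not 0 < index < len(pool) or pool[index] is None or pool[index][0] != TAG_UTF8:
        raise ClassFileError(f"index {index} is not a CONSTANT_Utf8")
    # real class files use "modified UTF-8"; identical to UTF-8 for ASCII names
    return pool[index][1].decode("utf-8")


def _class_name_at(pool, index):
    if not 0 < index < len(pool) or pool[index] is None or pool[index][0] != TAG_CLASS:
        raise ClassFileError(f"index {index} is not a CONSTANT_Class")
    return _utf8_at(pool, struct.unpack(">H", pool[index][1])[0])


def parse_class_header(data):
    """Parse magic, version, constant pool, class and superclass names."""
    r = Reader(data)
    if r.u4() != CLASS_MAGIC:
        raise ClassFileError("bad magic, not a class file")
    minor, major = r.u2(), r.u2()
    cp_count = r.u2()
    if cp_count == 0:
        raise ClassFileError("constant_pool_count must be at least 1")
    pool = [None] * cp_count          # slot 0 is unused by the specification
    i = 1
    while i < cp_count:
        tag = r.u1()
        if tag == TAG_UTF8:
            pool[i] = (tag, r.take(r.u2()))   # take() rejects a length past EOF
        elif tag in FIXED_SIZE:
            pool[i] = (tag, r.take(FIXED_SIZE[tag]))
        else:
            raise ClassFileError(f"unknown constant tag {tag} at index {i}")
        i += 2 if tag in TWO_SLOT else 1
    if i != cp_count:
        raise ClassFileError("long/double entry runs past constant_pool_count")
    access_flags, this_idx, super_idx = r.u2(), r.u2(), r.u2()
    interfaces = [r.u2() for _ in range(r.u2())]
    # fields, methods and attributes follow and are parsed the same way; omitted
    return {
        "major": major, "minor": minor,
        "release": MAJOR_TO_RELEASE.get(major, "newer"),
        "constant_pool_count": cp_count,
        "access_flags": access_flags,
        "this_class": _class_name_at(pool, this_idx),
        "super_class": _class_name_at(pool, super_idx) if super_idx else None,
        "interfaces": [_class_name_at(pool, k) for k in interfaces],
    }


def check(data):
    """Return ("ok", info) for a well-formed header, ("rejected", reason) otherwise."""
    try:
        return "ok", parse_class_header(data)
    except ClassFileError as e:
        return "rejected", str(e)


# --- constructed samples ------------------------------------------------------

def _utf8(s):
    b = s.encode("utf-8")
    return bytes([TAG_UTF8]) + struct.pack(">H", len(b)) + b


def _class(name_index):
    return bytes([TAG_CLASS]) + struct.pack(">H", name_index)


def build_minimal_class(major=49):
    """`public class Legacy {}` with no fields or methods, targeting `major`."""
    pool = _class(2) + _utf8("Legacy") + _class(4) + _utf8("java/lang/Object")
    header = struct.pack(">IHHH", CLASS_MAGIC, 0, major, 5)
    # access_flags, this_class, super_class, then zero interfaces/fields/methods/attributes
    return header + pool + struct.pack(">HHHHHHH", 0x0021, 1, 3, 0, 0, 0, 0)


# claims 65535 constants and a 32 KiB string, then the file simply ends
TRUNCATED_POOL = (struct.pack(">IHHH", CLASS_MAGIC, 0, 49, 0xFFFF)
                  + bytes([TAG_UTF8]) + struct.pack(">H", 0x7FFF))

# the superclass entry's name index (9) points outside a 4-slot pool
DANGLING_INDEX = (struct.pack(">IHHH", CLASS_MAGIC, 0, 49, 4)
                  + _class(2) + _utf8("Evil") + _class(9)
                  + struct.pack(">HHHH", 0x0021, 1, 3, 0))

if __name__ == "__main__":
    for label, blob in [("minimal 1.4", build_minimal_class(48)),
                        ("truncated", TRUNCATED_POOL),
                        ("dangling", DANGLING_INDEX)]:
        print(label, check(blob))
```

The two rejected blobs are exactly the shapes a memory-unsafe loader gets wrong: `TRUNCATED_POOL` tempts it to copy 32 KiB from a 15-byte buffer, and `DANGLING_INDEX` tempts it to dereference pool slot 9 of a 4-slot table. In Python the worst outcome is an exception; the reason this matters for a JVM is that the same mistake in C is a read or write past the allocation.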

RE[6]: update java
by Neolander on Fri 21st Jan 2011 16:05 UTC in reply to "RE[5]: update java"
Neolander Member since:
2010-03-08

Well, if you implemented the JVM in a "safer" language like Java, how the hell would it run? ;)

Besides, C(++) can be secure when people know what they're doing with it (e.g. don't use scanf and char* except for very low-level stuff where they can't do otherwise, think of the "delete" as soon as they've written a "new" somewhere, things like that).

Edited 2011-01-21 16:08 UTC

Reply Score: 1

RE[7]: update java
by moondevil on Fri 21st Jan 2011 20:28 UTC in reply to "RE[6]: update java"
moondevil Member since:
2005-07-08

Well, if you implemented the JVM in a "safer" language like Java, how the hell would it run? ;)


Actually it has already been done:
http://wikis.sun.com/display/MaxineVM/Home;jsessionid=383E286046FA9...

Still, there are lots of safe languages to choose from in the TIOBE top 50. I did not say that the JVM had to be coded in Java.

Besides, C(++) can be secure when people know what they're doing with it (e.g. don't use scanf and char* except for very low-level stuff where they can't do otherwise, think of the "delete" as soon as they've written a "new" somewhere, things like that).


I hear this excuse a lot; the problem is that it does not work in the real world. Contrary to what you may think, I do know C and C++ pretty well, and I also have experience of what it means to have multi-site development across the globe in such languages in the corporate world.

The result is not always pretty, there are tons of developers that should have never been allowed to touch C or C++, but they were.

Reply Score: 2

RE[3]: update java
by dvhh on Fri 21st Jan 2011 09:29 UTC in reply to "RE[2]: update java"
dvhh Member since:
2006-03-20

In the scientific/academic world it is still widely used for data display.

And I want to play minecraft too :p

Reply Score: 2

RE[3]: update java
by nt_jerkface on Fri 21st Jan 2011 14:31 UTC in reply to "RE[2]: update java"
nt_jerkface Member since:
2009-08-26

Banking websites for one. They use Java for electronic check deposits.

But anyone who doesn't have such a need should uninstall it.

Reply Score: 2

RE[4]: update java
by Lennie on Sun 23rd Jan 2011 10:52 UTC in reply to "RE[3]: update java"
Lennie Member since:
2007-09-22

This differs widely among countries. What country uses Java applets for banking?

Reply Score: 2

RE: update java
by Neolander on Thu 20th Jan 2011 22:07 UTC in reply to "update java"
Neolander Member since:
2010-03-08

If only they made their update system less annoying, people would be more inclined to let it do its job...

Reply Score: 1

RE[2]: update java
by Delgarde on Thu 20th Jan 2011 22:51 UTC in reply to "RE: update java"
Delgarde Member since:
2008-08-19

And less buggy, going by the article. I've not noticed the problems they mention myself (as a Linux user, I don't use their updater), but I can see how that would be annoying.

Reply Score: 2

Apple meet orange
by fretinator on Fri 21st Jan 2011 01:13 UTC
fretinator Member since:
2005-07-06

Java was 3.5 times more frequently exploited than were malicious PDFs


So a framework that is used to create thousands of applications is being compared to a single application. Nice. Me like like logic lots!

Reply Score: 1

RE: Apple meet orange
by Subcomputer on Fri 21st Jan 2011 05:14 UTC in reply to "Apple meet orange"
Subcomputer Member since:
2011-01-21

It actually is a fair comparison. It's usually not Java programs that are being targeted, in most of these cases it's the framework itself.

Reply Score: 1

RE: Apple meet orange
by kaiwai on Fri 21st Jan 2011 08:49 UTC in reply to "Apple meet orange"
kaiwai Member since:
2005-07-06

Java was 3.5 times more frequently exploited than were malicious PDFs

So a framework that is used to create thousands of applications is being compared to a single application. Nice. Me like like logic lots!


It was also compared to Adobe Flash which is also a framework located on millions of computers - more computers and devices than I'd say Java is loaded onto and being used on a regular basis.

I see so many end users with Java installed but they never use anything that requires it! My neighbours were looking at it wondering what the heck it was and whether they needed it. How many end users out there want to get rid of it but are scared that they might break something? I'd say many.

If there is one thing I remove as soon as I get a PC it is the preloaded crap - Java being top of that list.

Edited 2011-01-21 08:49 UTC

Reply Score: 3

RE[2]: Apple meet orange
by testadura on Fri 21st Jan 2011 10:46 UTC in reply to "RE: Apple meet orange"
testadura Member since:
2006-04-14

Well, the Java distribution on the Windows platform is a mess indeed. It's bulky and has a malfunctioning update mechanism. Oracle could learn some things from Adobe about how they provide the Flash plugin.

But besides this, I really like the Java platform. And for a lot of uses Java is still a necessity. Our clients make use of an applet (embedded in a webapp) to log in and sign data using a smartcard. This applet works on Linux/OSX/Windows as long as the native drivers are available. I could not think of a better way to make our webapp communicate with a smartcard on the client's machine on all major platforms.

Reply Score: 2

RE[2]: Apple meet orange
by moondevil on Fri 21st Jan 2011 11:34 UTC in reply to "RE: Apple meet orange"
moondevil Member since:
2005-07-08

It might be crap to you, but in the corporate world, the majority of the new software being developed is either Java or .Net based.

Reply Score: 3

RE[3]: Apple meet orange
by kaiwai on Sat 22nd Jan 2011 05:54 UTC in reply to "RE[2]: Apple meet orange"
kaiwai Member since:
2005-07-06

It might be crap to you, but in the corporate world, the majority of the new software being developed is either Java or .Net based.


If you pulled your head out of your ass for just a second: I was referring to Java being installed on end users' computers that they use at home. I'd say a good portion of that statistic can be blamed on Sun paying OEMs to load Java onto desktops by default.

Reply Score: 2

RE[4]: Apple meet orange
by moondevil on Sat 22nd Jan 2011 19:01 UTC in reply to "RE[3]: Apple meet orange"
moondevil Member since:
2005-07-08

Ho! Did I hit a nerve?

I was just referring to how important Java actually is.

Reply Score: 2