Linked by Hadrien Grasland on Thu 20th Jan 2011 21:16 UTC
Privacy, Security, Encryption
"In 2010, exploited Java vulnerabilities outpaced the exploit of Adobe Reader and Acrobat," Landesman, senior security researcher at Cisco, said. "Java was 3.5 times more frequently exploited than were malicious PDFs. That really spells out the need for paying attention to what's making the headlines but also paying attention to the types of things that aren't making the headlines."
RE[4]: update java
by Subcomputer on Fri 21st Jan 2011 05:31 UTC in reply to "RE[3]: update java"
Subcomputer Member since:
2011-01-21

It is more secure in a VM, but the problem here is that the VM itself (or at least older versions) is insecure.

As far as updating, one of the reasons that there are so many old, insecure JVMs out in the wild is the pure ridiculous number of corporate apps that somehow flat out refuse to run on anything but the version they were created with, which often ends up being 1.5.

Reply Parent Score: 1

RE[5]: update java
by WorknMan on Fri 21st Jan 2011 09:44 in reply to "RE[4]: update java"
WorknMan Member since:
2005-11-13

As far as updating, one of the reasons that there are so many old, insecure JVMs out in the wild is the pure ridiculous number of corporate apps that somehow flat out refuse to run on anything but the version they were created with, which often ends up being 1.5.

Sounds like IE6 all over again ;) lol

That's the thing about corporate apps... somebody writes it, leaves the company (or was a contract programmer), and those left behind don't have a farking clue how it works.

Wonder how many hundreds of thousands of apps written in VB5/6 in the mid-to-late 90s are still being used out there. Or has anybody ever run into one of those Excel macros from hell that was written about 15 years ago, and the entire company depends on?

Reply Parent Score: 3

RE[5]: update java
by moondevil on Fri 21st Jan 2011 11:33 in reply to "RE[4]: update java"
moondevil Member since:
2005-07-08

The main problem is that most JVMs are implemented in C or C++. The languages responsible for bringing a dark era of buffer overruns and pointer mis-indirections to mankind, thus starting an era of insecure software, which we still fight to recover from.

One just needs to create a cleverly designed sequence of bytes as a .class file that exploits a security issue in a specific JVM version. Then you release the exploit in the wild and for sure a few thousand users will be hit.

As for users not updating it: it is really a big issue; in most corporate environments there is a big bureaucracy that you need to go through to update any software, even patch-level versions.

In most corporate environments I know, automatic updates are disabled, and updates are triggered by IT when they have approved a certain software version.

Not to mention that recently I saw an offer for a project using Java 1.4 with Tomcat 4!

Reply Parent Score: 2

RE[6]: update java
by Neolander on Fri 21st Jan 2011 16:05 in reply to "RE[5]: update java"
Neolander Member since:
2010-03-08

Well, if you implemented the JVM in a "safer" language like Java, how the hell would it run? ;)

Besides, C(++) can be secure when people know what they're doing with it (e.g. don't use scanf and char* apart from very low-level stuff where they can't do otherwise, think of the "delete" as soon as they've written a "new" somewhere, things like that).

Edited 2011-01-21 16:08 UTC

Reply Parent Score: 1
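An added example, not code from the thread or from any JVM: moondevil's point is that a crafted .class file only needs one native parser that trusts a length or index field, and Neolander's is that C is fine when every such field is checked before use. The block below is a bounds-checked walker for the first thing a JVM parses, the constant pool, written the way a hardened native loader would do it. The tag values come from the JVM specification; the cursor helpers, the E_* error codes and the 27-byte sample class (version 49.0, i.e. Java 5, with a Utf8, a Class and a Long entry) are constructed for this example. The unchecked pattern it replaces is `len = read_u2(p); memcpy(name, p + 2, len);` with `len` taken straight from the file.

```c
/* Added example (not from the thread or any JVM): a bounds-checked walker
 * for the constant pool of a Java .class file. Every length and index in
 * the file is attacker-controlled, so each read goes through take(), which
 * refuses to step past the buffer, and each cross-reference is range- and
 * type-checked before anything dereferences it. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { const uint8_t *p; size_t len; size_t off; } cursor_t;

/* Hand out n bytes at the cursor and advance, or NULL if fewer remain. */
static const uint8_t *take(cursor_t *c, size_t n) {
    if (n > c->len - c->off) return NULL;          /* off <= len always holds */
    const uint8_t *q = c->p + c->off;
    c->off += n;
    return q;
}
static int u1(cursor_t *c, uint8_t *v)  { const uint8_t *q = take(c, 1); if (!q) return 0; *v = q[0]; return 1; }
static int u2(cursor_t *c, uint16_t *v) { const uint8_t *q = take(c, 2); if (!q) return 0; *v = (uint16_t)((q[0] << 8) | q[1]); return 1; }
static int u4(cursor_t *c, uint32_t *v) { const uint8_t *q = take(c, 4); if (!q) return 0;
    *v = ((uint32_t)q[0] << 24) | ((uint32_t)q[1] << 16) | ((uint32_t)q[2] << 8) | q[3]; return 1; }

/* Constant-pool tags as defined by the JVM specification. */
enum { CP_UTF8 = 1, CP_INTEGER = 3, CP_FLOAT = 4, CP_LONG = 5, CP_DOUBLE = 6, CP_CLASS = 7,
       CP_STRING = 8, CP_FIELDREF = 9, CP_METHODREF = 10, CP_IFMETHODREF = 11, CP_NAMEANDTYPE = 12 };

/* Error codes for this example (not JVM codes). */
enum { E_MAGIC = -1, E_VERSION = -2, E_COUNT = -3, E_TRUNC = -4, E_UTF8LEN = -5,
       E_WIDE = -6, E_TAG = -7, E_INDEX = -8, E_NOMEM = -9 };

struct cp_entry { uint8_t tag; uint16_t ref; };   /* ref: name_index / string_index of Class / String */

/* Parse magic, version and the whole constant pool. On success returns the
 * byte offset where the rest of the class file begins; on malformed input
 * returns a negative E_* code without ever reading past len. */
long parse_class_header(const uint8_t *buf, size_t len) {
    cursor_t c = { buf, len, 0 };
    uint32_t magic; uint16_t minor, major, cp_count;
    if (!u4(&c, &magic) || magic != 0xCAFEBABEu) return E_MAGIC;
    if (!u2(&c, &minor) || !u2(&c, &major)) return E_VERSION;
    if (!u2(&c, &cp_count) || cp_count == 0) return E_COUNT;  /* valid indices: 1..cp_count-1 */

    struct cp_entry *cp = calloc(cp_count, sizeof *cp);
    if (!cp) return E_NOMEM;
    long rc = E_TRUNC;
    for (uint16_t i = 1; i < cp_count; i++) {
        uint8_t tag; uint16_t n;
        if (!u1(&c, &tag)) goto out;
        cp[i].tag = tag;
        switch (tag) {
        case CP_UTF8:                              /* u2 length, then that many bytes */
            if (!u2(&c, &n)) goto out;
            if (!take(&c, n)) { rc = E_UTF8LEN; goto out; }   /* length exceeds the file */
            break;
        case CP_CLASS: case CP_STRING:             /* u2 index into the pool, checked below */
            if (!u2(&c, &cp[i].ref)) goto out;
            break;
        case CP_INTEGER: case CP_FLOAT: case CP_FIELDREF: case CP_METHODREF:
        case CP_IFMETHODREF: case CP_NAMEANDTYPE:  /* two u2 fields or one u4: 4 bytes */
            if (!take(&c, 4)) goto out;
            break;
        case CP_LONG: case CP_DOUBLE:              /* 8 bytes, and they occupy TWO slots */
            if (!take(&c, 8)) goto out;
            if (i + 1 >= cp_count) { rc = E_WIDE; goto out; }  /* second slot must exist */
            cp[++i].tag = 0;                       /* the phantom slot is unusable */
            break;
        default:
            rc = E_TAG; goto out;
        }
    }
    /* Second pass: every Class/String must point at an existing Utf8 entry. */
    for (uint16_t i = 1; i < cp_count; i++) {
        if (cp[i].tag == CP_CLASS || cp[i].tag == CP_STRING) {
            uint16_t r = cp[i].ref;
            if (r == 0 || r >= cp_count || cp[r].tag != CP_UTF8) { rc = E_INDEX; goto out; }
        }
    }
    rc = (long)c.off;
out:
    free(cp);
    return rc;
}

/* Constructed sample: magic, version 49.0, cp_count 5 with
 * #1 Utf8 "Hi", #2 Class -> #1, #3/#4 Long 42. */
static const uint8_t SAMPLE_CLASS[] = {
    0xCA, 0xFE, 0xBA, 0xBE,  0x00, 0x00,  0x00, 0x31,  0x00, 0x05,
    0x01, 0x00, 0x02, 'H', 'i',
    0x07, 0x00, 0x01,
    0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2A,
};
#define SAMPLE_LEN sizeof SAMPLE_CLASS

int main(void) {
    uint8_t bad[SAMPLE_LEN];
    memcpy(bad, SAMPLE_CLASS, SAMPLE_LEN);
    bad[11] = 0xFF; bad[12] = 0xFF;   /* claim a 65535-byte Utf8 inside a 27-byte file */
    printf("well-formed: %ld\n", parse_class_header(SAMPLE_CLASS, SAMPLE_LEN));
    printf("oversized utf8: %ld\n", parse_class_header(bad, SAMPLE_LEN));
    return 0;
}
```

The two-slot rule for Long/Double and the second-pass index check are where hand-written loaders most often go wrong: an off-by-one on the slot count or an unchecked name_index lets a later stage read a pool entry that was never parsed.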