"Much like Microsoft's "Patch Tuesday," Java's slow-but-steady patch schedule is designed to give enterprise customers time to properly test the fixes before deploying them."
Microsoft does not wait for Patch Tuesday when there is a zero day exploit. Or at least not always, as the article implies.
I can handle breaking changes if they are community driven; I will not accept excuses for something that is maintained by a large corporation that has the resources and staff to prevent such issues. Oracle is rotting the fish from the head.
C'mon. The JVM's problems have such wide effects because so many people use it; probably more than all other non-native platforms combined. The JVM is still the most performant, best tested and most stable application platform out there. For real heavy duty applications, there is still no true alternative for the JVM. Certainly not a better one.
Good point. Do you happen to know of a list of managed native languages? All that really comes to mind is C# (the CLI really) and Go. Tried googling for a list of such languages but couldn't find any using terms "list of native managed languages" (without quotes).
When Oracle were originally informed about it in April it wasn't a zero day. They could have rolled out a fix on their next scheduled update and it would have been patched for everyone before it became public.
Hearing "Oracle ignored a critical security flaw" is so extremely ordinary that I almost just skipped this post. The only new thing is that they have found a new product for which they can neglect to provide security updates.
They have one of the worst records on this. (Is SGI still is business?)
Old-SGI (Silicon Graphics, Inc.) went bankrupt. The assets were sold to Rackable. Which then renamed itself as "Silicon Graphics International", or new-SGI.
Despite sale of assets and similar names, they're separate companies.
No, but it could have been without them knowing it. Just because an exploit hasn't been found and publicized by a security firm, doesn't mean black hats couldn't have found the bug and been using it without it being widely known.
So should we expect vendors to immediately fix all vulnerabilities and release the fixes immediately?
That creates a near-constant stream of updates which is difficult for users & sysadmins to manage, and is why Microsoft and others have a "Patch Tuesday".
(I know that Oracle didn't do that here, but that's what the GP post was talking about)
I don't think immediate fixes are reasonable, but expecting a <3mo rollout for critical vulnerabilities (such as this one) isn't unreasonable at all. If they plan to fix this in October, that's 6 months; regardless of a 0-day being out or not, that's pretty abysmal. Of course, Oracle is not the only company that does this, but that doesn't make it okay.
Usually (and hopefully) the exploit isn't public yet. But as soon as the patch is released the bad guys can figure out what the exploit is and start attacking unpatched machines.
If the sysadmins know when the patches are coming out then they can schedule downtime in advance and get things patched very soon after they're released.
Interesting, I was under the impression that most of the time the exploit was known before the patch release. But of course the patch gives away everything. Live an' learn.
I don't know how it works in the US, but in Norway most online banks can only be accessed through a Java applet where you enter SSN, password and token-code. Extremely frustrating since whether it works or not in Linux seems like a function of the day of the week, and, well, it's a Java applet.
At least you guys don't have a system that uses ActiveX. That's how it is in South Korea[0], supposedly the world's "most wired" nation. You can only use IE, on Windows, to access online banking services. Things are slowly getting better thanks to the explosion of iPhone/iPad/Mac popularity in Korea (particularly the iPhone), but even now, IE has more than 91% market share in South Korea[1].
Yeah, my reply was rude--I'd delete it if I could but I guess I've passed the point of no return. I can certainly sympathize with software screwing you over.
Not debating the rest of your post, but not all Norwegian banks rely solely on BankID. Just clarifying that there is no national mandated standard here, just a system which banks can opt in on to use. And then they don't have to opt in fully or exclusively.
One example of one who manages to get authentication right, through HTML alone is Skandiabanken. No Java, nonsense or security pains required. They allow you to use BankID too if you like to, but you don't have to.
Java is a never ending story of fun. I had a case where my grandma had issues logging into her online banking account, because the applet threw some sort of error response to her. Turns out that Chrome shipped with a newer version of Java than the banks accepted, and instead of telling her that, they threw an "You're running an old and outdated version of Java, please contact support"-error.
Because the applet produces a digital signature from a cryptographic key on your hard drive. This is much more secure and scalable than sending the password, see [1] and [2].
An alternative solution would be to use an SSL client certificate[3] or the WebCrypto[4] API (still under development).
well, in brazil you even have gbieh.dll - an undeletable, unkillable, always running, mysterious, "security" file/process from banco do brasil. http://www.file.net/process/gbieh.dll.html
Can't tell if trolling or not. That's an URL and they can name it with whatever name they want (.dll, 1761,1238,196.htm, .php, etc), and has absolutely nothing to do with an actual process running on your machine.
No so easy mate. Brazil has one of the largest bank concentration in the world, orchestraded of course by the central bank. We have the choice of 6 major banks, in this order of size -> Banco do Brasil, Itaú, Bradesco, BNDES, Caixa Econômica Federal, Santander
They are all highly regulated and with very little incentive to innovate. So they can screw around and do pretty much nothing at all. The fascist/socialist banking system that exists across the globe is even more pronounced here.
Pretty much every bank in Brazil optimizes for its largest target audience. Since most of their account holders run Windows and Internet Explorer and are able to install a Java runtime, that's what they will go for.
I have accounts on three banks that work well with Ubuntu and Firefox. Only one of them mandates a Java runtime to be installed (and only enforces the requirement on Windows and OSX).
I talked to some of the Mozilla security guys about it back in February at CanSecWest, since we've been blocking out-of-date and dangerous plugins (more than just Java) for a while in Chrome. They seemed in favor of doing it, so it's definitely on their radar.
Plugin management is actually a bit complicated, and in the case of Chrome we've had mulitple levels of it for years. The simplest is click-to-play, where the plugin is replaced with a graphic in the page that you can click to run it. This is the most convenient, but is vulnerable to click-jacking or other trickery. Then there's plugin blocking, which doesn't have the click-to-play weaknesses but is less convenient because you need to enable the plugin through a browser control (ie. infobar, page action, or context menu). Finally there's disabling, which just prevents the plugin from running at all.
For out-of-date and perennially vulnerable plugins (like Java) Chrome uses the second mode, which blocks the plugin unless the user accepts it through an infobar. It's not a perfect defense, but we've found it to be extremely effective at preventing exploits because the vast majority of the users don't let the potentially vulnerable plugin run. I'd really like to see this approach catch on more broadly, but other browser makers are understandably cautious about how they should handle plugins.
As a corporate sysadmin, I should say that the Chrome method is much better than the Firefox one.
We often have slightly out of date plugins, simply because it takes a while to get new versions tested and rolled out. When Firefox blocks them it breaks functionality and can cause a few awkward problems. Generally that just means that the user will use IE instead, so the protection is lost.
I wasn't aware the blocking worked that way in Firefox. We considered going that route as well, but in our testing the optional block was nearly as effective as fully disabling.
It's interesting that you don't mention uninstalling as a final option. Shouldn't the user have the ability to permanently remove a plugin from the browser?
They are working on it - the feature exists, but isn't currently exposed through the GUI configuration as it has some issues.
You can go to "about:config" and enable the option "plugins.click_to_play" if you want to see it. I disabled it as it caused issues with Flash for me, but I've straight up disabled the Java plugin anyway.
There're some banks that still need them. The irony is that, since their applet is signed, the user must click and confirm that he trusts the thing every time. Hackers can leverage that users won't read a damn thing, they will just click next to build an applet with file system access. Why exploit flaws when users will simply click a trust your applet?
I don't trust my bank with a signed applet (why the hell do they need that?), so obviously I only access my internet banking using a VM.
Most corporates that I've seen make heavy use of Java applet based software for internal software (and have multiple versions installed as a result). Also I've seen a fair number of administrative interfaces for IT kit that work via Java Applets...
I've had Java disabled in browsers for a long time and click to activate for other plugins. I've never noticed its absence.
I understand from other comments that banks in some require Java. I have or have had accounts or credit cards with nearly all major banks in the USA and many smaller institutions and none have required any plugins. Some require 3rd party cookies to use services like bill pay or ACH transfers.
Danes. It is used by the government electronic id system (nemid), and is the only way to e.g. make corrections to your tax returns (they are by default filled by the tax authority). Most government and many private (e.g. banks) institutions use it.
I have successfully avoided installing Java on many machines, even when installing browsers. The had to break down when it came time to build Android apps.
I love when companies behave like that. It just leaves so much room for the small guys to distinguish themselves as better.
In a perfect world bugs won't exist. Less perfect - they will be dealt with as soon as someone notifies the company (and there will be no blame on that someone). Our world isn't perfect, but as an optimist I see many great business opportunities in this.
Apple stopped caring about Java a long time ago. They deprecated the Java bindings for Cocoa back in '05; stopped bundling it in 10.7 last year, now they've punted the OSX JVM back to Oracle.
Not to say that really matters to Oracle, the desktop has never been Java's strong point.
Or in this case botnet operators. They are entrepreneurs too, just less ethical. It is unfortunate that they exist, but once again the optimist keeps saying that their existence is great because they create problems for smart and ethical people to solve.
Given Oracles tardiness in fixing a remote security issue with there database product this year and they make alot of $ from that product then this is not a supprise.
Why woulc Oracle be so tardy in fixing security issues is the big question as it appears there approach recently is:
1) get told of a security issue.
2) ????
3) Release fix once issue is out in wild/publicly known
Given there history and how they got started and there connections thru large contracts then it is not impossible that they were asked to hold back and/or offered to hold back on a patch. Rememebr security issues are more than that these days, they are after all gradualy replaceing Nuclear weapons as they can be used and abused as the fallout is less unferstood and in that they are not the stand-off weapons which nukes are and given that they are opening up entirly new theartes of war.
Thing is until Oracle explains there delays in addressing recent security issues in there database and now java, then people will and rightly so speculate as to there motivations in acting in the way they have.
Most of the hotspot VM along with all of the standard library is GPL (plus a classpath exception for the library,) but the JVM that Oracle ships has some closed source additions.
Not sure what the final status of their JRockit + Hotspot merge is going to be though.
I'm not too up on the Java world, but starting to poke my toe in with my interest in JRuby and Clojure.
So forgive me if this is a dumb question: what is the nature of the Oracle closed source extensions? Are they anything I'm going to care about in playing with JVM languages, or deploying apps in a web startup (ie. non-corporate) environment?
Nothing you'll miss in those contexts. Most of what is closed source is code that 3rd parties wrote and Sun couldn't open source (code java.awt relies on mostly.)
For the actual JVM I don't think there is anything big missing, except maybe some support for SPARC. The big question will be what happens in the future when they start merging JRockit with Hotspot. JRockit has quite a few extensions for monitoring that I think Oracle will keep closed (and expensive.)
AFAIK it's rather the other way round: the original Sun JDK contained some third party components that could not be released under the GPL. OpenJDK is the result of going through everything and making sure all those parts are replaced with clean-room reimplementations.
Note that starting with Java 7, OpenJDK is the reference implementation.
Much as I hate to get the government more involved in software development, I really wish someone would hold companies accountable for this behavior. Just think of how many peoples' computers are vulnerable to these exploits.
That's how it usually works, companies are liable for damages resulting from defective products. Doens't really require any broadening of "government involvement".
A lot has been written about software liability, but not
much has happened (except lots of countries have adopted
US style "EULA click through makes a contract" stupidity)
This does seem like a security firm trying to shine for a few minutes. I might be wrong, but I would wait for a response from Oracle before bashing them (even more).
Microsoft does not wait for Patch Tuesday when there is a zero day exploit. Or at least not always, as the article implies.