

Oracle knew about critical Java flaws since April - amboar
http://www.theregister.co.uk/2012/08/30/oracle_knew_about_flaws/

======
brudgers
_"Much like Microsoft's "Patch Tuesday," Java's slow-but-steady patch schedule
is designed to give enterprise customers time to properly test the fixes
before deploying them."_

Microsoft does not wait for Patch Tuesday when there is a zero day exploit. Or
at least not always, as the article implies.

~~~
batgaijin
After the release of Java 7 and having to deal with those issues, I decided to
never get another job that involved the JVM.

http://searchhub.org/dev/2011/07/28/dont-use-java-7-for-anything/

I can handle breaking changes if they are community driven; I will not accept
excuses for something that is maintained by a large corporation that has the
resources and staff to prevent such issues. Oracle is rotting the fish from
the head.

~~~
pron
C'mon. The JVM's problems have such wide effects because so many people use
it; probably more than all other non-native platforms combined. The JVM is
still the most performant, best tested and most stable application platform
out there. For real heavy duty applications, there is still no true
alternative for the JVM. Certainly not a better one.

~~~
jemfinch
Pardon, but why isn't "no JVM" a "true alternative for the JVM"? The vast
majority of the world's software still runs on raw hardware.

~~~
dclusin
Because pointers are scary!

~~~
cmccabe
Um, not using a virtual machine doesn't mean using unmanaged code. Even Java
can be compiled to native x86 machine code using GCJ.

Golang, for example, does not use a VM, but it is a managed language.

~~~
dclusin
Good point. Do you happen to know of a list of managed native languages? All
that really comes to mind is C# (the CLI really) and Go. Tried googling for a
list of such languages but couldn't find any using terms "list of native
managed languages" (without quotes).

------
Joeboy
Why is Java still enabled in browsers by default anyway? Who would notice its
absence in 2012?

~~~
hucker
I don't know how it works in the US, but in Norway most online banks can only
be accessed through a Java applet where you enter SSN, password and
token-code. Extremely frustrating since whether it works or not in Linux seems
like a function of the day of the week, and, well, it's a Java applet.

~~~
w1ntermute
At least you guys don't have a system that uses ActiveX. That's how it is in
South Korea[0], supposedly the world's "most wired" nation. You can only use
IE, on Windows, to access online banking services. Things are slowly getting
better thanks to the explosion of iPhone/iPad/Mac popularity in Korea
(particularly the iPhone), but even now, IE has more than 91% market share in
South Korea[1].

0: <http://www.kanai.net/weblog/archive/2007/01/26/00h53m55s>

1: <http://blog.mozilla.org/gen/2012/05/29/browser-competition-in-korea/>

~~~
justincormack
Indeed. This is a typical South Korean bank website[1]. I despair.

[1] <http://www.globalibk.com/home.jsp>

~~~
slig
The page won't even show up.

    // Gate from the bank page: any visitor not reporting itself as IE is sent
    // to about:blank with a Korean alert ("Only Microsoft Internet Explorer users can use this").
    function checkBrowser() {
        if (typeof(navigator.appName) == 'undefined' || navigator.userAgent.indexOf("MSIE") < 0) {
            top.wgmain.location.href = 'about:blank';
            alert('Microsoft Internet Explorer 사용자만 사용가능합니다.');
            return false;
        }
        return true;
    }
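
The gate pasted above, as an added example (my code, not the bank site's or anything from this thread), rewritten as a pure function over a navigator-like object so it can be run offline against constructed `appName`/`userAgent` values. The IE 8 and Firefox strings are typical 2012 user agents; the IE 11 entry is my addition, a later legitimate IE build whose user agent dropped the "MSIE" token and whose `appName` reports "Netscape". The sample objects and names (`ieOnlyGate`, `classify`, `SAMPLE_BROWSERS`) are assumptions for the example.

```javascript
// Same decision as the pasted snippet: a missing appName, or no "MSIE" token
// in the user agent, means the visitor is turned away. The userAgent guard is
// added so a navigator object without one does not throw.
function ieOnlyGate(nav) {
  const ua = typeof nav.userAgent === 'string' ? nav.userAgent : '';
  if (typeof nav.appName === 'undefined' || ua.indexOf('MSIE') < 0) {
    return { allowed: false, reason: 'appName missing or no MSIE token' };
  }
  return { allowed: true, reason: null };
}

// Constructed navigator objects (not captured from real clients).
const SAMPLE_BROWSERS = {
  ie8: {
    appName: 'Microsoft Internet Explorer',
    userAgent: 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)',
  },
  firefox15: {
    appName: 'Netscape',
    userAgent: 'Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0',
  },
  // Later, legitimate IE: no "MSIE" token, appName is "Netscape", so the
  // gate rejects the very browser it was written for.
  ie11: {
    appName: 'Netscape',
    userAgent: 'Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko',
  },
  // Has the token but no appName: still rejected by the first clause.
  noAppName: {
    userAgent: 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)',
  },
};

// Run the gate over every sample and report which ones would reach the site.
function classify(browsers) {
  const result = {};
  for (const [name, nav] of Object.entries(browsers)) {
    result[name] = ieOnlyGate(nav).allowed;
  }
  return result;
}

console.log(classify(SAMPLE_BROWSERS));
```

The takeaway for anyone maintaining such a site is that this is a compatibility gate keyed on strings the client supplies, not a security control: it fails closed for legitimate browsers the check did not anticipate, and it adds nothing to the ActiveX-based login it fronts.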

~~~
jff
Wow that Javascript sure is interesting, glad you pasted it _three goddamn
times_!

~~~
slig
Sorry. HN seemed to have chewed it up and I didn't check my threads link to
see if it had worked or not.

~~~
jff
Yeah, my reply was rude--I'd delete it if I could but I guess I've passed the
point of no return. I can certainly sympathize with software screwing you
over.

------
mikle
I love when companies behave like that. It just leaves so much room for the
small guys to distinguish themselves as better.

In a perfect world bugs wouldn't exist. Less perfect - they will be dealt with
as soon as someone notifies the company (and there will be no blame on that
someone). Our world isn't perfect, but as an optimist I see many great
business opportunities in this.

~~~
alttag
Not just the small guys. Behavior like this may have (in part) led Apple to
ignore Adobe's Flash. Five years later, Flash is dying a slow death.

~~~
ConstantineXVI
Apple stopped caring about Java a long time ago. They deprecated the Java
bindings for Cocoa back in '05; stopped bundling it in 10.7 last year, now
they've punted the OSX JVM back to Oracle.

Not to say that really matters to Oracle, the desktop has never been Java's
strong point.

------
Zenst
Given Oracle's tardiness in fixing a remote security issue with their database
product this year, and they make a lot of $ from that product, then this is not
a surprise.

Why would Oracle be so tardy in fixing security issues is the big question, as
it appears their approach recently is:

1) get told of a security issue.
2) ????
3) Release fix once issue is out in the wild/publicly known

Given their history and how they got started and their connections through
large contracts, then it is not impossible that they were asked to hold back
and/or offered to hold back on a patch. Remember security issues are more than
that these days; they are after all gradually replacing nuclear weapons as they
can be used and abused as the fallout is less understood, and in that they are
not the stand-off weapons which nukes are, and given that they are opening up
entirely new theatres of war.

Thing is, until Oracle explains their delays in addressing recent security
issues in their database and now Java, then people will, and rightly so,
speculate as to their motivations in acting in the way they have.

[EDIT ADD] some background on Oracle's patch approach this year:
http://www.esecurityplanet.com/network-security/oracle-database-security-flaw-remains-unpatched.html

------
beedogs
If ever there were a language which was _crying out_ to be open-sourced...

~~~
eckyptang
I thought it already was (OpenJDK)?

~~~
papercrane
Most of the HotSpot VM along with all of the standard library is GPL (plus a
classpath exception for the library), but the JVM that Oracle ships has some
closed source additions.

Not sure what the final status of their JRockit + Hotspot merge is going to be
though.

~~~
Legion
I'm not too up on the Java world, but starting to poke my toe in with my
interest in JRuby and Clojure.

So forgive me if this is a dumb question: what is the nature of the Oracle
closed source extensions? Are they anything I'm going to care about in playing
with JVM languages, or deploying apps in a web startup (i.e. non-corporate)
environment?

~~~
papercrane
Nothing you'll miss in those contexts. Most of what is closed source is code
that 3rd parties wrote and Sun couldn't open source (code java.awt relies on,
mostly).

For the actual JVM I don't think there is anything big missing, except maybe
some support for SPARC. The big question will be what happens in the future
when they start merging JRockit with HotSpot. JRockit has quite a few
extensions for monitoring that I think Oracle will keep closed (and
expensive).

------
j_baker
Much as I hate to get the government more involved in software development, I
really wish someone would hold companies accountable for this behavior. Just
think of how many people's computers are vulnerable to these exploits.

~~~
zurn
That's how it usually works: companies are liable for damages resulting from
defective products. Doesn't really require any broadening of "government
involvement".

A lot has been written about software liability, but not much has happened
(except lots of countries have adopted US style "EULA click through makes a
contract" stupidity).

See e.g. this article about a staged debate about it between Bruce Schneier
and Marcus Ranum at RSA 2012:
<http://www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202544288549&Will_Software_Liability_Make_Software_Secure&slreturn=20120730142159>

------
rbanffy
BTW, is OpenJDK affected?

~~~
diminoten
I don't believe so but I can't cite anything to back that up.

------
rplnt
This does seem like a security firm trying to shine for a few minutes. I might
be wrong, but I would wait for a response from Oracle before bashing them
(even more).

