
Security of Java takes a dangerous turn for the worse, experts say - shawndumas
http://arstechnica.com/security/2013/09/security-of-java-takes-a-dangerous-turn-for-the-worse-experts-say/
======
humbledrone
This is a misleading headline, since the article is referring to the security
of old versions of Java. I guess "Outdated Software Contains Known Security
Holes and Will Probably Never be Patched, Experts Say" is not as catchy of a
title.

How is this news? The more popular a piece of software is, and the longer a
specific version of it has been in use, the more bugs will be found and
exploited. Duh?

~~~
gph
While I agree that the article is highly misleading, I don't think this is a
complete non-issue. I imagine there are still a lot of organizations
(especially those in developing countries) that have systems that were set up a
decade or so ago with XP, IE7, Java5, etc. and haven't been properly upgraded.

~~~
a3n
I know of a company whose standard is XP, and will not upgrade Java because
existing applications won't run if they do.

------
jtheory
Who exactly is exposed to these flaws?

Anyone who has attempted to run an applet on any modern browser in the past 6
months will know it now involves a lot of work -- clicking through several
dialogs and warnings even if you _do_ have the latest version.

If you don't have the latest version, some browsers make it impossible, and
others let you go ahead only after you acknowledge that you're putting your
immortal soul in dire peril (or something along those lines).

Java on OS X will _self-disable_ if you don't use it for a while, so then you
have to figure out how to enable it, again, if you even figure out what has
happened.

In Safari _even when everything is enabled_ you see a gray box with small text
saying something like "plugin disabled" in it. You have to click the small
text (though it doesn't look like a link or button) to access the menu to
enable it and continue.

I suppose they must be targeting corporate machines running XP and IE7 or
something like that? I don't think most other people are succeeding in running
legitimate Java applets, let alone anything that would be a security risk.

~~~
coldtea
> _Who exactly is exposed to these flaws? Anyone who has attempted to run an
> applet on any modern browser in the past 6 months will know it now involves
> a lot of work -- clicking through several dialogs and warnings even if you
> do have the latest version._

Some hundreds of millions of people still running XP, Windows 2000 or Vista,
with IE or Firefox?

~~~
jtheory
With an old version of FF, you mean?

AFAIK FF still supports XP (though probably not per-service-packs XP), though
I haven't checked recently.

For IE, you're probably right.

------
SCdF
So, correct me if I'm wrong, but aren't these issues all around the sandbox
functionality of applets?

So specifically, to exploit these, you write a dodgy applet, then convince
users to run these applets locally (by hijacking websites or whatever),
whereby you break out of the sandbox and do bad shit.

So then, in terms of how Java is generally used: on servers, on android, to
execute code that runs locally on your box outside of a sandbox anyway (e.g.
minecraft) these issues are in fact complete non-issues?

It seems to me that if they just split off the applet part into its own thing
the world would be a far better place.

~~~
frozenport
You are wrong, the article isn't about the merit of applets, these issues deal
with a company that doesn't want to support software that is deployed on
millions of PCs.

~~~
SCdF
When I said issues I meant the bugs which Oracle isn't fixing, not the issue
that Oracle isn't fixing the issues.

But I feel like you already knew that.

------
coin
Do people still run Java Applets nowadays?

~~~
iso-8859-1
Yes. If you want people to stop, make a fully functional replacement for
[http://ysangkok.github.io/algorithms-in-action/](http://ysangkok.github.io/algorithms-in-action/) or JFLAP. I made a
B-Tree visualization: [http://ysangkok.github.io/js-clrs-btree/btree.html](http://ysangkok.github.io/js-clrs-btree/btree.html) but
there are still dozens of algorithms left.

------
simula67
Didn't redhat say that they will continue to maintain OpenJDK 6 ?
[http://www.redhat.com/about/news/press-archive/2013/3/red-ha...](http://www.redhat.com/about/news/press-archive/2013/3/red-hat-reinforces-java-commitment)

------
educating
Long-time Java developer here saying I mostly abandoned ship several years
ago. Still work doing some Java dev, but have mostly switched to Ruby, because
Scala is unreadable to me and I've not found anything else I like as much as
Ruby yet. Oracle really fucked things up, if for no other reason than they've
poorly managed security issues. They let the government tell people to
uninstall Java from their browsers. That is fucked up. It's like they don't
even care and want it to die.

~~~
nemothekid
Doesn't the article pertain to applets? Are there any developers out there
still writing Java _applets_?

~~~
Al-Khwarizmi
Well, I have a Java system for playing interactive fiction games on the
desktop. When people started playing them on the browser, the obvious way to
adapt my system to that functionality was an applet. That way I could reuse
99% of the code, and they could get the same functionality as on the desktop.

Sadly, now it's getting harder and harder to run applets. And I'm not going to
code a different web-based version of my system (which would involve not only
rewriting a lot of code, but finding different libraries to handle MP3, OGG,
SVG graphics, etc.) so I suppose my system will just slowly fade into
obsolescence.

For some things, applets are still the best choice... or would be, if users
were not aggressively discouraged from using them due to what amounts mostly
to PR campaigns (as i.e. Flash is by no means more secure than Java applets,
and browsers don't make you click through four layers of scary dialogs to run
it).

What I hate about coding projects for end users that need to run on shiny
platforms (like the web) is that you always get caught on politics. Stuff like
company X not allowing running software written in language Y on platform Z so
as to promote its own platform, and making you port everything several times.
Or company X including a crippled distribution of software Y because it hates
company Y (this happened with Ubuntu and Java and has brought me scores of bug
reports to handle). I guess my future hobby projects will be in C/C++ and
directed to technical users that don't expect to run their machine learning
software (for example) on a tablet browser...

~~~
Skinney
If you really want to target the web, what's wrong with JS/CS in the browser
or on Node.js for desktop apps?

Of course, you could always use C/C++ with emscripten, and target the web that
way...

~~~
Al-Khwarizmi
Because this project is already there, I started it in year 2000 when most of
those technologies didn't exist. I would need to code everything again in JS,
and we are talking about more than 150 KLOC. Plus libraries that might not be
available in JS. And then I would have two separate versions to maintain. No
way I'm going to do that, I'm not getting paid for this project and I don't
have enough free time.

With Java on the other hand, I had a desktop app and an applet sharing the
vast majority of the codebase, only very specific parts of the code (a small
part of the UI and I/O code) differ. This is what was allowing me to maintain
the project and support both desktop and browser, until the applet paranoia
grew out of proportion and browsers put applets in permanent quarantine.

Of course, if I started this project now rather than in 2000, I would probably
make different decisions regarding language and technologies used. Although it
would still be a bit annoying not to be able to use Java. It's not my favorite
language, but I definitely prefer it to JS by a mile.

~~~
Skinney
I was thinking more about the fact that you had switched to C/C++.

I agree that re-writing an app of that size is a giant PITA.

You could always use GWT though, and compile Java to Javascript. Although you
would probably have to re-write code as you're not targeting an applet
anymore.

------
lysium
Which Java software does not run on Java 7, preventing users from upgrading? I
thought Java was backwards compatible.

~~~
ryanknapp
AspectJ would probably be the most widely broken dependency, even with
UseSplitVerifier enabled. Version 1.7 of AspectJ fixes the issue, but most
corporate IT consumers aren't in a position to update it themselves.

------
anuraj
Please don't use Java applets for anything. It is age-old, unsafe technology.
End of story.

~~~
eatmyshorts
Please also disable the .jnlp extension handler included with many older
browsers, and activated by installing Java from the Oracle (and formerly Sun)
Java virtual machine.

------
pkulak
> custom-written apps that work only on the older Java version

How is that even possible?

~~~
eatmyshorts
Using Java WebStart, the .jnlp file can specify which version of the JVM to
use when running the application (not an applet, but a full-blown Java
application).
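The JVM pinning described above is the mechanism that keeps a Web Start application on an unpatched runtime, so an inventory check over deployed `.jnlp` files is what a defender would want. The following is an added example, not code from the thread or from Oracle: it parses a constructed sample launch file, reads the `version` attribute of the `j2se`/`java` resource element (where `1.6+` means that release or later and `1.6*` or a bare `1.6` stays within that family), and flags files whose every listed token excludes a JRE at or above an assumed minimum of 1.7; it also reports whether the file requests `all-permissions`.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample JNLP launch file (not taken from any real deployment):
# it pins the application to the Java 6 family via the j2se element and
# asks for full permissions, i.e. it runs outside the applet sandbox.
SAMPLE_JNLP = """<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="http://intranet.example/apps/" href="legacy.jnlp">
  <information><title>Legacy Reporting Client</title><vendor>Example Corp</vendor></information>
  <security><all-permissions/></security>
  <resources>
    <j2se version="1.6*" href="http://java.sun.com/products/autodl/j2se"/>
    <jar href="legacy.jar" main="true"/>
  </resources>
  <application-desc main-class="com.example.Legacy"/>
</jnlp>
"""

def _vertuple(v):
    """Turn '1.6.0_45' into (1, 6, 0, 45) so versions order numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def token_allows_at_least(token, minimum):
    """Does one version token ('1.6', '1.6+', '1.6*') admit a JRE >= minimum?
    A trailing '+' means this release or any later one; '*' and bare versions
    stay within that release family, so they are judged by the base version."""
    if token.endswith("+"):
        return True
    return _vertuple(token.rstrip("*")) >= _vertuple(minimum)

def audit_jnlp(xml_text, minimum="1.7"):
    """Summarise how a launch file constrains the JRE.
    'pinned_old' is True when no listed token admits a JRE >= minimum
    (1.7 is an assumed threshold, chosen because Java 6 public updates ended)."""
    root = ET.fromstring(xml_text)
    tokens = []
    for el in root.iter():
        if el.tag in ("j2se", "java") and el.get("version"):
            tokens.extend(el.get("version").split())  # space-separated list
    all_perms = root.find("./security/all-permissions") is not None
    pinned_old = bool(tokens) and not any(token_allows_at_least(t, minimum) for t in tokens)
    return {"versions": tokens, "pinned_old": pinned_old, "all_permissions": all_perms}

if __name__ == "__main__":
    print(audit_jnlp(SAMPLE_JNLP))
```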

