
Oracle releases 127 security fixes, 51 for Java alone - teawithcarl
http://nakedsecurity.sophos.com/2013/10/16/oracle-releases-127-security-fixes-51-for-java-alone
======
beedogs
_I heard that Oracle won the America's Cup recently which leads me to give
them some unsolicited advice._

_Put the award on the shelf in your lobby, sell the ten million dollar boat
and hire the engineers needed to update the Java patch cycle to monthly with
the spare cash._

_3+ billion devices will thank you._

Spot on. Working with their products on a daily basis, I just get the feeling
that Oracle doesn't really give a shit about anything other than that god
damned boat.

~~~
andyjohnson0
Bryan Cantrill on Oracle:

_"As you know people, as you learn about things, you realize that these
generalizations we have are, virtually to a generalization, false. Well,
except for this one, as it turns out. What you think of Oracle, is even truer
than you think it is. There has been no entity in human history with less
complexity or nuance to it than Oracle. And I gotta say, as someone who has
seen that complexity for my entire life, it's very hard to get used to that
idea. It's like, 'surely this is more complicated!' but it's like: Wow, this
is really simple! This company is very straightforward, in its defense. This
company is about one man, his alter-ego, and what he wants to inflict upon
humanity — that's it! …Ship mediocrity, inflict misery, lie our asses off,
screw our customers, and make a whole shitload of money. Yeah… you talk to
Oracle, it's like, 'no, we don't fucking make dreams happen — we make money!'
…You need to think of Larry Ellison the way you think of a lawnmower. You
don't anthropomorphize your lawnmower, the lawnmower just mows the lawn, you
stick your hand in there and it'll chop it off, the end. You don't think 'oh,
the lawnmower hates me' — lawnmower doesn't give a shit about you, lawnmower
can't hate you. Don't anthropomorphize the lawnmower. Don't fall into that
trap about Oracle."_ [1]

[1] [http://news.ycombinator.com/item?id=5170246](http://news.ycombinator.com/item?id=5170246)

------
jeswin
I was reading this FUD whitepaper just a while back, in which they are saying
OSS is unsuitable for enterprises, unscalable, untested, insecure, etc.
[http://www.oracle.com/us/products/middleware/cloud-app-foundation/weblogic/dod-and-open-source-software-2012277.pdf](http://www.oracle.com/us/products/middleware/cloud-app-foundation/weblogic/dod-and-open-source-software-2012277.pdf)

And then this.

~~~
logn
That whitepaper isn't really FUD. It's basically just explaining 'open source'
to people who don't really get it. The paper explains that Oracle software
includes open source software and then Oracle is arguing that they do a better
job of developing, leveraging, integrating, and supporting FOSS than IT
workers in gov't offices can. It's a fairly reasonable argument.

~~~
chrissmeuk
I beg to differ. The UK government (finally) has got its act together in this
department. We're seeing the NHS's core "Spine" system being rewritten using
open source software (riak/erlang/ubuntu + others) and we have the excellent
[http://gov.uk/](http://gov.uk/) as well.

~~~
CircusAct
And then you have a look at the new Universal Credit scheme. Glad IT schemes
to do with the NHS are improving though.

~~~
chrissmeuk
Good point. I do however feel that the government departments that have failed
miserably on projects will start looking at more successful projects for
inspiration. We'll be a few more £billion down by then but things will
improve.

HMRC's systems are pretty good these days as well (I just did my tax return
online). Relatively smooth process for a large Java behemoth.

------
damian2000
They would gain a bit more respect by getting rid of the Ask toolbar option
from the Java installer. Wonder if they actually make any significant money
from that garbage.

~~~
logn
It basically was Sun's way to make budget. I would hope Oracle just does away
with it.

[https://jonathanischwartz.wordpress.com/2009/05/18/will-the-java-platform-create-the-worlds-largest-app-store/](https://jonathanischwartz.wordpress.com/2009/05/18/will-the-java-platform-create-the-worlds-largest-app-store/)

_We signed a contract through which we'd make their toolbar optionally
available to our audience via the Java update mechanism. They paid us a much
appreciated fee, which increased dramatically when we renegotiated the
contract a year later. Distribution was becoming quite valuable to us and to
them – and given the "take" rates, or the rates at which consumers were
choosing to install new content, the Java audience saw value in the new
application._

_The year following, the revenue increased dramatically again – when an
aspiring search company (again, you can figure out who) outbid our first
partner to place their toolbar in front of Java users (this time, limited to
the US only). Toolbars, it turns out, are a significant driver of search
traffic – and the billions of Java runtimes in the market were a clear means
of driving value and opportunity. The revenues to Sun were also getting big
enough for us to think about building a more formal business around Java's
distribution power – to make it available to the entire Java community, not
simply one or two search companies on yearly contracts._

_And that's what Project Vector is designed to deliver – Vector is a network
service to connect companies of all sizes and types to the roughly one billion
Java users all over the world. Vector (which we'll likely rename the Java
Store), has the potential to deliver the world's largest audience to
developers and businesses leveraging Java and JavaFX. What kinds of companies
might be interested? If you talk to a Fortune 500 company or a startup, pretty
much everyone craves access to consumers – which is the one problem we've
solved with the Java platform. Most folks don't think of Sun as a consumer
company, and largely we're not, but our runtimes reach more consumers than
just about any other company on earth._

_-Jonathan Schwartz_

~~~
waps
Of course "java audience" in that text should be understood to mean Sun and
Oracle management, not, you know, java users and/or developers.

------
stevoski
Did I understand the article correctly...Oracle releases lots of security
fixes, and the author is _critical_ of this?

~~~
hobbes
If you posted a comment to HN with 127 spelling mistakes, which you then
corrected, should you be applauded for that?

~~~
0xEA
This isn't one comment to HN with 127 spelling mistakes, it would be
equivalent to 1000s of people as part of a collective group contributing 1000s
of spelling mistakes over the past 15 years, then all of a sudden fixing a ton
of the mistakes.

Your argument is wrong but your point is correct. In the above scenario,
should they be applauded for fixing 3 year old spelling mistakes that someone
told them about 3 years ago...

------
_red
(Mac OSX): Can anyone explain why 'java --version' still produces java version
"1.7.0_17" even though I've updated?

EDIT: Solved. Including this in case anyone runs into it. There are apparently
two update mechanisms in OSX (1) From within System Preference->Java Control
Panel and (2) By downloading the java file manually from Oracle.

I ran the update "1" from control panel and said system had been updated to
U45, but command line didn't reflect that.

After manually downloading and installing JDK from Oracle command line now
reflects "1.7.0_45".

I have no idea why this half-baked situation exists, but evidently it's how it
works...?

~~~
cflee
I think that's because the Java Control Panel updates the JRE, but that just
updates the plugins and stuff. The manually downloaded JDK pkg definitely will
update the java you invoke in the shell.
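A small check for the situation in this exchange, added here as an example and not code from the thread: it parses the first line of `java -version` output in the form Oracle's JDK prints (e.g. `java version "1.7.0_45"`) and compares the update level against the one you expect after patching (45 for 7u45 here). It assumes the `java` found on the shell's PATH is the one you want to verify; the optional second argument lets you feed in a captured version line instead.

```shell
#!/bin/sh
# Added example: verify that the java on PATH reports at least the expected update level.
# Assumes the Oracle-style version line: java version "1.7.0_45"  (update level = 45)

# Print the update number N from a line like: java version "1.7.0_17"  -> 17
# Prints nothing if the line is not in the 1.x.y_N form (e.g. openjdk "11.0.2").
java_update_level() {
    printf '%s\n' "$1" | sed -n 's/.*"1\.[0-9]*\.[0-9]*_\([0-9]*\)[^"]*".*/\1/p'
}

# $1 = expected update level, $2 = version line (defaults to live `java -version`,
# which writes to stderr, hence the 2>&1). Returns 0 if patched, 1 if stale,
# 2 if the output could not be parsed.
check_java_update() {
    expected="$1"
    line="${2:-$(java -version 2>&1 | head -n 1)}"
    level="$(java_update_level "$line")"
    [ -n "$level" ] || { echo "could not parse version line: $line" >&2; return 2; }
    if [ "$level" -ge "$expected" ]; then
        echo "OK: shell java is at update $level (expected >= $expected)"
        return 0
    fi
    echo "STALE: shell java is at update $level, expected >= $expected" >&2
    return 1
}
```

Run `check_java_update 45` after an update; a STALE result with a Control Panel that claims u45 is exactly the mismatch described above.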

------
Skinney
Could someone explain why Applets/Webstart is so insecure? I know that JRE
itself isn't really bad, it's the web-plugin for Java that has security
vulnerabilities. But how so?

~~~
logn
Because the full power of Java exists in Applets. Browsers do their best to
sandbox it and to make sure users give permission before it is allowed outside
the sandbox. There are probably other reasons too, but that's afaik the basic
reason.

I think it's a little unfair how the whole industry has treated Applets vs.
Flash. Applets were pretty nice but Sun couldn't really fight it out like
Adobe did against the other larger players.

Anyhow, I disabled Applets and Flash recently myself too. The web works ok,
thanks to Apple I guess, but I still need to flip on Flash occasionally.

~~~
throwawaykf
Applets, whenever I used them, were also much, much slower to load than Flash.

------
pjmlp
Every time there is a report for Java security exploits, I would like to see
bug listings from other compiler runtimes, especially C and C++ ones.

~~~
static_typed
Fine, go read the bug trackers for them. Your point was? Oh, probably better
to spend the time patching your desktop and servers given the massive drive
through holes Java has left there.

~~~
pjmlp
My point is that it is easy to escalate Java security issues to average Joe,
while forgetting it is just the tip of the iceberg of all attack vectors a
computer has, regardless of which programming languages are used.

~~~
fauigerzigerk
But the criticism isn't that others have no security issues. It is that others
fix them with a greater sense of urgency than Oracle.

~~~
pjmlp
Do they?

I can tell from the companies I worked for, security fixes are handled like
any other bug fix.

~~~
fauigerzigerk
_> Do they?_

The perception is that they do, and I have to say that I share that
perception. I'm open to be convinced otherwise ... by facts.

~~~
pjmlp
> I'm open to be convinced otherwise ... by facts.

Well, as you might understand I cannot publish the internal backlog of any
Fortune 500 company my employer does consulting for.

Either you believe me that security issues get the same priority as any other
bug/feature on the backlog, or you don't.

~~~
fauigerzigerk
The issue we're talking about has nothing to do with the relative priority of
security issues versus other bugs. The OP claimed that Oracle issues bug fixes
less frequently (quarterly) than Microsoft or Adobe (monthly). Your claim is
completely unrelated to that.

~~~
pjmlp
So the world of computing is composed only by Microsoft, Adobe and Oracle,
right?

No other software requires security fixes, I see.

~~~
fauigerzigerk
I certainly hope that not many of the major vendors take three months to fix
critical, remotely exploitable security issues. If they do, they deserve the
same criticism that Oracle got.

------
Zigurd
> _"51 security vulnerabilities are addressed in Java this quarter, and 50 of
> them affect Java Applets or Java WebStart, the plugin that runs Java in your
> web browser. Worse yet, all but one are remotely exploitable without
> authentication."_

I wonder if that's just where all the cruft is, or if Oracle is getting
serious about webstart?

~~~
jtheory
What does "remotely exploitable" _mean_ , though?

What would "authentication" mean, in this context?

I _think_ what this must mean is that IF you click through the various dialogs
to enable an applet or Java webstart application to run in your browser (or be
launched from it), at that point the running code could do something bad.
Perhaps these are ways to escape the normal applet sandbox?

And "exploitable without authentication" I guess must be about... what, signed
JARs? That's a sort of authentication, and I can't imagine what else this
could be talking about.

That's not so amazing, really, or even very scary, because the user has to
explicitly click at least one (usually more) dialogs before the code will run.
On some browsers, there are many more steps involved because Java is disabled
by default (and even _re-disabled_ by default if you don't use it for a
while), and you have to figure out how to enable it first. On some browsers
(like Chrome on OS X) Java simply doesn't work, so it's out of the question.

This is where a lack of detail really harms the point -- if they walked
through the _actual steps_ involved in using any of these exploits, people
would have a much better idea of what was actually at risk. My suspicion is
that for anyone who _doesn't_ approve applets on shady sites, the risk is
negligible.

------
peterhunt
Are all of these Java vulnerabilities lately recently introduced or just
recently discovered?

~~~
brokenparser
About half of them have been patched in Java 5, more details here:

[http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html#AppendixJAVA](http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html#AppendixJAVA)

