Oracle's fix for zero-day Java flaw to be available 'shortly'

Joined
Dec 8, 2009
Messages
453
Reaction score
10
Points
18
Location
The same as Sheldon Cooper - East Texas
Your Mac's Specs
iMac 2014 i5 5k 32gb 1tb fusion, second TB display, 2014 MBA
As to Java, I am afraid that Oracle is in the position of a person who has bought a boat and set off on a round-the-world expedition only to find that the vessel isn't seaworthy.

Java is a good language for what it does - I would hate to replace the code by writing in pure C - but it looks like it may have slid off the cliff too far to come back. With all the horror stories coming out every day, it is just a matter of time until such a large percentage of systems in the world have it locked out or removed that the critical mass limit is broken and developers jump ship.

Given Oracle's apparent disinterest in what they bought from Sun, I don't see any other (probable) outcome.
 

vansmith

Senior Member
Joined
Oct 19, 2008
Messages
19,924
Reaction score
559
Points
113
Location
Queensland
Your Mac's Specs
Mini (2014, 2018, 2020), MBA (2020), iPad Pro (2018), iPhone 13 Pro Max, Watch (S6)
With all the horror stories coming out every day, it is just a matter of time until such a large percentage of systems in the world have it locked out or removed that the critical mass limit is broken and developers jump ship.
I'm not sure we've hit that cliff. Java is way too entrenched in the enterprise market and re-writing some large scale projects may not be worth it for many. If they do, it's going to take time so they'd have to hold on for now.

What's interesting to note is that the iTMS and Apple's online store are powered by WebObjects. Guess what language WO applications are written in. ;)
 
Joined
Dec 8, 2009
Java is way too entrenched in the enterprise market and re-writing some large scale projects may not be worth it for many. If they do, it's going to take time so they'd have to hold on for now.

Correct. Enterprises can't and won't normally change course for a single event.

But I am watching the story as it unfolds and it is getting worse by the day. Eventually even the most overdressed first class passenger reaches the point where he knows it's time to get off the ship before it drags him under - and if his new Bond Street suit gets wet, that's just tough.

I have no Java irons in the fire and haven't had for a long time, but what I can't figure out is how these problems cascaded all at once. They should have been gradually seen one at a time in the past - not over the course of a short time. After all, there are a LOT of Java developers.

Strange.
 

vansmith

I have no Java irons in the fire and haven't had for a long time, but what I can't figure out is how these problems cascaded all at once. They should have been gradually seen one at a time in the past - not over the course of a short time. After all, there are a LOT of Java developers.
It could just be coincidental or it could very well be reflective of something much greater. Either way, I think it speaks to some issues endemic to the platform especially since, given its cross-platform nature, all types of systems are at risk.
 
Joined
Dec 8, 2009
InfoWorld has a good article on it. Turns out I was wrong. The problems didn't just crop up all at once. According to him, last year half of the hacks in cyberattacks were through holes in Java and those in the know have been complaining about the insecurity for years.

I still don't quite follow why it has taken till now for someone to ring the bell.

At any rate, I don't need it and I have made sure that it isn't only disabled on my machines, but is totally removed. Which, by the way, can take some doing.
 
Joined
Feb 25, 2009
Messages
2,112
Reaction score
71
Points
48
Your Mac's Specs
Late 2013 rMBP, i7, 750m gpu, OSX versions 10.9.3, 10.10
It really is a pain honestly, and I can't disable it on the machines in my network because of a variety of reasons including:
Many of the educational sites used by our classrooms have or use Java content
Our new controller for our chiller system is - you guessed it - Java based.

The security holes are scary, the long time between security patches are scary, the fact that I have no option to disable it in the network I maintain at work is terrifying.
 

vansmith

Many of the educational sites used by our classrooms have or use Java content
I've noticed that as well. There does seem to be a preponderance of Java based solutions in education.
the long time between security patches are scary
This is the scariest part for me. This has been alleviated somewhat by giving control of Java back to the developer but it's still far from perfect.
 
Joined
Feb 25, 2009
I've noticed that as well. There does seem to be a preponderance of Java based solutions in education.

Of which I just found out today, one of the major systems we have to communicate with for accounts payable/receivable uses Java - ugh. Of course, not a huge surprise as I think the underlying support software of it is an Oracle based system.

This is the scariest part for me. This has been alleviated somewhat by giving control of Java back to the developer but it's still far from perfect.

I agree, it is better, but it still seems that updates are sluggish in comparison to, for example, prior to Oracle's acquisition of Sun.
 

vansmith

Of which I just found out today, one of the major systems we have to communicate with for accounts payable/receivable uses Java - ugh. Of course, not a huge surprise as I think the underlying support software of it is an Oracle based system.
I think it amazes people how much control Java has at the enterprise level. If Java were to cease working right now, the tech infrastructure of enterprises everywhere would just collapse.

I agree, it is better, but it still seems that updates are sluggish in comparison to, for example, prior to Oracle's acquisition of Sun.
Sun may have been better than Oracle but Oracle is better than Apple.
 
Joined
Sep 3, 2009
Messages
132
Reaction score
3
Points
18
Location
Houston, Texas
Your Mac's Specs
MacBook Pro.
I don't know how long we'll need and continue to use Java. But until something better comes along, we'll still be using and needing it. It's just the way it is. We can moan and groan and bellyache all we want. Just flat out can't do without it. **** it!
 

vansmith

I don't know how long we'll need and continue to use Java.
Consumers likely don't need it directly (this being the operative word). I'd guess that 95% of end users don't use it regularly enough to warrant an installation. However, indirectly, I'd guess that 95% use it through services we use. Its role in powering web applications alone means that you probably use it indirectly daily. For example, WebObjects powers the iTunes and Apple stores and guess what language powers the WO framework?
 
Joined
Jul 2, 2007
Messages
3,494
Reaction score
204
Points
63
Location
Going Galt...
Your Mac's Specs
MacBookAir5,2:10.13.6-iMac18,3:10.13.6-iPhone9,3:11.4.1
Java misbehaving is the worst part of my SAP/Unix SysAdmin job. BI/Portal applications use Java, as does the IBM HMC. When stuff does actually display correctly (and not run off the browser page or become unresponsive or slow) it's sucking up all the RAM and paging space. Java is a pig if it runs more than a few months at a time. For persistent enterprise applications, it stinks. We don't even give new solutions that use Java a second glance anymore.
 

vansmith

Java has always been a resource hog and consequently, slow as molasses. I just built and ran an old Java GUI app I'd written ages ago...it was slower than an equivalent Cocoa app and the UI styling...oh the UI styling.
 
Joined
Dec 8, 2009
Java has always been a resource hog and consequently, slow as molasses. I just built and ran an old Java GUI app I'd written ages ago...it was slower than an equivalent Cocoa app and the UI styling...oh the UI styling.

I think that was the reason that I never got into Java big time. I went to a seminar when JRE 1.0 came out (1995 or 96 maybe?), got back home all Java fanboyed up and began to use it. Immediately, it was apparent that interpretive Basic could run circles around it, speed wise. (Well, maybe not, but it crawled on the available systems at the time.) I finally decided it was too slow to use and went back to C and Delphi.

Looks like the latest Twitter attack may have come through a Java hole. I am going out on a limb and say that IMO, Java is on a downward slide that probably won't stop. And I know the argument that Java is embedded too deeply into the Enterprise to abandon. But...

Lawyer: "...and you knew that this insecure program was being used in your company?"

CEO defendant: "...uh, yes."

Lawyer: "And you used it anyway, knowing that all your customer identities could be easily stolen?"

CEO defendant: "I was told we didn't have a choice."

Lawyer: "So... How much cash DID you set aside to pay for the harm you knew was going to come to my clients?"

An animal will gnaw off a leg to save its life. I suspect a corporation will also. And if anyone has worked in a large company's IT, they know that it is perfectly possible for the technically challenged in the upper levels to just decree to take something off right now and replace it. Or put it on. Arguments that what they want would take thousands of man hours and millions of dollars don't even register. After all, "My young daughter can install that windows thingie in one evening. Maybe we need some new computer blood down there."

Of course, I'm being the Devil's advocate here. It's an interesting story that is unfolding.
 

vansmith

Welcome to the world of reactive action. ;)

Looks like Oracle pushed out an update with a version number that exceeds Apple's minimum for XProtect so let's see how this goes.
 

cwa107


Retired Staff
Joined
Dec 20, 2006
Messages
27,042
Reaction score
812
Points
113
Location
Lake Mary, Florida
Your Mac's Specs
14" MacBook Pro M1 Pro, 16GB RAM, 1TB SSD
Java misbehaving is the worst part of my SAP/Unix SysAdmin job. BI/Portal applications use Java, as does the IBM HMC. When stuff does actually display correctly (and not run off the browser page or become unresponsive or slow) it's sucking up all the RAM and paging space. Java is a pig if it runs more than a few months at a time. For persistent enterprise applications, it stinks. We don't even give new solutions that use Java a second glance anymore.

I feel for you - though I'm not a Unix System Admin, we have a lot of the same crap running on JRE on the Windows side.... BI, IBM crapware, JBoss, Tidal, you name it... amazing that all of these "mission critical" apps run on a proverbial house of cards, like Java.
 

vansmith

It's a shame that something which commanded so much control and respect in its more halcyon days has become such a burden. It had so much promise - it was cross platform (and perfectly so), it was easy to create object oriented apps, etc.

On top of that, Oracle is trying to micromanage to the point where the actual Java team from Sun feels as if they are unable to do anything. In fact, this is one of the reasons that James Gosling (creator of Java) left Oracle (source).
 
Joined
Jul 2, 2007
The sad thing with Oracle, is that Java is really interwoven with the plain old Enterprise Oracle DB packages. Monitoring utilities and the like for Oracle, at least in the SAP/Unix space, all use it as a front end interface with the DB to see performance stats, set up alerts and monitoring, even run installers/uninstallers. Getting TDP (Tivoli Data Protection) components installed and configured without the Java GUI on an AIX LPAR is a challenge that can easily ruin your week. Don't even get me started on the Java front end for IBM's TSM (Tivoli Storage Manager). The addition of Java can take really solid applications, and render them really flaky and unpleasant without much effort.

But hey - with a Java front end you can hire a $10/hr guy with little IT experience to do things better left to professionals - until Java quits working and troubleshooting is required. When Java kills something it front ends for, then you usually hear from the $10/hr idiot and his manager that "Oracle/SAP/the network/etc... sucks!"
 
