This discussion is archived
8 Replies Latest reply: Aug 30, 2012 4:28 PM by EJP

Is this an issue to be concerned about? Is this a legitimate statement?

958589 Newbie
I found this while browsing the web today, 8/28/2012.
Is this of any concern?

http://www.theregister.co.uk/2012/08/27/disable_java_to_block_exploit/
  • 1. Re: Is this an issue to be concerned about? Is this a legitimate statement?
    EJP Guru
    If you chase the link through you will see that he says "But now after two days, this domain is no longer alive."
  • 2. Re: Is this an issue to be concerned about? Is this a legitimate statement?
    958776 Newbie
    Just because the initial domain "is no longer alive", that doesn't mean that there won't be hundreds of other domains cropping up as soon as the exploit starts selling on the black market.

    Yes, this is a very serious threat and should not be taken lightly. I for one have reverted back to Java 6 u 34 as it is not (yet) vulnerable, and if it were up to me completely I would uninstall Java totally.

    My question is, for a product that claims to be used on 3 billion devices...why would Oracle ignore the fact that Java is one of the most attacked and exploitable software products in the world?
    You would think that they would have a security team releasing "Zero Day patches" rather than working off of a quarterly update cycle.

    I think that does its customers a great disservice. Oracle, if you have any sense you will start hiring people to monitor exploits and start releasing updates as soon as they surface if you want people to continue using your technology.

    It's a good thing HTML5 and other web technologies are winning out with most companies these days, otherwise we would all be screwed.

    Here are some additional articles that you might find interesting

    http://krebsonsecurity.com/
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4681

    Good luck
  • 3. Re: Is this an issue to be concerned about? Is this a legitimate statement?
    958822 Newbie
    I have been combing the Oracle site... can find absolutely no mention of this exploit.
    Asked about it on Google Plus, no answer yet.

    We need answers on this!
  • 4. Re: Is this an issue to be concerned about? Is this a legitimate statement?
    EJP Guru
    "Oracle, if you have any sense you will start hiring people to monitor exploits and start releasing updates as soon as they surface if you want people to continue using your technology"
    This is a user to user forum. Oracle isn't reading this.
  • 5. Re: Is this an issue to be concerned about? Is this a legitimate statement?
    959095 Newbie
    I have had one client disable Java, thus disabling access to the application they need to use. Has anyone seen issues with lowering the Java version?
  • 6. Re: Is this an issue to be concerned about? Is this a legitimate statement?
    gimbal2 Guru
    956092 wrote:
    "I have had one client disable Java, thus disabling access to the application they need to use. Has anyone seen issues with lowering the Java version?"
    I'm sure someone has seen some issue. New versions are there with a reason: to fix stuff. And also screw up existing stuff of course.

    Give the thread up - it is not going anywhere because this is not Oracle support. All you'll get is wild speculation and heated emotional statements - neither of which are in any way useful or something you can quote. It's really a shame that Oracle keeps silent, but it's something we all have to live with unfortunately. This is certainly nothing new - not for Oracle and not for large multinational corporations in general.
  • 7. Re: Is this an issue to be concerned about? Is this a legitimate statement?
    959165 Newbie
    It may be a User Forum but it is/has Oracle at the header of the page.

    It is sponsored by Oracle and therefore it is incumbent on them to take note of the content even if it hurts.

    As for the exploit, yes it is something to be concerned about and it is something Oracle should be advising Java users on as SOON as it is aware of an issue affecting end users' security.

    They are responsible for the product regardless of price (it is 'sold' free of charge) and it still comes under Sale of Goods and Services regardless of any acceptance of agreement of use, it has to be fit for purpose.

    Therefore they must be PROACTIVE in informing users of how to protect themselves and how long it will be before a patch is released. 6 months is UNACCEPTABLE!
  • 8. Re: Is this an issue to be concerned about? Is this a legitimate statement?
    EJP Guru
    "It is sponsored by Oracle and therefore it is incumbent on them to take note of the content even if it hurts."
    Assuming they read it. 'Even if it hurts' is irrelevant: mere phrase-making. You can rant all you like but you can't make Oracle read this. You're having enough trouble getting me to read it.
    "They are responsible for the product regardless of price (it is 'sold' free of charge) and it still comes under Sale of Goods and Services regardless of any acceptance of agreement of use, it has to be fit for purpose."
    I doubt it. No payment, no contract, no sale. You should take that up with their lawyers, not this forum.

    Instead of fantasizing in the wrong place about what Oracle should and should not do, I suggest you file a bug report.

    Locking this thread.
