February 5th, 2013

Java: Where Oracle, Twitter and Black Hats Meet

Back on January 24th, Oracle was sitting on its hands after issuing incomplete patches that left security holes in Java open, holes bad enough to draw dire warnings from the U.S. Department of Homeland Security. I opined that day that Ellison’s hired help needed to get off their duffs and come up with a proper fix quickly, even if Java has turned out to be a puppy Larry Ellison no longer wants to keep. Evidently somebody in Deadwood City felt the same way, as Oracle pushed a patch this past Friday addressing 50 security holes in the beleaguered platform.

Wait a minute, did I just write that the patch addressed 50 security holes? I’ve got a five pound block of Swiss cheese in the fridge with fewer holes than that. If I were Larry Ellison I’d be ashamed to admit I had let that many security vulnerabilities accrue unfixed in any project under my care. I’d fix ten a day or so in five separate patches and try to make it look like I had my security eagles working overtime, finding new holes ahead of the bad guys.

On the Oracle website, in the note announcing the patch, the company did try to give the impression that Marshal Ellison and his posse were riding in to save the day for everybody:

“The original Critical Patch Update for Java SE – February 2013 was scheduled to be released on February 19th, but Oracle decided to accelerate the release of this Critical Patch Update because active exploitation “in the wild” of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers, was addressed with this Critical Patch Update.”

In Marshal Dilbert talk, they were warning that Billy the Kid is already in the saloon and has gunned down five men in five separate fights. In plainer terms: at least one of the JRE holes closed by this patch was being exploited in the wild through the browser plugin, so the advice is to apply the patch now and, until you have, keep Java out of your browser. Stay indoors, away from any Windows, especially 7 or 8.

Indeed, we’re now learning that the hack at Twitter that compromised about a quarter million accounts may have been pulled off with a Java exploit. The UK technology site V3 quotes Sean Sullivan of F-Secure, the anti-virus, cloud content and computer security company:

“‘My hunch is that Twitter employees were targeted. Twitter developers use Macs and code in Java (on the back end). Those developers probably have a funny notion that there are no viruses for Macs and so had JRE enabled in their browsers–probably browsing the Web with their development computers/images.

‘I suspect that a targeted attack using a Java exploit and a Mac binary payload nailed a Twitter employee. Twitter, having a good security team was able to detect the unusual outside connection and mitigated the attack.'”

It doesn’t seem like it was a long time ago that we were being assured that Java is hacker-proof because of the sandbox approach it takes. A sandbox, though, is only as good as the code that enforces it, and the holes being exploited here were ones that let untrusted code climb out of it. I suppose the moral of this story is one everybody who frequents this site already knows all too well: just as there’s no such thing as a lock that can’t be picked, there’s no such thing as hacker-proof when it comes to computers.
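The practical check implied above, added here as an example and not part of the original article or of any Oracle tooling: a small POSIX shell script that reports whether a workstation’s JRE predates the out-of-band February 2013 fix and whether Java is still switched on in the browser. It assumes, since the article gives neither, that the fixed release is Java 7 Update 13 (version string 1.7.0_13) and that the browser plugin is governed by the deployment.webjava.enabled property that Java 7u10 introduced in deployment.properties; the version lines and properties file it runs on are constructed samples.

```shell
#!/bin/sh
# Added example, not from the article or from Oracle: checks whether the
# installed JRE is older than the February 2013 out-of-band fix and whether
# Java is still enabled in the browser.
#
# ASSUMPTIONS (not stated on the page): the fixed release is taken to be
# Java 7 Update 13, i.e. "1.7.0_13"; the browser plugin is controlled by the
# deployment.webjava.enabled property in deployment.properties (Java 7u10+).
MIN_MAJOR=7
MIN_UPDATE=13

# Print "<major> <update>" for a "java -version" first line such as
#   java version "1.7.0_11"      -> "7 11"
#   openjdk version "11.0.2"     -> "11 0"   (9+ dropped the "1." prefix)
# Prints nothing and returns 1 when the line has neither shape.
parse_java_version() {
    v=$(printf '%s\n' "$1" |
        sed -n 's/.*"1\.\([0-9][0-9]*\)\.[0-9][0-9]*_\([0-9][0-9]*\)[^"]*".*/\1 \2/p')
    if [ -z "$v" ]; then
        v=$(printf '%s\n' "$1" |
            sed -n 's/.*"\([1-9][0-9]*\)\(\.[0-9.]*\)*".*/\1 0/p')
    fi
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Return 0 when the JRE described by the version line predates the fix,
# 1 when it is at or beyond it, 2 when the line cannot be parsed.
jre_needs_update() {
    parsed=$(parse_java_version "$1") || return 2
    major=${parsed%% *}
    update=${parsed##* }
    [ "$major" -lt "$MIN_MAJOR" ] && return 0
    [ "$major" -eq "$MIN_MAJOR" ] && [ "$update" -lt "$MIN_UPDATE" ] && return 0
    return 1
}

# Return 0 when the given deployment.properties still leaves Java enabled in
# the browser (file missing, property absent, or not "false"), 1 otherwise.
browser_java_enabled() {
    [ -f "$1" ] || return 0
    if grep -q '^deployment\.webjava\.enabled=false' "$1"; then
        return 1
    fi
    return 0
}

# Demo on constructed inputs; nothing below queries a real JRE.
for line in 'java version "1.7.0_11"' 'java version "1.7.0_13"' \
            'java version "1.6.0_38"' 'openjdk version "11.0.2"'; do
    jre_needs_update "$line" && rc=0 || rc=$?
    case $rc in
        0) echo "$line  -> older than the fix: update, or disable the plugin" ;;
        1) echo "$line  -> at or beyond the fix" ;;
        *) echo "$line  -> could not parse version line" ;;
    esac
done

props=$(mktemp)
printf 'deployment.webjava.enabled=false\n' > "$props"   # constructed sample
if browser_java_enabled "$props"; then
    echo "browser plugin: enabled"
else
    echo "browser plugin: disabled by deployment.properties"
fi
rm -f "$props"
```

On a live machine the version check is `jre_needs_update "$(java -version 2>&1 | head -n 1)"`, and the properties file to hand to `browser_java_enabled` is the user’s deployment.properties (on Linux typically under ~/.java/deployment/). A JRE that parses as “at or beyond the fix” is only safe against the holes this patch closed; the plugin check is the one that matters for the browser-delivered attack the article describes.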

Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux

3 comments to Java: Where Oracle, Twitter and Black Hats Meet

  • djohnston

    “It doesn’t seem like it was a long time ago that we were being assured that Java is hacker-proof because of the sandbox approach it takes.”

    As far as I can remember, Java has had new security holes with each new iteration of the language. And probably undiscovered ones before each new point release. I’m not saying that every application or computer language written is inherently secure. What I am saying is that Java has always had more than its fair share.

  • Stephen Green

    Java? Exposure always means more ‘eyes’ on the code, exposing flaws. Proof positive that coding has its hazards. In this case Java has gone through several companies, and still no one has figured out how to make it right. Money first, good product second.