Oracle pulls Java 6 plug, but Apple likely to keep patching OS X Snow Leopard
Apple on Monday patched Java 6 for OS X, following Oracle's lead and quashing a browser plug-in vulnerability that hackers have been exploiting.
Oracle issued the "out-of-band," or emergency, update for Java 6 and Java 7 to patch two critical vulnerabilities. One of those bugs -- designated CVE-2013-1493 -- has been exploited in the wild since at least Feb. 28, according to security firm FireEye, which discovered the attacks.
Because Apple maintains Java 6 for OS X -- unlike Java 7, which Oracle handles -- it followed with its own update, as usual. Read more...
Oracle brings cross-platform Java dev to mobile devices
Oracle is augmenting its Oracle Application Development Framework (ADF) to allow developers to create mobile applications for Apple and Android devices.
The advantage the newly released ADF Mobile will offer is that a developer can write an application once and have it run with no modification on either Apple iOS or Android.
"You don't have to learn different languages to deploy on different platforms," said Bill Pataky, Oracle vice president of product management. "We abstracted away the differences of the devices and paneled them in the framework."
This extension to ADF probably wouldn't be suitable for the weekend developer hoping to make the next version of "Angry Birds," Pataky said. Instead, this product is suited for helping developers extend their ADF and non-ADF enterprise Java applications to mobile platforms. "Any Web application, including a website, can be integrated into the mobile application," he said. Read more...
Security researcher digs up another critical zero-day Java bug
A security researcher known for finding Java bugs has uncovered a new critical zero-day vulnerability in all currently-supported versions of the popular Oracle software.
The bug, which was publicly reported on the Full Disclosure security mailing list Tuesday by Adam Gowdiak, the founder and CEO of Polish security firm Security Explorations, can be leveraged to hijack a machine equipped with Java, letting attackers install malware on the system.
Windows PCs and Macs are equally at risk if their users have installed Java, or in the case of OS X, are running 10.6, aka Snow Leopard, or earlier. Snow Leopard was the last edition where Apple bundled Java with the operating system. All currently supported versions of Java, including Java 5, Java 6 and Java 7, contain the bug. Read more...
Larry couldn’t, but we can: Upstart Waratek touts cloudy Java love
A startup has pledged to deliver for Java what the brains of Larry Ellison’s mighty Oracle and the entire Java community cannot: cloud scalability - now.
It also hopes to spread the love to Java-hating sysadmins.
Waratek is planning the general release of its Cloud VM for Java at JavaOne next week. The Cloud VM product is a virtualisation engine built by Waratek to deliver multi-tenancy and elasticity for Java apps. It will also release APIs that let you build for Cloud VM for Java at the event.
Cloud VM introduces Waratek’s substrate layer into the Java container that controls the memory and CPU allocation given to each and every Java app. The idea is to make Java less of a resource hog and easier to manage. Read more...
Oracle seeks to delay cloud features in enterprise Java
Oracle is finding its road map for enterprise Java is a bit too ambitious, with the company now proposing a postponement in cloud computing capabilities that had been anticipated for Java EE (Java Platform, Enterprise Edition) 7 next year. Instead, the cloud capabilities would be included in Java EE 8 in 2015.
In a blog post, Oracle's Linda DeMichiel cites slow progress in developing cloud technologies due to immaturity in the provisioning, multitenancy, and elasticity spaces, as well as in application deployments. Providing solid support for standardized PaaS (platform as a service) programming and multitenancy would delay Java EE 7 until spring 2014, more than a year behind schedule, she said. "In our opinion, that is way too long," said DeMichiel, who has served as Java EE 7 specification lead. Read more...
Security pros advise users to ditch Java
Security firms are being none too gentle with Oracle's Java following the revelation this week that attackers are using two unpatched Java vulnerabilities to compromise selected targets. The most common advice: Uninstall the Java plug-in in your browser and don't use services that require the software.
On Monday, security firm FireEye revealed that a customer had been attacked with a previously unknown vulnerability. Yet Oracle already knew about the security issue and apparently had an update at the ready to be released on its regularly scheduled patch day in October. With reliable exploits for the vulnerabilities rapidly being adopted by security researchers and cyber criminals alike, the company rushed out a fix for the flaw on Thursday.
Overall, the incident has left a bitter taste in the collective mouths of many security professionals. Read more...
Unpatched Java vulnerability exploited in targeted attacks, researchers say
Attackers are exploiting a new and unpatched vulnerability that affects the latest version of Java -- Java 7 Update 6 -- in order to infect computers with malware, according to researchers from security vendor FireEye.
So far, the vulnerability has been exploited in limited targeted attacks, FireEye's senior staff scientist Atif Mushtaq said Sunday in a blog post. "Most of the recent Java run-time environments i.e., JRE 1.7x are vulnerable."
The exploit is hosted on a website that resolves to an Internet Protocol address in China and its payload is a piece of malware that connects to a command and control server located in Singapore.
The malware installed in the attacks seen so far appears to be a variant of Poison Ivy, Jaime Blasco, a researcher with security firm AlienVault, said Monday in a blog post. Read more...
Dice.com: Java developer most difficult tech job to fill
Java developers remain the most difficult tech pros to land, followed by mobile developers, .Net developers and software developers, according to new data from Dice.com.
Hiring managers and recruiters cite these positions two or three times more frequently than other skill sets in the employment marketplace, according to Alice Hill, managing director at Dice.com.
The IT jobs site polled 866 tech-focused hiring managers and recruiters to come up with its list of hard-to-fill positions. Rounding out the top 10 list are candidates with skills related to: security, SAP, SharePoint, Web development, active federal security clearance, and network engineering.
In general, companies are looking for candidates with at least a few years of experience. Read more...
Red Hat releases NoSQL database for enterprise Java
Enterprise open source software provider Red Hat has jumped into the emerging NoSQL market, releasing an in-memory data store as part of an update of its JBoss management platform.
Red Hat JBoss Data Grid 6 "is JBoss' big data solution. It will allow companies to scale out their applications and reduce the need for adding more relational databases," said Craig Muzilla, Red Hat's vice president and general manager of middleware, in a Webcast Wednesday announcing the release.
The software is designed to serve as a large data cache for high-volume, low-latency transactional workloads. As such, it may be of particular value to run trading, logistics and e-commerce applications, the company claims. It is built to be fault-tolerant and scalable: nodes can be easily added or removed. Read more...
Flashback removal tool arrives for Mac OS X 10.5 Leopard
Apple has announced the release of a standalone Flashback malware removal tool for computers running Mac OS X 10.5 Leopard, even though the operating system is no longer officially supported. Like the security updates for 10.6 Snow Leopard and 10.7 Lion, the 1.23MB tool removes "most common variants of the Flashback malware", which reportedly infected more than 600,000 systems, exploiting flaws in earlier versions of Java. Read more...
Apple patches Safari, blocks outdated Flash Player
Apple on Wednesday patched four security vulnerabilities in Safari and blocked outdated versions of Adobe's Flash Player from running in its browser.
The Flash blocking move was similar to one Apple made last month when it stopped the Java plug-in from launching automatically.
Safari 5.1.7, which runs on OS X 10.6 and 10.7 -- Snow Leopard and Lion, respectively -- as well as on Windows XP, Vista and Windows 7, was released alongside another update for Lion that included a slightly older version of the browser. Lion users must download and install both updates to push Safari to version 5.1.7. Read more...
Oracle-Google verdict signals need for copyright reform
Today, the jury in Oracle's case against Google over Android's use of Java, by ruling in Oracle's favor, demonstrated how badly the copyright laws of the 19th and 20th centuries fit the technology market of the 21st. The jury found that Google had infringed Oracle's copyrights on the overall design of Java (procured by Oracle in its purchase of Sun Microsystems), but that Google's use of the Java documentation did not infringe -- and it was unable to determine whether Google's usage was justified as "fair use," which is a legally acceptable form of infringement. Read more...
Mozilla blocks Java in Firefox for some Mac users
Mozilla this week began blocking outdated versions of a Java plug-in in Firefox for some Mac users after calling the threat posed by the Flashback malware "evident and imminent."
The move came two weeks after Mozilla disabled unpatched versions of Oracle's software on Firefox for Windows.
Although Mozilla said on April 2 that it might add the Java plug-in to Firefox for Mac's blocklist -- a list it maintains of add-ons and plug-ins that the company disables because they're infected with malware or have been targeted by attackers -- it didn't follow through until Monday. Read more...
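The blocks described above (Mozilla's blocklist here, Apple's plug-in disabling, and the "uninstall the plug-in" advice in the earlier items) all come down to the same decision: read the installed Java version and refuse anything below a known-fixed level, treating an unparseable or unlisted version as unsafe. The following is an added example, not code from Mozilla, Apple or any of the articles excerpted on this page. The banner strings are constructed to look like `java -version` output, and the `MINIMUM` threshold table is illustrative; the real fixed versions for a given CVE must be taken from the vendor advisory, not from this example.

```python
import re
from typing import Dict, Optional, Tuple

# Matches the quoted version in a `java -version` banner, e.g.
#   java version "1.7.0_06"   -> (1, 7, 0, 6)
#   java version "1.7.0"      -> (1, 7, 0, 0)   (missing update treated as 0)
_VERSION_RE = re.compile(r'"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')

# Illustrative thresholds (assumption for this example, not vendor data):
# family (major, minor) -> lowest acceptable (patch, update) for that family.
MINIMUM: Dict[Tuple[int, int], Tuple[int, int]] = {
    (1, 7): (0, 7),
    (1, 6): (0, 35),
}


def parse_java_version(banner: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse a `java -version` banner into (major, minor, patch, update).

    Returns None when no version can be read, so callers can fail closed.
    """
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def is_blocked(banner: str, minimum: Dict[Tuple[int, int], Tuple[int, int]]) -> bool:
    """Decide whether the plug-in reporting `banner` should be disabled.

    Fail closed: an unreadable version or a family with no known-fixed
    level is blocked, exactly as a blocklist should treat the unknown.
    """
    version = parse_java_version(banner)
    if version is None:
        return True
    family, level = version[:2], version[2:]
    if family not in minimum:
        return True
    return level < minimum[family]


def audit(banners: Dict[str, str]) -> Dict[str, bool]:
    """Map host name -> blocked? for a batch of collected banners."""
    return {host: is_blocked(banner, MINIMUM) for host, banner in banners.items()}


# Constructed sample inventory (not real hosts or real collected data).
SAMPLE_BANNERS = {
    "mac-01": 'java version "1.6.0_29"',   # the level patched in the Apple item below
    "mac-02": 'java version "1.7.0_06"',   # the level FireEye saw exploited
    "win-01": 'java version "1.7.0_07"',
    "win-02": 'openjdk version "1.8.0"',   # family not in the table -> blocked
    "win-03": "java: command not found",    # nothing to parse -> blocked
}

if __name__ == "__main__":
    for host, blocked in audit(SAMPLE_BANNERS).items():
        print(f"{host}: {'BLOCK' if blocked else 'ok'}")
```

The fail-closed branches are the part worth copying: a blocklist that lets an unparseable version through is exactly the gap an outdated plug-in slips into.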
It’s time to run Java out of town
I've been railing about Java for years, but enough is enough. Java exploits top all other infection vectors, on any platform, year after year. Oracle has shown repeatedly that it's organically incapable of keeping the Java Runtime Environment secure. If your company makes Java apps, either for internal use or for release to an unsuspecting world, it's time to stop. If your clients are using Java, it's time to give them the tools and the support they need to block Java.
Java's done. Put a fork in it.
No doubt you've heard about the Flashback Trojan/virus. You might not have heard that Kaspersky now has hard, cold details on 670,000 infected Macs -- that isn't an estimate, it isn't an extrapolation, it isn't some sky-is-falling scare tactic. The folks at Kaspersky have ID numbers for 670,000 Macs that are actively participating in the Flashback botnet.
Windows users shouldn't be feeling complacent or smug. The Java holes used to infect those Macs also appear in Windows versions of Java. We just dodged the bullet this time because the Flashback author(s) decided to pick on Macs. Read more...
Apple releases Java security updates
Just a day after reports spread about a Java-based Trojan horse that could install itself on your Mac without requiring that you enter a password, Apple has released Java for OS X Lion 2012-001 and Java for Mac OS X 10.6 Update 7.
The updates, which are available for Mac OS X 10.6.8 Snow Leopard and 10.7.3 Lion (including both OSes' Server editions), patch multiple vulnerabilities in Java 1.6.0_29--including some that could allow malicious code to run on your Mac outside of the Java sandbox, triggered merely by your visiting a webpage containing the right nefarious code. Read more...