So you're saying that exploits, malware and viruses that can enter a system where Java (or at least the JRE) as a vector are not important.
Not at all - I'm saying that there comes a point where once you allow an application to run beyond a certain level, the vector pretty much becomes irrelevant. I could knock up a .NET application, a Java application, Delphi app, VB.NET app, C app, C++ app, etc. that would trounce through a user's files, corrupting anything that it had access to and came accross.
(No, it's not an argument for Java being more or less secure than anything else, it was more of a side point.)
Exactly, and there have been a ton of vulnerabilities of this nature exposed recently.The point is that Java does open new vectors for attack simply because it adds new methods for running code which should run in a reliable way, (or does run in a reliable way) at the OS layer, but in the abstraction layer that the runtime is adding nefarious things are happening. -i.e there is no way for the OS to adequately see that some kind of exploit is attempted.
But here's the clincher, and what I keep continually coming back to with this argument - pretty much all of these vulnerabilities have been exploits centred around the applet plugin.
However, I do have a confession to make at this point, in that when I was saying the "applet plugin", I was also referring to the web start plugin (that's the one that's used to load up JNLP files) that's based on the same architecture - sorry for any confusion there. As far as I'm concerned, it's another flawed design and I failed to mention it simply because it's been so long since I've last used it (and conceptually I tend to view the two things as one for various technical reasons over how they work.) By desktop Java, I pretty much mean solely downloading programs via conventional methods, written in Java, installing them and running them with a provided JRE.
A side note: The JNLP plugin doesn't necessarily cause as many security problems as vanilla applets though purely because its vulnerabilities aren't drive by - with a lot of the applet based problems, they are (you can "catch" a virus simply by visiting a web page with an embedded applet.) With a JNLP file, you actually have to download and run that file; granted it's not a secure mechanism but there is at least an extra step there.
Just to show the point, let's take a look at those 50 security fixes included in the update, details are here. Note that all of them have notes, saying what technologies they refer to. Out of those 50, 43 of them have the following note:
So that leaves a grand total of 7 security updates that don't fit into this category (and even then, 2 are server side issues that have nothing to do with client side Java, one is a vulnerability that can't be used to achieve anything on its own, and the rest bar one involve either web start / applets or server side web service calls.)Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.)
I agree with your last part showing that JNLP / web start can request specific versions of Java (as in that's a silly design choice if you ask me.) And I've no idea how the updater works, I don't think it's flawed in the security sense but it is bizarrely implemented (I don't use it, as a Java developer I always do manual installs of the JDK which I need rather than just the JRE.)
I think Oracle have finally got it right in that the latest JavaFX toolkit now contains build tasks to produce platform dependant installer packages that are more secure (and that users expect.) Seems The write-once, build-many, run-anywhere approach just seems fundamentally better to me than write-once, build-once, run-anywhere-and-try-to-deal-with-the-problems-as-they-appear approach. I use this approach, running an automated 3-tier build system for my projects (I get a .exe installer, .deb package, .dmg package and .jar cross platform installer out the other end.) That's what I class as "desktop Java", the more traditional approach - and I fully maintain that Java in that sense of the word is as secure as anything else.
I don't doubt that at all - it happens all the time, with big and small corporations alike. The fact that it "worked then" also meant no-one probably bothered to look in more detail about what the code was doing, so didn't spot the problem - I've got no proof, but experience tells me this is almost certainly the IBM devs doing something wrong rather than Sun introducing a major backwards incompatible change in a minor version update.I understand that things can change in what may be executed in code, but I doubt that IBM rolled out worldwide a piece of hardware containing a processor running code to be interoperated by the JRE that was a bit sloppy doing things it shouldn't have.
Too much to go into here in detail, but suffice to say as a Java dev there's various well defined conventions that you should stick by if you want your code to be future-proof. Things like not reflecting to access private methods on library classes, not using com.sun.* classes, not doing painting in Swing unless it's on the EDT, not doing painting in JavaFX unless it's on the Platform thread (actually the last two are of conventions just to ensure your code works reliably in *any* version, but still.) Some of these mistakes are easy to spot (such as searching for any used com.sun classes), others are more tricky. (I don't think it's anything to do with exploits.)how do you define the ways you should use something? if something is good code, and it works, BUT using a feature in a slightly different way is a bug or can lead to an exploit, then Sun's fix was just to rip out the feature, and to hell with a million of so integrated hardware devices deployed over the world. -they will have to use the old buggy version that we know if full of security holes!