Hyperbole. IIRC, the installer dialog said "3 billion". ;-)
I am happy for one thing. After having used the Control Panel feature introduced in 7u10 to allow disabling Java in all browsers via one checkbox, when I ran the 7u11 update and subsequently -- carefully! -- checked, I found that Java remained disabled in all the browsers on the system.
Hallelujah! Finally -- much too late, IMO -- one can apparently (I'd continue to manually verify, for the near if not foreseeable future) disable Java in the browser(s), and the setting sticks.
Prior to this, after each update, I'd have to go into all the browsers on the system and manually disable the Java plugins -- at least I had to until some, but not all, of the browser makers got smart and started ensuring that disabled Java plugins remained disabled, despite the Java installer's attempts.
And even disabling the browser plug-ins was apparently not sufficient, for IE:
That was actually a pretty fast response, considering the behemoth Java is and that the team is fractured since the acquisition. Things will get better, the websites are not even fully transitioned yet.
Wish people would cut Oracle a little slack here, although they really need to improve the Java update process. They could and should learn something from Flash (as depressing as that is to say!)
This I am genuinely annoyed with. I am going to start a petition to Oracle for these points, the Java community is extremely large and valuable and it's a disgrace to treat the platform this way.
I got a McAfee something or other offer bundled with the installer. I don't know why Sun and Oracle did this, it gives the installer the look of shady shareware shit.
One of the reasons Sun was gobbled up by Oracle is they could never figure out how to monetize their "extremely large and valuable" Java community. I don't like the toolbar spam any more than you, but Oracle doesn't have an obligation to provide a money-losing product.
Easy, write a mobile operating system that uses Java for all the apps- then license that to hardware OEMs until you've got a stranglehold on mobile OS, like the Microsoft model on desktop.
I am saddened that Google didn't buy Sun. Maybe they'll buy Oracle and the optical barrier over the valley will dissolve and reveal it is actually a portal into Hell.
The acquisition officially completed almost 3 years ago. Oracle had plenty of time and money to sue Google in the meantime. They are not poor and can do things quickly and competently when they want to; their customers and other Java users shouldn't have to "cut them a little slack" on such bugs.
I won't cut them slack on their update process, they should have improved that by now.
I don't think being poor or not matters, Java is a gigantic codebase and throwing money at a team doesn't make them code more efficiently. They are doing moderately well at transitioning.
I believe Google ripped Java off hard, and I believe both the ripping off Java and the suing for it were bad moves.
Google should have licensed or bought Java and Oracle should have sold it or open-sourced it.
This is why corporate-owned languages are bad, and why Dalvik isn't really any better in the long run.
The best thing, perhaps, would be if HotSpot and OpenJDK were completely community driven all the way down to the release/update/install process, the way IcedTea is.
Ironically you have just named the two plugins that have been disabled in my mainstream browser for over a year. Both of those plugins are examples of what not to do with regards to security, and the first thing I do with new users is train them to surf the web with them off, and switch to a different browser than their main one if they specifically need that functionality. I.e. browse the web with safari (all plugins/java disabled), switch to chrome to watch flash videos (and pray that their sandbox protects you) and switch to Firefox to run your corporate java plugin VPN.
Ideally java/flash plugins will die quickly, and we can replace them with browser native technology that we can hold the browser manufacturers accountable for.
The sarcasm was more referring to the fact that Java (and to some extent Flash with Alchemy VM stuff) is already the best solution for cross-platform native sandboxing in the browser.
(If Oracle improves on the updates, that is, and I'm sure they will, they've got a lot on the roadmap for Java.)
I have Java applets that can record and analyze audio and catch MIDI events from any browser including Internet Explorer (any version you're likely to see, really, probably including IE5), as long as Java is installed....
At some point I'm going to have to bite the bullet and switch everything to HTML5, but applets are failing faster than cross-browser native power is advancing, sadly.
I'm close to being able to do pitch detection in the browser (it's just a question of getting the code polished & integrated into features, not any tech hurdles; it already works), but that'll be toast for at least a few years if I switch.
And I doubt MIDI input will ever be browser-native; I've never even heard whispers about it....
It's a frustrating situation; I just wish it didn't seem like Oracle was so actively hastening the death of the applet.
perhaps you could do something along the lines of GWT and port your app over to use html5 tech. It was done with quake as a demo, and it works reasonably well.
>Ideally java/flash plugins will die quickly, and we can replace them with browser native technology that we can hold the browser manufacturers accountable for.
I don't know why you would think browser native technology will be any more secure. Java and Flash aren't heavily exploited because they're worse than other products - they're exploited because they're ubiquitous. And it's not like we don't have manufacturers to hold accountable here, whatever that means.
Security is hard. It's really, really, really hard to add new functionality without leaving a chink in your security armor. This cycle of 0-day exploits is not going away even when Flash and Java are only discussed in nursing homes.
People used to say the same thing about Java. When you can write a web app for Chrome that can do the same sorts of things applets can do, you're going to see the same sorts of exploits. The problem isn't that the Sun and Oracle people didn't know what they were doing. The problem is your opportunities for security problems scale with the amount of functionality you're delivering.
You can do almost anything you can do in an applet, now from NaCl/PNaCl or from Javascript (including TCP/UDP sockets, etc) when writing a Chrome CRX or CRX-less webapp that the user opts to install.
Maybe you're right, we'll see. That having been said, again, with Chrome's track record, update schedule, update mechanics and more, I'm trusting them a huge factor more than Oracle. Also, keeping in mind that having different implementations across 2-3 major web browsers dampens the effect of having an exploit in one.
Why have applets not been deprecated? Nobody uses Java in the browser for anything. Also before anyone gets too high on their anti-oracle rant. Java is maintained by fewer than 5 people.
40 comments
[ 3.0 ms ] story [ 92.3 ms ] thread1) Open Java Control Panel, see it says I have an update. Click "OK".
2) Reopen Java Control Panel because OK closes the window. This time click "Update Now"
3) After downloading 50MB another installer opens. Notice that it says 7u10 and not 7u11 (I was running 7u9).
4) Look back at Java Control Panel and see that it claims "Java Update was last run at 5:03 PM".
5) Reopen the JCP several times to try to force it to recognize that 7u11 is the latest, not 7u10.
6) Give up and install 7u10
7) Reopen JCP yet again. Success, 7u11 is available!
8) Click "Update Now" (not falling for your tricks again "OK" button)
9) http://d.pr/i/9UdC
10) Curse and post this.
That when, next month, the next 0-day exploit targetting Java applets comes out you'll be safe.
It only disable applets, nothing else.
1) Be notified of an update through the automatically running update check (probably with weak crypto and verification, given their track record...)
2) Clicking launches the MSI installer
3) "Java is wasting cycles on 6 billion (right now) insecure devices. Update now."
4) Remember to uncheck the Ask.com toolbar installer (Are you even trying at this point Oracle? Just kill it outright)
5) Installing
6) "Remember, Java is awesome, and for the moment its secure again"
(Not a comparison, just to make the point that the "experience" is equally great on the other side)
I have 3 different JDKs installed at the moment.
Unfortunate that they're dragging their feet on this.
1. Run "Ninite Java installer.exe".
2. Control panel -> Programs and Features -> Uninstall any old versions, if applicable.
If anyone on Windows doesn't know about www.ninite.com, it's probably worth your time to take a look.
I am happy for one thing. After having used the Control Panel feature introduced in 7u10 to allow disabling Java in all browsers via one checkbox, when I ran the 7u11 update and subsequently -- carefully! -- checked, I found that Java remained disabled in all the browsers on the system.
Hallelujah! Finally -- much too late, IMO -- one can apparently (I'd continue to manually verify, for the near if not foreseeable future) disable Java in the browser(s), and the setting sticks.
Prior to this, after each update, I'd have to go into all the browsers on the system and manually disable the Java plugins -- at least I had to until some, but not all, of the browser makers got smart and started ensuring that disabled Java plugins remained disabled, despite the Java installer's attempts.
And even disabling the browser plug-ins was apparently not sufficient, for IE:
http://krebsonsecurity.com/how-to-unplug-java-from-the-brows...
(see the section on Internet Explorer)
Wish people would cut Oracle a little slack here, although they really need to improve the Java update process. They could and should learn something from Flash (as depressing as that is to say!)
http://www.java.com/en/download/faq/ask_toolbar.xml
Sun JRE install once peddled OpenOffice and Google Toolbar, but at least OO is better than Ask. Ugh.
They need to get rid of this, it's an embarrassment.
He had good booze, but otherwise, sort of an asswipe.
Sent the girl home with a police matron.
I am saddened that Google didn't buy Sun. Maybe they'll buy Oracle and the optical barrier over the valley will dissolve and reveal it is actually a portal into Hell.
I don't think being poor or not matters, Java is a gigantic codebase and throwing money at a team doesn't make them code more efficiently. They are doing moderately well at transitioning.
I believe Google ripped Java off hard, and I believe both the ripping off Java and the suing for it were bad moves. Google should have licensed or bought Java and Oracle should have sold it or open-sourced it.
This is why corporate-owned languages are bad, and why Dalvik isn't really any better in the long run.
The best thing, perhaps, would be if HotSpot and OpenJDK were completely community driven all the way down to the release/update/install process, the way IcedTea is.
Ideally java/flash plugins will die quickly, and we can replace them with browser native technology that we can hold the browser manufacturers accountable for.
What we really need is some kind of native virtual machine that can run cross-platform bytecode in the browser.
Someone should make a plugin for this that works with all browsers, it would be genius!
</sarcasm>
(If Oracle improves on the updates, that is, and I'm sure they will, they've got a lot on the roadmap for Java.)
This is a neat idea though!
At some point I'm going to have to bite the bullet and switch everything to HTML5, but applets are failing faster than cross-browser native power is advancing, sadly.
I'm close to being able to do pitch detection in the browser (it's just a question of getting the code polished & integrated into features, not any tech hurdles; it already works), but that'll be toast for at least a few years if I switch.
And I doubt MIDI input will ever be browser-native; I've never even heard whispers about it....
It's a frustrating situation; I just wish it didn't seem like Oracle was so actively hastening the death of the applet.
I don't know why you would think browser native technology will be any more secure. Java and Flash aren't heavily exploited because they're worse than other products - they're exploited because they're ubiquitous. And it's not like we don't have manufacturers to hold accountable here, whatever that means.
Security is hard. It's really, really, really hard to add new functionality without leaving a chink in your security armor. This cycle of 0-day exploits is not going away even when Flash and Java are only discussed in nursing homes.
Maybe you're right, we'll see. That having been said, again, with Chrome's track record, update schedule, update mechanics and more, I'm trusting them a huge factor more than Oracle. Also, keeping in mind that having different implementations across 2-3 major web browsers dampens the effect of having an exploit in one.
Hopefully more browsers will stop blocking Java applets by default, as only they seem to be the cause of troubles at this point.