Java Installer Flaw Shows Why You Should Clear Your Downloads Folder

itwbennett writes: On Friday, Oracle published a security advisory recommending that users delete all the Java installers they might have lying around on their computers and use new ones for versions 6u113, 7u97, 8u73 or later. The reason: Older versions of the Java installer were vulnerable to binary planting in the Downloads folder. 'Though considered relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user's system,' said Eric Maurice, Oracle's software security assurance director, in a blog post.

Researcher Finds Tens of Software Products Vulnerable To Simple Bug

An anonymous reader writes: There's a German security researcher that is arduously testing the installers of tens of software products to see which of them are vulnerable to basic DLL hijacking. Surprisingly, many companies are ignoring his reports. Until now, only Oracle seems to have addressed this problem in Java and VirtualBox. Here's a short (probably incomplete) list of applications that he found vulnerable to this attack: Firefox, Google Chrome, Adobe Reader, 7Zip, WinRAR, OpenOffice, VLC Media Player, Nmap, Python, TrueCrypt, and Apple iTunes. Mr. Kanthak also seems to have paid special attention to antivirus software installers. Here are some of the security products he discovered vulnerable to DLL hijacking: ZoneAlarm, Emsisoft Anti-Malware, Trend Micro, ESET NOD32, Avira, Panda Security, McAfee Security, Microsoft Security Essentials, Bitdefender, Rapid7's ScanNowUPnP, Kaspersky, and F-Secure.
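Both stories above turn on the same mechanism: a Windows installer that calls LoadLibrary with a bare DLL name, so the loader consults the installer's own directory first, which for a freshly downloaded file is the Downloads folder anyone can drop a DLL into. The following is an added example written for this page, not Oracle's installer code or anything from Mr. Kanthak's reports. It models the documented default search order and the restricted order an installer gets after SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32), and shows which imports an attacker could satisfy by planting a file. Assumptions: SafeDllSearchMode is on (the default), no manifest or side-by-side redirection, the 16-bit system directory is ignored, and the directory listings, installer import list and KnownDLLs subset are constructed sample data.

```python
"""Model of the Windows DLL search order (added example, see lead-in)."""
from typing import Dict, List, Optional, Set


def default_search_order(app_dir: str, system32: str, windows: str,
                         cwd: str, path_dirs: List[str]) -> List[str]:
    """Order used by LoadLibrary("name.dll") with SafeDllSearchMode on:
    application directory first, so a DLL planted beside the installer wins."""
    return [app_dir, system32, windows, cwd, *path_dirs]


def system32_only_order(system32: str) -> List[str]:
    """Order after SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32)
    or LoadLibraryEx(..., LOAD_LIBRARY_SEARCH_SYSTEM32): System32 only."""
    return [system32]


def resolve(dll: str, order: List[str], listing: Dict[str, Set[str]],
            known_dlls: Set[str], system32: str) -> Optional[str]:
    """Directory `dll` would be loaded from, or None if not found."""
    name = dll.lower()
    if name in known_dlls:  # KnownDLLs are mapped from System32 regardless of order
        return system32
    for directory in order:
        if name in {f.lower() for f in listing.get(directory, set())}:
            return directory
    return None


def plantable_imports(imports: List[str], app_dir: str, order: List[str],
                      listing: Dict[str, Set[str]], known_dlls: Set[str],
                      system32: str) -> List[str]:
    """Imports an attacker who can write to app_dir could hijack: simulate a
    planted copy of every import there and keep those that then win."""
    planted = {d: set(files) for d, files in listing.items()}
    planted.setdefault(app_dir, set()).update(i.lower() for i in imports)
    return [i for i in imports
            if resolve(i, order, planted, known_dlls, system32) == app_dir]


def dlls_beside_installers(files: Set[str]) -> List[str]:
    """Triage of a Downloads listing: DLLs sitting next to an .exe are what a
    binary-planting attempt looks like on disk."""
    names = {f.lower() for f in files}
    if not any(n.endswith(".exe") for n in names):
        return []
    return sorted(n for n in names if n.endswith(".dll"))


# Constructed sample environment; the KnownDLLs set is a small subset of the
# real registry list and the System32 contents are illustrative only.
SYSTEM32 = r"C:\Windows\System32"
WINDOWS = r"C:\Windows"
DOWNLOADS = r"C:\Users\alice\Downloads"
LISTING: Dict[str, Set[str]] = {
    SYSTEM32: {"kernel32.dll", "user32.dll", "version.dll", "dwmapi.dll", "cryptbase.dll"},
    DOWNLOADS: {"installer.exe", "dwmapi.dll"},   # dwmapi.dll is already planted here
}
KNOWN_DLLS = {"kernel32.dll", "user32.dll"}
INSTALLER_IMPORTS = ["kernel32.dll", "user32.dll", "version.dll", "dwmapi.dll", "cryptbase.dll"]


def demo() -> dict:
    loose = default_search_order(DOWNLOADS, SYSTEM32, WINDOWS, DOWNLOADS, [])
    strict = system32_only_order(SYSTEM32)
    return {
        "loose": plantable_imports(INSTALLER_IMPORTS, DOWNLOADS, loose, LISTING, KNOWN_DLLS, SYSTEM32),
        "strict": plantable_imports(INSTALLER_IMPORTS, DOWNLOADS, strict, LISTING, KNOWN_DLLS, SYSTEM32),
        "already_planted": dlls_beside_installers(LISTING[DOWNLOADS]),
    }


if __name__ == "__main__":
    print(demo())
```

Under the default order every non-KnownDLL import (version.dll, dwmapi.dll, cryptbase.dll in the sample) resolves to the Downloads folder once a file of that name is placed there; with the System32-only order none does, which is the kind of change an installer needs rather than a user-side workaround. Clearing the Downloads folder, as the advisory suggests, only removes what an attacker already planted, so the `dlls_beside_installers` check is worth running before launching any installer from there.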

Oracle To Drop Java Browser Plugin In JDK 9

An anonymous reader writes: After Mozilla said in October that it would stop supporting Firefox plugins on the older NPAPI technology, Oracle had no choice but to announce the deprecation of the Java browser plugin starting with the release of the JDK version 9, which is set for release in March 2017, and developers are urged to start using the Java Web Start pluginless technology instead. Security issues also had a big part in Java's demise.

Stephen Wolfram: No Need To Teach With 'Toy Programming Languages' Like Scratch

theodp writes: From Stephen Wolfram's blog post announcing the Wolfram Programming Lab: "It's a very important — and in fact transformative — moment for programming education. In the past one could use a 'toy programming language' like Scratch, or one could use a professional low-level programming language like C++ or Java. Scratch is easy to use, but is very limited. C++ or Java can ultimately do much more (though they don't have built-in knowledge), but you need to put in significant time—and get deep into the engineering details—to make programs that get beyond a toy level of functionality. With the Wolfram Language, though, it's a completely different story. Because now even beginners can write programs that do really interesting things. And the programs don't have to just be 'computer science exercises': they can be programs that immediately connect to the real world, and to what students study across the whole curriculum. Wolfram Programming Lab gives people a broad way to learn modern programming — and to acquire an incredibly valuable career-building practical skill. But it also helps develop the kind of computational thinking that's increasingly central to today's world." So, when it comes to programming education, are schools hitching their cart to the wrong horse?

Java Named Top Programming Language of 2015

Nerval's Lobster writes: What was the most popular programming language of 2015? According to the people behind the TIOBE Index, Java took that coveted spot, winning out over C, Python, PHP, and other languages. "At first sight, it might seem surprising that an old language like Java wins this award," read TIOBE's note accompanying the list. "Especially if you take into consideration that Java won the same award exactly 10 years ago." Yet Java remains essential not only for businesses, it continued, but also consumer-centric markets such as mobile development (i.e., Google Android). That being said, even big languages can tumble. (Dice link) Objective-C tumbled from third place to 18th in the past 12 months, thanks to Apple's decision to replace it with Swift. In 2016, TIOBE expects that "Java, PHP (with the new 7 release), JavaScript and Swift will be the top 10 winners for 2016. Scala might gain a permanent top 20 position, whereas Rust, Clojure, Julia and TypeScript will also move up considerably in the chart." What has been your most-used (or best-loved) programming language of the last 12 months?

Google Confirms Next Android Version Won't Use Oracle's Proprietary Java APIs

An anonymous reader writes: Google is ditching the Java application programming interfaces (APIs) in Android and moving to only OpenJDK. The news first came by a "mysterious Android codebase commit" from last month submitted to Hacker News. Google confirmed to VentureBeat that Android N will rely solely on OpenJDK. “As an open-source platform, Android is built upon the collaboration of the open-source community,” a Google spokesperson told VentureBeat. “In our upcoming release of Android, we plan to move Android’s Java language libraries to an OpenJDK-based approach, creating a common code base for developers to build apps and services. Google has long worked with and contributed to the OpenJDK community, and we look forward to making even more contributions to the OpenJDK project in the future.”

Oracle Settles FTC Charges Regarding Deceptive Java Security Updates

An anonymous reader writes: The FTC and Oracle have come to an agreement regarding Oracle's deceptive Java security updates, which only removed recent versions of vulnerable Java SE, but left behind older, insecure versions. Oracle got away without a fine, but will have to overhaul its Java update process to remove older versions as well.

Ask Slashdot: How Will You Be Programming In a Decade?

An anonymous reader writes: Programmer Dave Cheney raised an interesting question today: How will you be programming in a decade? If you look back to a decade ago, you can see some huge shifts in the software industry. This includes the rise of smartphones, ubiquitous cloud infrastructure, and containers. We've also seen an explosion of special-purpose libraries and environments, many with an emphasis on networking and scaling. At the same time, we still have a ton of people writing Java and C and Python. Some programmers have jumped headfirst into new tools like Light Table, while others are still quite happy with Emacs. So, programmers of Slashdot, I ask you: How do you think your work (or play) will change in the next ten years?

No More Security Fixes For Older OpenSSL Branches

itwbennett writes: The OpenSSL Software Foundation has released new patches for the popular open-source cryptographic library, but for two of its older branches, OpenSSL 1.0.0t and 0.9.8zh, they will likely be the last security updates because support for these two branches will end on Dec. 31. Previous research has shown that many companies using in-house built software keep poor records of which library versions their developers used in which of their applications. 'This makes it very likely that some systems and applications with OpenSSL 0.9.8 and 1.0.0 will never be updated, leaving them exposed to any critical vulnerabilities found in the library in the future,' writes Lucian Constantin.
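When the records of which OpenSSL went into which build are poor, the binaries themselves are the record of last resort: libcrypto embeds its OPENSSL_VERSION_TEXT string (of the form "OpenSSL 1.0.0t 3 Dec 2015"), and that string survives static linking unless the build deliberately stripped it. The scanner below is an added example written for this page, not OpenSSL project code. It pulls version strings out of arbitrary files and flags those from the two branches the story says lose support; that set of branches, the size cap and the two sample blobs are assumptions and constructed data, and a build that removed the string will be missed rather than reported.

```python
"""Find embedded OpenSSL version strings and flag end-of-life branches
(added example, see lead-in)."""
import os
import re
from typing import Dict, Iterable, List, Set

# "OpenSSL 0.9.8zh 3 Dec 2015", "OpenSSL 1.0.2e 3 Dec 2015", "OpenSSL 1.0.0-fips ..."
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)\b")

# Branches the story names as unsupported after 31 Dec 2015.  Branch status
# changes over time, so treat this as operator-maintained input (assumption).
EOL_BRANCHES: Set[str] = {"0.9.8", "1.0.0"}


def versions_in(blob: bytes) -> List[str]:
    """Distinct OpenSSL version strings in a byte blob, in order of appearance."""
    seen: List[str] = []
    for m in VERSION_RE.finditer(blob):
        v = m.group(1).decode("ascii")
        if v not in seen:
            seen.append(v)
    return seen


def branch_of(version: str) -> str:
    """'0.9.8zh' -> '0.9.8'; the letter suffix is the patch level within a branch."""
    return re.match(r"\d+\.\d+\.\d+", version).group(0)


def eol_versions(blob: bytes, eol: Iterable[str] = EOL_BRANCHES) -> List[str]:
    """Versions in blob whose branch is in the end-of-life set."""
    eol = set(eol)
    return [v for v in versions_in(blob) if branch_of(v) in eol]


def scan_tree(root: str, eol: Iterable[str] = EOL_BRANCHES,
              max_bytes: int = 64 << 20) -> Dict[str, List[str]]:
    """Map file path -> end-of-life versions for every readable file under
    root (files above max_bytes are skipped rather than read into memory)."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "rb") as fh:
                    found = eol_versions(fh.read(), eol)
            except OSError:
                continue  # unreadable or vanished; a real run would log this
            if found:
                hits[path] = found
    return hits


# Constructed sample blobs standing in for two binaries; padding on both sides
# mimics the string sitting in the middle of a .rodata section.
SAMPLE_OLD = b"\x7fELF" + b"\x00" * 32 + b"OpenSSL 0.9.8zh 3 Dec 2015\x00" + b"\x90" * 16
SAMPLE_NEW = b"MZ" + b"\x00" * 32 + b"OpenSSL 1.0.2e 3 Dec 2015\x00" * 2 + b"\x90" * 16


if __name__ == "__main__":
    for label, blob in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        print(label, versions_in(blob), "EOL:", eol_versions(blob))
```

Run `scan_tree("/opt")` (or the root of a deployment image) to get a path-to-version map; anything listed is a candidate for rebuild against a supported branch. Two caveats a practitioner should keep in mind: a hit proves an old libcrypto is present, not that the vulnerable code paths are reachable, and a clean scan proves nothing if the build stripped its version string, so pair this with the package manager's inventory where one exists.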

Air Asia Pilot Response Leads To Plane Crashing

hcs_$reboot writes: The investigation took a year, but we finally know why Air Asia Flight QZ8501, en route to Singapore from the Indonesian city of Surabaya on December 28 last year, crashed into the Java Sea, killing all 162 people on board. The crash was caused by a combination of system malfunctions and improper pilot responses to cascading electrical and rudder-system problems. A cracked solder joint on the Airbus A320 resulted in an electrical interruption that caused computer-generated warnings of a rudder malfunction. The problem occurred four times during the flight. The first three times, the flight crew responded according to standard procedure, investigators said. The fourth time, however, the flight-data recorder indicated actions similar to those of circuit breakers being reset. That led the autopilot to disengage. Investigators said the crew was unable to react appropriately to "a prolonged stall condition," ending in the crash. The investigation points to weaknesses in pilot training in dealing with upsets, or when an aircraft is angled greater than 45 degrees.

Software Engineer Liz Bennett Talks About Being a Woman in a Nearly All Male Workplace (Video)

This conversation was generated by a post Eric S. Raymond published on his "Armed and Dangerous" blog that said, "...if you are any kind of open-source leader or senior figure who is male, do not be alone with any female, ever, at a technical conference. Try to avoid even being alone, ever, because there is a chance that a 'women in tech' advocacy group is going to try to collect your scalp." Eric later wrote a post about how Social Justice Warriors may be more of a problem than the problems they complain about.

Whoa! Predatory women in tech trying to entrap people like (and including) Linus Torvalds the way an old-time private eye got the goods on an errant husband as part of a divorce case? Scary! And worrying about thoughtcrime, too? Oh my! But Liz Bennett is an actual software engineer who works at Loggly in San Francisco. She writes for her company's blog when she's not writing Java code, has a (not very active) GitHub account, and plays bassoon. And her attitude is similar to the one espoused by ESR in the second post (above): write great code -- and if you do, they (for any value of they) have no right to be negative about you, period. And, she says, before you take a job you should be sure the company is a good "fit" for you and doesn't harbor people who will work to bring you down -- which is great advice for anyone, in any field of endeavor.

Python Is On the Rise, While PHP Falls

Nerval's Lobster writes: While this month's lists of the top programming languages uniformly put Java in the top spot, that's not the only detail of interest to developers. Which language has gained the most users over the past five years? And which are tottering on the edge of obsolescence? According to PYPL, which pulls its raw data for analysis from Google Trends, Python has grown the most over the past five years—up 5 percent since roughly 2010. Over the same period, PHP also declined by 5 percent. Since PYPL looks at how often language tutorials are searched on Google, its data is a good indicator of how many developers are (or aren't) learning a language, presumably because they see it as valuable to their careers. Just because PYPL shows PHP losing market-share over the long term doesn't mean that language is in danger of imminent collapse; over the past year or so, the PHP community has concentrated on making the language more pleasant to use, whether by improving features such as package management, or boosting overall performance. Plus, PHP is still used on hundreds of millions of websites, according to data from Netcraft. Indeed, if there's any language on these analysts' lists that risks doom, it's Objective-C, the primary language used for programming iOS and Mac OS X apps, and its growing obsolescence is by design.

Vulnerability In Java Commons Library Leads To Hundreds of Insecure Applications

An anonymous reader writes: Stephen Breen from the FoxGlove Security team is calling attention to what he calls the "most underrated, underhyped vulnerability of 2015." It's a remote code execution exploit that affects the latest versions of WebLogic, WebSphere, JBoss, Jenkins, and OpenNMS, and many other pieces of software. How? An extremely common Java library. He says, "No one gave it a fancy name, there were no press releases, nobody called Mandiant to come put out the fires. In fact, even though proof of concept code was released over 9 months ago, none of the products mentioned in the title of the blog post have been patched, along with many more. In fact no patch is available for the Java library containing the vulnerability. In addition to any commercial products that are vulnerable, this also affects many custom applications."
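The products listed share the bug because each one feeds attacker-supplied bytes to ObjectInputStream, and a serialized Java stream names the classes it will instantiate before any of their code runs. That makes a pre-deserialization check possible at the network edge: confirm the body is a Java serialization stream (it starts with the bytes AC ED 00 05, or "rO0AB" when base64-encoded) and read the class names out of it. The code below is an added example for this page, not FoxGlove's tooling or any product's filter. It is a heuristic over TC_CLASSDESC records rather than a full parser of the Java serialization grammar; the sample streams are hand-constructed and structurally simplified, and the single denylist entry is an assumption based on the widely published Apache Commons Collections gadget chain.

```python
"""Java serialization stream inspection before ObjectInputStream sees it
(added example, see lead-in)."""
import base64
import re
from typing import List, Optional

STREAM_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC followed by STREAM_VERSION 5
BASE64_MAGIC = b"rO0AB"              # the same four bytes after base64 encoding
TC_OBJECT, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_NULL = 0x73, 0x72, 0x78, 0x70
SC_SERIALIZABLE = 0x02
# Binary class names: dotted identifiers, optionally with an array descriptor prefix.
CLASS_NAME_RE = re.compile(rb"^\[*[A-Za-z_$][A-Za-z0-9_$.;]*$")

# Assumed, operator-maintained denylist; this entry is the Transformer class
# from the published Commons Collections chain.
GADGET_DENYLIST = {"org.apache.commons.collections.functors.InvokerTransformer"}


def java_stream(body: bytes) -> Optional[bytes]:
    """Raw stream bytes if body is a (possibly base64-encoded) Java
    serialization stream, else None."""
    if body.startswith(STREAM_MAGIC):
        return body
    if body.startswith(BASE64_MAGIC):
        try:
            return base64.b64decode(body, validate=True)
        except ValueError:
            return None
    return None


def class_names(stream: bytes) -> List[str]:
    """Class names from TC_CLASSDESC records: the byte 0x72, a 2-byte
    big-endian length, then the (modified UTF-8) name.  The 256-byte cap also
    discards the stray 0x72 ('r') bytes inside names, because any printable
    byte read as the length's high byte gives a length of at least 0x2000."""
    names: List[str] = []
    i = stream.find(bytes([TC_CLASSDESC]))
    while i >= 0:
        length = int.from_bytes(stream[i + 1:i + 3], "big")
        name = stream[i + 3:i + 3 + length]
        if 1 <= length <= 256 and len(name) == length and CLASS_NAME_RE.match(name):
            decoded = name.decode("ascii")
            if decoded not in names:
                names.append(decoded)
            i = stream.find(bytes([TC_CLASSDESC]), i + 3 + length)
        else:
            i = stream.find(bytes([TC_CLASSDESC]), i + 1)
    return names


def gadget_hits(body: bytes, denylist=GADGET_DENYLIST) -> List[str]:
    """Denylisted classes named in the body; [] for a clean stream and also
    for a body that is not a Java stream at all.  Reject when non-empty."""
    stream = java_stream(body)
    if stream is None:
        return []
    return [n for n in class_names(stream) if n in denylist]


def _class_desc(name: str) -> bytes:
    """Constructed TC_CLASSDESC: name, zero serialVersionUID, SC_SERIALIZABLE,
    no fields, empty class annotation, no superclass."""
    return (bytes([TC_CLASSDESC]) + len(name).to_bytes(2, "big") + name.encode("ascii")
            + b"\x00" * 8 + bytes([SC_SERIALIZABLE]) + b"\x00\x00"
            + bytes([TC_ENDBLOCKDATA, TC_NULL]))


# Constructed samples: a benign HashMap and a stream that also names the gadget class.
BENIGN_STREAM = STREAM_MAGIC + bytes([TC_OBJECT]) + _class_desc("java.util.HashMap")
GADGET_STREAM = (BENIGN_STREAM + bytes([TC_OBJECT])
                 + _class_desc("org.apache.commons.collections.functors.InvokerTransformer"))
GADGET_STREAM_B64 = base64.b64encode(GADGET_STREAM)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_STREAM), ("gadget", GADGET_STREAM),
                        ("gadget-b64", GADGET_STREAM_B64), ("json", b'{"x": 1}')):
        print(label, gadget_hits(body))
```

A denylist like this catches only the chains you already know about, which is why it belongs in the detection layer rather than being the fix: the durable remedy is to stop deserializing untrusted input, or to enforce an allowlist of expected classes inside the application by overriding ObjectInputStream.resolveClass so that anything outside it is rejected before instantiation.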

Apple Usurps Oracle As the Biggest Threat To PC Security

AmiMoJo writes: According to data from Secunia, Apple's software for Windows is now the biggest threat to PC security, surpassing previous long term champion Java. Among U.S. users, some 61 percent of computers detected running QuickTime did not have the latest version. With iTunes, 47 percent of the installations were outdated versions. There were 18 vulnerabilities in Apple QuickTime 7 at the time of the study. Oracle has now fallen/risen to 2nd place, followed by Adobe. All three vendors bundle automatic updater utilities with their software, but users seem to be declining new versions. Update fatigue, perhaps?

Oracle Fixes Java Vulnerability Used By Russian Cyberspies

itwbennett writes: Oracle said that it has fixed 154 security flaws in Java and a wide range of its other products, including one that Russian cyberespionage group Pawn Storm used to launch stealthy attacks earlier this year. The vulnerability, tracked as CVE-2015-4902, was being used by the Pawn Storm attackers to enable the execution of a malicious Java application without user interaction.

Ask Slashdot: Selecting a Version Control System For an Inexperienced Team

An anonymous reader writes: I have been programming in Python for quite a while, but so far I have not used a version control system. For a new project, a lot more people (10-15) are expected to contribute to the code base; many of them have never written a single line of Python but C, LabVIEW or Java instead. This is a company decision that can be seen as a Python vs. LabVIEW comparison — if successful the company is willing to migrate all code to Python. The code will be mostly geared towards data acquisition and data analysis leading to reports. At the moment I have the feeling that managing that data (=measurements + reports) might be done within the version control system since this would generate an audit trail on the fly. So far I have been trying to select a version control system; based on Google I guess it should be git or mercurial. I get the feeling that they are quite similar for basic things. I expect that the differences will show up when more sophisticated topics/problems are addressed — so to pick one I would have to learn both — what are your suggestions? Read below for more specifics.

Firefox Support For NPAPI Plugins Ends Next Year

An anonymous reader writes: Mozilla announced that it will follow the lead of Google Chrome and Microsoft Edge in phasing out support for NPAPI plugins. They expect to have it done by the end of next year. "Plugins are a source of performance problems, crashes, and security incidents for Web users. ... Moreover, since new Firefox platforms do not have to support an existing ecosystem of users and plugins, new platforms such as 64-bit Firefox for Windows will launch without plugin support." Of course, there's an exception: "Because Adobe Flash is still a common part of the Web experience for most users, we will continue to support Flash within Firefox as an exception to the general plugin policy. Mozilla and Adobe will continue to collaborate to bring improvements to the Flash experience on Firefox, including on stability and performance, features and security architecture." There's no exception for Java, though.

Retro Roundup: Old Computers Emulated Right In Your Browser

An anonymous reader writes: If you ever wanted to program an Altair, an Apple I, or a COSMAC ELF you may think you either have to buy one (expensive now) or load and configure simulation software. However, there's a slew of browser-based emulators for everything from a PDP-11 to Windows 1.0 out there. Some use Java, but many use JavaScript and many perform better on a modern PC than they did in their original. If you want to learn some history or just want to finally play with the computers you saw in the magazines 35 years ago, these are great fun and slightly addictive.

Cassandra Rewritten In C++, Ten Times Faster

urdak writes: At Cassandra Summit opening today, Avi Kivity and Dor Laor (who had previously written KVM and OSv) announced ScyllaDB — an open-source C++ rewrite of Cassandra, the popular NoSQL database. ScyllaDB claims to achieve a whopping 10 times more throughput per node than the original Java code, with sub-millisecond 99%ile latency. They even measured 1 million transactions per second on a single node. The performance of the new code is attributed to writing it in Seastar — a C++ framework for writing complex asynchronous applications with optimal performance on modern hardware.
