[Micronet] Java for Windows Version 7 update 11

[Micronet] Java for Windows Version 7 update 11

Bruce Satow
Does anyone know if Java version 7 update 11 also has security issues?  It's the latest one from Oracle.


--
  Bruce Satow
  Systems Administrator
  University of California at Berkeley  
  Space Sciences Laboratory
  7 Gauss Way
  Berkeley, California 94720-7450

  Phone: (510) 643-2348
      Cell: (510) 847-1914



Si hoc legere scis nimium eruditionis habes

 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.

Re: [Micronet] Java for Windows Version 7 update 11

Ian Crew
My own personal 2 cents (only speaking for myself, not anyone else):

From what I've read [1], some experts believe that there are many more unpatched security holes in Java.  One relevant quote: "'The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don't really need Java on their desktop,' Moore said."

I agree with that: to me, the Java browser plugins are starting to sound a whole lot like the Flash plugins--bad news in both cases.  Given all the pain we've seen on campus with Java recently (some financial reporting tools require Java X in Browser Y, CalTime requires Java Z in Browser W, etc. [2]), I'm increasingly of the opinion that any new system we implement on campus that requires Java or Flash on the client should require an exception to be granted by someone pretty high up in the organization.  I also think that the standards for getting that exception should be pretty stringent. From what I've seen here, and heard in conversations with colleagues who manage desktops, it seems pretty clear to me that those Java-on-the-client systems are a really major source of cost and headaches for the university.  I also don't see, given modern browser technologies (HTML5, modern JavaScript compilers, etc.), why stuff like Java and Flash are all that necessary anymore.  For example, both Google and Box manage to do Flash-free and Java-free interfaces that are very cross-browser compatible, and also highly capable.

Cheers,

Ian

[2] - Yes, I know that there are remote-desktop based solutions for the systems I mention here, but those are really just workarounds for the fact that they require very specific client-side Java versions.  Those remote desktop solutions do wind up costing us a bunch, both to run the servers but also to configure and support all the clients to talk to them.

___
Ian Crew
Platform and Services Manager, Research Hub

Content Management Technologies
IST-Architecture, Middleware and Common Applications
Earl Warren Hall, Second Floor
University of California, Berkeley


 

Re: [Micronet] Java for Windows Version 7 update 11

Bruce Satow
It may be unavoidable if your department requires using Java-based online applications from other institutions.  It would be nice if they could move away from Java and Flash, but they may not have the resources to convert them.


--
  Bruce Satow
  Systems Administrator
  University of California at Berkeley  
  Space Sciences Laboratory
  7 Gauss Way
  Berkeley, California 94720-7450

  Phone: (510) 643-2348
      Cell: (510) 847-1914



Si hoc legere scis nimium eruditionis habes

 

Re: [Micronet] Java for Windows Version 7 update 11

Ian Crew
On Jan 22, 2013, at 5:58 PM, Bruce Satow <[hidden email]> wrote:

It may be unavoidable if your department requires using Java-based online applications from other institutions.  It would be nice if they could move away from Java and Flash, but they may not have the resources to convert them.

Understood, and I totally agree that my thoughts aren't practical in all cases.  However:

1) I'd wager that that's the exception rather than the rule on campus:  I'd imagine that the great majority of folks on campus are really only dealing with local systems that require Java.  

2) While I agree we'll never be able to completely ban client-side-Java or Flash from campus, we could at least dramatically reduce the scope of the problem by not implementing our own systems using those technologies.  That would also be setting a good example to other universities/institutions about this.

Cheers,

Ian

___
Ian Crew
Platform and Services Manager, Research Hub

Content Management Technologies
IST-Architecture, Middleware and Common Applications
Earl Warren Hall, Second Floor
University of California, Berkeley


 

Re: [Micronet] Java for Windows Version 7 update 11

Ian Crew
In reply to this post by Ian Crew
FYI, as predicted by the article I linked below, Java 7 Update 11 (the supposedly "fixed" version) has been found to be vulnerable:


Ian

___
Ian Crew
Platform and Services Manager, Research Hub

Migration Coordinator, bConnected Project

IST-Architecture, Platforms and Integration (API)
Earl Warren Hall, Second Floor
University of California, Berkeley


 