On 1/14/13 5:33 PM, Tom Johnson wrote:
Update on the update:
U.S. says Java still risky, even after security update
http://www.reuters.com/article/2013/01/14/us-java-oracle-security-idUSBRE90D10P20130114
Microsoft CLR has had similar problems..
http://technet.microsoft.com/en-us/security/bulletin/MS10-060
http://www.dhses.ny.gov/ocs/advisories/2011/2011-040.cfm
In practice Microsoft and Apple have a streamlined and automated update
system. Other than that (that JVMs and Java libraries are
comparatively stale), I don't see any reason to think that the JVM ought
to be more or less porous than the .NET CLR.
For example, I take scheduled operating system updates (whether it is
Linux or Mac or Windows) right away, as well as browser updates (Firefox
is pretty fast and basically automatic), but I am annoyed when Java
wants to update, esp. on Windows where it is decoupled from O.S.
updates, and sits in the notification area generally nagging me to take
10 minutes to do a heavy upgrade that I mostly don't need.
So I claim that Sun/Oracle/Java is mostly guilty of failing to tightly
integrate with desktop operating systems. (Android not being desktop
and it was not done directly by Oracle.)
Also Oracle is a victim of Java's success. It's a successful platform
for portable code deployment. It's great that DHS and security
companies just define that away as insignificant and gratuitous.
And this in contrast to C++ and C native code ABIs that can suffer
buffer overrun exploits all over the place..?
Marcus
============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com
