You're right.

IIRC, the last non-Java security update I installed updated a bunch of image format libraries to fix exploitable vulnerabilities. We can't even safely decode static image files! I'm not sure how we expect to safely sandbox executable code, whether it's Flash, Java, JavaScript, or anything else.

Even so, if Java's currently being exploited on a wide scale and Oracle's not having the greatest luck fixing the problems letting malware in, it seems prudent to direct people away from it unless they really, really need it.

Any well may be poisoned, but if you know this one is you'd avoid it and warn others, wouldn't you?

For me, the odd thing here is that they were already disabling running Java by default, which does a lot to defeat the drive-by download problem. Given that such a mechanism is in place, we already seem to have achieved the main goal you mentioned before: exploits don't "just work".

At that point, making Java "just work as long as you click somewhere to confirm you want it to" seems a reasonable policy to me. As many here have pointed out, reports of the death of Java applets serving useful purposes have been greatly exaggerated.
