Yesterday Oracle updated their Java JRE to fix yet another zero-day exploit. It seems that lately Java has become the new Flash, with new exploits being found on a daily or weekly basis. It really looks like they are dropping the ball on the security aspect of Java. This is especially upsetting since the whole idea of Java was built on security from day one, yet since Oracle acquired SUN it is obvious that the situation, far from improving, has gone steadily downhill.
It is true that Java has become a monster. I recall the early days, when all you could do was perform simple animations in a browser and there was no standard way to connect to a database. Those days are long gone, and now there are zillions of APIs to do almost anything you can dream of in Java. That is a strength of the platform, but also a weakness, as it is becoming harder and harder to spot bugs. I do understand that, and it may be time to remove some APIs from the platform, but it doesn't have to be like that. There are alternatives to the Oracle JRE, and not all are affected by this bug. For example, IBM's JRE does not have this bug. That is because IBM spends money to harden the security of its own product. It can therefore be done; it is just a matter of spending additional time and money on quality testing. My issue is not that there are no better options available, it is that Oracle's failure to secure Java is casting a long shadow on the future of the platform, and on all of us who have invested in it.
I think it is time for Oracle to clean up their act. They have always tried to solve their problems through heavy marketing spending. Remember when they advertised their database as being Unbreakable? That, obviously, wasn't true. Their product wasn't sub-par, but it was hardly above the pack, especially if you compare it to DB2 on the mainframe. The same can be said for their applications, which require regular fixes addressing serious security issues. Marketing allowed them to enjoy a reputation they didn't deserve. Now they have to deal with reality. I think this is something new for them. The only way out is to invest in their product and solve the issues. In other words, more engineering and less marketing. Otherwise, Java will go the way of the Dodo.
Disclaimer: I have always worked at companies that have competed with Oracle. However, this is personal: these problems affect me and my career directly, as well as hundreds of thousands of fellow Java developers.