Java vulnerabilities and the Arduino IDE

Greetings,

Very simple question: is there any IDE build that works with the latest Java patches? In the past couple of weeks, there was an exploit in the wild and Java 7 update 7 released to fix it.

As a side note, is there any policy on security by Arduino, being dependent on Java and its endless stream of security holes?

You are posting on this web site, which uses Java. What's your policy about that?

In fact the last post was another user impersonating Nick Gammon due the vulnerabilities.

I didn't expect to have security concerns met with comments like this. I believe I asked a legitimate question, with a legitimate concern. If the website uses Java and it gets exploited, it's the website owner's problem. If I'm using an app that depends on a vulnerable version of Java (or not!) then that is my concern to have. Last, I wasn't attacking Arduino, which I love working with, but Java itself, which apparently cannot stop being exploited version after version.

This website uses Java where? I have Java disabled in my browser and can navigate and use this site just fine.

The website does use Javascript, which is entirely different and unrelatd to Java.

Similar to the OP's concerns, I've seen it suggested lately that it's time to put Java to bed - that 90% of computer users never use it, that Java's risks outweigh the gains. Eg. http://www.pcworld.com/article/261843/time_to_give_java_the_boot.html I don't know how valid the report is, but it seems to be a cause for concern.

How would that affect Arduino,if Java was no longer available (or at least no longer pre-installed) on new computers?

This website uses Java where? I have Java disabled in my browser and can navigate and use this site just fine.

The website does use Javascript, which is entirely different and unrelatd to Java.

OMG indeed, just checked the forum software the site is running on, and it's all LAMP & Javascript, no Java to be seen anywhere. My original question stands :slight_smile:

mother:
In the past couple of weeks, there was an exploit in the wild and Java 7 update 7 released to fix it.

Let's read the security alert together, shall we...

From the first paragraph...

...affecting Java running in web browsers on desktops. These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications.

Do you believe the security alert applies to the Arduino IDE?

Perfectly good answer, all is well - I had read about the hole in other places, where that particularity wasn't included. What I sense though is some kind of protectionism towards Java, judging by the tone of the replies... I hope this is not the default way of addressing people here.

Otherwise, since I'm new here (although I've been a mod at BackTrack Linux & Netstumbler forums for years, so I know something about moderation) I respectfully ask what the rules are in posting questions, so as to not offend anyone again. :expressionless:

FWIW

I verified the IDE will work with 1.7.0_07 version of the JRE.

I am running Win7 X64 with 32-bit version of the JRE

I had to rename the java folder under Arduino, so that it would use the installed version instead of the Arduino version.

Here is the launch4j.log:

CmdLine:	C:\arduino\arduino-1.0.1\arduino.exe --l4j-debug
WOW64:		yes
Working dir:	C:\arduino\arduino-1.0.1\.
Bundled JRE:	java
Check launcher:	C:\arduino\arduino-1.0.1\java\bin\javaw.exe (n/a)
64-bit search:	SOFTWARE\JavaSoft\Java Runtime Environment...
32-bit search:	SOFTWARE\JavaSoft\Java Runtime Environment...
Match:		SOFTWARE\JavaSoft\Java Runtime Environment\1.7
Match:		SOFTWARE\JavaSoft\Java Runtime Environment\1.7.0_07
64-bit search:	SOFTWARE\JavaSoft\Java Development Kit...
32-bit search:	SOFTWARE\JavaSoft\Java Development Kit...
Check launcher:	C:\Program Files (x86)\Java\jre7\bin\javaw.exe (OK)
Add classpath:	lib\pde.jar
Add classpath:	lib\core.jar
Add classpath:	lib\jna.jar
Add classpath:	lib\ecj.jar
Add classpath:	lib\RXTXcomm.jar
Launcher:	C:\Program Files (x86)\Java\jre7\bin\javaw.exe
Launcher args:	-Xms128m -Xmx128m -classpath "lib;C:\Program Files (x86)\Java\jre7\lib\tools.jar;lib\pde.jar;lib\core.jar;lib\jna.jar;lib\ecj.jar;lib\RXTXcomm.jar" processing.app.Base
Args length:	167/32768 chars
Exit code:	259

There is some description of the vulnerabilities java has? I mean, I think installing java is more harmful than using an old version from the arduino folder.

mother:
What I sense though is some kind of protectionism towards Java, judging by the tone of the replies... I hope this is not the default way of addressing people here.

For a moderator you have surprisingly thin skin. :wink:

I respectfully ask what the rules are in posting questions, so as to not offend anyone again. :expressionless:

Who do you think was offended?

mother:
I didn't expect to have security concerns met with comments like this. I believe I asked a legitimate question, with a legitimate concern.

OK, I'll try again. The fact that a vulnerability has been found surely shows that things are now more secure now than they were a week ago (that is, if the patches are applied).

... is there any IDE build that works with the latest Java patches?

Well, why wouldn't it work? Surely a patch to a security problem does not change the way Java works using documented interfaces? Did you apply the Java patch? Then did you try using the IDE? What happened when you did those things?

As a side note, is there any policy on security by Arduino, being dependent on Java and its endless stream of security holes?

This is the only statement in this thread that has an unfortunate "tone" in my opinion. If you open in an aggressive way like that, what can you expect?

The Arduino, per se, is not dependent on Java. The IDE is. You can choose to develop using other development tool chains, such as avr-gcc directly. You have not identified any reported vulnerability that affects the Arduino IDE.

I respectfully ask what the rules are in posting questions, so as to not offend anyone again. smiley-neutral

Who is offended? My question was intended to draw out that Java is rather extensively used. As for posting questions, being polite and courteous will usually be sufficient.

However I do think your main question: "is there any IDE build that works with the latest Java patches?" could have been answered yourself by simply trying it.

I think we're almost there :slight_smile:

The fact that a vulnerability has been found surely shows that things are now more secure now than they were a week ago

Well, a new hole was found in the patch just a few hours later, so it's back where it started. The difference this time is that no exploits have been found in the wild yet.

Well, why wouldn't it work? Surely a patch to a security problem does not change the way Java works using documented interfaces? Did you apply the Java patch? Then did you try using the IDE? What happened when you did those things?

I installed the 1.7 SE and disabled old versions, and was told by the IDE that I needed v1.5 or older. It works OK with the 1.6 version provided by Apple, for example. I then did a git pull and built the IDE with 1.7 as the only enabled version, but it still complained. I'm pretty sure something needs to be changed in the build or config files for 1.7 to be compiled against, but I didn't go any further.

This is the only statement in this thread that has an unfortunate "tone" in my opinion. If you open in an aggressive way like that, what can you expect?

As I mentioned, it was aggressive against Java, not Arduino. In any case, if it came across as aggressive against Arduino or the forum, I apologize.

The Arduino, per se, is not dependent on Java. The IDE is. You can choose to develop using other development tool chains, such as avr-gcc directly. You have not identified any reported vulnerability that affects the Arduino IDE.

Agreed - I just asked if there was a known one, and had confirmed earlier in the thread that the vuln only affects web start apps, not desktop apps. So nothing to worry about in this case.

Who is offended? My question was intended to draw out that Java is rather extensively used.

If nobody was offended, then all is well. Sure, Java is extensively used, but that doesn't mean we all have to like it - I have worked with other cross-platform solutions such as Qt, and have come to the conclusion (again, my own, everyone is entitled and free to think & do what they want) that developing natively on each platform is better. Let's not start a religious argument now though :wink:

As for posting questions, being polite and courteous will usually be sufficient.

Yes, will do. I hope I can be a positive contributor here :slight_smile:

Sure, Java is extensively used, but that doesn't mean we all have to like it ...

Personally I don't like it. :wink:

So perhaps we are on the same side.