01
Apr 10

Java Patch Plugs 27 Security Holes

facebooktwittergoogle_plusredditpinterestlinkedinmail

A new version of Java is available that fixes at least 27 security vulnerabilities in the ubiquitous software.

To see which version of Java you have installed, visit this link and click the “Do I Have Java?” link under the big red “Free Java Download” button. The newest version that includes these 27 fixes is Java 6 Update 19.

It seems Java’s built-in updater has gotten better about notifying users in a more timely fashion about available security updates. On one of my Windows 7 test machines, I received a prompt today to install the update. If you didn’t get that prompt yet and want to force an update, go to the Windows Control Panel, click the Java icon, then on the window that pops up click the “Update” tab, and then the “Update Now” button.

Updates are available for Windows, Linux and Solaris systems. Apple maintains its own version of Java and generally doesn’t release Java security updates until about six months after the fixes are made available for other operating systems.

If you don’t have Java, then you probably don’t need it. My personal philosophy is that if I don’t need it, I don’t install it or keep it. Java vulnerabilities increasingly are being targeted in automated exploit kits that are sewn into hacked and malicious sites, so by all means if you don’t have a use for it, I say get rid of it. Eliminating unnecessary programs helps reduce what security wonks call the “attack surface” of a system: You’re basically bricking up potential windows and doors into your computer. At any rate, if it turns out you do in fact need Java for some reason, you can always reinstall it.

By the way, the Java installer has for the past seven or so versions removed older versions of the software, but if your Java install is really old, you might find that your PC has several Java versions listed in the Add/Remove Programs panel. If that describes your situation, you should uninstall those older versions.

One final gripe: I’m tired of seeing major software companies use security updates as a way to install more third-party software. Adobe does this with its updates, and this Java update — like so many before — preselects the “Yahoo! Toolbar” to be installed. Broken record alert: If you don’t need it, don’t install it. It’s just one fewer program you have to worry about updating.

Tags:

30 comments

  1. No update notification from Java on my Win7.
    I know Java make a big deal out of being platform independent – which is great – but it does place a bigger responsibility on them to manage their updates more successfully than they do right now; otherwise they should swallow a little pride and let Java be updated like any other add-on/extension.

    • By default, Java checks for updates on the same day each month. If your day was not today, your notification could take up to almost a month before it shows up. Go into the the control panel>>Java>>Update>>Advanced and set your notification to “daily”.

      Of course, you want to update now, so press the “Check for Update Now” button ( or whatever it is called ).

      Oh, and when you actually do an update, you will have to redo the step above because the update checking will be changed back to “once a month”. Sigh.

      • I have to confess it was my fault that Java didn’t update – in the perpetual quest for speed I’d disabled updates in Startup Manager.
        My apologies for incorrectly maligning Java.

  2. One of these years we’ll get all the high risk targeted application vendors to release security patches on the same agreed upon scheduled timeline. Adobe made an effort to try this on Reader, but went out-of-band twice and Flash is still on it’s own schedule. The more monster size patches come out in various schedules, the more we’ll probably have to move into a virtualized sandboxed application security model.

    • DrZaiusApeLord

      Adobe isn’t trying, really. I can’t download the msi of just the update to put on a network share. I have to extract them while the installer is running via a little trickery and push it out via GP/batch/psexec. Why is this? Why are so protective of their updates? I don’t want or need eight different updates to run on my machine.

      Nor are they doing anything with WSUS’s third-party API, even though they occasionally work with Microsoft for updates to serious security issues with Flash.

      Their ‘disable javascript’ option in Reader is terrible. It prompts the user to enable javascript, not per document, but to turn it back for every document once it encounters a JS PDF.

      Adobe needs to step up and fix many of its shortcomings in regards to security.

  3. Good emphasis on going into control panel to remove older versions of Java. I often find in a lot of environments with a variety of vulnerable java releases even on the same system. While the latest java 6U9 release installation process is “supposed” to remove older versions, it doesn’t remove the releases that are now classified as EOL (5.0, 1.4). People that updated to the latest release may still be vulnerable because much older release can still co-exist. There are plenty of available exploits (crimeware, exploit kits, and commercial exploit modules) that target these older Java release whether people realized they have it installed or not.

    • In follow up to my 9:23 p.m. post below, let me mention that I did indeed uninstall Java twice through Windows XP control panel and not with the uninstall function at java.com.

  4. Other new security updates include Quicktime, iTunes and Firefox.

  5. Brian, I’m with you on the unsolicited third party software. Sometimes my old eyes miss those and I get stuck. BTW, Firefox 3.6.3 update request just popped up.

  6. Also make sure to remove/uninstall older Java add-ons within Firefox. I updated to 19, but had 17 and a 5.13 still as add-ons.

    Win7 & 3.6.2

  7. For Windows users, there’s a wonderful little tool called JaVaRa that launches the update, checks for old versions of Java, and removes them all.

    It’ll remove the Java update monitoring tool that sits (invisibly) in the System Tray, too.

    http://raproducts.org/javara.html

    –Bob.

  8. Thanks Brian. Great advice all around! Limiting what software is installed takes discipline, but the rewards are invaluable in a more secure system and one that is easier to patch/maintain. It goes to the KISS principle. Keep It Simple, Stupid! Something I try to follow in all facets of life. Again, takes discipline, but the rewards are priceless.

    As to Java itself, we use it extensively at work. Not a day goes by without a server crashing with a Java heap dump or some squirrely operation on an end user’s computers that requires uninstalling/reinstalling Java. Not to mention all the versions that must be maintained because various applications require a certain version to operate correctly. Talk about the opposite of the KISS principle! Guess it’s job security for us IT folks though. ;)

    I despise those third party add-ins! Argh! They shouldn’t be included to begin with! At the very least, they should use an opt-in method instead of opt-out. Most of them are crapware anyway! It all goes against the idea of “limiting” what you install! KISS! :)

  9. Several months ago, I contacted a bank for help on navigating their site while driving Firefox+NoScript+RequestPolicy. One of the stock emails they sent me declared NoScript, AdBlock and others as dangerous addons that hindered navigation and instructed their removal. Another said to uninstall older Java versions because Java never uninstalls them (16 was current then so I knew this was false). They kept insisting their info was correct and it took a few replies before they got it (I guess they must have asked someone). The stock emails they were blasting out were months/years out of date, they were clueless on Firefox and this is a large-ish regional bank. Scary, huh?

  10. Thanks yet again, Brian. The NYTimes crosswords use Java, so it’s good to have it up to date. Java offered the Bing toolbar, which I declined.

  11. Like all updates, please test before deploying. Cisco ASDM on an ASA5540 fails to load for us using 6.19, works fine on 6.17.

  12. Downloaded/installed offline-install Java exe, no toolbar offered, confirmed no toolbar present on IE8 and Firefox 3.6.3.

  13. I’ve been offered ‘Carbonite Back Up Tool’ or some such in my last few java updates.

  14. Thanks for mentioning piggy-back installs, such as the selected-by-default toolbars. The Java updater drives me nuts and I’m worried that one day I’ll be in a hurry and forget to uncheck all the extra crapware. Is there a setting or a registry key that can be toggled to prevent the piggy-back from being offered?

  15. I have been trying to install this Java up date, but keep getting the following error message: “Unable to launch the JAVA(TM) Update installer: The requested operation required elevation.” Any idea what this means and what I have to do.

    • Robert Guenther

      I’m getting the same message. If anyone has an answer…

      My system is Vista Home Basic. Verizon FIOS was installed last week.

      • I’ve experienced several cryptic Java error messages when trying to update from within Java Control Panel (update process apparently interacts badly with firewalls and AVs). One can diddle with firewall+AV settings or disable then temporarily, or go to http://java.com/en/download/manual.jsp and get the *offline* install exe (various flavors offered). Should you decide on offline updates, I suggest going into Java Control Panel and disabling auto-update (default=yes but if it’s failing now, it will also fail then). Manual offline updates works best for me.

        • I use Windows XP, updated.

          What is the difference between the officially-labeled “offline” Java install and what I did — choose the ‘online’ install, but then saved the file to my programfiles/Java folder (my own creation) and then ran the .exe file to install Java. I notice there is a significant difference in file size. For better or worse, that’s what I do with Adobe Rdr., Adobe Flash, Firefox updates (I let Windows updates do their own thing).

          • Java’s initial “online” download is tiny compared to the “offline’s” but when run, it downloads a large file off the net, verifiable by watching network traffic. Online works if I disable firewall+AV but if a large file (don’t know how large) has to be downloaded anyway, I’d rather simply download the large offline exe and not have to disable either.

          • Michael, thanks very much for describing the difference between the online and offline installs. Your rationale for installing “offline” Java makes sense to me. Yesterday I removed Java online and installed the offline version. I wonder if I’ll notice any performance difference.

  16. I have Verizon high speed (not FIOS) and Vista Home Premium.

  17. I run Windows XP with updates and Firefox 3.6.2. Thanks to Brian’s post I used Brian’s link to the Java update. I ran “Do I have Java?” and got the message at the end of this post – that I wasn’t up to date. I checked Java in my control panel /add/delete programs and it said I did have 6.19. I uninstalled my Java anyway and reinstalled fresh from java.com. Restarted Windows. Ran “Do I have Java?” again and got same message. For fun, I uninstalled and reinstalled again. Restarted Windows. Get same message again.

    I post this because this “Do I have Java?” check seems quirky and I wonder if there is a technical or commercial reason for false readings.

    ========================
    Verifying Java Version
    Oops! You don’t have the recommended Java installed.
    Your installed family version is Java 6

    Please click the button below to get the recommended Java for your computer.

    NOTE: If you recently completed your Java software installation, you may need to restart your browser (close all browser windows and re-open) before verifying your installation.
    Download Free Java for Windows
    Windows 7, Vista, XP, 2000, 2003 and 2008 Server
    Version 6 Update 19

  18. Since the acquisition of SUN by Oracle in January I have been wondering just how much future support we can expect on some SUN products. This might be something to watch.

  19. I used the link in the article and updated without a problem. Thanks.

  20. Was just offered the Carbonite trial install offer (pre-checked of course) in one Java update.

  21. Hmmm.

    In the Vista x64 Windows Control Panel, I don’t see any listing for Java.

    (I know I have it installed.)