17
Feb 11

Java 6 Update 24 Plugs 21 Security Holes

facebooktwittergoogle_plusredditpinterestlinkedinmail

A new version of Java fixes at least 21 security flaws in the widely-distributed software bundle. Updates are available for Windows, Linux and Solaris users.

If you’re curious about the security updates included in Java 6 Update 24, see the release notes from Oracle. As I have shown in many stories on this blog, outdated Java installations can give bad guys and malware a foothold on your system, so if you use Java, please keep it updated. If you have Java installed but can’t remember why, you might consider simply uninstalling it altogether (you can always reinstall it later). I only keep Java installed on one system of mine, and I disable the Java plugin from within Mozilla Firefox (Tools, Add-ons, Plugins).

Updates are available from within Java (click the Update tab from the Java entry in the Windows control panel), or from Java.com. Mac users will need to wait until Apple releases a separate update to fix these flaws on OS X because the company maintains its own version of Java (for now, anyway).

Tags: ,

31 comments

  1. >”(click the Update tab from the Java entry in the Windows control panel)”

    Interestingly enough, my J6R23 control panel applet no longer has an update tab.

    Also, I see that there is a FlashPlayer update, but I can’t find the release notes to see what updates it contains.

    • Weird, Moike. What happens when you do this?

      Start -> Run -> “C:\Program Files (x86)\Java\jre6\bin\javacpl.exe

      Do you see the Update tab after running that file?

      • > Start -> Run -> “C:\Program Files (x86)\Java\jre6\bin\javacpl.exe

        Thanks – now the Update tab shows with that program.

      • Brian,

        That link does have the Update tab (Thanks for the tip!) but when I clicked on the update button, but I had to switch to an admin account.

        I disabled Java in both iE9 RC and Chrome (beta channel) but will think about removing it completely.

        Thanks again for the heads up on the update!

    • Remember that the Update tab only appears if you have admin privilege. LUA users don’t even see it–one of the few things Java does right.

      • >LUA users don’t even see it–one of the few things Java does right.

        Java doesn’t quite get everything right – an administrative user doesn’t have the option to elevate privileges. There doesn’t even appear to be any way to run the control panel or java applet with elevated privileges.

        • I does seem ridiculous that the administrator has to run the execution file to get the tab/button to show up. I don’t see how this would be a good security feature, but maybe not.

          I haven’t seen mine(update control), in control panel every since version 6.0.220.

  2. As widely used as Java is, I cannot believe they still try to push out, by default, the “free Yahoo toolbar” and other assorted nonsense. Anyway, thanks for the heads up Brian. Downloading now.

  3. Brian, I noticed that after patching, Java leaves outdated Firefox extensions of the Java Console. For instance, while the latest extension seems to be 6.0.24, I noticed I was still running 6.0.23 and 6.0.19. No other Firefox extensions I have work this way — when there is an update, the old version of the extension is replaced by the new. How does Sun justify its odd update practice?

    • After reading your comment I went and checked and found a java deployment component in FF (npdeployJava1.dll) and renamed it.

      I also noticed a couple of Microsoft DRM plugins (npwmsdrm.dll and npdrmv2.dll) and wonder if anyone knows anything about these (e.g. are they necessary in any way [from the user's point of view that is]).

      • To bgc’s question;

        I’m guessing it has to do with premium content streamed over browser’s. I watch HD content over my browser all the time. Both FF and IE8 do a better job rendering high definition than Media Center; so I stopped using WMC for that.

        Netflix rocks!!
        (I am not a paid fan-boy of any streaming service)

  4. Hi Brian,

    Love your blog!

    I took your advice long ago (when you were still at the Washington Post) and removed Java — haven’t missed it (or needed it) since.

    John

  5. good cause u23 kept crashing.
    whatever the problem was, it’s now resolved.

    I rarely use java so w/e.

  6. Ive used Java for about 8 years now.There are still nifty programs i use it for.I will not FEAR what might happen.The majority of security issues are user based in general.

    Still that being said if you dont use it for much or anything, no real reason to keep it on your system.One less potential hole a hacker can exploit.

  7. I’ve never once gotten the Java Update to work properly, whether as a user or an admin. I always wind up having to uninstall old / install new. Rather a PITA.

    • I hear you Dave;

      I let Secunia PSI or FileHippo point to the solution on that. I’ve never had any luck with the java console either. The solution those utilities download automatically uninstall and replace the old versions(not the console necessarily).

  8. Thanks for this! I have disabled it in Firefox :)

  9. Just thought I’d let you know you’ve got a typo in the title of this post.

    Great read though! Gave me something to do while I updated Java this morning..

  10. Sigh. Why does it only check for an update once a month? It even resets back to checking once a month after updating, even though I deliberately set it to check daily.

    Shocking.

  11. I was asked to download java 6 update 24 and then delete all other Java from my computer. I am still unable to download the coupons that they said I needed the download for. The only other Java I have is Java 6 update 1. Is it safe to delete it?

    • Coupons? Are you sure you didn’t get a fake alert? Be careful of clicking on anything that could be a fake update alert. It could compromise you PC!

      It is better to save the installation files of the new update, if you suspect you have legacy version of java; and remove all versions from the add remove console – depending on what OS you are using.

      After that the java installer should remove previous versions automatically. If you only see the latest version in the programs console, then you should be fine. If they won’t remove using the programs console, you may have to delete the .exe file. This is not for the faint hearted. It is better to look it up on google to get the best instructions and follow them to the letter.

      I use Secunia PSI to find the path, and simply delete the legacy .exe file at the end of the path. If this sounds like geekinese to you, then you need to find a friend who knows what they are doing.

      • @Linda; addendum;

        Most people use “javara” to delete all previous dross caused by java. The Secunia forum states that this program leaves some of the newer versions intact. But that is okay, because java has now finally figured out how to automatically uninstall previous versions upon updating.

        Will ORACLE wonders never cease!?

  12. Hi Brian,

    I am trying to remove Java(TM) 6 Update 24

    it tells me to open this file

    AppData\LocalLow\Sun\Java\jre1.6.0_16\jre1.6.0_16-c-l.msi

    and my computer does not have that file.

    I am stuck, please help.

    • Dear Moyeen;

      This isn’t a customer service help site; but I’ll try to give some pointers. I’m pretty sure you are not showing us the full path. It should have been preceded by C:/Users or C:/Program Files or something like that.

      Appdata files are usually hidden by the file system. You will have to go into the Folder Control in Explorer or Control Panel to unhide everything from the Folder Options control. Just Google it – Google is your friend!

      P.S. – don’t forget to reverse anything you have unhidden after finishing your maintenance!

  13. Dear JCitizen,

    Yes I did unhide all folders. the path is like this

    C:\User Name\AppData\LocalLow\Sun\Java\jre1.6.0_16\jre1.6.0_16-c-l.msi

    I have googled and it seems like a bug and not much help there as well.

    Best regards,

    • Also @ Moyeen;

      You will have to subsitute the “User name” that is in your PC – I hope you didn’t overlook that – I assumed you didn’t but we all know what happens when we assume!

      Your administrator will have a different “User name” of course!

  14. It may be possible that your windows installer has issues. After the SP1 update even Vista users had corrupted Windows Installer issues. I’m still in the process of installing my last repair on my PC.

    Did you attempt to use the search function to find “jre1.6.0_16-c-l.msi”?

    You haven’t stated whether it was Secunia PSI that delivered this file path or not? Perhaps doing a search for anything *.msi will point you in the right direction?

    Many have solved this same problem using Revo Uninstaller to fine pesky application files – especially if they are posing as malware and won’t show up on the regular “Add/Remove Programs” applet.

    Perhaps you are getting a false signal because the file structure or registry needs cleaning. CCleaner will usually solve that problem safely.

    • @JCitizen,

      After deep cleaning with Revo, its gone. Thank you so much. I think, I should install Java update 23 now and wait for update 25 to come in.

      Best regards,

      • Oh Joy! That is sooo good to hear! I hope you never have to mess with it again, because the java seems to update and remove the previous version without a problem now; or at least while using File Hippo Update Checker it doesn’t. I read reports the regular java console works well now that ORACLE is running Sun now.

        I never use it, because the update tab doesn’t work, and the auto-updater module doesn’t either – for me anyway.

  15. I have tried installing java in my laptop. I use windows vista home edition. When I try to install java, it says that java is already installed into my computer. How do I get java to remove from my add and remove programs, and be able to put it back into my system?