07
Jun 11

Java Patch Plugs 17 Security Holes


Oracle today released an update to its ubiquitous Java software that fixes at least 17 security vulnerabilities in the program.

The company is advising users to apply this update as soon as possible; it looks like most — if not all — of the vulnerabilities addressed by this new version may be exploited remotely without authentication.

The latest version is Java 6 Update 26 (v. 1.6.0.26), and is available either through the updater built in to Java (accessible from the Windows control panel) or by visiting java.com. If you’re not sure which version you have or whether you’ve got the program installed at all, click the “Do I have Java” link below the red download button on the Java homepage.

Java’s broad install base has made it a major target for computer crooks. It certainly does not help that so many users fail to keep this very powerful program updated. If you have no use for Java, my advice is to get rid of it. If you can’t bring yourself to do that, consider disabling the Java plug-in(s) in your browser of choice unless and until you need the program.


13 comments

  1. As always, thanks for the heads-up, Brian!

    If you’re on Windows 7 64-bit, see the comment by Brain to get to the Java updater.

    http://krebsonsecurity.com/2011/02/java-6-update-24-plugs-21-securty-holes/

    Otherwise Java’s updater won’t load via the Control Panel.

    • PS And you might have to log in with an admin account.

      I don’t know why the updater asked for my admin account but then didn’t download the update.

      • Even when logged in as an admin I have seen the updater fail to load. Also sometimes the update tab on the Java control panel will not show up. In those cases just go to java.com and grab the latest installer.

  2. @sharpesecurity

    If for some reason you cannot upgrade some of your endpoints running Sun’s JRE, please consider adding IPS detection for the list of actively exploited Sun Java vulnerabilities at http://blog.sharpesecurity.com/2010/10/25/list-of-currently-exploited-sun-java-vulnerabilities/

  3. OK. So I have Windows 7 64bit with newly installed IE9 that gives me misc pop-ups unless I disable Shockwave Flash and I just uninstalled Java which hadn’t been updated since last year. What am I going to be missing by doing that? So far so good but????

    • If you have to ask, probably not much. If you ever need it you’ll know. If not, good riddance.

  4. I just updated my XP Pro and noticed the Java update interval had been reset back to the default of monthly. Those of you who choose a different update interval might want to check your settings.

    • The update settings are reset with each upgrade. Both the notify setting and the checking interval. In this case, I prefer to prevent Java from automatically checking for updates. This was originally to preserve our network’s limited bandwidth and to prevent the notifications from annoying the end-users. However, for about a year or so, the Update tab is no longer visible for non-admin users. Therefore we cannot, by conventional means, turn off the automatic checking for updates for non-admin users. Wth?

      On another note, why can I never find the 64-bit version of JRE on Oracle’s Java site? I have to resort to locating it on Download.com. Anyone got the magical (ftp?) link? ;)

  5. Truck of Fark

    If you don’t need Java, remove it from your system(s).

  6. I second the suggestions here. Unless there is some mission-critical app that requires Java, it’s best to just uninstall it. You will not even notice any adverse effect.

  7. OK…weird…thanks…Java is out. Also installed new Shockwave Flash version recommended and all the stupid flickering pop-ups stopped within IE9. My next question is what other little tidbits of software can I dump without losing anything especially some of those start-ups that always delay initial fire-up in the morning?