February 15, 2012

Oracle has shipped a critical update that fixes at least 14 security vulnerabilities in its Java JRE software. The company is urging users to deploy the fixes as quickly as possible.

Java flaws are a favorite target of miscreants and malware because of the program’s power and massive install base: Oracle estimates that Java is installed on more than three billion machines worldwide.

In an emailed advisory accompanying the new release, Oracle urged users to update without delay. “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon as possible.”

The new versions are Java 6 Update 31, and Java 7 Update 3. To see if you have Java installed and to find out what version you have, visit Java.com and click the “Do I have Java?” link. Existing users should be able to update by visiting the Windows Control Panel and clicking the Java icon, or by searching for “Java” and clicking the “Update Now” button from the Update tab.

Each time Oracle ships a security update, I urge readers who have this program installed to reevaluate whether they need it at all. Failing to keep Java updated leaves you dangerously vulnerable to attacks. For those who need Java for the occasional site or service, disabling the Java browser plugin and temporarily re-enabling it only when needed is one way to minimize exposure to this powerful program. Leaving the Java plugin enabled only in a secondary browser that is used solely for sites or services that require Java is another alternative.
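The article names the fixed versions (Java 6 Update 31 and Java 7 Update 3) and tells readers to check what they have installed. The following script is an added example, not from the article or from Oracle, that does the same check from the command line: it parses the `java -version` banner that Java 6/7-era runtimes print and classifies the install as patched, outdated, an uncovered Java family, or absent. The sample banners at the bottom are constructed for offline testing; the minimum-update table holds only the two versions the article states.

```python
import re
import subprocess

# Minimum update level containing the fixes shipped on 2012-02-15,
# as stated in the article: Java 6 Update 31 and Java 7 Update 3.
FIXED_UPDATE = {6: 31, 7: 3}

# Matches the version line a Java 6/7-era runtime prints, e.g.
#   java version "1.6.0_31"
#   java version "1.7.0_03"
VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?"')


def parse_java_version(output):
    """Return (major, update) from `java -version` output, or None if absent.

    A version string without an update suffix (e.g. "1.6.0") is treated
    as update 0.
    """
    match = VERSION_RE.search(output)
    if match is None:
        return None
    major = int(match.group(1))
    update = int(match.group(2)) if match.group(2) else 0
    return major, update


def is_patched(output):
    """Classify `java -version` output against FIXED_UPDATE.

    Returns "patched", "outdated", "unknown-family" (a Java family the
    table does not cover, e.g. 1.5) or "not-found" (no version line).
    """
    parsed = parse_java_version(output)
    if parsed is None:
        return "not-found"
    major, update = parsed
    if major not in FIXED_UPDATE:
        return "unknown-family"
    return "patched" if update >= FIXED_UPDATE[major] else "outdated"


def check_local_java():
    """Run `java -version` on this machine and classify the result.

    The runtime prints its version banner to stderr, so both streams are
    captured. A missing `java` binary counts as "not-found".
    """
    try:
        proc = subprocess.run(
            ["java", "-version"], capture_output=True, text=True, check=False
        )
    except OSError:
        return "not-found"
    return is_patched(proc.stderr + proc.stdout)


# Constructed sample banners (not captured from any real machine) so the
# classifier can be exercised without a Java install.
SAMPLES = {
    "patched 6": 'java version "1.6.0_31"\nJava(TM) SE Runtime Environment\n',
    "stale 6": 'java version "1.6.0_15"\nJava(TM) SE Runtime Environment\n',
    "patched 7": 'java version "1.7.0_03"\n',
    "ancient 5": 'java version "1.5.0_22"\n',
    "no java": "'java' is not recognized as an internal or external command\n",
}

if __name__ == "__main__":
    for label, banner in SAMPLES.items():
        print(f"{label:>10}: {is_patched(banner)}")
    print(f"this host: {check_local_java()}")
```

Run it as-is to see the constructed samples classified, followed by the result for the machine it runs on. An "unknown-family" result is deliberately not reported as patched: a runtime older than Java 6 predates the table entirely and should be treated as unsupported rather than silently passed.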


15 thoughts on “Java Security Update Scrubs 14 Flaws”

  1. Jonathon

    I just updated 32-bit Java on my machine, and guess what? Without asking, it also installed an additional software package for “JavaFX 2.0.3” WITHOUT asking me!

    Forgive me while I vent my frustrations:
    AAAAAAAAAARGH!

    It shows up as a separate item in my uninstall programs dialog, but not for long!

  2. Nic

    Is it a safe assumption that most Java users are either:

    1. unaware they have it installed and likely don’t even use it or
    2. forced to use it by corporate policy

    I ask because watching from the sidelines, Java is a freakshow. Like, a multi-year trainwreck.

  3. BrianKrebs Post author

    Well, I’m sure one of the Java developers that likes to troll this blog will chime in here and set me straight, but yes I think your assessment is pretty spot-on. Java is a train wreck that doesn’t belong on end-user systems. Unfortunately, the program is required by a lot of business applications. Worse still, because oftentimes those applications break if users update them, they frequently remain badly outdated and plugged straight into the browser.

    1. Dan

      The Java Developer troll must have visited this post and disliked all these comments. I don’t understand why this person does not realize that Java problems are very well documented and a crutch to IT security. It is nothing against Java Developers. Their product is just under more scrutiny.

    2. Tom Seaview

      I work in an environment where the main payroll/timekeeping application, used by every single employee, requires Java 6 update 15. Updating the Java VM breaks the application.
      The vendor would charge millions to update their software, which would only freeze the required version somewhere in the mid-20s.

      1. SeymourB

        Easiest solution would be to have two browsers, IE & Firefox, say, and have Java enabled in IE and disabled in Firefox. It needs to be IE & something else, since IE uses ActiveX controls and Firefox/Chrome/etc. use plugins.

        Then just tell users they shouldn’t browse in IE. If you want to be draconian adjust their security zones so everything is high security except for any sites used by your Java app. They’ll learn quick to not use IE when most interactive content is unusable.

  4. Dan

    Unfortunately it is the guys at the top of the food chain that decide they want Java and they have no security or IT experience. We are then forced to keep it updated or leave a gaping security hole.

  5. Gary

    As I’ve mentioned before, Verizon’s online voice mail retrieval (through Digital Voice) requires Java.

  6. JimV

    That Fx app installation must come through the auto-update and auto-download features that are enabled (and re-enabled) whenever a new Java version is installed. I always make a point of disabling both in the settings afterward (the auto-download is in the ‘Advanced’ tab) to keep it on a tight(er) leash, and FileHippo seems to serve up only the basic download needed for the update and not the extra crap that some developers want to push out with updates.

  7. Don

    Personally, since I need to have it running on my work computer, I enable the console window within the Java control panel. This allows me to see when the JRE is getting called. Therefore, should I see a console window when not expected, I know something is wrong.

    I use a bare bones browser without any plugins while surfing outside the corporate network and after reading this article went and double checked the Java plugin was not enabled – thanks for looking out for me 🙂

  8. A340-600

    Ugh! I hate updating Java. I have to type C:\Program Files (x86)\Java\jre6\bin\javacpl.exe to get the Update tab.

  9. Stratocaster

    Yes, Java is a favorite tool of enterprise Web app developers. I use several which are mission-critical. And then, of course the IT Borg Collective locks down certain features of our desktops so we can’t update Java ourselves, but they don’t ever push out Java updates either. I actually encountered a department notebook a few days ago which had JRE version 1.5 on it. (Jeez.)

    Fortunately, I have found a workaround so I can keep Java on my own desktops updated, despite their best efforts to prevent it. As well, we abandoned an Avaya Web conferencing platform which required Java for WebEx, which does not. (hint hint)

    I have to be able to run the corporate apps at home, so I must tolerate Java there as well, but at least I have no trouble installing updates. Since our corporate standard is IE, at least I don’t have to make it active for REAL browsers.

  10. bob

    Java was the most sensible option for writing desktop apps in heterogeneous environments up until the point that webapps became feasible and common. There are still a huge number of Java desktop apps out there as a result and they’ll take a long time to die off naturally. It’s hardly surprising that calling Java a “train wreck” because one particular use case is no longer valid gets somebody’s goat.

    As a forum for the discussion of security, this blog is my favourite. As a forum for the discussion of programming languages, it doesn’t even register.

  11. bob

    @A340-600

    Open notepad
    Type “C:\Program Files (x86)\Java\jre6\bin\javacpl.exe”
    Save as updatejava.bat
    Stick it in the scheduler to run weekly

  12. tom

    I installed the newest version. I no longer have the ability to check for updates in the Java Control Panel. Does anyone else have the same issue? (Windows XP SP3)

Comments are closed.