17 Oct 12

Critical Java Patch Plugs 30 Security Holes


Oracle on Tuesday pushed out a bevy of security patches for its products, including an update to Java that remedies at least 30 vulnerabilities in the widely-used program.

The latest versions, Java 7 Update 9 and Java 6 Update 37, are available either through the updater built into Java (accessible from the Windows Control Panel) or by visiting Java.com. If you’re not sure which version you have, or whether you’ve got the program installed at all, click the “Do I have Java?” link below the red download button on the Java homepage.

Apple maintains and supplies its own version of Java. Given the rapidity with which it has followed Oracle’s Java updates (ever since April 2012, when the Flashback malware used an unpatched Java flaw to infect more than 650,000 Macs), I would expect Apple to have an update ready soon. Update: Apple has released an update for Java, one that removes the Java plugin from all Mac-compatible browsers installed on the system.

Broken record alert: If you need Java, update it now. Cyber thieves and malware love to use unpatched Java holes to break into systems, and miscreants are always looking for new Java exploits to use. If you don’t need Java, uninstall it; you can always reinstall it later.

If you need it only for a specific Web site, I’d suggest unplugging it from your main browser and adopting a two-browser approach. For example, if you normally browse the Web with Firefox, consider disabling the Java plugin in Firefox and using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to visit only the site that requires it.

Note that Oracle’s updater may pre-select the installation of a third-party product, such as McAfee Security Scan Plus. If you don’t want this software, be sure to de-select that option before updating. Also, bear in mind that if you opt for the two-browser approach and unplug Java from the browser, the plugin will be re-enabled after every update, so re-check the plugin setting in your main browser each time you update.

More on this update is available from Oracle’s Java SE Critical Patch Update Advisory.
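A quick way to answer the “which version do I have?” question without trusting the website’s detection page is to parse the output of `java -version` and compare it against the update levels this patch ships (7 Update 9 and 6 Update 37). The script below is an added example, not code from the post or from Oracle; it assumes the legacy `1.<family>.0_<update>` version string that Java 6 and 7 print, and the sample strings in the test are constructed, not captured from a real machine.

```python
import re
import subprocess

# Minimum patched update level per Java family from the October 2012
# Java SE Critical Patch Update named in the post: 7u9 and 6u37.
PATCHED_UPDATE = {6: 37, 7: 9}

# Java 6/7 print e.g.  java version "1.7.0_09"  on the first line of
# `java -version` (to stderr).  Builds may append "-b06"; we ignore that.
_VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+_(\d+)')


def parse_java_version(output):
    """Return (family, update) parsed from `java -version` output, or
    None when the legacy 1.x version string is not present."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_patched(output):
    """True if the installed update level is at or above the patched
    level for its family, False if it is older or an unsupported family
    (Java 5 and earlier), None if the output cannot be parsed."""
    parsed = parse_java_version(output)
    if parsed is None:
        return None
    family, update = parsed
    minimum = PATCHED_UPDATE.get(family)
    if minimum is None:
        # No patched level known for this family: treat as not patched.
        return False
    return update >= minimum


def installed_java_output():
    """Run `java -version` on this machine. Returns '' when no java
    binary is on the PATH, which is the 'you don't have Java' case."""
    try:
        r = subprocess.run(["java", "-version"],
                           capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    # Java 6/7 write the version banner to stderr, not stdout.
    return r.stderr + r.stdout


if __name__ == "__main__":
    out = installed_java_output()
    if not out:
        print("No java binary found on PATH.")
    else:
        print(out.splitlines()[0])
        state = is_patched(out)
        if state is None:
            print("Could not parse version string.")
        elif state:
            print("At or above the patched update level.")
        else:
            print("Older than the patched update level: update or uninstall.")
```

Note that this only inspects the `java` binary on the PATH; a second, older JRE left behind by a previous installer, or the browser plugin pointing at a different runtime, would not be seen, so it complements rather than replaces checking the installed-programs list.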


30 comments

  1. I thought Apple had finally handed over OS X Java updates to Oracle? http://www.h-online.com/security/news/item/Java-SE-7-Update-6-hands-OS-X-support-to-Oracle-1667714.html

    I’m with you, though. I’ve been telling everyone: If you don’t need it, dump it. Not sure? Dump it and if an app needs it, you’ll find out. ;)

    • Oracle released and maintains Java 7 for OS X, but Java 6 from Apple is still installed on the overwhelmingly vast majority of Macs that have Java installed.

      Looks like Apple released a synchronized update: http://support.apple.com/kb/HT5549

      • Thanks for the clarification, Braden! :)

        Sophos is reporting that Apple has released their Java 6 update for OS X and it _removes_ the browser plugin altogether.

        So, it seems OS X users who really want/need it in their browser will have to install Oracle’s Java 7 to get that functionality back.

  2. Exploitable Java? Oracle releases patched version? What’s new then? :D Broken record indeed, Mr. Krebs. Don’t get me wrong – this remark is not pointed at Your post in any way, kind Sir. I appreciate the information that You provide. It’s just… soon (today? tomorrow?) we will find out that the patches have opened other points of entry for the bad guys… And the story will repeat itself very soon again after that.

    In one of the James Bond movies (“Tomorrow never dies” with Pierce Brosnan) the “bad guy” is discussing with his associates the plan to “take over the world” and one of the points of his plan is “releasing software full of bugs which will force users to upgrade for years”. I always thought it was a poke aimed at Bill Gates and Microsoft… Looking at what happens to Adobe (Flash) and Oracle (Java) I am not so sure of that anymore…

    Regards.

    AndrzejL

  3. Chrome has been asking permission to run Java when it’s needed. As long as it asks first, is it safe?

    • It is – sorta… Well, it is safe until the bad guys find a way to bypass that question… if they haven’t already…

      Regards.

      Andrzej

  4. I really DISLIKE the fact that Java tries to jam in the ASK.COM toolbar on each of these downloads. Is there a place to grab a malware free Java download?

  5. I don’t think it is a good idea to use Safari for Windows even as a second browser.

    Apple no longer supports Safari for Windows since the release of Mac OS X Mountain Lion (i.e. when Safari 6 was launched). 5.1.7 is the final version and it will not be updated to v6. I strongly advise you to uninstall Safari for Windows and choose a different web browser.

    Here are some news articles that discuss Apple’s decision with regard to Safari for Windows and the risks that you are leaving yourself open to.

    http://www.msnbc.msn.com/id/48425652/ns/technology_and_science-security/t/apple-security-update-ditches-snow-leopard-windows-users/

    http://nakedsecurity.sophos.com/2012/07/30/no-safari-security-updates/

    Having recently tested the Microsoft Browser Choice update on 1 of my PCs, Apple Safari is no longer on the list of browsers to choose from.

    I hope this helps. Thank you.

    • I also feel very sorry for Apple OS X Snow Leopard (10.6), Leopard (10.5) and Tiger (10.4) users. They either have the choice of upgrading their OS which isn’t too bad since OS X is fairly priced.

      But for Apple users with older hardware that isn’t supported for Lion (10.7) or Mountain Lion (10.8) they have to upgrade their hardware in order to stay safe while browsing if they wish to use Safari. This is very far from ideal.

      The versions of OS X that no longer receive security updates are still quite new by today’s standards and I think that Apple’s practice of phasing them out so soon is wrong.

      The links below will help you determine if you can upgrade to a newer version of OS X (while keeping your current hardware or if you need to upgrade that too). I hope this helps.

      Thank you.

      http://www.apple.com/osx/how-to-upgrade/

      http://en.wikipedia.org/wiki/Mac_OS_X_Lion

      • I have two Macs. One runs the Lion OS while the other is still Snow Leopard due to an on-going project. Both machines can easily upgrade to Mountain Lion, but why?

        As I hate the unified bar, I still browse using 5.1.7. (I tried 6.0.1 and rolled back via Time Machine.) I saw the new Java for Mac OS X 10.6 Update 11 an hour ago. By using this browser, I don’t think I am missing anything. I use Little Snitch so I can block my two favorite sources of crap – twitter and facebook – along with a bunch of other connections I don’t want to make. Even though an upgrade to Mountain Lion is pretty cheap, I really didn’t see any features that swayed me to buy it.

        Why some people still use Tiger, I don’t know. For me, being a long-time Mac user, I really hate how Apple is making the Mac just like the iPhone. There are some features in Lion I absolutely abhor and the same goes for Mountain Lion. As long as Apple releases a security update for Snow Leopard I will continue using it until I finish my project or maybe even longer. And for those who use the older OSes, I am sure they feel the same way.

        Your argument is about the same as the people who complain about those who still use Windows XP. If they feel safe with their choice, and don’t believe upgrading is providing them with desirable features, why upgrade? Not everyone answers calls from unknown callers or browses to untrustworthy sites. So, the cost of getting a new computer just to browse may not be in their best interests.

        In addition, for those using the older OSes, I am sure they know by now that Apple support only lasts for a couple of years for each product before the next, shiny new thing comes along. That is simply how it is done in the tech industry today, and it is not just Apple that operates this way.

        • Look, I can see what you mean about preferring the older one, but that nonsense about “not visiting untrustworthy sites” is pure BS. ANY site can be hijacked to serve up Blackhole at ANY time. How secure do you think the sites you browse are?

          These days you have to assume ALL sites – even this one – have a hidden iFrame serving up some nasty content, and take reasonable precautions, which include keeping your shit up to date in order to prevent getting owned.

      • I’m still using Leopard, because several programs that I use every day won’t function on the later versions of OSX. Some of these programs require costly upgrades to work with the newer system software; for other programs, the upgrades simply aren’t available (or weren’t the last time I checked).

        I also agree with the comment above that the newer versions of OSX contain “some features that I absolutely abhor”, at least according to the publicity that Apple has sent out.

  6. As always, thanks for the heads-up. :)

  7. Thank you Brian!

  8. Second time now that I don’t have to worry about a Java update.

    Good thing I took your advice and uninstalled Java.

  9. I honestly feel bad for people who don’t understand these updates. I can’t imagine trying to explain to an end user why they should use a different browser strictly for java applications. Most of them don’t even know what a browser is. They won’t take the time out of their day to learn security and why it is essential to keep things updated. I have been installing Secunia PSI on most of these people’s computers in an effort to make these updates easier for them. But, the complexity seems to be overwhelming for most.

    • There are computer courses online for free. Ask them if they would try to fly a jet fighter without flying lessons… :D

    • Maybe, but if your first Mac came with Lion, you don’t have to worry about Java, unless you installed it yourself.

  10. Has anyone else lost the Java applet in the Control Panel? I’ve just updated 4 different WinXP Pro machines, all have lost the Control panel icon for java.
    Pondering what to do…I run OpenOffice & I believe Java is required….

    • “Pondering what to do…I run OpenOffice & I believe Java is required….”

      AFAIK you can run OpenOffice without the Java Run Time but some features (including OpenOffice Base in particular) won’t be able to function. If you only use it for basic Word and Excel replacement you should be okay, though any associated wizards might not work.

      You may have other software that also requires Java, though. Cisco’s Configuration Professional and ASDM require Java.

    • Switch to LibreOffice. It’s a fork with lots of nice updates and way less reliance on Java.

    • Doug, I’m also running XP, and I also find that the Java icon no longer shows in Control Panel after the update. (On a Win7 machine, meanwhile, all is well.) This doesn’t mean, however, that Java has disappeared from your computers. Mine still has Java, though Control Panel doesn’t seem to know it. Check Add or Remove Programs and you’ll probably find Java 7 Update 9 there.

      My guess is that the disappearance from Control Panel is just a temporary glitch. They’ll probably fix it with the next update.

      • gtodon – thanks for confirming it’s not just me!!

        A work around is to use a Shortcut to “C:\Program Files\Java\jre7\bin\javacpl.cpl”

        I have not yet tried an uninstall & full install to see if that will fix it – but I have downloaded the full install (Thanks to John (above) October 17, 2012 at 11:31 am who posted the link) & will eventually get around to it.

        Andrew Zizzo – thanks for the info I think I will uninstall Java on 4 of 6 WinXP machines but you also called it – 2 of my machines use java for other programs.

        bob – good suggestion, I am already using Libre on a Win7 machine and have no problems with it, knowing it is less reliant on java is making me want to switch to it on the XP machines too – just a matter time.

        Thank you all.

      • gtodon – question for you, am I right that you are using java 7 update 9? (You referred to it in the uninstall) My win 7 has vers 6 update 37, and, like your experience, the icon is still there. All the machines that lost the control panel icon were XP Pro and java vers 7 update 9.
        Thanks.

    • Me too. However, the console is available as an executable through the directory starting at /program files/Java/. Sorry, I’m not at my home computer now or I would provide the entire path.

      • Thanks for the thought, Tom. The full path is above in my first comment; I know how easy it is to miss those things. :)

        Hilary provided an excellent link (below) – author acknowledges the icon disappearing on XP machines and much more.

  11. Technical people using IE8 and above may control ActiveX (i.e. Java plugin) execution on a per-site basis.
    So the two-browser approach is not required to mitigate such threats.

    http://blogs.msdn.com/b/ieinternals/archive/2011/05/15/controlling-java-in-internet-explorer.aspx

  12. If Java is not necessary, then why is it installed on the PC?
    I haven’t had any security issues with it; I just keep getting an error that the java script is not working properly. Not sure it is even related to this JAVA.