18
Jun 13

Critical Update Plugs 40 Security Holes in Java

facebooktwittergoogle_plusredditpinterestlinkedinmail

Oracle today released a critical patch update for its Java software that fixes at least 40 security vulnerabilities in this widely deployed program and browser plugin. Updates are available for Java 7 on both Mac and Windows.

javamessThe latest patch brings Java 7 to Update 25 (looks like Oracle has finally followed through on its promise to stop shipping updates for Java 6). In its accompanying advisory, Oracle notes that 37 of the 40 vulnerabilities fixed in this update may be remotely exploitable without authentication — that is, they can be exploited over a network without the need for a username and password.

If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. Updates are available from Java.com or via the Java Control Panel. Keep in mind that updating via the control panel will auto-select the installation of the Ask Toolbar, so de-select that if you don’t want the added crapware.

Other, seriously consider removing Java altogether.  I’ve long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

If you have an affirmative use or need for Java, unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play). Java 7 lets users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

There are a couple of ways to find out if you have Java installed and what version may be running.  Windows users can click Start, then Run, then type “cmd” without the quotes. At the command prompt, type “java -version” (again, no quotes). Users also can visit Java.com and click the “Do I have Java?” link on the homepage. Updates also should be available via the Java Control Panel or from Java.com.

Mac OS X 10.6 (Snow Leopard) users who have Java should check Software Update for any available updates. Mac OS X 10.7 (Lion) and 10.8 (Mountain Lion) users can grab the updated version of Java from Java.com.

Tags: , ,

18 comments

  1. Nice tip, I have forwarded to my team in case they did not see it. I like how you acknowledge the issues with enterprises that usually have legacy apps that require different versions of Java. It is not good, but what we have to deal with..

  2. Brian,
    Apple’s update to Java today brought Java 6 to 1.6.0_51, in addition to Oracle’s Java 7u25. So at least Apple is still supporting Java 6…for whatever that’s worth.

  3. http://www.java.com/en/download/faq/java_6.xml

    “Java SE 6 End of Public Updates
    Oracle no longer posts updates of Java SE 6 to its public download sites. All Java 6 releases up to and including 6u45 have been moved to the Java Archive on the Oracle Technology Network, where they will remain available but not receive further updates.”

    and

    “Apple Java 6 for Mac OS X
    For Java versions 6 and below, Apple supplies their own version of Java. For Mac OS X 10.6 and below, use the Software Update feature (available on the Apple menu) to check that you have the most up-to-date version of Java 6 for your Mac. For issues related to Apple Java 6 on Mac, contact Apple Support. “

  4. So for all you enterprise users who must, sadly, rely on Web apps which have not yet been rewritten to accommodate Java 7 DESPITE PLENTY OF ADVANCE NOTICE, take all your personal information and data files off your office PC.

    Maybe you’ll get lucky and the next version of the app won’t require Java at all.

  5. Would you believe that someone recently tried to market a SCADA system based upon Java? They used it on both embedded platforms, PCs, and mobile apps on a smart phone.

    Yes, I work for a large water utility. Yes, many less informed people might have fallen for that pitch.

    If this stuff doesn’t keep you up at night, it’s because you don’t understand the situation.

  6. If a computer really needs Java, UNPLUG IT FROM THE INTERNET. That will save you a lot of time.
    Also, use Unix-based OSes, don’t use Windows, if you are going to use Windows, run it in a VM in Unix-based OS.

  7. Thanks for the tip, Brian. I’ll do that. :)

  8. If you prefer to bypass the default stub installer, the full installation files can be downloaded from:

    http://www.java.com/en/download/manual.jsp

  9. “java -version” doesn’t work on my system. Per http://introcs.cs.princeton.edu/java/15inout/windows-cmd.html, it may be due to the Java folder not being path’ed and indeed, it is not part of my system path.

    I had to go to C:\Program Files (x86)\Java\jre7\bin to get the java -version command to work on my Windows 7 system.

  10. The best site I have seen which explains all the methods that Java can be invoked (Applet, Object, Embed, JLNP, etc) can be found at

    http://www.greyhathacker.net/?p=610

    The author shows how java can be invoked and then explains how to mitigate the invocation method.

    Very nice – a good learning experience. The only thing not done is to put everything together in a single download.

  11. Java 6 can be updated for those with Oracle Support contracts. Visit https://support.oracle.com/ and search for “1439822.1”

    You can use this method to extract and deploy the MSI:
    https://www.java.com/en/download/help/msi_install.xml

    You can also use this MSI with Secunia CSI:
    https://windowsmasher.wordpress.com/2012/03/05/secunia-patching-java/

    For many of us with Oracle Financials and other Oracle apps and long test cycles, we’re still a month or so away from even being able to think of moving to Java 7 and removing Java 6.

  12. Thanks as always for the heads-up Brian

    I don’t think many people realize how prevalent Java really is, especially for people managing networks and datacenters. Next generation firewalls & intrusion prevention systems, servers, VPNs, network monitoring appliances, fabric/fibre optic switches … the majority of hardware I see requires Java for administration, and often it has to be enabled in the browser

    And of course then there are medical insurance company websites I’ve seen that require Java in the browser too and administrator privileges …

  13. Secunia PSI still not picking it up yet, I like the idea of this thing but it seems a bit flaky in practice.

    • It was worse/better than I thought, it eventually ended up stripping Java off and failed to apply the update.

  14. It´s not an option any more to deselect ask toolbar :(

  15. Brian,

    Thank you for taking some of the mystique out of Java. My wife relies on yahoositebuilder to update her website, and that program is not Mac friendly and seems to require Java 6. Do you have any tips to get an old windows based PC to swallow the last version of Java 6? The thread above mentioned support for Java 6 for those with “Oracle Support Contracts,” but that is not me.

  16. I’m an engineer for a software vendor who licenses a large web application that uses applets. The application is never exposed to the Internet directly as it’s run over a local LAN.

    Java 7 Update 25 makes it IMPOSSIBLE to delivery web applications to our customers. The “Codebase” manifest attribute is required in the applet Jar and must match the requesting codebase and the server URL where it is loaded from. That means the entire system must be built PER CUSTOMER. And what if they change the hostname or IP ?

    It really does seem that Oracle is going to kill Java using “security” as the excuse.


Read previous post:
Windows Security 101: EMET 4.0

Several years ago, Microsoft released the Enhanced Mitigation Experience Toolkit (EMET), a free tool that can help Windows users beef...

Close