16
Oct 13

Critical Java Update Plugs 51 Security Holes

facebooktwittergoogle_plusredditpinterestlinkedinmail

Oracle has released a critical security update that fixes at least 51 security vulnerabilities in its Java software. Patches are available for Linux, Mac OS X, Solaris and Windows versions of the software.

Java7-45This update brings Java 7 to Update 45, and addresses a whole mess of security flaws. Oracle says that all but one of the 51 vulnerabilities fixed in this update may be remotely exploitable without authentication.

Updates are available from Java.com and the Java Control Panel. Apple has issued an update to its supported version of Java, which brings Java on the Mac to 1.6.0_65 for OS X 10.6.8 or later. As CNet notes, Apple is using this update to further encourage users to switch to Oracle’s Java runtime, especially for Web-based Java services.

“When this latest update is installed, according to Apple’s documentation it will remove the Apple-supplied Java plugin, and result in a ‘Missing plug-in’ section of a Web page that tries to run a Java applet,” CNet’s Topher Kessler writes. “If you click on the missing plug-in message, the system will direct you to Oracle’s Java Web site so you can download the latest version of Java 7, which will not only support the latest features in the Java runtime, but also include the latest bug and vulnerability fixes. Apple’s last supported version of Java is Java SE 6, and since handing the reigns over to Oracle, has progressively stepped back from supporting the runtime in OS X.”

Broken record alert: If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. Oracle likes to remind everyone that 3 billion devices worldwide run Java, and that 89 percent of desktops run some form of Java (that roughly matches what vulnerability management firm Secunia found last year). But that huge install base — combined with a hit parade of security bugs and a component that plugs straight into the Web browser — makes Java software a perennial favorite target of malware and malcontents alike.

If you have an affirmative use or need for Java, unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play). Java 7 lets users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

Otherwise, seriously consider removing Java altogether.  I’ve long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

There are a couple of ways to find out if you have Java installed and what version may be running.  Windows users can click Start, then Run, then type “cmd” without the quotes. At the command prompt, type “java -version” (again, no quotes). Users also can visit Java.com and click the “Do I have Java?” link on the homepage. Updates also should be available via the Java Control Panel or from Java.com.

Tags: , , , ,

51 comments

  1. Hi Brian,

    Thanks very much for your always-helpful advice and guidance. A non-techie like me would not survive the digital world without you!

    One quick question I’ve been meaning to ask you for a long time now. I have Java disabled in my Firefox browser — I don’t even remember the last time I needed it.

    However, I’ve never been able to figure out how to completely remove it. Is there an easy way to do that?

    Thanks, Brian!

  2. Take time to remove windows too :)

  3. As a lovely bonus for those who do need Java in the browser (yes, its 2x click to run for me: Firefox’s click to run and java’s click to run).

    One of the changes is a new “permissions” manifest, where a signed applet can say “I want everything” or “Even though I’m signed, run me in the sandbox only”, which will be mandatory in a future version.

    The former works: which means the #1 bug in Java: “with a signature, its ‘click to p0wn'” remains, and really can’t be eliminated since that is why so many web legacy stuff is written in Java: with a click you can bypass the sandbox.

    But the latter is blocked. Yes, an applet can’t say “Yeah, I’m signed, but run me in the sandbox anyway, I don’t need any scary permissions”.

    • The Java Sandbox leaks, and the technology may be able to fix this, but once you find a way into the sandbox and know its finer inside workings, if the programmers intend to do it the same wy again and again, it will fail.

      Software can always be broken by software, as it has been in the past. No matter the intention, its a matter of determination by either the programmers of the cracker / hacker. Depends on which one gives up first.

  4. Amazing how an 18 year old language that runs in a vm/sandbox and was designed for safety and reliability from day one can still have a couple hundred vulnerabilities found in it every year.

    We use active directory to disable the web plugin company-wide:
    CLASS USER
    CATEGORY “Java”
    POLICY “Disable Java Web Plugin”
    KEYNAME “Software\JavaSoft\DeploymentProperties”
    VALUENAME “deployment.webjava.enabled”
    VALUEON “false”
    VALUEOFF “true”
    END POLICY
    END CATEGORY

    Though I fear anyone with concurrent old versions installed may be unaffected by the setting, or worse as disabling the new version’s plugin gives the older versions precedence.

    • I learned long ago about java and it leaving older versions on your system. Its alot easier to remove all instances of Java, THEN apply the latest version.

      If you update Java, and then remove an older version, Java seems to be unstable, if it works at all.

      HTML5 is a better solution, I hope the products I use switch to it and rid me of one more piece of vulnerable software.

    • Java, was never ‘designed’ for anything. It’s just a quick and dirty tool to test the working of embedded devices… That why it has a VM… To emulate the E.D.

      After the project failed, Scott Mc Neally thought that the VM could be used to write programs for use on many platforms… The history of BASIC repeated and that’s why we have C# nowadays. But you never hear about security problems with that…

      Maybe Java’s sole purpose, because of it’s ‘openess’, is to spy…

    • I copied that lovely piece of text, David. Finally I might get Java out of our office completely… Thanks for posting that GP!

  5. The Oregano Router

    Thanks but no thanks on the Java run time plug-in.

    I think it’s best not to use it under Windows

  6. While you are getting rid of Java get rid of Windows too. Install OS like Linux Mint. Need Windows? Put it in a VM. Put Java in a VM too.

    • GeorgeOfTheJungle

      Different OS is not a workable solution in the work place. Works at home till you want to play a game or something similar.

      • Windows – the toy OS, useful mostly for games

        • Gates named the software appropriately…… Windows.

          As long as you have windows, your always a subject of attack. The windows don’t have to be “open” for some one to get inside, and that leads me to believe that this software’s marketability is pushed by the powers to be, so organizations can get in and out with ease, even on a ‘window” that has been secured.

  7. If you need to update Java but don’t want to use the default stub installers pushed out by Oracle (plus FileHippo and Secunia), go to the link below and download the offline installer file(s) appropriate to your OS flavor(s):

    http://java.com/en/download/manual.jsp

    • I usually grab the installers off Oracle’s developer site, which you can find by searching for JDK or Java Development Kit. On that site you can choose what version of JSE to download, which include “online” (stub) and “offline” Windows installers, as well as OSX, Linux, Solaris, etc. installers.

      Unfortunately Oracle wised up to me and now includes their blasted Ask.com widget with the developer version too, but for a time you could avoid that damn thing by grabbing the installer from here.

  8. so I downloaded the new version and my primary application won’t run. I get an error that says “could not call startup.startup for InMac”

    Anybody out there have ideas. It is my Internet based gradebook from Pearson.

    • If it expects to run Java in a web browser, you may need to follow Apple’s advice and install Java 7. Java 6 no longer is capable of running in a web browser.

      If Java 7 is the culprit, you may need to contact Pearson and see if they have an update that’s compatible with it. Java 7 is fairly backwards compatible on Windows but I have no idea about the OS X version.

    • Same here. I can’t get into the gradebook on my PC. The error message is startup.startup for Inproc Mode.

    • PowerTeacher’s Gradebook has this error with PowerSchool.

      See here: ( https://powersource.pearsonschoolsystems.com/d/powerteacher_gradebook__error_generated_when_using_java_17_45_update_45_ ) for more info.

      • Greg M, I don’t have a Pearson account and can’t see into the link that you posted. Can you tell me if it has a solution? Thanks!

        • I had the same problem. Downloaded/installed a version 6 runtime and now the gradebook opens just fine. Had to set up an account first, but not a big deal.

          http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archive-downloads-javase6-419409.html

          • Thanks Ryan!
            We found that deleting the Java folders, after uninstalling newest version, allows reinstall of 7u25, and no “could not call startup.startup for inproc mode” error. Otherwise, the error.
            For our district Gradebook is especially frustrating right now. Many of our staff have reported “Server refused connection”. Clearing the Java and browser cache works for some staff, not for others. Using a different browser works for some, and not for others. Installing the “Alternate Link” option which puts the “Gradebook Launcher” works for some but not for others. And for some, this “Alternate” program doesn’t even open.
            So until Pearson fixes their mess, our staff is still stuck dealing with “Java out of date” messages on any other program running Java, and our district is paying 50% of the tech’s pay, for me to try to get Gradebook running, go from computer to computer to computer, back to some computers, etc.
            I’ve heard that most of the Student Management program companies have gone/are going away from Java, but that Pearson probably won’t because Gradebook is built on it. I think our district might be looking to change to a non-Java program.
            And to think, Pearson must have had this knowledge about 7u45 before it was released to the public. Nice that a company like Pearson is so proactive.

  9. My Mac computer has just loaded the lastest Java update. I now cannot open the Danish Archives viewimage.aspx.jnlp files

    How do I revert to the older Java or how do I overcome the problem?

  10. I removed all traces of java using revo uninstaller. There were over 3000 registry entries! all are removed now. I don’t miss it one bit. Crapware as far as I am concerned. And the update forces flipping ask.com browser default crap even when unchecked….arsehats.

  11. Lysergic Acid Diethylamide

    Brian, here’s a question — if I leave Java disabled in the browser (which I do), do I even need to update Java in the first place, or is it alright to just let it languish in an older version?

    Usually, I’ve just been updating for the hell of it, which re-activates it in the browser, and then I manually disable it again. Am I just wasting time doing this?

  12. It is fun how people like to blame Java but forget completely about their own behaviour. I don’t need to uninstall Java or Windows, or to have an AntiVirus if I know what I am doing.

  13. Anatoly Nechaev

    Well that was fast.
    Firefox now disabling U45 on account of security problems.

    A week. Who would’ve know…

  14. so is there a fix for the error: “Could not call Startup.startup for Inproc Mode as another teacher stated above? I’m trying to access PowerTeacher Gradebook from home from my Windows 8 computer and I cannot.

    any updates? fixes? suggestions?

  15. Hello Brian i have the new Java update : Programs :

    Java 7 update 45
    Java 7 update 45(64 -bit)
    Java ™6 update 45 (64-bit)

    do i have to delete the third ? java ™6 update 45?

    • You should delete it. It’s incredibly unlikely that you have software that uses a 64bit version of Java and doesn’t support Java 7. Having the old version lying around is asking to eventually have an insecure and outdated (no longer supported) version. Something may someday manage to trigger it and lead to your computer being exploited.

  16. To Carolin and Pam
    About the PowerSchool gradebook: There is a way to not use Java which gives you a desktop icon and then you can click that. The district website gave it as an alternative if you have problems. Now I don’t need Java anymore. It was truly annoying to have to wait for Java every time I wanted to access my grades.

  17. @Carlos, you must be living in the 80s or 90s if you think you don’t need to uninstall java or install anti malware, because you “know what your doing”

    Maybe you mean, because you “don’t do anything” on your pc lol

    If you actually read BK’s blog you will hear about sites like NBC.com getting hacked and giving people malware without having to click to install anything. Just visit the URL and your infected.

    Why should we limit ourselves on the pc?
    I mean are we not allowed to play games or browse the web?

    The head of IAD for the NSA says there are a million new viruses made every month! lol

    And i ask you who are the real ones taking away our freedoms and censoring our opinions and limiting our choices? Its not the Gov’t thats for sure.

  18. Yesterday I found that Java plugin 7 updates 45 is blocked by windows and firefox. And there is no new update for it, I have uninstalled Java and reinstall it, but the problem still exists, what should I do?

  19. I just love how Oracle has bundled this little piece of swizz cheese together with that damn Ask Toolbar. Found a easy way to disable it though, its just a regedit away :)

    HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft (for 64bit)

    Add a string called SPONSORS, set value to DISABLE. Next time I sure as hell aint gonna get all my colleagues running to get me to “uninstall that idiot toolbar that came with the Java-update, I forgot to uncheck that during the upgrade”…

    Regards from a cold Sweden.
    Ps. Brian, you are still the best independent security blogger out there in my opinion!

  20. Dear Mr. Krebs
    In the past 24 hours I have downloaded both the 64 bit and no bit versions of Java 7 Update 45. When Java site tries to verify – it says it is not installed. Neither of the 2 applications, POGO and Cribbage recognize it either. Where is the problem?
    Thank you – Tom Woods
    Stirling, Ontario, CANADA

  21. I have a new MacBook Pro and I cannot get Pearson PowerSchool to open. It keeps on giving me the following warning. I do not know how to uninstall my Java 7 update. Please help! I can’t put in my grades.

  22. Howdy would you mind stating which blog platform you’re working with?
    I’m planning to start my own blog in the near future but I’m having a tough time selecting between
    BlogEngine/Wordpress/B2evolution and Drupal. The reason I ask is because your design
    seems different then most blogs and I’m looking
    for something unique. P.S
    Sorry for getting off-topic but I had to ask!

  23. Ever since I updated Java to 1.6.0_65 for Mac OS 10.6.8 about 2 weeks ago, I can no longer get into the one chat room I frequent (for 6+ years). I always disable Java except for when I go to my writer’s chat room twice a week. It now says, “Plug-in Failure”.

    For those of us who cannot use Oracle (don’t have OS 10.7 or higher), how can we fix this? I’ve tried many things and nothing seems to work. I’ve searched & searched online for answers to no avail. What good is the update if it fails?

    I primarily use Safari (version 5.1.10) but tried it within Firefox as well with the same result, “Applet plug-in crashed”. Any help would be greatly appreciated!! Thank you.

  24. @Coolout_AC if there is so high level of paranoia and hacking attempts to personal computers then no anti-virus, firewall or program uninstallation will save us. They can spy us anyway. I don’t care anymore. It is not so easy to install something if I don’t download and execute anything suspicious. I just need to run some anti-malware program sometimes. For the rest I can only pray.

  25. I am confused about the Java version numbers. The article says that the latest supported version is 1.6.0_65. I guess it does not refer to Java 6 Update 65, or does it.

    What confused me even more was that apple.com, referred to by this article (http://support.apple.com/kb/HT5982) had a link to oracle.com (http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html) that the latest version is 1.6.0_45. I would have expected it to be 1.7.0_45 if it is Java 7 Update 45.

    Is anybody able to clarify these Java version numbers?

  26. Can someone tell me just exactly why Java exists? I don’t play games on the internet, but aside from that, Java must have some purpose. I have xp 32bit. Is there any reason at all to have the latest Java 7-45 installed? I use a wireless router to my laptop to surf the web, watch occasional youtube vids, edit wikipedia, etc. Is Java just a disaster waiting to happen to me, or does it have any redeeming qualities at all–as long as it is consantly updated, with older versions deleted? thanks

  27. caith culbertson

    Java is requisite to use at ancestry.com.

  28. I mean even BK censors my opinions on here, He will cite spam, which is usually the excuse people use.

    I laugh at these so called cyber activists online, at least BK goes after other hackers.

    But when it comes down to it, the computer industry is filled with people who are way more oppressive then our Gov’t can ever be. Just go into their forums and chatrooms, doesn’t matter where.

    Its still predominantly very much one race, and one political view. And all of them think the public are too stupid for them to care about or protect.


Read previous post:
Thousands of Sites Hacked Via vBulletin Hole

Attackers appear to have compromised tens of thousands of Web sites using a security weakness in sites powered by the...

Close