January 26, 2016

Oracle has shipped an update for its Java software that fixes at least eight critical security holes. If you have an affirmative use for Java, please update to the latest version; if you’re not sure why you have Java installed, it’s high time to remove the program once and for all.

According to Oracle’s release notes, seven of the eight vulnerabilities may be remotely exploitable without authentication — meaning they could be exploited over a network by malware or miscreants without the need for a username and password. The version with the latest security fixes is Java 8, Update 71. Updates also should be available via the Java Control Panel or from Java.com.

Windows users can check for the program in the Add/Remove Programs listing in Windows, or visit Java.com and click the “Do I have Java?” link on the homepage.

If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. Otherwise, seriously consider removing Java altogether. I have long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

If you have a specific use or need for Java, there is a way to have this program installed while minimizing the chance that crooks will exploit unknown or unpatched flaws in the program: unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play, which can block Web sites from displaying both Java and Flash content by default). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel.
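As an added illustration (not code from the original post or from Oracle), a small Python audit that checks the two things recommended above: that the installed runtime is at Java 8 Update 71 or later, and that Java content in the browser has been switched off. It relies on the real `java -version` output format for Java 8 ("1.8.0_71") and the real `deployment.webjava.enabled` key in deployment.properties that the Java Control Panel checkbox toggles; the sample inputs are constructed.

```python
"""Added audit helper: is Java at 8u71+ and unplugged from the browser?
Not code from the original post or from Oracle; samples are constructed."""
import re
import subprocess

PATCHED = (8, 71)  # Java 8 Update 71, the release the post points to

# `java -version` writes to stderr; Java 8 prints e.g.: java version "1.8.0_71"
_VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.0_(\d+)')

def parse_java_version(output):
    """Return (major, update) from `java -version` output, or None if not found."""
    m = _VERSION_RE.search(output)
    return (int(m.group(1)), int(m.group(2))) if m else None

def is_patched(version, patched=PATCHED):
    """True when the parsed version is at least the patched release (tuple compare)."""
    return version is not None and version >= patched

def browser_plugin_disabled(properties_text):
    """True only if deployment.properties explicitly sets deployment.webjava.enabled=false.
    A missing key means the Control Panel default, which is 'enabled'."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # .properties comment lines
        key, sep, value = line.partition("=")
        if sep and key.strip() == "deployment.webjava.enabled":
            return value.strip().lower() == "false"
    return False

def audit(version_output, properties_text):
    """Summarise both checks and the action the post would recommend."""
    version = parse_java_version(version_output)
    patched, plugin_off = is_patched(version), browser_plugin_disabled(properties_text)
    if version is None:
        action = "no Java found: nothing to patch"
    elif patched and plugin_off:
        action = "ok: patched and unplugged from the browser"
    elif patched:
        action = "disable Java content in the browser (or use click-to-play)"
    else:
        action = "update to Java 8 Update 71 or remove Java"
    return {"version": version, "patched": patched, "browser_disabled": plugin_off, "action": action}

def live_version_output():
    """Run the real `java -version` on this machine (stderr); '' if Java is absent."""
    try:
        return subprocess.run(["java", "-version"], capture_output=True, text=True).stderr
    except FileNotFoundError:
        return ""

SAMPLE_OLD = 'java version "1.8.0_65"\n'        # constructed: pre-patch runtime
SAMPLE_NEW = 'java version "1.8.0_71"\n'        # constructed: patched runtime
SAMPLE_PROPS_OFF = "#deployment.properties\ndeployment.webjava.enabled=false\n"

if __name__ == "__main__":
    print(audit(SAMPLE_OLD, ""))
    print(audit(SAMPLE_NEW, SAMPLE_PROPS_OFF))
```

Replace the samples with `live_version_output()` and the contents of your own deployment.properties to audit a real machine.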

Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

Many people confuse Java with JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. For more about ways to manage JavaScript in the browser, check out my tutorial Tools for a Safer PC.


29 thoughts on “Oracle Pushes Java Fix: Patch It or Pitch It”

  1. Steve

    Any advice on how to really, 100%, remove it from a Mac? I try what I find on Google but traces remain, still asks me to do updates.

      1. RemoveJavaWithThis

        Also, depending on your OS version, there are 3 AppCleaner versions that work with OS X 10.x.x.

        Version 3.2.1: supports Mac OS X 10.10 to 10.11
        Version 2.3: supports Mac OS X 10.6 to 10.10
        Version 1.2.2: supports Mac OS X 10.4 to 10.5

        AppCleaner 2.3 (OS X 10.6-10.10, Intel64/Intel32)

        or this one.

        Version 3.2.1:

        Fixed an issue where SmartDelete would crash when asking for admin privileges.

        Requirements

        Intel, 64-bit processor OS X 10.10 or later

        Happy Deleting

        YWIA

        1. JCitizen

          Excellent post RJWT! You do KOS readers a great service! Despite hearing about AppCleaner years ago, it had completely slipped my mind. I’ll let my Apple fanboy clients know about that now. 😀

          Fortunately – ever since my UPS died, I’ve never needed Java on board my PC, and I can issue a hearty GOOD RIDDANCE!

        2. That's how you...

          Seriously? Is it not possible to do anything on a Mac without having to install untrusted third party apps which themselves could be some sort of badware?

  2. Brian

    I really struggle to understand the continued negative bias towards Java, the most powerful and available and used programming language in the world.
    On the basis of number and significance of security issues I should also pitch the Windows OS out of my shop!

    1. jdmurray

      If you have no specific need for Flash or Windows then ditch them too!

    2. Joseph

      The difference is that most people need Windows. However, unless you’re a developer or working for an out-of-date enterprise, you don’t need the Java runtime. It’s not about hate, it’s about security. Oracle has done a terrible job of securing the Java runtime, so why keep it around when it presents such a huge threat?

      And while one could argue that other language runtimes are just as insecure, at least their owners haven’t tried to get everyone everywhere to install it (and the half-dozen other paid addons they hide in the installer).

      I have to have Java installed (I develop Java-based backends), but I’ve always been careful to keep it as far away from my browser as possible. With the advent of containerization tools like Docker, I’m now looking at keeping it walled off from the rest of my system as well.

      1. rick

        Out of date enterprise?

        People are mixing up the java plugin with java’s runtime. Remember way back, we had activex which was the plugin from hell that linked the web to native windows executables.

        Along came java with a much better security model, and it was good for that. With javascript we don’t need it for that purpose any more.

        Plenty of apps run in java just as many are running under other languages with runtimes.

        Java isn’t dying, the plugin is.

      2. J0s3ph

        “The difference is that most people need Windows.”

        No they don’t.

    3. svim

      I’m also confused about so much Java hate. Java itself isn’t the security problem, it’s the Java web browser plugin that’s the problem. Having Java on your computer is no more or less hazardous than most everything else a typical user has on their computer. Most modern browsers do not allow the Java plugin to be auto-enabled anyway, and for Chrome browser users it’s completely irrelevant as Chrome no longer supports NPAPI (Netscape Plugin API) based plugins, and there is no Java plugin based on Google’s PPAPI (Pepper Plugin API).
      I still have some things on my computers that use Java applets so I still have Java, and I don’t worry about it.

      1. JCitizen

        Java may just be a victim of its own success; but it is no doubt that one of the first things a malware attack looks for, is that Java is installed on the machine; so it might not be so much that the plugin makes the browser vulnerable as it is just that keeping java updated against zero day attacks is the issue. That concern is that it makes the whole PC vulnerable. I bear in mind that even Linux and OSX can be made vulnerable to Java attacks.

        If ORACLE had done a better job building an auto updater, maybe we wouldn’t be so harsh on them! That stupid updater has been a major headache of mine for years. Thankfully I no longer have to worry about it! It is also fortunate that the browser developers are ending support for plugin and extension technology, and that enhancements to the browsers are provided by separate processes now.

    4. ~java!

      Java the JVM and stuff isn’t the problem. Java connected to a web browser is the problem. Or, for that matter, pretty much anything that is powerful and versatile and connected to a web browser.

  3. Biff

    One thing that you are not getting about Java. Java enables multiple versions of the software to run on a single machine. Software written in Java can call out for a specific version or simply use the latest version. As such, a user may have software running that requires an older version of Java. As such, it may not be patched. As such, installing a newer version may not help as the software forces use of the older version.
    This is the beauty of Java. This is the hell of Java.

    1. Rich

      Yep, Java is hell. I have to run no later than Java 7 for 2 different work applications. Any newer, and they just won’t run.

      After supporting servers for years, I’ve been woken up at night too many times because of a rampant Java program going bonkers and eating all the resources on a box.

      The sooner Java dies the better. Unfortunately, too many people think Java is the greatest thing in the world, so it won’t die.

      I’d like to put it in the grave next to Flash!

      1. Someguy

        Java 7? You are lucky, I have stuff I can’t run without Java 6. Specifically some brocade SAN switch management page crap.

  4. null

    I got rid of java at home years ago. Haven’t missed it all.

  5. Bob

    I think I got prompted to do this update a few days ago by the auto-updater.

    Unfortunately, I need that software to use my employer’s VPN software.

    1. JCitizen

      I used to need Java to view my Linux OS in my UTM appliance! After HTML-5 came along, I noticed I didn’t need it anymore, and the one security software I was using that needed it, coded it out at the last update. So no more Java for me!

    1. RemoveJavaWithThis

      the Official ‘Java’ page at [https://www.java.com/en/download/manual.jsp]

      is still only pushing Version 8 Update 71 at this time.

      and if you’re suggesting that users get it from any other place, they’re pretty much on their own with what they might be really installing. If you don’t get your system software from the Original Vendor source, you only get what you deserve to be installed on your devices.

      that being said, since i work in an enterprise environment, we don’t have the luxury or freedom to remove this or other things that we need to operate daily. but i would remove them if we didn’t need them.

      YWIA

        1. JCitizen

          It has always been my policy to test my required software to see if it can do without Java as the code base changes, and other factors such as browser improvements come along. Although I’m sure you gentlemen do the same, I just want to push that idea to any newbie IT techs out there that might not have as much experience.

  6. Larry

    The security risk with Java is with the browser plugin. Read the 4th and 5th paragraphs closely.

    Programs that were written in Java can be safe to run; Crashplan is one example. It’s when you allow the Java browser extension that you open your computer to malware.

  7. Aja Gupta

    I wonder if Oracle has patched JRE 8u76-b03 (the early access version). Since it was published about seven days ago, I would conjecture no. Does anyone know for sure?

  8. Stratocaster

    I noticed that Adobe snuck out an(other!) out-of-band security update for Flash Player yesterday also, v20.0.0.286.

    1. Jerry Leichter

      To the contrary. With the Java plugin gone, Java will become just another programming language – much safer than many, actually. What it won’t have any more is the ability to run inside a browser, a feature that was neat when first introduced but has had overwhelmingly more negatives than positives.

      Java as a programming language and environment remains very healthy – and a number of new languages (e.g., Scala) actually use the Java run-time environment.

      (BTW, the plugin goes away, but there’s a replacement technology, Java Web Start. Java Web Start has actually been around for many years, but doesn’t have the convenience (for both good and ill) of the plugin. Web Start downloads and starts a stand-alone Java program. This is as safe – and unsafe – as many other techniques for downloading and executing programs.)

      — Jerry
