October 12, 2010

Oracle today released a critical update to its widely-installed Java software, fixing at least 29 security vulnerabilities in the program.

Most consumers on Microsoft Windows PCs will have some version of Java installed (if you’re not sure whether you have Java or what version might be installed, click this link). Existing users can grab the latest version — Java 6 Update 22 — by visiting the Windows Control Panel, clicking on the Java icon, and then selecting the “Update Now” button on the “Update” tab. If you don’t already have this software, I recommend that you keep it that way.

Per Oracle’s advisory, updates are available for Windows, Solaris and Linux versions of Java. Apple maintains its own version of Java for OS X systems, and typically issues fixes for its version several months after the official Java release.

Be aware that Java’s updater may by default also include free “extras” that you may not want, such as the Yahoo! Toolbar or whatever other moneymaker they decide to bundle with their software this time around, so be sure to de-select that check box during installation if you don’t want the add-ons.

20 thoughts on “Java Update Clobbers 29 Security Flaws

  1. JBV

    Thank you, Brian. Your updates are always timely and much appreciated!

  2. Scott

    Brian, Your post seems contradictory. Could you clarify? You say: “Existing users can grab the latest version — Java 6 Update 22 — by visiting the Windows Control Panel, clicking on the Java icon, and then selecting the “Update Now” button on the “Update” tab. If you don’t already have this software, I recommend that you keep it that way.”

    Am I supposed to “keep it that way” by NOT installing the new update, which is what the sentence parses out to, at least to my mind.

    I be confuzed, man!

    – Scott

    1. JBV

      No contradiction here. Just click on “keep it that way,” which is a link, and you will be instantly deconfused.

    2. David Chasey

      Keep it that way means don’t install it because it is the single most viral infected software extant. If you don’t absolutely need Java, it should not be on your computer.

  3. JCitizen

    I’ve been trying to get java to work on Vista x64 for some time. I’ve tried every work around. I need it for certain sites, and it is just no go. I guess Sun doesn’t give a hoot anyway!

    I’ve never understood the need for JRE JDK or any of that obtuse language. If an IT tech can’t figure it out, how is the general public supposed too?

    Their goofy instructions are obsolete, they obviously don’t apply to Vista, and I assume Win7.

    I have to run javaws -viewer just to see the control panel, because it won’t show up in Vista x64 – apparently I shouldn’t have uninstalled the x64 version. I just couldn’t see having both versions if I don’t use the 64 bit browser. Oh well! Call the WAAaambulance!

  4. Scott

    Oh. Okay. Sorta. But I must say (and I recognize that this is not your job to deal with) that I have no idea whether I need Java or not, or how to tell, nor how to find out. I know that I sometimes get error messages which say something about Java, so I guess I’m using it in some of the things I do, but, as the guy above says (sorta), it seems that only an IT tech on steroids with a bionic brain implant enhanced with psilocyben could have a clue.

    Aarrgghh. (to quote from Charlie Brown, I think) 🙂

    – Scott

    1. David Chasey

      Scott, when I uninstalled Java I found out what I needed it for: a Retrospect Forum. I needed answers about this backup program. But I nonetheless decided to do without the Forum. Java is just too dangerous. Good Luck. – David

    2. 67GTV

      Man! You voters are being a little harsh on Scott.

      I require Java here at work for several applications, namely Symantec Endpoint Protection Manager. I choose to have it running on my main PC at home more for convenience than anything. Now my gaming rig is Java/Adobe Reader free!

      Unlike others here, I turn off Automatic Updates for various applications. I prefer to be in control when my apps call home. I was surprised to find out about this latest Java update by a user’s Automatic Update, as opposed to getting the heads up here or at other IT related sites.

      Lastly, it appears that Java is necessary for this site, in order to read posts with low ratings, like Scott’s above. “javascript:crSwitchDisplay(‘ckhide-11327’); is displayed in my IE Status Bar. Go figure.

      1. BrianKrebs Post author

        @67GTV — If you read about this update somewhere else first, then you weren’t’ reading this blog when it first posted, because I think mine was among the first to warn folks.

        Also, Javascript and Java are two different things. Javascript is code rendered in the browser, whereas Java is a stand-alone program that includes browser plugins that handle “applets” mini applications that can run in the context of the browser or as a program separate from the browser.

        Javascript can be blocked across the board or selectively, by disabling Javascript in the browser (kind of hard to browse the web this way), or by allowing Javascript on a list of approved sites. Firefox has several add-ons that make this very easy, including Noscript and RequestPolicy.

        1. 67GTV

          Hello Brian,

          First off, thank you for your reply. I rely on your information heavily!

          As for the Java update notification, I refresh and read your site each morning. I later found a PC’s JRE prompting me for an update. I am sure I just had not refreshed your site prior to this discovery.

          Regarding the Java/Javascript clarification, all I can say “D’oh!”. Even though I have been in IT for 10 years (I was in completely different fields the previous 26 years) – I never profess to being an IT expert. 😉 Thanks to sites like your’s and Larry Selzter’s PCMag Security Watch, I keep informed on IT Security related issues.

          Kind Regards,


  5. Michael

    So, after seeing this post, I went to make sure I was up to date.

    I went to the control panel. clicked Update. “You are up to date.” WRONG, I actually had Java 6 update 20 installed — not the previous latest 21. (I know now that I hadn’t been up to date, but the control panel button previously telling me I was had led me to believe otherwise.)

    So I went to java.com’s download page and downloaded and installed the latest (the offline installation version, no risk of accidentally installing the yahoo spyware). I twiddled my thumbs while it installed, then killed Firefox. (Which I hate to do, I am one of those who has lots of stuff in tabs at any time, but security is important). So then I go to the website to “verify my installation” like they recommend.

    What do I see? “You have Java 6 Update 21. Please click here to update to the latest version.” Arggghhhh.

    So I click again, the online version thsi time, go through the whole upgrade again, restart Firefox, and finally I am up to date with Update 22.

    Haven’t they heard of QA? Haven’t they tasked even a summer intern with making their upgrade process easy and reliable? Very frustrating. Makes me not want to go anywhere neare any of their other products unless absolutely necessary.

  6. Lo

    Scott, he is saying if you are not currently running Java, he recommends keeping Java off your machine. But if you insist on running Java (like me), then update it via the Control Panel.

    Java exploits are major contributor Browser Hijacks and much could be avoided by disabling it.

    1. JCitizen

      Good advice. IF you can see the java applet in the control panel. As I related before, after version 1. 6.0.21 somewhere the applet disappeared for some Vista users. Me included!

      It looks to me like ORACLE developers are repeating old bugs in 2006 versions of java!!

  7. hwKeitel

    I thinkt the biggest problem with Java is that the Update-mechanism is s***.

    How often have I tried to update my private computer and nothing happens. different computer, same day and it works.

    I can’t always download the whole software just because the f*** button is not working how it should.

  8. PJ

    Worked fine on my desktop, on my netbook it had 6.20 and the update tool said I had the latest version. I need Java for far too many programs to remove it, but I would like to keep it as secure as possible.

  9. resldad

    One annoying facet of these upgrades is that it overwrites the previously-chosen value for ‘frequency’ of scan to look for newer versions (under Update tab/Advanced). I choose ‘daily’ after each update and sure enough, after an upgrade, my choice gets overwritten.

    1. Troy

      Grrrr, thanks for the heads up, resldad! I had my Java set to look for updates weekly and sure enough, the last update reset it back to the stupid “Monthly at 2 am”.

      I have to use Java for some of our IT monitoring sites and services, so I prefer to have it check more often than the default for updates. Good info!

  10. TenorBrian

    Thanks, Brian. As is frequently the case, you were the first to make me aware of the new version.

    As to installing the new version, I do something that might be of assistance to others. Whenever a new version of Java or Flash becomes available, I uninstall the current version first, and then go to the appropriate site & install the new one. There may still be glitches, but at least the system is cleaner prior to the new install. Thankfully, Google recently made my job easier by incorporating Flash into their Chrome browser. But alas, updates are still required.

    Thanks again, Brian. Cheers!

  11. Aleta

    Hi, I have windows vista 64. Behind a router.

    I am confused. I’m not totally inept, but don’t know a thing about Java. I am usually careful but picked up a mess somewhere and had to reformat it was so bad.

    After reading your comments, now I don’t know what to do about Java… I just recently had Java tell me I needed to update. (So I did, no problem there). After reading this, I do see another Java in my Control Panel.

    How do I know if I even NEED Java?!!

    If it is MORE secure to >not< have it, how do I get it off.

    I am not current with the 250 mb in Windows updates that I need (every time I try to do something with that, I loose my pc and it doesn't operate right so I quit putting on the updates.

    Any suggestions are appreciated.

    1. BrianKrebs Post author

      Aleta — You can see what version of Java you have by opening the Windows Control Panel (Start, Control Panel) and clicking the Java icon, then click the “about” tab. That should tell you what version you have.

      If you don’t see it in the control panel, chances are good you don’t have it and don’t need it.

      The most current, patched version is Java 6 Update 22. If you have anything less than this on your system, you should visit the “Update” tab and click the “update now” button.

Comments are closed.