October 20, 2011

Oracle Corp. released a critical update to plug at least 20 security holes in versions of its ubiquitous Java software. Nearly all of the Java vulnerabilities can be exploited remotely to compromise vulnerable systems with little or no help from users.

If you use Java, take some time to update the program now. According to a report released this month by Microsoft, the most commonly observed exploits in the first half of 2011 were those targeting Java flaws. The report also notes that Java exploits were responsible for between one-third and one-half of all exploits observed in each of the four most recent quarters.

Methods for exploiting one of the flaws fixed by this update were detailed at a recent security conference in Buenos Aires, where researchers demonstrated a method for intercepting encrypted SSL and TLS traffic.

Don’t know if you have Java? Check out this link, and then click the “Do I have Java?” link below the big red “Free Java Download” button. A majority of folks who have Java installed will have some update of Java 6; this latest patch brings Java 6 to Update 29. Java also has released a major revision to Java 7 (the vulnerabilities fixed in Java 6 Update 29 are available in Java 7 Update 1). It’s not clear whether Java 7 is more for regular users or for developers at this point, because the Free Java Download link at java.com still takes users to Version 6 Update 29.

Microsoft Windows users can update Java from the Java icon in the Windows Control Panel, and then clicking the “Update Now” button on the Update tab.

I’ve urged readers who have no use for Java to get rid of the program, but there is another way to keep it around while reducing the likelihood that the software will be targeted by malicious Web sites: unplug it from the browser. In Mozilla, Java can be toggled on or off via the plugins menu of the Add-ons page. In Internet Explorer, Java can be disabled via the “Manage Add-ons” option.

Finally, Windows users may find more than one Java version in the Add/Remove Programs list in the Control Panel. Older Java 6 versions can be safely removed after updating. The updater in Java 6 was long ago tweaked to remove older versions of Java before installing an update, but if you’ve already upgraded to Java 7, be aware that it does not remove Java 6 versions.


29 thoughts on “Critical Java Update Fixes 20 Flaws

  1. Lee Dickey

    Is there a recommended way to get Java to automatically and silently update without user intervention? I grow tired of depending on users to actually take the time to update Java and it is needed for our remote software solution.

    1. kurtisj

      Java itself has an auto-update component. You can see in the “Control Panel -> Java -> Update” Tab on Windows. I think that by default, it checks once a month. That may vary based on the version you initially install.

      1. AlphaCentauri

        Once a month is nowhere near often enough, unfortunately, given how frequently Java needs to be patched.

        I also don’t have the choice of using apps that require it on my job, nor of having much less tech-savvy coworkers using those apps. Since they don’t know what “Java” is, they aren’t sure if they should permit updates or if it’s some kind of scareware. It’s a pain.

    2. kurtisj

      Oh yeah, sorry, that’s not a recommendation. Just worth mentioning.

      Looks like it’s not helping your situation.

    3. David Chasey

      The updates of Java appear on my computer screen automatically
      Use it only if you have to. I use an insulin pump and the website that generates data from the pump is driven by Java.

    4. Daryl Zero

      There is a way to auto update, java’s auto update will download the update but the user still has to install it.
      Secunia Personal Software Inspector (PSI) is free software that can be set to auto update and auto install Java and a host of other programs.
      http://secunia.com/vulnerability_scanning/personal/

  2. Lee Dickey

    The Java “autoupdater” will at the very most download the update but will not automatically install. The user has to click through and do it.

    1. JCitizen

      I can’t attest to java specifically, but I quite often get a pop-up from Secunia PSI saying that a version change to one application or another has been patched. This is on the standard account side of Vista x64.

      When I check my CCleaner console, the new version is indeed already installed. I’m sure it probably doesn’t work for everything, but I’m very happy with this performance none-the-less.

      If for no other reason than seeing the color of the systray icon change from green to red or yellow; with a warning that something is past support(end of life, etc.); it is well worth the alerts, so immediate action can be taken. This lowers the threat profile quite a bit for zero day exploits.

  3. Nic

    99% of users haven’t used Java for anything since the last round of critical patches came through.

    If the installation of Java were a casino game, it would be one where you bet $100 on a 50/50 chance of either losing it or winning $2.

    The only winning move is not to play.

    Uninstall it.

  4. Lee Dickey

    Some of us need it installed. The issue is keeping it up to date without depending on the users to do it.

    1. JCitizen

      Same here; and I have at least one application that relies on it. I let File Hippo Update Checker or Secunia PSI let me know when to update. Sometimes FH update checker beats the regular updater. Not this time however. They alerted I and my clients at the same time this go around.

  5. Tom Seaview

    This particular update also installs the evil Ask Toolbar, unless the user un-checks the box during installation.

    1. Christian

      is the ask toolbar new to this version?
      im not sure but i thought it was already installed with earlier updates.

      @Brian perhaps thats a interesting story, “how the ask toolbar won the crapware war” 😉
      seems like all the other toolbars died, but every second shareware has ask bundled.

      1. JCitizen

        Not long ago they were so obtrusive they installed all the way to the Control Panel! It took Revo Uninstaller to get rid of the tentacles Ask put into the system. Anything that nasty just doesn’t deserve to exist in my book.

      2. TJ

        The free version of Ninite automatically says “No” to toolbars and other junk. However, unlike Ninite Pro, which Big Geek Daddy mentioned above, you have to manually run the app periodically. I run it every morning and it usually takes less than a minute.

  6. YaVerOt

    Oracle and Apple point toward each other, any idea where a version newer than 1.5.0_30 is available?

  7. Wayne

    Hey Brian:
    You forgot to mention the Adobe Flash 11 update…

    1. JCitizen

      I could have sworn he already covered that in another story?

    2. Bart

      I’m an Opera user and upon updating to Flash 11 I began getting browser abends, and they have continued after updating from version 11.51 to version 11.52 of Opera.

      1. TJ

        I’m also a Opera user, but I haven’t had any problems with the latest versions of Flash.

        Win7 Home Premium 32bit and 64bit

        1. Bart

          Sorry, TJ, I should have specified that I am a MAC user with Opera.

  8. jim c

    mozilla has an add-on called “no script” which i find very useful in controlling what runs on my computer including java.

  9. Phoenix

    It’s not just some websites that may require Java. The Openoffice Suite which I suppose is now supported by Oracle indicates it requires Java, but I’ve never installed Java and Writer and Calc, the only apps I used, worked just fine without it. So if you use Openoffice I would say try it without Java. And if you find some of the Openoffice apps need it, read and heedd the words of Brian to make sure you’re up to date.

    1. JCitizen

      For people who may be new to computer maintenance; this would not prevent JavaScript exploitation; but of course turning off java in the browser controls would prevent that avenue. Another post already mentions No-script, another good way to block that attack vector, in Mozilla FireFox, at least.

    2. David Chasey

      Without Java the Open Office word processor only functions with Rich Text Format.

  10. mechBgon

    I saw a remark from a security researcher that Java 7 has finally got comprehensive ASLR support. If you have to have Java installed, switch from the 6 family to 7. And I’d also use Microsoft EMET to throw its own anti-exploit protections around Java as well.

    1. JCitizen

      Interesting mechBgon; hopefully this will turn out to be true.

Comments are closed.