April 27, 2012

An earlier version of this blog post incorrectly stated that Oracle had shipped security updates for its Java software. Oracle did push out an update for Java earlier this month — Java 6 Update 32 — but the new version was a maintenance update that did not include security fixes. My apologies for any confusion this may have caused.


15 thoughts on “Correction to Java Update Story”

  1. BrOuhaha

    In my Chrome browser, a check on the link above yields: “You have the recommended Java installed (Version 6 Update 31)”

    Also, there is no “Preferences” in my toolbox. Please clarify.

    1. BrianKrebs Post author

      Oh right. You’re using Chrome on Windows, then, yeah?

      In Chrome on Windows, click the wrench, then Settings, then search for Java. If you have the plugin installed, you should be able to find it from there.

      1. Jason

        I think you have to use about:plugins in the address bar to find the Java version (and to disable it) in Chrome in Windows, at least that’s how I do it for the version I’m using.

  2. nichol price

    Hi,
    I was wondering if using a sandboxing system like Sandboxie on Windows XP/7 would really open me to Java exploits?
    Every time I close one web-surfing session and open another, Sandboxie clears the sandbox. I also sandbox any and all PDF views.

    I sandbox, run noscript in firefox, and have absolutely NO antivirus installed. I’m *thrilled* with this setup, but am concerned I am being too lax.

    1. JCitizen

      “too lax”? – As long as you don’t bank or shop online, and use limited accounts for daily web work, you might get away with it. I’d back up anything important though – bear in mind you will be backing up any hidden malware also.

      CCleaner can be your friend!

  3. Tim

    Are you sure about this Brian?

    The advisory that you link to discusses the quarterly patch update released about 10 days ago. These all concern patches for the core database products, PeopleSoft… etc. There was no JRE update in that bundle.

    The release notes for v6u32 are here:

    http://www.oracle.com/technetwork/java/javase/2col/6u32bugfixes-1579554.html

    …and I can find no reference to critical security issues patched by this release.

  4. Greg Sergienko

    At this point, Firefox has automatically disabled my Java as outdated, but my Mac software update hasn’t given me a download yet. I’m not too happy with the Apple people on this.

  5. Someone

    Why not suggest disabling _all_ plugins in your everyday browser? Java isn’t the only culprit. Adobe Flash comes to mind.

    On my Linux setup I run various browsers as fictive users, so at least attackers won’t get access to my files unless they exploit a root vulnerability.

  6. John Cali

    Thanks very much, Brian, for this. I downloaded NotScripts for Google Chrome. Despite their detailed instructions on how to set your password, I could not figure it out — even after 8 or 10 attempts.

    1. maubs

      You just need to find the password file and fill in a password with a text editor. It’s an annoyance, but pretty easy to do. The hardest part is locating the file.

      1. JCitizen

        After each update too – as I understand it.

  7. JimV

    I haven’t used or needed Java6 in a long time. Filehippo identified Java 7 update 4 as the upgrade needed on my various Windows machines, with a 64-bit version in addition to a 32-bit version. I downloaded both versions from FH and after uninstalling the JRE7u3 version from each machine, installed JRE7u4 without any issues on my various XP Pro, Vista Home Premium/Ultimate 32-bit and Win7 Pro 64-bit machines.

    Of course, as usual afterwards I had to disable the automatic update toggle Java sets by default in Control Panel applet, as well as untoggling the version it places in startup functions when examined in msconfig — this despite unchecking the query to approve automatic updates when the installation program first runs.

    I also checked the task scheduler to see if it had placed an entry there, but found none — so it doesn’t behave quite as badly as Google’s updater but still irritates greatly by ignoring the user-choice instruction during the installation process.

  8. Marc Harmon

    If you have Java 6 Update 31 then this Sun/Oracle page

    http://java.com/en/download/testjava.jsp

    says you have the latest. It’s not the latest, of course, but apparently to Oracle it’s good enough. This java.com download page

    http://www.java.com/en/download/manual.jsp

    also says that update 31 is the latest. As for Java 6 vs. 7, version 6 goes off maintenance in November 2012.

    There are download links for Java 6 update 32 and Java 7 update 4 here

    http://javatester.org/version.html
