Critical Updates for Java

April 22, 2013

Last week, in keeping with its usual quarterly schedule, Oracle released a new version of its Java SE software, version 7 update 21, for all platforms (Windows, Linux, Solaris, and Mac OS X).  This Critical Patch Update Advisory addresses a total of 42 identified vulnerabilities; Oracle says that 39 of these can be exploited over the network without authentication: that is, an attacker would not need to log in to the target system.   Nineteen of the vulnerabilities receive the maximum possible CVSS severity score of 10.0.

If you have Java installed on your system, I recommend that you install the new version as quickly as you conveniently can.  Windows or Mac users can use the built-in automatic update mechanism; alternatively, the new version can be downloaded here.

As I’ve written before, most recently last October, there is a good case that the average individual user is better off without Java on his or her system.   I won’t bore you by going through all of it again.  If you do decide to install or keep Java, though, please be careful to keep it up to date.


More Java-Induced Jitters

January 20, 2013

I’ve written here several times before (most recently last October) about some of the security issues with Oracle’s Java software.   Lately, Java has been in the news again, because of a new, serious security vulnerability recently discovered in the latest version of the software.

Java has proved to be, over the years, a rich source of security vulnerabilities, at least in part because it is widely installed across multiple platforms (including Windows, Mac OS X, and Linux), making it an attractive target.   Also, unlike a typical application software package, installing a new version  of the Java environment did not necessarily remove older versions that had been installed previously.  (This was done, I think, because the definition of the language was evolving, and a new version was not guaranteed to be 100% compatible with an older one.)  This meant that, although the updated software might fix security flaws, the old version, complete with flaws, was still there to be exploited.

I won’t take the time and space here to relate the history of the latest vulnerability.  (If you are interested, Brian Krebs has a good summary at his Krebs on Security blog.)  Oracle issued a Security Alert  for this problem, together with a new version of the Java Runtime Environment [JRE], version 7 update 11.  (You can download the new version, for all platforms, here.)  However, subsequent to that release, testers discovered that the new version fixed only part of the vulnerability, so that an exploit was still possible.

US-CERT has issued a Vulnerability Note (VU#625617) concerning the situation at present.  Their recommendation, which I endorse, is that users who require Java should update to version 7 update 11 immediately, and should also disable the Java browser plugin(s).   Instructions for doing this are available at the Java site.  The Vulnerability Note also contains links to more technical information.

As I wrote in last October’s post (and in another post a couple of years before that), there is a good case that the average individual user is better off without Java on his or her system.   I won’t bore you by going through all of it again.  If you do decide to install or keep Java, though, please be careful to keep it up to date.

Update Monday, 21 January, 11:13 EST

The SANS Internet Storm Center has a diary post with links to some additional technical information on the latest vulnerability.


Java Survey Results

October 24, 2012

Last Friday, I posted a note here about an article and informal survey at Ars Technica, on whether keeping Java on the desktop was a significant security risk; and, if so, whether the risk was worth running.  Ars has posted a follow-up article, summarizing the results of their survey.  The results are interesting, although likely to disappoint anyone expecting a clear-cut, black and white sort of answer.

There seems to be a consensus of sorts that the most risky part of the Java system is the browser plug-in.  Those respondents who had security concerns often focused on mitigating that aspect of risk:

Some users have disabled or uninstalled Java entirely. But the most common solution for those worried about security risks is to leave the Java Runtime Environment in place on the desktop while disabling the browser plugins that allow Java applets to run on websites. Those plugins are often vulnerable to attacks involving remote code execution.

This approach, which I mentioned in an earlier post on getting rid of Java, probably removes the most serious threat, while leaving the Java Runtime Environment available to support features of packages like the open-source office suite, Libre Office (the successor to Open Office).   Libre Office can still be installed without Java, but some features will not be available.

Not surprisingly, the responses also indicated that Java still enjoys substantial popularity among developers; one respondent wrote:

I use Java heavily at work because it has the killer combination of: being good enough as a programming language; being cross-platform; having a great set of libraries; running fast.

Java is also used extensively in enterprise environments.

Java has lots of real-world use cases, enough that uninstalling or disabling the platform isn’t realistic for many users. Numerous people report keeping Java enabled in browsers because of banking, government, work, and school-related websites.

For both the developers and enterprise users, a common theme seems to be that Java, while not being perfect for any particular application, offers a practical approach for many things.  That it is available and gives decent performance across a variety of platforms is an obvious selling point.   Beyond that, it is a reasonably structured language, and much better for sizable projects than a scripting language like Perl.

For the average individual user, I’d recommend the following approach:

  1. Look through the list of software and Web sites that you use regularly, and see if any of them require Java.
  2. If none does, then removing Java will reduce your risk at minimal cost.  (You can always re-install it if your situation changes, of course.)
  3. If you have application software, like Libre Office or Minecraft, that requires Java, you can leave the Java environment installed, but remove or disable the browser plugin.
  4. If you regularly use Web sites that require Java, you can leave the plugin enabled, or disable it, re-enabling it when you need the Java-dependent site, depending on how frequently that occurs.

As always in security, there are trade-offs, but I hope that making this sort of information available will help people in making choices.


Apple Updates, Disables Java

October 22, 2012

Last week, as part of its regular Critical Patch Update, Oracle released new versions of its Java software.  Apple has also released new versions of Java for Mac OS X. (As Mac users probably know, Apple packages and releases its own Java updates.)    The new versions are Java for OS X 2012-006 and Java for Mac OS X 10.6 Update 11.  These updates address twenty identified security flaws (essentially, the same ones that Oracle’s update fixed); further information is available on Apple’s support page for this update.

According to an article at Ars Technica, this update also makes one significant change to past Apple practice: it does not include a browser plug-in for Java, and in fact removes any existing plugins.  The Naked Security blog from anti-virus vendor Sophos has a post with some additional information.  (I didn’t know about this aspect of the update when I wrote yesterday’s post on Java.)

You can get the new version via the Software Update pane in System Preferences, or you can download the new version from Apple’s support site.


Jettisoning Java, Again

October 21, 2012

Whenever I post a note here about an update to Oracle’s (formerly Sun’s) Java software, as I did last week, I try to remember to suggest that readers think about whether they really need Java at all, especially on their personal systems.  Java has proved to be, over the years, a rich source of security vulnerabilities, at least in part because it is widely installed across multiple platforms (including Windows, Mac OS X, and Linux), making it an attractive target.   Also, unlike a typical application software package, installing a new version of the Java environment did not necessarily remove older versions that had been installed previously.  (This was done, I think, because the definition of the language was evolving, and a new version was not guaranteed to be 100% compatible with an older one.)  This meant that, although the updated software might fix security flaws, the old version, complete with flaws, was still there to be exploited.  I first discussed the Java issue in a post back in October, 2010.

Ars Technica, on Friday, published an article on dumping Java, “Is Using Java on a Desktop Worth the Security Risks?”.  The question is not solely rhetorical; Ars has invited readers to post comments addressing the following questions:

  • Do you run Java at home and/or at work?
  • If you’ve considered disabling Java but decided against it, what were your reasons?
  • What Java-based functionality are you not willing to give up?
  • For those of you who have disabled Java, what made you take the plunge—and have you ever regretted your decision when encountering software that won’t run without Java?

The editors intend to monitor the comments, and present a recap of the most interesting ones tomorrow (Monday, October 22).  I am most interested to see the results.

Regardless of whether you wish to comment or not, the rest of the article has a good summary of some of the issues involved in deciding whether to keep Java, especially for businesses.  It’s worth the (quick) read if this is something that affects you.



Oracle Releases Critical Patch Updates

October 17, 2012

Oracle, in keeping with its usual quarterly schedule, has released a batch of critical patch updates for its software products.  These are described in the Oracle Critical Patch Update Advisory, October 2012.  Most of the fixes are for software that is used mainly in corporate environments, such as the Oracle database server, and its E-business Suite.  There are two products, though, that individual users might have: the MySQL Server, and VM Virtual Box.  (The emphasis is on “might”, since neither of these is installed by default on any system I know of; if you have them, it is almost certainly because you installed them.)  Complete details of the vulnerable products and versions are in the Advisory.

Oracle has also issued a Java SE Critical Patch Update Advisory, for all platforms (Windows, Linux, Solaris, and Mac OS X).  This software is installed on many user machines, particularly in the form of a browser plugin.  (It’s not clear that a typical individual user needs Java; I’ve discussed that issue in an earlier post.)  According to the Java Advisory, the following versions of the software are vulnerable:

  • JDK and JRE 7, Update 7 and earlier
  • JDK and JRE 6, Update 35 and earlier
  • JDK and JRE 5.0 Update 36 and earlier
  • SDK and JRE 1.4.2_38 and earlier
  • JavaFX 2.2 and earlier

Java 7 Update 9 is the most recent version of the software, and is recommended unless you have a specific reason for sticking with an earlier version.  Windows users can get the new release via the update mechanism built into the software.  Alternatively, you can download an installation package from the Java Download Page.

If you still require version 6, the latest release is Java 6 Update 37, which is available here.

If you do have Java installed on your system(s), I recommend updating it as soon as you conveniently can.
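As an added illustration (not part of the original post), the small Python check below parses the first line of `java -version` output from each Java installation found on a machine and flags any that fall within the vulnerable ranges listed above; the fixed targets 7u9 and 6u37 are the ones named in this post, and the sample banners are constructed.

```python
import re

# Vulnerable ceilings from the Oracle Java SE advisory quoted in this post:
# version family -> highest update number that is still affected.
VULNERABLE_THROUGH = {"1.7": 7, "1.6": 35, "1.5": 36, "1.4.2": 38}

# Fixed releases named in the post: 7u9 is recommended, 6u37 if you still need 6.
FIXED_RELEASE = {"1.7": "1.7.0_09", "1.6": "1.6.0_37"}

# First line of `java -version`, e.g.  java version "1.7.0_07"
_BANNER_RE = re.compile(r'(?:java|openjdk) version "(\d+\.\d+\.\d+)(?:_(\d+))?"')

def parse_java_version(banner):
    """Return (family, update) from a `java -version` banner; family is
    '1.7', '1.6', '1.5' or '1.4.2', update defaults to 0 when absent."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError("unrecognised java -version banner: %r" % banner)
    base, update = m.group(1), int(m.group(2) or 0)
    family = "1.4.2" if base.startswith("1.4.2") else base[:3]
    return family, update

def assess(banner):
    """Classify one installation against the advisory's version ranges."""
    family, update = parse_java_version(banner)
    ceiling = VULNERABLE_THROUGH.get(family)
    if ceiling is None:  # e.g. a newer family this advisory does not cover
        return {"family": family, "update": update, "vulnerable": None,
                "action": "not covered by this advisory"}
    vulnerable = update <= ceiling
    # The post recommends 7u9 unless there is a specific reason to stay on 6.
    target = FIXED_RELEASE.get(family, FIXED_RELEASE["1.7"])
    return {"family": family, "update": update, "vulnerable": vulnerable,
            "action": "update to %s" % target if vulnerable else "up to date"}

def stale_installs(banners):
    """Banners of every install still in a vulnerable range. Installing a
    new Java did not remove old ones, so each runtime found must be checked."""
    return [b for b in banners if assess(b)["vulnerable"]]

# Constructed sample: a machine with a patched Java 7 next to two leftovers.
SAMPLE_BANNERS = [
    'java version "1.7.0_09"',  # current, not vulnerable
    'java version "1.6.0_35"',  # old 6 left behind, vulnerable
    'java version "1.4.2_38"',  # old 1.4.2 left behind, vulnerable
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(b, "->", assess(b)["action"])
```

Feed it the banner from every `java` binary you can find (each old install directory keeps its own), since the patched one on the PATH says nothing about the leftovers.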


Critical Updates for Java Released

June 16, 2012

Oracle has released its quarterly security fixes for Java.  The new Version 6 Update 33 addresses 14 identified security vulnerabilities; at least one of these is extremely serious, because it can be exploited remotely without a login.  (There is also a Version 7 Update 5 available for developers, with the same fixes.)  The new versions also fix some minor bugs.  Further information is available in the Critical Patch Update Advisory.

The new version is available for almost all platforms: Linux, Windows, and Solaris.  Apple supplies its own versions of Java for Mac OS X; there is usually a time lag of at least a few days after Oracle releases a new version before an updated Mac version is available.

Because of the security content of this release, if you have Java installed on your system, I recommend that you install this update as soon as you conveniently can.  You can obtain the new version, including the browser plug-in, from the download page for Version 6 Update 33, or the download page for Version 7 Update 5.  Windows users can also use automatic updates to get the new release.

