Critical Updates for Java

April 22, 2013

Last week, in keeping with its usual quarterly schedule, Oracle released a new version of its Java SE software, version 7 update 21, for all platforms (Windows, Linux, Solaris, and Mac OS X).  This Critical Patch Update Advisory addresses a total of 42 identified vulnerabilities; Oracle says that 39 of these can be exploited over the network without authentication: that is, an attacker would not need to log in to the target system.   Nineteen of the vulnerabilities receive the maximum possible CVSS severity score of 10.0.

If you have Java installed on your system, I recommend that you install the new version as quickly as you conveniently can.  Windows or Mac users can use the built-in automatic update mechanism; alternatively, the new version can be downloaded here.

As I’ve written before, most recently last October, there is a good case that the average individual user is better off without Java on his or her system.   I won’t bore you by going through all of it again.  If you do decide to install or keep Java, though, please be careful to keep it up to date.


More Java-Induced Jitters

January 20, 2013

I’ve written here several times before (most recently last October) about some of the security issues with Oracle’s Java software.   Lately, Java has been in the news again, because of a new, serious security vulnerability recently discovered in the latest version of the software.

Java has proved to be, over the years, a rich source of security vulnerabilities, at least in part because it is widely installed across multiple platforms (including Windows, Mac OS X, and Linux), making it an attractive target.   Also, unlike a typical application software package, installing a new version  of the Java environment did not necessarily remove older versions that had been installed previously.  (This was done, I think, because the definition of the language was evolving, and a new version was not guaranteed to be 100% compatible with an older one.)  This meant that, although the updated software might fix security flaws, the old version, complete with flaws, was still there to be exploited.

I won’t take the time and space here to relate the history of the latest vulnerability.  (If you are interested, Brian Krebs has a good summary at his Krebs on Security blog.)  Oracle issued a Security Alert  for this problem, together with a new version of the Java Runtime Environment [JRE], version 7 update 11.  (You can download the new version, for all platforms, here.)  However, subsequent to that release, testers discovered that the new version fixed only part of the vulnerability, so that an exploit was still possible.

US-CERT has issued a Vulnerability Note (VU#625617) concerning the situation at present.  Their recommendation, which I endorse, is that users who require Java should update to version 7 update 11 immediately, and should also disable the Java browser plugin(s).   Instructions for doing this are available at the Java site.  The Vulnerability Note also contains links to more technical information.

As I wrote in last October’s post (and in another post a couple of years before that), there is a good case that the average individual user is better off without Java on his or her system.   I won’t bore you by going through all of it again.  If you do decide to install or keep Java, though, please be careful to keep it up to date.

Update Monday, 21 January, 11:13 EST

The SANS Internet Storm Center has a diary post with links to some additional technical information on the latest vulnerability.


Apple Updates, Disables Java

October 22, 2012

Last week, as part of its regular Critical Patch Update, Oracle released new versions of its Java software.  Apple has also released new versions of Java for Mac OS X. (As Mac users probably know, Apple packages and releases its own Java updates.)    The new versions are Java for OS X 2012-006 and Java for Mac OS X 10.6 Update 11.  These updates address twenty identified security flaws (essentially, the same ones that Oracle’s update fixed); further information is available on Apple’s support page for this update.

According to an article at Ars Technica, this update also makes one significant change to past Apple practice: it does not include a browser plug-in for Java, and in fact removes any existing plugins.  The Naked Security blog from anti-virus vendor Sophos has a post with some additional information.  (I didn’t know about this aspect of the update when I wrote yesterday’s post on Java.)

You can get the new version via the Software Update pane in System Preferences, or you can download the new version from Apple’s support site.


Jettisoning Java, Again

October 21, 2012

Whenever I post a note here about an update to Oracle’s (formerly Sun’s) Java software, as I did last week, I try to remember to suggest that readers think about whether they really need Java at all, especially on their personal systems.  Java has proved to be, over the years, a rich source of security vulnerabilities, at least in part because it is widely installed across multiple platforms (including Windows, Mac OS X, and Linux), making it an attractive target.   Also, unlike a typical application software package, installing a new version of the Java environment did not necessarily remove older versions that had been installed previously.  (This was done, I think, because the definition of the language was evolving, and a new version was not guaranteed to be 100% compatible with an older one.)  This meant that, although the updated software might fix security flaws, the old version, complete with flaws, was still there to be exploited.  I first discussed the Java issue in a post back in October, 2010.

Ars Technica, on Friday, published an article on dumping Java, “Is Using Java on a Desktop Worth the Security Risks?”.  The question is not solely rhetorical; Ars has invited readers to post comments addressing the following questions:

  • Do you run Java at home and/or at work?
  • If you’ve considered disabling Java but decided against it, what were your reasons?
  • What Java-based functionality are you not willing to give up?
  • For those of you who have disabled Java, what made you take the plunge—and have you ever regretted your decision when encountering software that won’t run without Java?

The editors intend to monitor the comments, and present a recap of the most interesting ones tomorrow (Monday, October 22).  I am most interested to see the results.

Regardless of whether you wish to comment or not, the rest of the article has a good summary of some of the issues involved in deciding whether to keep Java, especially for businesses.  It’s worth the (quick) read if this is something that affects you.



Oracle Releases Critical Patch Updates

October 17, 2012

Oracle, in keeping with its usual quarterly schedule, has released a batch of critical patch updates for its software products.  These are described in the Oracle Critical Patch Update Advisory, October 2012.  Most of the fixes are for software that is used mainly in corporate environments, such as the Oracle database server, and its E-business Suite.  There are two products, though, that individual users might have: the MySQL Server, and VM Virtual Box.  (The emphasis is on “might”, since neither of these is installed by default on any system I know of; if you have them, it is almost certainly because you installed them.)  Complete details of the vulnerable products and versions are in the Advisory.

Oracle has also issued a Java SE Critical Patch Update Advisory, for all platforms (Windows, Linux, Solaris, and Mac OS X).  This software is installed on many user machines, particularly in the form of a browser plugin.  (It’s not clear that a typical individual user needs Java; I’ve discussed that issue in an earlier post.)  According to the Java Advisory, the following versions of the software are vulnerable:

  • JDK and JRE 7, Update 7 and earlier
  • JDK and JRE 6, Update 35 and earlier
  • JDK and JRE 5.0 Update 36 and earlier
  • SDK and JRE 1.4.2_38 and earlier
  • JavaFX 2.2 and earlier

Java 7 Update 9 is the most recent version of the software, and is recommended unless you have a specific reason for sticking with an earlier version.  Windows users can get the new release via the update mechanism built into the software.  Alternatively, you can download an installation package from the Java Download Page.

If you still require version 6, the latest release is Java 6 Update 37, which is available here.
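Because an updated Java does not necessarily remove the older runtimes already on a machine, checking only the `java` first on the PATH can miss a vulnerable copy. The following script, added here as an example and not part of the original post, parses `java -version` output for each installation found and compares it against the affected versions listed in the October 2012 advisory above; the installation paths and version lines are constructed sample data.

```python
import re
from typing import Dict, Optional, Tuple

# Affected families and their last affected update number, taken from the
# October 2012 Java SE Critical Patch Update Advisory list in the post above.
AFFECTED_MAX_UPDATE: Dict[str, int] = {
    "1.7.0": 7,    # JDK and JRE 7, Update 7 and earlier
    "1.6.0": 35,   # JDK and JRE 6, Update 35 and earlier
    "1.5.0": 36,   # JDK and JRE 5.0 Update 36 and earlier
    "1.4.2": 38,   # SDK and JRE 1.4.2_38 and earlier
}

# `java -version` prints a line such as: java version "1.7.0_07"
VERSION_RE = re.compile(r'version "(1\.\d+\.\d+)_(\d+)"')


def parse_java_version(output: str) -> Optional[Tuple[str, int]]:
    """Extract (family, update) from `java -version` output; None if unrecognised."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def classify(output: str) -> str:
    """'affected' if on the advisory list, 'fixed' if a newer update of a listed
    family, 'unknown' if the family is not listed or the string does not parse."""
    parsed = parse_java_version(output)
    if parsed is None:
        return "unknown"
    family, update = parsed
    limit = AFFECTED_MAX_UPDATE.get(family)
    if limit is None:
        return "unknown"
    return "affected" if update <= limit else "fixed"


def audit(installs: Dict[str, str]) -> Dict[str, str]:
    """Classify every installation found, not just the one first on the PATH."""
    return {path: classify(out) for path, out in installs.items()}


# Constructed sample: a patched Java 7 next to leftover Java 6 and 1.4.2 runtimes.
SAMPLE_INSTALLS = {
    "/usr/lib/jvm/jre1.7.0_09/bin/java": 'java version "1.7.0_09"',
    "/usr/lib/jvm/jre1.6.0_31/bin/java": 'java version "1.6.0_31"',
    "/opt/oldtools/j2re1.4.2_19/bin/java": 'java version "1.4.2_19"',
}

if __name__ == "__main__":
    for path, status in audit(SAMPLE_INSTALLS).items():
        print(f"{status:9s} {path}")
```

On a real system, feed `audit` the stderr of `java -version` from each JRE or JDK directory you find (for example under `/usr/lib/jvm`, `/Library/Java`, or `C:\Program Files\Java`), since `java -version` writes to stderr rather than stdout.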

If you do have Java installed on your system(s), I recommend updating it as soon as you conveniently can.


Critical Updates for Java Released

June 16, 2012

Oracle has released its quarterly security fixes for Java.  The new Version 6 Update 33 addresses 14 identified security vulnerabilities; at least one of these is extremely serious, because it can be exploited remotely without a login.  (There is also a Version 7 Update 5 available for developers, with the same fixes.)  The new versions also fix some minor bugs.  Further information is available in the Critical Patch Update Advisory.

The new version is available for almost all platforms: Linux, Windows, and Solaris.  Apple supplies its own versions of Java for Mac OS X; there is usually a time lag of at least a few days after Oracle releases a new version before an updated Mac version is available.

Because of the security content of this release, if you have Java installed on your system, I recommend that you install this update as soon as you conveniently can.  You can obtain the new version, including the browser plug-in, from the download page for Version 6 Update 33, or the download page for Version 7 Update 5.  Windows users can also use automatic updates to get the new release.

