Fun With Java Updates

Sun Microsystems has issued an update to fix stability and security problems with its Java software. The "platform-independent" programming language is supposed to make it easier for Web users to interact with some Web sites, but keeping it up to date with security patches can be anything but easy.

Still don't get what Java is all about? Don't sweat it: you're hardly in the minority. Just know that if you are running a Windows computer, chances are you have some form of Java on your machine. And that Java security holes could give attackers an opening on your PC: Earlier this year, security experts at the SANS Internet Storm Center tracked several sites installing nasty spyware and viruses when people visited them with older versions of Java. Dan Veditz, a security researcher working on Mozilla's Firefox browser, told me earlier this week that it isn't often Mozilla receives reports of people using the browser getting whacked by some rogue spyware or virus installation through the browser, but added that usually such things take advantage of known flaws in outdated versions of Java.

I always sort of dread Java updates because it's rarely a straightforward or painless ordeal, and Sun's installation instructions are rather involved and unnecessarily confusing. When I visit the "Add/Remove Programs" list in the Windows control panel, I see that I have "J2SE Runtime Environment 5.0 Update 6" installed. The latest version released today is J2SE 5.0 Update 7. When I click on the little Java icon in the Control Panel and click on the "About" button under the "General" tab, the program pops up another name for this version: "build 1.5.0_06-b05." I clicked the "Update Now" button under the "Update" tab, but it returned the message "no updates available," even though there is a newer version out already.

Alternatively, you could visit Sun's Java version checker site, or open up a command prompt (click Start, then Run and then type "command" or "cmd") and type "java -version" without the quotes.

According to Sun, "the ... command only determines the default version. Other versions may also be installed on the system." The company recommends that users uninstall any old versions before installing the new one. You should be able to remove the old Java program through the Add/Remove Programs option.

Sun's Java program ships with an automatic update mechanism which for some oddball reason is activated on one of my Windows computers but not the other. In the one with the auto-updates turned on (to toggle this setting, click on the Java icon in the Control Panel, and then under the "Updates" tab put a check in the box next to "Check for Updates Automatically") I have an older version of Java still on the system. I know Sun acknowledged late last year that it was looking into the fact that its updater routinely left older (read: exploitable) versions of its software lying around (and taking up disk space at a whopping 120 MB). But it doesn't look like Sun ever got around to doing anything about that.
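The version check described above only reports the default runtime, and the same release goes by two names ("5.0 Update 6" and "1.5.0_06"). As an added example (not part of the original post and not Sun's tooling), this Python sketch normalizes both naming schemes and lists leftover older runtimes; the function names and the sample list are assumptions constructed from the entry names quoted on this page.

```python
import re

# Control Panel / Add/Remove Programs name, e.g. "J2SE Runtime Environment 5.0 Update 6"
PRODUCT_NAME = re.compile(r"J2SE Runtime Environment (\d+)\.(\d+)(?: Update (\d+))?")
# Internal build string, e.g. "1.5.0_06-b05" or "... SE v1.4.2_02"
BUILD_STRING = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def normalize(name):
    """Map either naming scheme to a comparable 4-tuple; None if not a JRE entry."""
    m = PRODUCT_NAME.search(name)
    if m:
        # Product name "5.0 Update 6" corresponds to build string 1.5.0_06.
        return (1, int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    m = BUILD_STRING.search(name)
    if m:
        return tuple(int(g or 0) for g in m.groups())
    return None


def audit(installed, default_version):
    """List JRE entries older than the newest one and check the default."""
    jres = sorted((v, n) for v, n in ((normalize(n), n) for n in installed) if v)
    if not jres:
        return {"newest": None, "stale": [], "default_is_newest": False}
    newest = jres[-1][0]
    return {
        "newest": newest,
        "stale": [n for v, n in jres if v < newest],
        "default_is_newest": normalize(default_version) == newest,
    }


# Constructed sample: entry names follow the formats quoted on this page.
SAMPLE_INSTALLED = [
    "J2SE Runtime Environment 5.0 Update 6",
    "J2SE Runtime Environment 5.0 Update 7",
    "Java 2 Runtime Environment, SE v1.4.2_06",
    "Java Web Start",
]
SAMPLE_DEFAULT = "1.5.0_06-b05"  # build string of the default runtime (constructed scenario)

if __name__ == "__main__":
    report = audit(SAMPLE_INSTALLED, SAMPLE_DEFAULT)
    for name in report["stale"]:
        print("leftover older runtime:", name)
    if not report["default_is_newest"]:
        print("default runtime is not the newest installed version")
```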

Sun posted a notice saying it was taking its download site offline part of the day on Thursday "due to scheduled maintenance," so maybe that's the reason I haven't been able to download the update so far.

By Brian Krebs  |  May 26, 2006; 8:20 AM ET
Categories:  New Patches  


It's not that unix isn't user-friendly, it's just choosy about who its friends are.

Posted by: Adam | May 26, 2006 9:54 AM

Make sure that if you want the latest version, you follow the link to "JRE 5.0 Update 7." Because if you go to the "Java version checker site," it will try to install Update 6 and you'll either A) still be behind, or B) get told that it can't install because you already have the latest version.

Posted by: Bob | May 26, 2006 10:15 AM

Is it just the JDK that's been updated? If the JRE hasn't, that would explain why the detection and update mechanisms report that you're up to date.

Posted by: James | May 26, 2006 11:30 AM

The new download you have linked to is NOT the runtime environment users need. It IS a kit for developers. If you are writing code this will be useful, otherwise not! I think this piece is likely to confuse some people.

Posted by: Steve | May 26, 2006 11:47 AM


You are correct, I included the wrong link (I have since corrected that in the main blog post itself). Thanks for the heads up. The link to the correct J2SE(TM) Runtime Environment 5.0 Update 7 is also here:;jsessionid=F32CBA61397B04A9CC92EE97E2DD0342

Posted by: Bk | May 26, 2006 12:24 PM

The link you've posted contains a session id and is only good for one use.

I think most of us will have to wait for Sun to post the new JRE to the main Java download page at .

Posted by: wacokid | May 26, 2006 1:23 PM

Now you see why I hate Java updates. I didn't realize it had a stupid session ID: you can get the link yourself from this one here, which I don't believe will expire

The link under JRE 5.0 Update 7 is:

That should do it.

Posted by: Bk | May 26, 2006 2:06 PM

Thank you Brian, for exposing Java's ungainliness that we Java developers have long endured. Java is a fairly nice language for developers, but for desktop users it's an absolute pain. And that's why it's still a poor choice for most consumer desktop applications. The biggest problem is that Sun is a server company and absolutely does not get what it takes to make good desktop software. The auto update mess is just one of many examples of Sun's desktop ineptitude. Compare what Brian had to go through with what a user has to do to update Flash or even iTunes and you begin to appreciate just how bad Java on the desktop is. Java developers have been pleading with Sun for years to make the runtime environment modular so that it's easy to deploy and update. But it won't happen until Java is either truly open sourced or sold to a company that understands desktop software (i.e. not IBM).

Posted by: Qian Wang | May 26, 2006 2:36 PM

Thanks for the working link.

I think you're being kind of harsh on Sun. Since I got my users updated to JRE 1.5, they've been updating automatically without any problems. The full installer also has the capability to do a silent install, and in some cases, I've used Active Directory to push an update out rather than waiting for it to happen automatically.

I expect that within another day or so, the new update will become available on the rest of Sun's web pages. I don't know what their system is for content management, but with a website as large as theirs, I'm not surprised at all that new JRE updates are not posted everywhere simultaneously. In my experience, Microsoft lags about a day behind on getting new updates pushed out as Automatic Updates too.

Posted by: wacokid | May 26, 2006 4:26 PM

I received the auto updater notice earlier, I tried to install the update, it failed. I then tried to uninstall java (failed), and then install the new version (failed). Finally, I managed to get a version installed. Which? I have no idea, but at least my web browsing functions. Did Sun hire some programmers from Microsoft?

Posted by: Bob O | May 26, 2006 4:42 PM

I never had any problem in updating jre. Maybe the user needs to follow instructions properly.

Posted by: mat | May 26, 2006 6:11 PM

As far as I know, the update function is only for important updates. So if an update brings security fixes, it will be sure to show in the "Update Now" function.

Also, you write that you don't know why the update function is active on some computers and not on others. I think that has something to do with the installer. If you use the online installer it is active, with the offline installer it is disabled.

I'm not sure where I read this info, I think it was in

But this blog is so long, I'm too busy now to check if I'm right. But you should read this blog entry anyway...

Posted by: Anonymous | May 27, 2006 1:13 PM

The Java website is so confusing that it appears to have been designed to intimidate users as opposed to developers. They clearly indicate users need JRE and not J2SE ( ). Yet, if you follow the first link in your entry above (05/26), the information accompanying the JRE download exclusively refers to developers and J2SE. If you follow the second link, it refers to J2SE for the Sun Developers' Network.

As I, and I assume most readers, are users, I'm too confused to take any action other than use the "Download Now" link at

Posted by: Lou Messina | May 30, 2006 1:22 PM



Posted by: patrick-- | May 30, 2006 2:14 PM

patrick, i suspect your problem with java has to do with the caffeinated variety. you know, there are plenty of decaffeinated brands on the market today that are just as tasty as the real thing. just a thought.

Posted by: Anonymous | May 30, 2006 5:56 PM

I have Norton AntiVirus 2006 and the 2006 firewall. The other day I downloaded the Yahoo Messenger and I never opened it to install it, but after I downloaded it to my desktop my Norton antivirus and firewall were turned off and the icons vanished from my taskbar.
Is there a hole in the Norton stuff too???

Posted by: Ron Winkler | May 30, 2006 11:33 PM

The other day I downloaded Yahoo Messenger to my desktop but didn't open it.
After downloading it, my Norton antivirus and my Norton firewall 2006 were turned off and the icons on my taskbar vanished.
What's up with this? Is there a hole in Norton also???

Posted by: | May 30, 2006 11:37 PM

'Still can't get the JRE as of 5.31.2006 (vs. JSE - see ).

As posted above "...most of us will have to wait for Sun to post the new JRE to the main Java download page at .
Posted by: wacokid | May 26, 2006 01:23 PM"

Posted by: J. Warren | May 31, 2006 9:33 AM

I got exactly the same reactions you did when attempting to update. I uninstalled the old version and I had a slew of leftover old files and folders starting with the name JAVA. They are now in the recycle bin and the new version downloaded from without any problem and installed and verified cleanly. Thanks for the "heads up" on this update.

Posted by: dbm1rxb | May 31, 2006 4:18 PM

I looked in my Add/Remove programs list and found a whole bunch of Java updates installed:

J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 7
Java 2 Runtime Environment, SE v1.4.2_02
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_05
Java 2 Runtime Environment, SE v1.4.2_06

and finally

Java Web Start.

Sheesh. The latest is J2SE Runtime Environment 5.0 Update 7, the one mentioned in your blog. Are the Java 2 Runtime Environment, SE v1.4.2_02 thru v1.4.2_06 older versions that can be removed?

Steve S.
Reston, VA

Posted by: Steve S. | June 14, 2006 2:38 PM

I read posts indicating that people were having problems with Norton antivirus. I had used Norton for several years and had problems getting rid of some viruses/trojans/whatever...I'm not close to being a computer whiz. Fortunately, I am friends with a computer whiz who told me to try Nod32. It immediately got rid of the "stuff" that had been troubling my computer & I couldn't remove with The Norton Antivirus software. I have had no problems with Nod32 since I started using it 2 years ago. It is very reasonably priced and it works great.

Posted by: Ken | June 27, 2006 7:42 AM

The comments to this entry are closed.

© 2010 The Washington Post Company