Sun Releases Java Security Update

Sun Microsystems is urging users of its Java software (i.e., most computer users on the planet) to apply a security patch to fix a dangerous security vulnerability that exists in most versions of the program.

Many people may not even know they have Java on their systems. It may have come pre-installed (in which case your copy probably is really old), or you may have installed it because some interactive Web site said you needed it to properly view its content. To check, visit the "Add/Remove Programs" list in the Windows control panel and look for something called "J2SE Runtime Environment."

If your version says anything less than "Update 10," it's time to update again. The patch is available for download here (most people will want to select the "Java Runtime Environment (JRE) 5.0 Update 10" option).

The vulnerability, according to the Sun security advisory, stems from a problem with the way that Java handles certain types of image files ending in ".gif." By convincing users to visit a Web page that hosted a specially crafted .gif image file, an attacker could take complete control of a computer running a vulnerable version of Java.

It's worth noting that this is far from a Windows-only problem. While Java is installed on most Windows systems, it is built into all Mac OS X systems and most Unix and Unix-like systems, according to the SANS Institute, a security research and training group based in Bethesda, Md. Sun urges all computer users to apply this update.

I am not a huge fan of Java. I believe that most people are better off without this program installed on their systems at all. After the last couple of updates, I removed Java from most of the systems I use and haven't had any need to re-install it.

If you do decide to update, keep in mind -- as Security Fix has mentioned time and again -- that it's a good idea to make sure to get rid of older copies of Java that may be lying around on your system -- and there may be several older (i.e., vulnerable) copies of the software taking up hundreds of megabytes of space on your hard drive.

Previous Java updaters have tended to leave older versions of the Java plug-in, well...plugged in to both Firefox and IE, but this installer did not. However, it did leave behind Update 9, so you're probably best off making sure that's gone whether you choose the update route or the abandon-Java route.
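One way to turn the check described above into a script (an added example, not code from the post or from Sun): it reads the display names behind the Add/Remove Programs list, flags any JRE 5.0 copy older than Update 10 as stale, and reports whether a patched copy is present at all. The function names, the Uninstall registry key and the sample display names are assumptions and constructed input, and the name pattern covers only the "J2SE Runtime Environment 5.0 Update N" naming the post mentions.

```python
import re
import sys
# Display names as shown in Add/Remove Programs for Sun's JRE 5.0, e.g.
# "J2SE Runtime Environment 5.0 Update 9". Update 10 is the patched level named
# above; older 1.4.x releases use a different naming scheme and are not handled.
PATCHED_UPDATE = 10
NAME_RE = re.compile(r"^J2SE Runtime Environment\s+(\d+\.\d+)(?:\s+Update\s+(\d+))?$")
UNINSTALL_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"  # assumed key

def parse_jre_name(name):
    """Return (release, update) for a JRE display name, else None.
    No 'Update N' suffix means the original release (update 0)."""
    m = NAME_RE.match(name.strip())
    return (m.group(1), int(m.group(2) or 0)) if m else None

def audit_jre_installs(display_names, patched_update=PATCHED_UPDATE):
    """Split JRE entries into patched copies to keep and stale (vulnerable)
    copies to uninstall; needs_update is True when no patched copy exists."""
    patched, stale = [], []
    for name in display_names:
        parsed = parse_jre_name(name)
        if parsed is None:
            continue  # not a JRE entry
        release, update = parsed
        if release == "5.0" and update >= patched_update:
            patched.append(name)
        else:
            stale.append(name)
    return {"patched": patched, "stale": stale, "needs_update": not patched}

def installed_display_names():
    """Read DisplayName values from the registry key behind Add/Remove
    Programs. Windows only; returns an empty list elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UNINSTALL_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            try:
                with winreg.OpenKey(key, winreg.EnumKey(key, i)) as sub:
                    names.append(winreg.QueryValueEx(sub, "DisplayName")[0])
            except OSError:
                pass  # entry without a DisplayName value
    return names

# Constructed sample of what the list might show right after this update
SAMPLE = ["J2SE Runtime Environment 5.0 Update 9",
          "J2SE Runtime Environment 5.0 Update 10", "Some Other Program"]
```

Running `audit_jre_installs(installed_display_names() or SAMPLE)` on a real machine lists the copies to uninstall; on the sample it flags Update 9 as stale and Update 10 as the patched copy to keep.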

By Brian Krebs  |  January 23, 2007; 11:15 AM ET
Categories:  New Patches  

Comments

"...I removed Java from most of the systems I use and haven't had any need to re-install it..."

Yes you did, Brian. See:
- http://blog.washingtonpost.com/securityfix/2007/01/free_tool_scans_your_pc_for_mi.html
01/11/2007

...and there will probably be other times you'll need it for other apps.

Posted by: J. Warren | January 23, 2007 12:00 PM | Report abuse

"i.e., most computer users on the planet ..."

Actually, I'm not sure that Java is widely used. AFAIK, after their spat with Sun, Microsoft neither ship their own virtual machine nor bundle Sun's. And I doubt many Windows users go to Sun to get it.

One contributor in a thread on Java at O'Reilly intimates that programmers needing to write web apps that can't be done with simpler means now have to toss up whether it's worth writing *two* versions - one in ActiveX for people with stock Windows installations, one in Java for everybody else. He says: "You can ask MSIE users to install the JVM, but most won't".

http://www.oreillynet.com/onjava/blog/2007/01/java_to_the_iphone_can_you_hea.html

The main reason for the O'Reilly thread is the news that Apple's forthcoming iPhone won't use Java, neither for applications (Cocoa does the job better) nor as a plug-in for the browser (there will be plug-ins - JavaScript, and possibly Flash, but no Java, which Steve Jobs likens to a huge ball and chain).

http://mooseyard.com/Jens/2007/01/in-which-i-think-about-java-again-but-only-for-a-moment/

I've got Java disabled in my browsers on both Mac and Windows now. There doesn't seem to be a lot of it on the web, and it's another risk I can do without.

Posted by: Nick | January 23, 2007 12:07 PM | Report abuse

Having mentioned Apple, it might be worth adding that Sun does not distribute a version of Java compatible with OS X. Apple will doubtless roll out an update themselves in time after consulting with Sun - watch this space:

http://www.apple.com/support/downloads/

So any Mac users would be wasting their time going to Sun to look for an update.

IF OS X users wish to disable Java, they should go into their browser's preferences:

Safari > Preferences > Security

and uncheck the "Enable Java" box.

Posted by: Nick | January 23, 2007 12:19 PM | Report abuse

There are sites out there that do use Java including a very popular game site called Runescape (http://www.runescape.com). I also recall my kids going to various sites that used Java Applets for common online games (similar to what MSN Game Zone offers).

Posted by: Jim | January 23, 2007 1:20 PM | Report abuse

Firefox has an add-on called NoScript that blocks Java until you want it up, to see a web site, for example; very useful, especially in this case.

Now if only Firefox would fix their password vulnerability in the same way...

Posted by: SPENCER ADAMS | January 23, 2007 1:26 PM | Report abuse

Hey Brian,
Thanks for including where to check for software version numbers when you write these pieces. It's really helpful for a lot of us since it's not always obvious where to find the info, and I appreciate it.

Posted by: Balto, MD | January 23, 2007 2:23 PM | Report abuse

Have tried several times to navigate the download from your link, and though it says the update is downloaded, I cannot find it in any of the registries (including add/remove and accessories) nor is there the promised desktop shortcut.
In passing, I found the JRE shortcut that does exist is for update 8, even though the only version I can find in add/remove registry is update 9.
Is there some more easily verifiable way to update?

Posted by: dijit44 | January 23, 2007 2:59 PM | Report abuse

What does Java do?

Posted by: aleks | January 23, 2007 3:20 PM | Report abuse

this is hilarious.

perhaps he should get rid of Microsoft Software on his machine as well, since on the same page there is a blog with the title 'TEN Microsoft Patches for Security...'.

The Java patch is for a very specific type of attack. There are much simpler solutions than getting rid of Java.

Posted by: javafreak | January 23, 2007 3:48 PM | Report abuse

In a previous column you wrote:

>>What I like most about this tool is that
>>you don't need to install any software to
>>use it: You can run the scanner straight
>>from the Secunia site

The site uses a Java applet to do its work

Posted by: Anonymous | January 24, 2007 7:09 AM | Report abuse

A better site to direct your readers (consumers) to is www.java.com. The URL you directed them to is for Java developers. From the java.com site, users can click on 'verify' to learn what version of the software they are running and whether there is an update available for them. Also, the java.com site offers a variety of games and applications for both mobile and desktop. Java is in 80% of cell phones, and on over 300M PCs. Apple may not like it but Google does, as do thousands of other companies. And, as some of your readers have pointed out, Java is not always obvious but it is often a part of your online experience with dynamically generated web content.

Posted by: Vicky | January 24, 2007 11:45 AM | Report abuse

I have a question... since I have Java Update 10 now, do I still need to keep Updates 8 and 9? Or can I remove them from my programs... thanks for taking time to help... PLEASE

Posted by: brandon | February 13, 2007 10:57 AM | Report abuse


© 2010 The Washington Post Company