Java Update Plugs Multiple Security Holes

Sun Microsystems is pushing out an important security update to various versions of its Java Runtime Environment (JRE) software, along with a couple of changes designed to make patching the program more predictable and manageable for companies running custom versions of the software.

The update, which applies to Java families 1.3.1, 1.4.2, 5.0 and 6.0, plugs nearly a dozen security holes, including some that Sun warns could be deployed on malicious Web sites to remotely compromise or steal data from unpatched systems. Don't put off installing this update, as Java represents a huge target for cyber crooks: Sun estimates that the program is installed on more than 600 million computers worldwide.

Not sure whether you've got Java or which version your system has? Visit Sun's Java home page and click on the "Do I have java?" link. That should tell you whether you need to update.

Beginning with this update release, Sun is changing a couple of things. First, it's giving advance notice of upcoming patch bundles to give businesses more time to prepare for them. It's also no longer going to release fixes for different versions of Java at different times; from now on, updates to the consumer-oriented versions such as Java 6 will go out at the same time as the older versions more frequently used by businesses.

"We've heard over a period of time that in effect we catch people by surprise at some level with these announcements," Bill Curci, product marketing manager for Java, told me in a phone interview last week.

Curci said the company is still working on some of the improvements I've discussed in past posts on Java updates, including an installer that automatically removes previously installed versions of the software, which take up hundreds of megabytes of disk space apiece and end up confusing users.

By Brian Krebs  |  October 8, 2007; 1:28 PM ET
Categories:  Latest Warnings , New Patches , Safety Tips  

Comments

I was prompted by the automatic Java update a couple of days ago to install this updated version, Java 6.3 ... They also offered me a free download of OpenOffice.org, a nice cross-promotion ;-)

Posted by: Samy | October 8, 2007 9:31 PM | Report abuse

I have a Java query. Do you need to keep ALL of the Java versions that are installed? For example, in the linked image from this blog entry, Runtime 5.0 and Runtime 6.0 are installed. Doesn't 6.0 include all of the updates/fixes from 5.0? And wouldn't update 6.3 include all of the updates/fixes from 6.1 and 6.2?

Aren't you fully updated if you only have the most recent update installed?

Posted by: Paul | October 9, 2007 9:01 AM | Report abuse

@Paul,

Yes, you can safely remove older versions of Java. If you have 6.3 installed, you've got the latest patched version.

Posted by: Bk | October 9, 2007 9:13 AM | Report abuse

1. For Paul, not only can you remove the old versions of Java, you should remove all the old versions. The "evildoers" can select which bug-filled security-risking old version of Java they run on your computer - don't allow them any but the current version by removing all old versions.

2. What is sun's major malfunction? My browser is firefox with no cookies allowed except for specific sites I allow to place session-only cookies. Java.com is one I have allowed. BUT when I go to java.com to check and get the download, their website complains that I am not allowing them to set cookies. Please note that I have specifically allowed java.com to set cookies. It turns out some website named "sunglobal" wants to set cookies. THE ONLY WAY TO FIND THIS OUT WAS ALLOW ALL WEBSITES TO SET COOKIES AND THEN EXAMINE THE COOKIES SET DURING A VISIT TO JAVA.COM.
Why is sun hiding their activities?
Are they not man enough to set their cookies under the java.com site name?
What a crock.

Thanks for allowing the rant.

Posted by: FtB | October 9, 2007 11:40 AM | Report abuse

As for removing old versions of Java, there are Java applications that are dependent on specific JRE/JVM releases, so there is a small chance that removing an old version will break something. Still, I would take the risk because leaving them can also be risky. For good luck, don't add or remove any software for a few days, so that if the Java changes break something you have an immediate suspect.

My site http://www.javatester.org
also tells you if you are running the latest version of Java, without ads and without cookies. And, it's open source :-)

Posted by: Michael Horowitz | October 9, 2007 8:41 PM | Report abuse

Michael Horowitz brings up a very good point about dependencies on existing Java Runtimes. You will find these primarily on servers. I can tell you that I have one server that runs a VERY popular corporate program that has a static pointer to the JRE installed when the program was installed so removing the older version of the JRE will absolutely break the program.
Most Java-dependent applications have configuration files rather than utilizing the registry (in a Windows environment), and it is a matter of finding that config file and changing the path to the new JRE.
Suggested action: Check your servers for java.exe running in the task manager BEFORE removing the old versions of Java.
If you see it running then one way of finding the dependent program is to download and run SysInternals (now Microsoft) process explorer and use it to determine all dependent applications.

Posted by: Fred Dunn | October 11, 2007 7:48 AM | Report abuse
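One way to carry out the "check before you remove" step from the comment above, as an added PowerShell example that is not from the post or its comments: it lists every running java.exe (and javaw.exe), the installed JRE directory it was started from, and the parent program that launched it, so the dependent application and its config file can be found before the old JRE is uninstalled. It assumes a Windows host with PowerShell 3 or later and JREs installed under Program Files\Java; the function name Get-JavaDependency is invented here.

```powershell
# Added example (not from the blog post or its comments): inventory running
# Java processes and the program that launched each one, so a dependency on
# an old JRE is found before that JRE is removed.
# Assumes PowerShell 3+ and JREs installed under Program Files\Java.

function Get-JavaDependency {
    [CmdletBinding()]
    param(
        # Root where JREs are installed, one directory per release.
        [string]$JavaRoot = (Join-Path $env:ProgramFiles 'Java')
    )

    # Every installed JRE/JDK directory (e.g. a name like jre1.6.0_03).
    $installed = @()
    if (Test-Path $JavaRoot) {
        $installed = Get-ChildItem -Path $JavaRoot -Directory |
            Select-Object -ExpandProperty FullName
    }

    # Win32_Process exposes the executable path, command line and parent PID,
    # which Task Manager alone does not show.
    $procs = Get-CimInstance -ClassName Win32_Process `
        -Filter "Name = 'java.exe' OR Name = 'javaw.exe'"

    foreach ($p in $procs) {
        $parent = Get-CimInstance -ClassName Win32_Process `
            -Filter "ProcessId = $($p.ParentProcessId)"

        # Which installed JRE directory this process was started from, if any.
        $jre = $installed |
            Where-Object { $p.ExecutablePath -like "$_\*" } |
            Select-Object -First 1

        $parentName = '<exited>'
        $parentPath = $null
        if ($parent) {
            $parentName = $parent.Name
            $parentPath = $parent.ExecutablePath
        }

        [PSCustomObject]@{
            ProcessId   = $p.ProcessId
            JavaBinary  = $p.ExecutablePath
            JreDir      = $jre
            ParentName  = $parentName
            ParentPath  = $parentPath
            CommandLine = $p.CommandLine
        }
    }
}

# Run before uninstalling old JREs: each row names a program that will break
# if its JreDir is removed; its config file usually lives near ParentPath.
Get-JavaDependency | Format-Table -AutoSize
```

A row whose JreDir is empty means the process came from a JRE outside Program Files\Java (a private copy bundled with an application), which the uninstall will not touch but which also will not be patched by Sun's update.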

I have never liked java, never will, use Silverlight!

Posted by: Steve Ballmer | October 11, 2007 4:42 PM | Report abuse

"an installer that automatically removes previously installed versions of the software"

Due to the way Java installs, any local modifications (such as a local fontconfig.properties file, which we need so Java knows what fonts to use for certain Unicode blocks) go in the Java *release* dir (on my Windows machine, in C:\Program Files\Java\jre1.6.0_03\lib\). If Java auto-uninstalls the old version, I suspect we will lose our locally modified files, too. Which is yet another reason why those files should NOT go where Java requires them to be (the other reason is that every time we get a new version, we have to copy over our fontconfig.properties file into the new version).

Java is broken, at least under Windows.

Posted by: Mike Maxwell | October 21, 2007 12:10 AM | Report abuse



© 2010 The Washington Post Company