Java Update Released

Sun Microsystems issued another update to fix security and stability problems with its Java software, but few users are likely to have noticed, as Sun currently isn't doing anything to alert people.

Java's updater errantly says my Java 6 Update 5 is the latest.

The latest update to the version of Java that most Microsoft Windows users have on their machines -- Java Runtime Environment (JRE, also called simply "Java Update" in the Windows Add/Remove programs list) -- is JRE 6 Update 6. However, both of the methods I normally use to tell whether I'm running the latest, patched version failed to tell me that there was a new version of Java available. Update 6 plugs at least one security vulnerability, along with at least a dozen other bugs.

Sun's Java page isn't much help either.

I've found that the Java updater that ships with the software typically takes anywhere from two to four weeks after an update has been shipped to alert me that it is available. Sun's Java homepage is usually a bit faster on the uptake, but it also still tells me that I'm running the most current version with my install of Java 6 Update 5.

Note to Sun: When you ship an update that includes security fixes, alert your user base and update your Web site. Who is that user base? Just about anyone who owns a Windows computer. Sun estimates that Java is installed on more than 600 million computers worldwide.

Users who want to install this latest update now can grab it from this link here (the JRE is the 5th item listed). As always, remember to uninstall any older versions of Java you may have, either before or after updating, as Sun's Java installers still do not take care of this basic process for the user.

By Brian Krebs  |  April 21, 2008; 1:25 PM ET
Categories:  New Patches  

Comments

"Just about anyone who owns a Windows computer. Sun estimates that Java is installed on more than 600 million computers worldwide."

Not mine. (been that way for over 4 years).

Wonder how many of those came that way from the OEM (ex. Dell, HP, etc.), not to mention all the other junk.

First thing I do with any new system is wipe it clean and install a fresh copy of the operating system sans any third party software.

I understand it may not be possible for many to forego Java, but at some point it is wise to evaluate the benefit/risk ratio and take a stand. Ditto on QuickTime and Adobe Reader.

Anyway, as always thanks for the heads up and the option to comment. :)

Posted by: TJ | April 21, 2008 1:55 PM

Aah! BSOD! First time ever under XP for me. Can I tell you how much I don't like using custom downloaders? Please let us know when the darn thing's available over HTTP (or FTP).

Posted by: Hemisphire | April 21, 2008 2:37 PM

I followed your advice and tried to update and download Java JRE 6, update 6, but the download only produced the older version 6, update 5, the same version I had before. There is no mention of JRE 6, update 6 on any of Java's websites, as far as I can tell. What did I do wrong?

Posted by: Anonymous | April 21, 2008 3:11 PM

Has Sun ever explained why it's so slack in this area? I'd think that even their own programmers would be annoyed that the company doesn't really try to do anything with their work.

Posted by: ugh | April 21, 2008 3:41 PM

Hemisphire, it is available via HTTP, just click directly on the file name instead of the check box.

Posted by: Adrian | April 21, 2008 5:27 PM

So, which is worse - an installer that takes a week or two to detect new software, or an installer that pushes new applications from the vendor?
It's distressing (no offense, Brian...) that end-users essentially need to follow something like Security Fix to keep up to date with their software. How's the average user supposed to keep their computer from being a zombie? Vendor-supplied updaters tend to be a very weak area.

@Hemisphire: There is a direct link, although it's not obvious. Click the filename (the name ending in .exe) and you'll get a download window.

Posted by: Nathan | April 21, 2008 5:30 PM

"How's the average user supposed to keep their computer from being a zombie?"

Via a multi-layered defense (see list below) of which patching is only one part. The point is do not rely on just one defense. With multiple layers, if one is compromised, another protects, making it much more difficult for malware to get a foothold.

1. Use a non-admin (limited user) account
2. Use a firewall (preferably a hardware firewall at the perimeter and a software firewall on each computer)
3. Keep the system fully patched (includes ALL software)
4. Use Antivirus/Antimalware software that is configured to update itself DAILY
5. Practice safe computing
6. Routinely (at least monthly) back up your data to external media
7. Install ONLY required software using the latest versions, uninstall old or unused software (reduces system attack surface and minimizes patching)
8. Stay informed of computer security news (like this blog)

Posted by: TJ | April 21, 2008 6:21 PM

Secunia doesn't detect it either, and they always find everything. Maybe by tomorrow they'll have it figured out and send out the email reminder to update.

Posted by: Catester | April 21, 2008 8:10 PM

Brian,

In XP, go to Control Panel and click on the Java icon and select the Update tab, then if "Check for Updates Automatically" is checked, click the Advanced button. It will show you how often your machine is configured to check for Java updates. I believe the default is Monthly...

Posted by: scottr | April 21, 2008 10:42 PM

Nice thing about Secunia beta is it already notified its users of the release.

Posted by: brucerealtor | April 22, 2008 1:52 AM

Sun continues to have issues with their Java updates. This has been an on-again off-again on-again problem for at least a couple years.

One thing that seems to [usually] work for me is to download the offline full exe, for example from
http://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_Developer-Site/en_US/-/USD/VerifyItem-Start/jre-6u6-windows-i586-p.exe?BundledLineItemUUID=MUNIBe.oIHEAAAEZoARHCHZW&OrderID=7jtIBe.oAyEAAAEZlgRHCHZW&ProductID=fU5IBe.nalwAAAEZyWklHgvk&FileName=/jre-6u6-windows-i586-p.exe

BEFORE installation of JRE, UNinstall previous JRE - any/all versions.

Posted by: Steve | April 22, 2008 9:36 AM

Brian K. wrote: "As always, remember to uninstall any older versions of Java you may have, either before or after updating, as Sun's Java installers still do not take care of this basic process for the user."

That was news to me and thus I just checked out the installed programs on my workstation. There were 9 (nine!) different versions of the JRE installed. Thanks for the info.

That situation is rather vexing. Download the updated version or patch thinking that security risk X has been resolved only to find that the old and at-risk software is still installed. Huh?

Posted by: C.B. | April 23, 2008 10:06 AM

Could it be that Sun soft-pedals its updates at first, to give savvy users who regularly check for updates a chance to find bugs in them, then puts the word out to others about them after the new version has been vetted? This seems wrong-headed, but possible.

Also, do many people need the "multi-language" version?

Posted by: Heron | April 23, 2008 5:45 PM

When I tried downloading JRE 6, update 6 via Firefox after deleting JRE 6, update 5, I got an error message about how the installer couldn't access a necessary file. I reinstalled JRE 6, update 5, using Internet Explorer. When I now try to download JRE 6, update 5, I get the following error message:

"General Error
A technical error occured while processing your request. Please contact the system administrator.
Thank you for your patience."

Is anyone else getting this error message?

In the past, I've deleted the previous version of JRE after installing the new one, and never had any trouble. Is it okay to sit tight and wait till the web version of Secunia recognizes the new version of JRE, or should I try something else now?

Thanks.

Posted by: Heron | April 23, 2008 6:28 PM

Heron,
I ran into a similar message. I kept hitting "retry" 4 or 5 times while I was thinking about what to do next and it ended up fixing itself.

Posted by: ugh | April 23, 2008 11:13 PM

Ugh, thanks. I was able to download update 6 this morning on the first try.

Posted by: Heron | April 24, 2008 9:02 AM

thank you

Posted by: akif | May 3, 2008 9:42 AM

The comments to this entry are closed.

© 2010 The Washington Post Company