Network News

X My Profile
View More Activity

Would You Like an Update With Your Java?

Sun Microsystems has released a security update to its Java software. Since cyber criminals have a history of targeting Java vulnerabilities, and because at least 800 million computer users have some version of Java installed, it's probably time for most readers to update this program.

java611.jpg

Sun's release notes are somewhat light on details, saying Sun Java 6.0 Update 11 contains fixes for one or more security vulnerabilities. Not sure whether you have Java or the latest version installed? Check out this link.

Windows users can grab the latest version by opening the Windows Control Panel, clicking the Java icon, and then visiting the "Update" tab and clicking "Update Now." After you begin the update process, note that unless you want the Yaboo! toolbar also installed, you'll need to uncheck that option before proceeding with the rest of the install. Other OS users can find the update by following this link.

java611yahoo.jpg

If you're using Java 6 and already have the most recent version (Java 6 Update 10) installed, you should notice that Sun's new patch-in-place mechanism works as advertised, meaning users won't have to manually uninstall old versions of the program. Update 11 successfully removed update 10 after it installed on a test machine, but be aware that it will not remove versions of Java prior to update 10.

Of course, one alternative to keeping Java updated is to simply remove it from your system altogether. I'm happy to report I've been living without Java on my Windows Vista system for several months now without any regrets or apparent need for the program.

For those readers who do have Java installed and wish to put it to good use, allow me to plug the free Software Inspector service from Secunia, which can help Windows users stay on top of which programs need updating. Users can run a scan either from the company's Web site, or by installing their Personal Software Inspector program. According to a post today on the company's blog, even with this help most computer users are running at least one outdated or insecure third-party program. The company found that 98 percent of the 20,000 PC users running Personal Software Inspector still have program updates to apply.

By Brian Krebs  |  December 3, 2008; 1:18 PM ET
Categories:  New Patches , Safety Tips  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Apple: Mac Users Should Get Antivirus Software
Next: Court Rules Against Teacher in MySpace 'Drunken Pirate' Case

Comments

I wonder if you would like to address the practice of add-on software that Java, and many other free apps, piggyback on to their updates and installs. If you don't pay attention, Java installs the Yahoo Toolbar. If you have that already, it downloads an installer for OpenOffice if you don't see the checkbox. Shockwave updates keeps dropping Norton's "free" Scan software on various computers I support ("free" because it doesn't actually do anything useful unless you give them money). Others like Acrobat Reader try to get you to install Google Toolbar. The list goes on. It's one thing to offer these in conjunction with installs and updates; another altogether to make installing them the default option.

Anyway, just installed the latest Java update and am feeling irked once again by this issue. I'd be interested in your and other readers thoughts.

Posted by: goku234 | December 3, 2008 3:19 PM | Report abuse

Ask Secunia why I can run the Adobe uninstaller, run their scan and come up clean, install the latest flash, and Secunia has me back at one or two outdated versions. Been that way since I tried it two years ago, and on both of my machines.

Posted by: KeithWarner | December 3, 2008 3:48 PM | Report abuse

The point made by KeithWarner constitutes the single most annoying issue when using Secunia. Previous versions of Java can be uninstalled relatively easily (and this will no longer be an issue apparently). Not so with previous versions of Adobe Flash Player. I consider myself a functioning computer novice. I can only remove prior version of Adobe Flash Player sometimes. Secunia only identifies the old file to remove. This is not always enough info to remove the old file. Adobe does not uninstall previous versions of Adobe Flash Player when installing current versions. It should not be this hard. Security fix to the rescue?

Posted by: GeorgeSeals | December 3, 2008 4:48 PM | Report abuse

George/Keith : Have you guys tried removing Flash entirely using Adobe's uninstaller tool, and then reinstalling Flash? I agree it shouldn't be that hard, but others with this same problem have reported success after using the removal tool.

http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_14157

Posted by: BTKrebs | December 3, 2008 5:12 PM | Report abuse

In response to goku234: I have also been annoyed by the growing number of add-on software with free programs. I wasn't careful when installing Foxit Reader and wound up with Ask.com toolbar for Firefox. It's frustrating but I suppose it one of the costs of being free.

I have had Secunia Software Inspector installed for several months and like their program but have noticed two issues: it's a bit of a memory hog and they are somewhat slow in picking up new updates.

The second reason above is why I like File Hippo. They have a smaller cadre of programs which they scan but new updates are much faster than Secunia.

Brian, we can thank you for decreasing the amount of spam in our inbox so let's also thank you for annoying Sun to fix their update to Java.

Posted by: jsapovits | December 3, 2008 5:43 PM | Report abuse

That's what I meant, Brian. I can run the Adobe uninstaller, then run Secunia, online or the PSI, and show no Adobe/Macromedia installed. But when I install Flash Player 10 (or previous in this 2-year saga), Secunia once again shows 1 or 2 old along with the new. Apparently, Secunia doesn't answer emails, either.

Posted by: KeithWarner | December 4, 2008 3:41 PM | Report abuse

The article states: "cyber criminals have a history of targeting Java vulnerabilities"

They do? Which cyber criminals? Can you point out an example of this, especially one that caused any issues for any organization? Cyber Criminals target Windows every minute of every day, but you don't usually get a Norton alert on Java viruses, worms, etc.

Posted by: OpenSource | December 4, 2008 6:13 PM | Report abuse

@OpenSource -- Sure. Here are a couple of semi-recent examples. I'm sure you could find plenty more going back a while.

http://isc.sans.org/diary.html?storyid=2934

http://www.vnunet.com/vnunet/news/2172403/java-exploits-brewing

https://forums.symantec.com/syment/blog/article?message.uid=305523

Posted by: BTKrebs | December 5, 2008 8:23 AM | Report abuse

I have tried both Secunia OSI (free online) and PSI (free personal use). PSi does scans which do not conform to what is actually on the computer when it makes recommendations. It will suggest removing patches which are current and then re-installing the same patches. It also recommends installing patches for software not installed on the computer. When my antivirus program attempted to download vital patches, Secunia PSI blocked it without giving sufficient time to respond or later by giving no choice at all. So I disabled PSI, sent an e-mail to Secunia detailing the problem and have not heard back at least 2 weeks later.

I would suggest subscribing to forums like Bleepingcomputer.com. BC has numerous features, some directed at the novice, some for those more expert. The site has a section for security alerts, an update calendar and referrals and downlinks to many resources. If BC isn't for you, there are other free forums which have similar features. I found out about the site when looking for a cure for Antivirus 2008 during the summer malware olympics.

As for Java vulnerabilities, many legitimate sites require Java use (including the Washington Post and the Huffington Post), but allow extremely active adware on their sites, which are often the source of infection. My credit union requires extensive use of Java, but a lot of the info pages it refers the customers to look amateurish and do not have a uniform appearance. Which requires frequent site verification. I am by no means a techie or security expert, and it is extremely frustrating.

Shouldn't sites be required to give credentials (verifiable) and Java use requirements up-front when you log in? Users should not be required to do extensive research for each site.

Posted by: befuddled86 | December 8, 2008 12:31 PM | Report abuse

One annoying thing that happens is that I'll visit a website and will get the message "You must be running the latest version of FlashPlayer in order to use this website..." when I already have the latest version installed - ver. 10.0.12.36. Or I'll get a message saying that I must be running Adobe Flash Player 9, etc.
To find out what you're running, go to http://www.adobe.com/products/flash/about/

Posted by: Dr_Steve | December 10, 2008 3:39 PM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company