Time to Update Java

Sun Microsystems has shipped an update to its widely deployed Java platform that fixes multiple security flaws present in older versions.

The latest Java software, Java Version 6 Update 13, is available from this link here. Not sure what version of Java you have? Check out this page, and click the "Do I Have Java?" link. Users of more recent Java versions may already have received a prompt from the built-in auto-update client to grab this version.

After updating, you may find older versions of Java still present in the Windows "Add/Remove Programs" listing. If you spot any older versions, go ahead and remove those.
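One way to do that check from a PowerShell prompt instead of scrolling through the listing (an added example, not part of the original article or Sun's tooling). It reads the uninstall registry keys that back "Add/Remove Programs"; the display-name pattern `Java(TM) 6 Update 13` is an assumption based on Sun's naming for Java 6 runtimes, so adjust it if your entries are named differently.

```powershell
# Added example: inventory installed Java runtimes and flag every entry older
# than the newest one found. This script only reports; it removes nothing.

# Registry locations behind "Add/Remove Programs" (native and 32-bit-on-64-bit views).
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumed display-name format, e.g. "Java(TM) 6 Update 13" or "Java(TM) 6".
$pattern = '^Java\(TM\) (?<major>\d+)(?: Update (?<update>\d+))?'

$installed = @(
    foreach ($root in $uninstallRoots) {
        # A missing key (e.g. WOW6432Node on 32-bit Windows) is silently skipped.
        Get-ItemProperty -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            if ($_.DisplayName -match $pattern) {
                # A base release without "Update N" is treated as update 0.
                $update = 0
                if ($Matches['update']) { $update = [int]$Matches['update'] }
                New-Object PSObject -Property @{
                    Name   = $_.DisplayName
                    Major  = [int]$Matches['major']
                    Update = $update
                }
            }
        }
    }
)

if ($installed.Count -eq 0) {
    Write-Output 'No Java runtime entries found in the uninstall registry keys.'
} else {
    # Sort numerically so that Update 13 ranks above Update 7.
    $sorted = @($installed | Sort-Object -Property Major, Update -Descending)
    Write-Output ('Newest installed: {0}' -f $sorted[0].Name)

    # Everything below the newest entry is a candidate for removal.
    $sorted | Select-Object -Skip 1 | ForEach-Object {
        Write-Output ('Older version still present: {0}' -f $_.Name)
    }
}
```

Each "Older version still present" line corresponds to an entry you can remove through Add/Remove Programs.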

Be advised that Sun's installer may by default install some browser add-on, such as Microsoft's MSN Toolbar (this is the plug-in the Update 13 installer offered me when I ran it on a Windows 7 Beta machine using IE 8). If you want the Java update but not the add-ons that come with it, be sure to uncheck the box next to this option during the installation process.

By Brian Krebs  |  April 7, 2009; 7:10 PM ET
Categories:  New Patches , Safety Tips  | Tags: java, patch, sun microsystems  

Comments

This update has been out for 2 weeks: http://isc.sans.org/diary.html?storyid=6067

Posted by: fastoy | April 7, 2009 9:50 PM | Report abuse

I recommend not using Java at all since it is an ongoing security problem. Javascript (something very different despite the similar name) is needed but not Java for those who use the internet for e-mail, news, etc. I never allowed it with Firefox and recently removed it from my small ASUS EEE (4GB) hard drive; it's a big program for my machine and I find no loss with my internet use. Such things as the Netflix instant play video (a purchase I strongly recommend) require their own download.

Posted by: byron11 | April 8, 2009 4:12 AM | Report abuse

When I check the Java site using Firefox and IE7, it says I'm up to date. But when I check it with Chrome, it says I "don't have the recommended java installed."

There aren't any old Java versions on my PC. Tried reinstalling Java using Chrome but still get the same error message.

Anybody else having this problem with Chrome?

Posted by: Booyah5000 | April 8, 2009 4:29 AM | Report abuse

The only security problem fixed is that it includes two new root certificates. byron11 is right that normal users don't ever need it, but it's not an "ongoing security problem".

Booyah5000: see http://www.chromeplugins.org/plugins/make-java-work-on-google-chrome/

Posted by: hesaid | April 8, 2009 10:57 AM | Report abuse

The java.com link was not really useful to us Mac guys. Clicking on the "Do I need an update?" link directed me to use the standard MacOS software update link. I did, and the only update I needed was iTunes 8.1.1. I'm not a Java developer, but inevitably software that runs on my systems uses Java, and I still don't know if I'm up to date. C'mon, Sun (or whoever owns Java these days) - try being proactive for us Mac users as well.

Posted by: lpryluck1 | April 8, 2009 11:15 AM | Report abuse

To lpryluck1 the java updates are done exclusively through MAC updates or MAC support. You will not be updating via the Sun site.

As for the installation instructions in the article, I recommend checking for older Java versions first. If you have them, uninstall those then go to the Sun site and install a fresh new version. Installing the new update and then deleting the older versions, as instructed above, can cause instability with Java applications.

Posted by: CharlotteJim | April 8, 2009 12:48 PM | Report abuse

@booyah -- I don't think that is correct. Sun's mystifying security blog appears to suggest otherwise. From that blog:

"Sun Alert 254569 Security Vulnerabilities in the Java Runtime Environment (JRE) LDAP Implementation may Allow a Denial of Service (DoS) and Malicious Code to be Executed "
http://blogs.sun.com/security/entry/sun_alert_254569_security_vulnerabilities

"Sun Alert 254570 Integer and Buffer Overflow Vulnerabilities in the Java Runtime Environment (JRE) "unpack200" JAR Unpacking Utility May Lead to Escalation of Privileges "
http://blogs.sun.com/security/entry/sun_alert_254570_integer_and

"Sun Alert 254608 Security Vulnerabilities in the Java Runtime Environment (JRE) With Storing and Processing Font Files May Allow Denial of Service (DOS) "
http://blogs.sun.com/security/entry/sun_alert_254608_security_vulnerabilities

"Sun Alert 254611 Multiple Security Vulnerabilities in Java Plug-in May Allow Privileges to be Escalated "
http://blogs.sun.com/security/entry/sun_alert_254611_multiple_security

"Sun Alert 254610 A Security Vulnerability in the Java Runtime Environment (JRE) Virtual Machine With Code Generation May Allow Escalation of Privileges "
http://blogs.sun.com/security/entry/sun_alert_254610_a_security

"Sun Alert 254571 Buffer Overflow Vulnerabilities in the Java Runtime Environment (JRE) with Processing Image Files and Fonts may Allow Privileges to be Escalated "
http://blogs.sun.com/security/entry/sun_alert_254571_buffer_overflow

"Sun Alert 254609 A Security Vulnerability in the Java Runtime Environment (JRE) HTTP Server Implementation May Allow a Denial of Service (DoS) Condition on a JAX-WS Service Endpoint "
http://blogs.sun.com/security/entry/sun_alert_254609_a_security

Posted by: BTKrebs | April 8, 2009 2:38 PM | Report abuse

Good advice to update Java. But what does one do about Java 6 Updates 2,3,4,7,12 which reside on the hard disk?
Does one have to keep them all or can one remove the older updates?
Are the newest updates cumulatively inclusive and have everything the older ones provided??

Spring Cleaning the Program List would be useful if one could get information on what can be tossed.
I have a total of more than 78 updates, hotfixes and security updates from Microsoft. That does not count that I have Framework 2 SP2, Framework 3 SP2 and 3.5 SP1. Lots of space used up.

Posted by: beagun27 | April 8, 2009 5:02 PM | Report abuse

@beagun27 - Someone else asked this question privately, so I'll answer it here.

You can and should remove older versions of Java. Prior to Java 6 Update 10, Sun's updater did not remove older versions. If you have had Java installed for a while and have been keeping up with the updates (i.e., you now have Java Version 6 Update 13), you may find that your system still has Update 5, 6, 7, 8, and 9, but not 10, 11 and 12.

In any case, it's safe to simply remove those via the Add/Remove programs. And you'll free up about 100 MB of disk space per version.

Clear?

Posted by: BTKrebs | April 8, 2009 5:12 PM | Report abuse

Thanks yet again, Brian. The NYTimes crossword uses Java so the update is important!

Posted by: JBV1 | April 8, 2009 10:02 PM | Report abuse

When using my administrator account (thank you for that advice!), PSI Secunia (and thank you also for that advice) tells me that I need to add multiple Java updates. When I run my non-administrator account and log in to Java, it tells me I am up to date:

Verifying Java Version
Congratulations!
You have the recommended Java installed (Version 6 Update 13).

I am confused and would appreciate any advice. Thank you (and thank you for all the help you have provided all of us in keeping our computers secure).

Posted by: ajaxthewonderdog | April 10, 2009 8:18 PM | Report abuse

The comments to this entry are closed.