
Sun Issues Java Security Update

Sun Microsystems has issued an update to plug a pair of security holes in its Java Runtime Environment software. JRE is a widely installed software bundle that Web sites use to serve visitors with multimedia, interactive content.

One of the security holes could be exploited to break into Windows machines by convincing a user to visit a corrupt Web site. It's a widespread problem because if you're running Microsoft Windows, a version of JRE is installed on your machine. Ninety-eight percent of all visitors to washingtonpost.com had a version of JRE installed, according to numbers we pulled on Thursday, although the site's statistics tool couldn't break it down by installed version number.

The latest version of Sun's JRE is not vulnerable, but Sun doesn't make it easy for the average user to determine which version is installed on his machine. Additionally, each user probably has more than one version of Java per machine.

The majority of Windows users likely have either JRE 6 or JRE 5.0 installed. The latest patched versions are JRE 6 Update 1, or JRE 5.0 Update 11. To see which version you have installed, go to "Start," "Control Panel," then "Add/Remove Programs," and scroll halfway down the list. If you find older versions of Java already installed, you should uninstall them.
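The same inventory can be scripted. The PowerShell below is an added example, not part of the original post: it reads the registry keys that back "Add/Remove Programs" and compares each Java entry against the patched releases named above. The function name `Get-JreStatus` and the display-name pattern ("... 6 Update 1", "... 5.0 Update 11") are assumptions, and the sample names are constructed.

```powershell
# Patched minimum update per JRE family, as stated in the article.
$PatchedUpdate = @{ '6' = 1; '5.0' = 11 }

# Hypothetical helper: classify Add/Remove Programs display names.
function Get-JreStatus {
    param([string[]]$DisplayName)
    foreach ($name in $DisplayName) {
        # Keep only entries that look like Java runtimes.
        if ($name -notmatch '(?i)\b(?:Java|J2SE)\b') { continue }
        $status = 'Review manually'   # default when the name cannot be parsed
        # Assumed naming: the entry ends in "<family>" or "<family> Update <n>".
        if ($name -match '(?i)\b(\d+(?:\.\d+)?)(?:\s+Update\s+(\d+))?\s*$') {
            $family = $Matches[1]
            # No "Update <n>" suffix means the initial release (update 0).
            $update = if ($Matches[2]) { [int]$Matches[2] } else { 0 }
            if ($PatchedUpdate.ContainsKey($family)) {
                $status = if ($update -ge $PatchedUpdate[$family]) { 'Patched' } else { 'Outdated' }
            }
        }
        [pscustomobject]@{ Name = $name; Status = $status }
    }
}

# Constructed sample names, so the classifier can be tried on any machine.
$sample = @(
    'Java(TM) SE Runtime Environment 6 Update 1',    # Patched
    'Java(TM) SE Runtime Environment 6',             # Outdated
    'J2SE Runtime Environment 5.0 Update 6',         # Outdated
    'Java 2 Runtime Environment, SE v1.4.2_13',      # Review manually
    'Some Other Program 2.0'                         # ignored (not Java)
)
Get-JreStatus -DisplayName $sample | Format-Table -AutoSize

# Live inventory: 32-bit and 64-bit views of the Uninstall registry key.
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object { $_.DisplayName }
Get-JreStatus -DisplayName $installed | Format-Table -AutoSize
```

Entries marked "Outdated" or "Review manually" are the ones to check against the list in Add/Remove Programs.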

The last time Security Fix wrote about Java updates, a reader asked whether any bad guys bothered to exploit Java vulnerabilities. I replied that criminals would be foolish to ignore it, given the massive installation base of this program. The SANS Internet Storm Center recently posted an alert about a malicious Web site capitalizing on a Java vulnerability that Sun patched in January to silently install a password-stealing program on machines whose users visited the site with outdated versions of Java.

Unless you have a very old version of Java installed, you should be able to update by clicking "Start," "Control Panel," and then double-clicking on the "Java" icon. In the box that pops up, click on the "Update" tab, and then the "Update Now" button. Alternatively, Windows users can download the update titled "Java Runtime Environment (JRE) 6u1" from this link.

By Brian Krebs | June 8, 2007; 2:59 PM ET | From the Bunker, Latest Warnings, Misc., New Patches, Safety Tips

Comments

Hi Brian,
Keep up the great work. Given the worthlessness of security certificates these days, should browsers & Java be set to check revocation lists? Is this a worthwhile or insignificant step?
Thanks!

Posted by: OhioMC | June 8, 2007 9:57 PM

I've had 6.1 installed for some time now.

Why the update warning now?

Posted by: FreewheelinFrank | June 9, 2007 4:33 AM

"Ninety-eight percent of all visitors to washingtonpost.com had a version of JRE installed"

Wow, that's a high percentile. Didn't think Java was that widely used. Maybe many of those are old outdated versions that were pre-installed. Count me in the 2% range! I absolutely refuse to install Sun Java on my personal systems and recommend against it at work. As such, I've rarely found a need for it. I understand that's not the case for everyone. But, the point being it's a better practice to follow the philosophy of less is more and knowledge is power. Reduce your attack surface by limiting the software installed on a system. While it increases your security, it also lowers the amount of patching required. Also, the more you know about what is installed on a system and how it's configured, the better you are able to secure it. Any well-managed system is a more secure one.

Posted by: TJ | June 9, 2007 6:08 PM

FYI.

The old Microsoft version of java is not included with Windows XP SP1a, Windows XP SP2, Windows Server™ 2003, or any future Microsoft software.

Thus, any clean install of the above systems will be Java free.

For more info, see http://www.microsoft.com/mscorp/java/

Posted by: TJ | June 9, 2007 6:18 PM

Disclosure: I do work for Sun on the Java PR team.

It is actually pretty easy to determine if you have the latest version of the Java Runtime Environment installed.

If you go to http://java.com (the Java technology site for consumers) at the top of the page you can click the "Do I have Java?" link to see what version you're running and if you have the latest.

You can also click the "Free Java Download" button to download the latest Java Runtime Environment.

Posted by: Jacki | June 11, 2007 11:22 AM

Brian

Much like TJ above, I only have Java installed on one machine. In your article, I would have liked to see you write about what we miss without Java. For one, I can't play the Post video on this computer. (Yeah, I have given up on Flash a long time ago!) Also, what about the Mac versions?

@Jacki

It would really be nice if Sun removed the old versions when we update. I thought I previously read somewhere that we should keep the older updates. But after using Secunia once I realize that's not true.

Posted by: umm.huh | June 11, 2007 1:20 PM

Again, thank you Brian.
Found out I had 4 versions in Add/Remove.
You make this stuff understandable.

Posted by: Emilie | June 12, 2007 10:12 AM

Just checked their website. It says:

Have you heard the news? Be the first to get ZoneAlarm for Vista - security suite, antivirus, or our free firewall.

Get it here when we go live Thursday, June 14.

Click here for an email notification or for more information.

I run Vista and dislike the Trend Micro firewall. I use ZoneAlarm on my XP machines and am happy. But I like the Checkpoint Firewall Accesspoint that does much of the work at the router level and not on my machine.

Posted by: Doug | June 14, 2007 8:32 AM


©  The Washington Post Company