Massive Java Update Includes Security Fixes

Sun has released another update to its Java software that brings some 370 bug fixes, including a number of security updates.

For most home users, this update brings the software to Java 6 Update 4. Most Windows users will have some version of Java on their systems, and since there is no shortage of malware samples that exploit older Java security holes to break into systems, it's a good idea to patch this software even if you never remember using it.

The update is available for Windows, Linux and Solaris systems, from this link here.

To see if you have Java installed, check the Add/Remove Programs listing in the Windows Control Panel. Sun calls it Java SE Runtime Environment 6, but it's displayed in the Windows Add/Remove Programs list as Java(TM) 6. You could also just visit Sun's Java homepage and click on the "Do I have Java" link at the top, then the "Verify Installation" button. When I did that on a machine with Java 6 Update 3 installed, the page came back with a message congratulating me for having the latest version installed.

If you're a home user and have any versions older than this latest update installed (most Windows users will probably have multiple Java versions installed, as the installer doesn't remove previous versions), remove them after installing this update.

By Brian Krebs  |  January 23, 2008; 1:42 PM ET
Categories:  Latest Warnings , New Patches , Safety Tips  

Comments

Brian - is this a true update to Java 6.3 already installed on a machine? Or do we have to uninstall 6.3 before installing 6.4, as was the case when upgrading to previously new Java versions?

Posted by: SSMD | January 23, 2008 2:07 PM | Report abuse

@SSMD -- I don't think it matters what order you do the install in. You can install the new version first and uninstall the old one afterward, or vice versa.

Posted by: Bk | January 23, 2008 2:22 PM | Report abuse

As a reminder, new versions of Java do not uninstall old ones automatically. This preserves some backwards compatibility issues with the software and older java applications that were version specific.

However, malware can make calls to older versions that still reside on your system, and many trojans are spread this way. Unless you know that you need an older version, you should uninstall all older versions from the system.

Posted by: BelchSpeak | January 23, 2008 2:46 PM | Report abuse

Thanks, Bk and BS. Note to self - always uninstall old Java versions.

Do you know of any other major software packages that install new versions while leaving old versions intact on the machine? Still seems strange to me, in spite of BS's explanation.

Posted by: SSMD | January 23, 2008 3:04 PM | Report abuse

370 fixes? Three hundred seventy freaking fixes? OMG.

Posted by: Rick | January 23, 2008 3:07 PM | Report abuse

I don't know if this has happened to anyone else, but Control Panel and Sun/Java homepage said my .3 was the latest. Only Brian's "this link here" has the update.

Posted by: Keith Warner | January 23, 2008 3:52 PM | Report abuse

A SSMD: Flash also has a habit of sticking around. Do a scan at Secunia (BK has linked to the site before) to see if you have old versions. Unfortunately you cannot use add/remove programs to get rid of old Flash versions. There's a specific removal tool available at www.macromedia.com/go/14157

Posted by: A | January 23, 2008 4:29 PM | Report abuse

Gee, that was interesting. I selected on-line install, but it downloaded the installer to the Firefox program folder. After I got that straightened out and went to Add & Remove and started to get rid of .3 Spybot S&D asked if I wanted to remove .4! I took a chance and Allowed. Then went to the Java site and it says .4 is working. Phew!

Posted by: Keith Warner | January 23, 2008 5:35 PM | Report abuse

One other thing about Flash... In my experience, you have to update Flash separately for Firefox and IE. For the last several updates, whenever I've gone to Adobe's site, the browser I was using (Firefox) was the only one updated, and tools like Secunia's PSI reminded me to update the relatively unused copy installed for IE...

Posted by: Scott | January 23, 2008 5:53 PM | Report abuse

@BelchSpeak,

Your advice is not correct.

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102557-1

"Prior to 5.0 Update 6, an applet could specify the version of the JRE on which it would run. With 5.0 Update 6 and later installed on the Windows platform, all applets are executed with the latest version of the JRE."

So, as long as you are using at least build 1.5.6, java applets cannot call older, vulnerable versions of Sun Java.

That being said, each version of Sun Java takes up over 100 megabytes of space on the hard drive - just that fact is sufficient reason to remove old builds.

Posted by: Sandi Hardmeier | January 23, 2008 6:00 PM | Report abuse

I should note:

"Prior to 5.0 Update 6, an application could specify the version of the JRE on which it would run. With 5.0 Update 6 and later installed, unsigned Java Web Start applications that specify a version other than the latest installed will trigger a warning, requiring explicit user permission before the application will run. Signed Java Web Start applications are not affected."

Posted by: Sandi Hardmeier | January 23, 2008 6:03 PM | Report abuse

Java 6u4 appears to be a BETA -- the title of the download page that your link leads to is this: "Download Java SE Runtime Environment 6 Update 4 First Customer Ship for Windows, English"

"...First Customer Ship..." sure *_SOUNDS_* like a beta test.

Posted by: Angus Scott-Fleming | January 23, 2008 6:34 PM | Report abuse

Angus Scott-Fleming, FCS is the live version, not a beta. It is Sun's way of saying that it is the first version worthy of public consumption, First Customer Ship. Sun has a beta, early access and alpha classification, and you will see them marked appropriately.

http://docs.sun.com/app/docs/doc/805-4368/gavxi?a=view

I would know. I released Java SE 6u4 that you are reading about.

- Mark, Sun Microsystems

Posted by: Mark | January 23, 2008 6:49 PM | Report abuse

Me again (sorry Brian).

I've had a closer look at the technical documentation for Java.

When I first read BelchSpeak's comment, and responded, my thinking was that advice is incorrect. Now, I see that it is correct, but only with the proviso that the user must specifically approve the applet to run and ignore the prompt to update. The most problematic versions of Java in each family are certainly below the security baseline, so there are layers of protection there.

Posted by: Sandi Hardmeier | January 23, 2008 9:24 PM | Report abuse

Mark, Sun:

I've tried repeatedly to update to 6u4 on multiple systems which have 6u3 installed and they have invariably told me that I don't need an update. The only way to get 6u4 right now is to download it manually and install it. When is it going to be released as a formal update? That IMHO is when it's no longer a (late-stage) beta ;-)

Posted by: Angus S-F | January 23, 2008 10:03 PM | Report abuse

Java SE 6u4 is a formal update, I assure you. Update releases always go on java.sun.com, but they may or may not go on java.com and auto-update. It is not because the software is unfinished in any way. It is a careful decision made by people wiser than myself, which takes in a large number of factors.

Naturally, I cannot talk about future release dates. :)

Posted by: Mark | January 23, 2008 10:24 PM | Report abuse

thanks

Posted by: abdoal | January 24, 2008 7:57 AM | Report abuse

Should I also remove older versions of "J2SE Runtime Environment 5.0"? I have Updates 10, 11, 4, and 6 in my Add/Remove.

Posted by: firsttimefixer | January 24, 2008 8:59 AM | Report abuse

@Mark

Wow - it's not often that you get a chance to communicate directly to a developer working for a major vendor.

So here's my feedback about java updates which I have to try and manage in an enterprise environment...some of which have been raised already.

1. Java versions are confusing. Is it v6 or 1.6.0? What's 1.6.0_03-b05? Why is this so complicated? I do not see this with any other vendor.

2. Old versions of Java are left behind when new versions are installed.

3. Why is it that, sometimes several weeks after a new release, the java.com website reports that you have the current & latest version when this is clearly not the case. This is not only misleading, it could be highly dangerous as users could be misled into thinking that they are totally up to date when in fact their machines could easily be exploited by fast-moving malware writers.

cheers!

Nick

Posted by: Nick | January 24, 2008 10:16 AM | Report abuse

Confirmed, my formerly up-to-date version of the Java SE installation thinks that it is still up-to-date when I use the built-in 'check for updates' feature (OS: fully patched version of Win XP Pro).

Beta or public release, this update needs to be tweaked. Or something is awry in the rev 1.6 build 3 code and the update needs to be downloaded manually.

Heading off to check a few other machine types in our environment...

Posted by: C.B. | January 24, 2008 11:06 AM | Report abuse

Does anyone know if the new JAVA update fixes the slowness of maximo.

Posted by: Rick Frain | January 24, 2008 11:25 AM | Report abuse

I have a similar question as firsttimefixer re: J2SE Runtime Environment 5.0. Should I leave it or remove it?

Posted by: Wayne | January 24, 2008 11:49 AM | Report abuse

Nick,

To clarify things, I am not a developer of Java SE, but a releaser. I set up new Java software to be downloaded.

To answer your questions:

1. I understand the confusion. The official version is "6u4" or "6 Update 4". The 1.6.0_04 is a left-over naming convention from when we had 1.4.2. We use "6u4" whenever possible, but some of the download mechanisms require the 1.X.X_XX format for consistency. If you look back, it went from 1.4.2 -> 5.0 -> 6. So the difference is a matter of the download software not able to fully keep up with the evolution of the branding.

2. I personally don't know. I used to handle some customer e-mails and the standard response was that you can remove older versions.

3. In one of my previous posts here, I explained how sometimes the latest release does not always go to java.com and auto-update, but it always goes to java.sun.com. So you will sometimes have a later version on java.sun.com, which is the "latest version". As I said, there are good and specific reasons for these decisions. Something to keep in mind is that java.sun.com caters to Java developers, where java.com and auto-update is for users. So it may be decided that some updates are appropriate for programmers to play with, but not for 100 million+ Java users to have right away. If a person is really that concerned about having the latest version, he or she will know to go to java.sun.com. In the end, it all works out, since it is rare for java.com / auto-update to miss out on two updates in a row. Following past history, it is likely that 6u5 will go on java.com and auto-update, which also includes all the changes in 6u4, and much more.

I work with the people that make these decisions and I can assure you that the security of Java on user's machines is a top priority.

Posted by: Mark | January 24, 2008 11:54 AM | Report abuse
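An added example, not code from the post or from Sun, that puts Brian's advice (keep only the current build, remove the rest) together with Mark's explanation of the 1.6.0_04 / 6u4 / "6 Update 4" naming conventions: it normalises each Add/Remove Programs entry to a comparable (family, update) pair and sorts the entries into keep, remove and review buckets. The display names below are constructed samples; the newest build of an older family (5.0, 1.4.2) is only flagged for review because, as later comments in this thread note, some applications pin a specific JRE path.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of Add/Remove Programs display names (not from a real machine).
SAMPLE_DISPLAY_NAMES = [
    "Java(TM) 6 Update 4",
    "Java(TM) 6 Update 3",
    "Java(TM) SE Runtime Environment 6 Update 1",
    "J2SE Runtime Environment 5.0 Update 11",
    "J2SE Runtime Environment 5.0 Update 6",
    "J2SE Runtime Environment 5.0 Update 10",
    "Java 2 Runtime Environment, SE v1.4.2_13",
    "Adobe Reader 8",
]

# The three conventions Mark describes: legacy 1.X.Y_UU, short 6u4, and "6 Update 4".
_LEGACY = re.compile(r"1\.(\d+)\.(\d+)(?:_(\d+))?\b")
_SHORT = re.compile(r"\b(\d+)u(\d+)\b")
_DISPLAY = re.compile(r"\b(\d+)(?:\.(\d+))?\s+Update\s+(\d+)\b")

def parse_java_version(text: str) -> Optional[Tuple[Tuple[int, int], int]]:
    """Normalise a name to ((major, minor), update): 1.4.2 -> (4, 2), 5.0 -> (5, 0), 6 -> (6, 0)."""
    m = _LEGACY.search(text)
    if m:  # 1.6.0_04 -> ((6, 0), 4); 1.4.2_13 -> ((4, 2), 13)
        return (int(m.group(1)), int(m.group(2))), int(m.group(3) or 0)
    m = _SHORT.search(text)
    if m:  # 6u4 -> ((6, 0), 4)
        return (int(m.group(1)), 0), int(m.group(2))
    m = _DISPLAY.search(text)
    if m:  # "5.0 Update 11" -> ((5, 0), 11)
        return (int(m.group(1)), int(m.group(2) or 0)), int(m.group(3))
    return None  # not a Java runtime entry we recognise

def plan_cleanup(display_names: List[str]) -> Dict[str, List[str]]:
    """Keep the newest build of the newest family; remove superseded builds; review the rest."""
    tagged = [(n, parse_java_version(n)) for n in display_names]
    plan: Dict[str, List[str]] = {"keep": [], "review": [], "remove": [],
                                  "unknown": [n for n, v in tagged if v is None]}
    parsed = [(n, v) for n, v in tagged if v is not None]
    if not parsed:
        return plan
    newest_family = max(fam for _, (fam, _) in parsed)
    newest_in_family: Dict[Tuple[int, int], Tuple[str, int]] = {}
    for name, (fam, upd) in parsed:
        if fam not in newest_in_family or upd > newest_in_family[fam][1]:
            newest_in_family[fam] = (name, upd)
    for name, (fam, _) in parsed:
        if newest_in_family[fam][0] != name:
            plan["remove"].append(name)  # superseded within its own family
        elif fam == newest_family:
            plan["keep"].append(name)
        else:
            plan["review"].append(name)  # newest 5.0 or 1.4.2 build: an app may pin it
    return plan

if __name__ == "__main__":
    for bucket, names in plan_cleanup(SAMPLE_DISPLAY_NAMES).items():
        print(f"{bucket}: {names}")
```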

Mark, I agree with Nick; it really is a great pleasure to see you appear on this forum! I appreciate your frank admission of lack of knowledge as to why new jre updates don't auto-remove older ones, but you will understand that this reply still leaves Sun users like myself wondering. Could you please convey a request to those who do make decisions about this sort of thing to make an explanation of this policy, which I know strikes many users as odd, available on the Sun website? It would be much appreciated....

Henri

Posted by: M Henri Day | January 24, 2008 12:28 PM | Report abuse

I actually think I will need to bow-out here, and leave further questions unanswered. This will be my last post.

I originally posted to clarify a misconception, but it has expanded into a back-and-forth discussion. It really is not appropriate for me to carry on like this, and in this venue. Sorry to leave you hanging. :/ I did let the right people know about the concern about previous installations. Maybe that will add momentum to the issue.

Posted by: Mark | January 24, 2008 1:24 PM | Report abuse

While I understand it is not always possible, the BEST solution is to forgo Java altogether.

As policy, Java is NOT installed on any work systems UNLESS there is a specific need that can be justified! Such a policy should be highly considered for home users as well. Be sure to evaluate other software too (e.g. QuickTime, RealPlayer, Adobe Reader, etc.).

Overall, this will lower a system's attack surface and reduce the need to patch many pieces of software.

Posted by: TJ | January 24, 2008 1:57 PM | Report abuse

@ Mark and his employer: I hope that Mark isn't in trouble for communicating directly with the user community. Tech implementors can be good communicators, too! :-)

@ Brian Krebs: While Sun considers this new version of Java Standard Edition to be a public release, none of Sun's typical client-side updater or version checking mechanisms are pointing people towards this update. I have confirmed this on multiple Win XP Pro machines with a couple different and older versions of this software. Please consider clarifying this point in your blog posting above -- that is not clear.

As always, thank you for helping to keep the IT community informed of security related news and changes.

Posted by: C.B. | January 24, 2008 3:37 PM | Report abuse

I've uninstalled Java, Quicktime, and Realplayer from all of my systems.

These three seem to reveal security holes each month. And I rarely use them. Java is only needed for custom applications. Quicktime is used mainly for movie trailers. Any site which has Realplayer-formatted content typically offers it in other formats as well.

Flash is an annoying necessity but I only install it in Firefox; the Flashblock extension keeps Flash at bay until I see fit. Never install it in I.E.

Posted by: Ken L | January 24, 2008 4:21 PM | Report abuse

Brian,
Your link to download Java 6U4 shows two ways to install, (for a 32bit machine) one is an on-line install with a file size of less than 1MB and the other is an offline install with a file size of more than 15MB. I don't know why there is such a big difference in file sizes and I don't know which one to install. Need your advice. Thanks

Posted by: Krisha P | January 25, 2008 11:25 AM | Report abuse

@Krisha -- It doesn't much matter whether you do an offline or online install. The offline one will probably be faster, though. The difference in file size is that one is a compressed version of the program, whereas the 1MB installer downloads most of the components to be installed from Sun's site.

Posted by: Bk | January 25, 2008 12:50 PM | Report abuse

The online installer is initially only around 400KB. It will download only the files that it thinks you need, based on the env. It usually only downloads about 9MB total, which is much less than the 15MB offline installer.

Posted by: Bill | January 25, 2008 2:00 PM | Report abuse

what about macintosh? does it affect macs OS X/OSX?

Posted by: Mac User | January 25, 2008 7:16 PM | Report abuse

Krishna asked what I was mystified over too. Answered.

Do I not need this then as I am user of email, read overseas newspapers, forums but not movies or other stuff.

5 years retired used so not hip like some - but learning via comments and sites like this.

Posted by: BigVal | January 25, 2008 7:17 PM | Report abuse

@macuser-- Apple licenses the Java client but Apple itself is responsible for incorporating fixes into its version of Java. Apple does not have a stellar track record of timeliness in shipping Java patches, and has been known to wait more than a year after Sun has fixed the bugs to ship an update that fixes the same flaws in the version for OS X.

See: http://blog.washingtonpost.com/securityfix/2007/12/apple_releases_massive_java_se.html

Posted by: Bk | January 25, 2008 8:31 PM | Report abuse

@Rick - 376 individual fixes are listed on the Release Notes page:
http://java.sun.com/javase/6/webnotes/ReleaseNotes.html#160_04

Keep in mind that those are just the fixes. There are plenty of bugs left outstanding! You can go look them up at bugs.sun.com. (It appears that people "vote" on them to bump up their priority.) And of course there are also probably bugs that no one has discovered or reported yet.

All of which is Very Good News. By publishing its bug list, Sun encourages everyone to contribute their own observations and even suggest how to fix the problems. It also gives anyone who wants it, a healthy glimpse of the complexity of the product - kind of like a tour of the sausage factory. In the end, it surely produces a better product, and better-informed consumers, than if the bug list were hidden.

Posted by: Anonymous | January 26, 2008 9:38 PM | Report abuse

Warning about uninstalling old versions of Java... While I've not yet encountered an issue removing out of date versions of 5 or 6, there ARE a number of programs out there that WILL break unless 1.4.2 is available!

To quote another entry here "Or do we have to uninstall 6.3 before installing 6.4, as was the case when upgrading to previously new Java versions?"

In my experience that has never been necessary in the Java 5 and 6 series... Older versions remove cleanly before or after the new version is in place.

Posted by: Brian Knoblauch | January 29, 2008 1:39 PM | Report abuse

As Brian indicated there can be problems with uninstalling older versions of the JRE as some applications that include the JRE have a static pointer (path) to the JRE (the path has the version number in it so changing it changes the path) and uninstalling it will render the application useless.

There are also issues where an app will install the JAVA JRE in a subfolder of the application rather than in the standard folder that it will normally install.

Posted by: Fred Dunn | February 1, 2008 10:33 AM | Report abuse

@BigVal -- Java is one of those programs that will sit on your system until you visit a Web site that serves up some content that requires Java to run. Usually, when that happens (at least on Windows XP) you'll see the little Java icon suddenly pop onto your system tray, along with a little text balloon that says Java TM, and something else.

So you see, it is enough just to have Java on your machine for it be vulnerable. Do as I suggested and check to see if you have Java installed. If you do, apply this update (or get rid of Java).

Posted by: Bk | February 8, 2008 3:50 PM | Report abuse

© 2010 The Washington Post Company