Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.
Oracle has quietly stopped updating Java 6, sort of. A page on the Java download FAQ site states that updates for Java 6 will no longer be publicly posted, and recommends upgrading to Java 7. Updates for Java 6 will still be available to customers who have support contracts from Oracle.
Switching from Java 6 to Java 7 is going to be a problem for anyone who uses Java-based software that is not yet compatible with Java 7. Large organizations with such Java 6 dependencies will either start paying for support (if they aren’t already), or deal with the consequences of allowing their Java 6 based software to become increasingly vulnerable. Smaller organizations and individuals with Java 6 dependencies who cannot afford to pay for Oracle support may want to consider switching to alternative software.
There’s likely to be a certain amount of backlash against this move. At the very least, if Oracle doesn’t back down from this stance, expect a ‘black market’ in Java 6 updates to start up fairly soon: people with access to the official Java 6 patches will make them available to the public. The main problem with this, besides annoying Oracle, is that nefarious persons are likely to use the need for Java 6 patches as a way to spread malware.
I predict that Oracle will relent; as long as they are still developing updates for Java 6, those updates will end up being publicly available.
Oracle has released a new version of Java that addresses a large number of vulnerabilities. This is a scheduled “Critical Patch Update” (CPU) for June 2013.
This moves Java 7 from Update 21 to Update 25 (1.7.0_21 to 1.7.0_25).
Anyone using Java in a web browser should install this update immediately.
A Flash vulnerability supposedly already fixed by Adobe is still a problem in some browser/platform combinations. This clickjacking exploit works by hiding a Flash security dialog under other page content, enticing the user into unintentionally clicking the dialog and allowing remote access to the user’s camera and microphone. Be careful what you click!
Oracle has announced an update for Java that is scheduled for release later today. The new version will fix a whopping 40 security vulnerabilities in current versions of Java, with 37 of those being remotely exploitable without authentication.
Adobe has just announced another Flash update. The new version is 11.7.700.224. As always, this update addresses “vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.”
An equivalent patch for Internet Explorer 10 on Windows 8 will be available from Microsoft Update. The new version of Flash in IE10 will be 11.7.700.224.
Google Chrome has also been updated to include a new version of Flash: 11.7.700.225. Chrome normally updates its own version of Flash automatically.
This month there are five bulletins, addressing 23 vulnerabilities in Windows, Office and Internet Explorer. Only one (MS13-047, affecting Internet Explorer) is marked as Critical.
Unfortunately, aside from using strong, unique passwords, running anti-malware software, and being generally careful in one’s online activities, there’s not much an individual can do to protect oneself from these techniques. Most of the responsibility for protecting users is in the hands of the people who run the web sites that use your credentials. When they make mistakes, we all lose.
Actually, there is one sure-fire way to avoid these problems: just don’t use any online service that requires a password. Not too practical, but still better than getting rid of all your computers.
This month’s Patch Tuesday arrives on June 11. Updates should become available from about 10am PST on that date.
The bulletins: there are five this month, including one for Internet Explorer that’s marked Critical. More technical details are available on the official announcement page.
Rants and musings on topics of interest. Sometimes about Windows, Linux, security and cool software.
Close
Ad-blocker not detected
Consider installing a browser extension that blocks ads and other malicious scripts in your browser to protect your privacy and security. Learn more.
boot13