Category Archives: Java

Java 8 Update 121 released, and a mystery solved

On January 17, Oracle published a Critical Patch Update Advisory for January 2017. The advisory lists Java 8 Update 111 as an ‘affected product’ but says nothing at all about a new version or what has changed. For that information, you have to dig around on the Oracle site: a good starting point is the main page for Java SE. There you’ll find links to news, release notes, and downloads for new Java versions.

The new version — Java 8 Update 121 — includes fixes for seventeen security vulnerabilities and eleven other bugs in previous versions. If you use a web browser with an enabled Java add-on, you should install the new version as soon as possible.

Mystery solved

On a related note: I missed the previous Java update (October 18, 2016) because the Oracle Security Advisory RSS feed stopped working in my RSS reader, Feedly. In Feedly, the last post shown from that feed is from July 2016.

To rule out a problem with the feed itself, I checked it in another RSS reader, The Old Reader, where it worked perfectly.

Feedly provides support via Uservoice, so I headed over there and looked for anyone reporting similar issues. And found someone with the exact same problem, which he reported in the form of a suggestion. Rather than create my own report, I added a comment with my observations, and applied as many upvotes as I could to the existing suggestion.

Hopefully the Feedly folks will see this and do something about it. I depend on RSS feeds to stay on top of technology news, and if my RSS reader is unreliable, I can’t use it.

Meanwhile, I’ll continue to rely on other sources for Java update news, including the CERT feed, which is how I learned of the January 2017 Oracle advisory.

Update 2017Jan20: I reported the feed problem to Feedly, and they immediately responded, saying that Oracle appears to be blocking Feedly for some reason. They are working on the problem.

Java 8 Update 111

Well, this is embarrassing. Way back in October, Oracle released another version of Java. Somehow I contrived to miss the announcement, if there was one.

Oracle’s quarterly Critical Patch Update for October 2016 includes information about Java, but doesn’t mention the new version. It only lists affected versions. The release notes for Java 8 Update 111 make it clear that the new version includes fixes for several security issues.

Anyone who still runs a web browser in which Java is enabled should make sure they’re running version 8 Update 111 (or 112, which is basically the same thing but with some new features). Default Java runtime installations are configured to update themselves automatically, but it’s a good idea to check.

I’ve noticed that the pace of Java security fixes seems to have slowed somewhat, which is a relief. There’s also slightly less urgency about Java updates because many popular Java-based software packages (e.g. Minecraft) now include their own embedded version instead of using any available system-wide version.

Java 8 Update 101

Oracle released Java 8 Update 101 a couple of weeks ago, and I somehow managed to miss it. The Oracle Critical Patch Update Advisory for July 2016 includes the details, and I’m still subscribed to the Oracle Security Alerts RSS feed, so I can only assume that I failed to notice it. Mea culpa.

The new version includes fixes for at least thirteen security vulnerabilities, as well as several other bug fixes.

Anyone with Java enabled in their web browser should update Java as soon as possible. Hopefully most of you noticed the update and installed it before I did.

Java 8 Update 91

If you visit the main Java page and click the Free Java Download button, it will give you Java 8 Update 91. That version was just released, along with Java 8 Update 92. The difference? Both address nine security vulnerabilities – and over 60 bugs in total – in versions earlier than 8u91, but 8u92 adds a few uninteresting enhancements.

This is Java we’re talking about here; since it’s still a popular target for malicious activity, if you use a browser with Java enabled, you should update the Java plugin right away. It’s also a good idea to configure the plugin as ‘click-to-play’. It’s an even better idea to disable it completely, if that’s an option for you.

Java 8 Update 77

A single major security bug fix appears to be the reason for the newest version of Java 8: Update 77.

The release notes don’t provide much useful information, and neither does the security alert for the bug addressed in the new version.

If you’re still using a web browser with Java enabled, you should consider disabling it. At least configure it as ‘click to play’, so that Java content doesn’t load and play automatically on any web page you visit. If you’re not sure whether Java is enabled in your browser, find out by visiting Check-and-Secure.

Old Java vulnerability still not fixed

A serious security vulnerability affecting current versions of Java, originally reported in 2012 (PDF), remains only partially fixed, according to Adam Gowdiak of Security Explorations.

When Oracle released Java 7 Update 40 in October 2013, the original issue appeared to have been fixed. Subsequent testing showed that while the fix addressed the original Proof of Concept code provided by Mr. Gowdiak, changing the PoC code slightly revealed that the fix was incomplete.

Until recently, Gowdiak was reluctant to announce his discovery of the partial fix, because of his own organization’s disclosure policies. On March 7, 2016, those policies were updated: “A recent change to those policies means that if an instance of a broken fix for a vulnerability we already reported to the vendor is encountered, it gets disclosed by us without any prior notice.”

Mr. Gowdiak revealed his findings (PDF) at the recent Javaland conference, and on the Full Disclosure security email list. The original PoC code was altered slightly to demonstrate the vulnerability and provided to Oracle.

Whether we will ever see a complete fix for this issue remains to be seen. Meanwhile, our advice about Java is unchanged: if you don’t need it, uninstall it. If you need it to run a specific application, remove Java from your web browsers, or leave it enabled in a browser you only use for specific applications. At the very least, make sure your browsers are configured so that Java content does not run automatically (i.e. enable click-to-play).

You can read more about the history of this and other Java security vulnerability research conducted by Adam Gowdiak at his Security Explorations web site.

Other references: Ars Technica.

Java 8 Update 74

There’s no particular need to install the very latest Java, version 8 Update 74. According to Oracle, “Java SE 8u74 is a patch-set update, including all of 8u73 plus additional features (described in the release notes).” The release notes don’t shed much light on the differences between 8u73 and 8u74, but they don’t appear to be of any importance for regular users.

In other words, if you’re already running Java 8 Update 73, you’re fine.

New Java versions address installation vulnerability

Java 8 Update 73, Java 7 Update 97, and Java 6 Update 113 were announced yesterday by Oracle. The new versions fix a serious vulnerability in the Windows installer for all previous versions of Java.

Although technically you don’t need to install the latest versions of Java if you were already up to date, you should at least make sure that you have uninstalled any older versions of Java on your Windows computers. Also, if you have any previously-downloaded Java installers, you should remove those as well.

And finally, be very careful about where you obtain Java. Always make sure that you’re getting it from Oracle, via the main Java download page or using the Windows Java Control Panel.

A security alert for the new Java versions provides additional information.

End in sight for Java browser plugin

Oracle is finally throwing in the towel for Java browser plugins. A never-ending source of security problems, the Java plugin will be phased out in the near future. Browser software developers like Mozilla and Google made this move inevitable when they started removing plugin functionality in recent months.

This will cause headaches for organizations that use a lot of browser-based Java. They’ll be faced with a decision. Many will presumably stall for time, and continue to use existing Java applets in increasingly-outdated browsers. Others may decide to switch to another platform entirely, which is likely to be very costly. The best alternative is to – where possible – change browser-based Java applets to use the Java Web Start technology. According to a white paper from Oracle (PDF): “The conversion of an applet to a Java Web Start application provides the ability to launch and update the resulting application without relying on a web browser… Desktop shortcuts can also launch the application, providing the user with the same experience as that of a native application.”

Regular users will only notice the loss of the Java browser plugin if they happen to use one or more Java applets. Site operators have been aware that this change is coming for a while, and have been scaling back their use of Java applets, but they may still be found on some banking and financial sites, web site builders, and so on. One Java applet-based service that I find extremely useful is Berkley’s ICSI Netalyzer, which analyzes your network connection and reports on any issues it finds. I’m hoping that Netalyzer’s developers will convert it to use Java Web Start, or do something else to keep the service online.

Duo Security has additional related information.

Java 8 Update 71 released

Oracle seems to be jealous of Microsoft’s ability to confuse the heck out of users. Of late, Java releases seem to come in two distinct versions, with the later version being typically unavailable to most users.

The latest update is a good example: the release announcement talks about Java 8u71 and 8u72, and says that 8u71 contains security fixes. It goes on to say that 8u72 contains the same bug fixes plus ‘additional features’.

If you use the Windows Java Control Panel to update Java on your computer, you’ll end up with Java 8u71. If you go to the main Java download page and choose one of the versions for Windows, again you’ll end up with 8u71. So what’s 8u72 for?

The release notes page for Java 8u71 describes a few non-security bug fixes. Oracle’s Critical Patch Update Advisory for January 2016 shows about eight security vulnerabilities that are addressed in Java 8u71. So if you use Java, you should install 8u71 as soon as possible.