Category Archives: Java

New Java version: 8 Update 131

Earlier this week Oracle posted its quarterly Critical Patch Advisory for April 2017. Most of the Oracle software affected by these updates is likely only of interest to system administrators and developers, but buried in the advisory is a list of eight security vulnerabilities in Java 8 Update 121. Although it’s not mentioned in the advisory, those Java vulnerabilities are addressed in a new version of Java: 8 Update 131.

Anyone who uses a web browser with a Java plugin enabled should install Java 8 Update 131 as soon as possible. These days, Firefox, Chrome, and other Chrome-similar browsers like Vivaldi don’t support Java at all, so that leaves Internet Explorer. You can check whether Java is enabled in Internet Explorer by pointing IE to the official Java version test page.

Even if you don’t use a browser with Java enabled, you may have a version of Java installed on your computer, in which case you should consider updating it. You can find out whether Java is installed by looking for the Java applet in the Windows Control Panel. If it’s there, Java is installed; go to the Update tab and click Update now to install the new version.

Oracle sued by the FTC

If you visit the main Java page, you may notice a large all-caps message at the very top of the page: IMPORTANT INFORMATION REGARDING THE SECURITY OF JAVA SE. The message links to a page that discusses an ongoing lawsuit:

The Federal Trade Commission, the nation’s consumer protection agency, has sued us for making allegedly deceptive security claims about Java SE. To settle the lawsuit, we agreed to contact you with instructions on how to protect the personal information on your computer by deleting older versions of Java SE from your computer.

This is a good reminder that Java installers tend to leave old versions and related junk on Windows computers, and that you should always check for and remove old versions of Java after you install a new version. Visit the Java uninstall page and the Java uninstall help page to get started.

Java 8 Update 121 released, and a mystery solved

On January 17, Oracle published a Critical Patch Update Advisory for January 2017. The advisory lists Java 8 Update 111 as an ‘affected product’ but says nothing at all about a new version or what has changed. For that information, you have to dig around on the Oracle site: a good starting point is the main page for Java SE. There you’ll find links to news, release notes, and downloads for new Java versions.

The new version — Java 8 Update 121 — includes fixes for seventeen security vulnerabilities and eleven other bugs in previous versions. If you use a web browser with an enabled Java add-on, you should install the new version as soon as possible.

Mystery solved

On a related note: I missed the previous Java update (October 18, 2016) because the Oracle Security Advisory RSS feed stopped working in my RSS reader, Feedly. In Feedly, the last post shown from that feed is from July 2016.

To rule out a problem with the feed itself, I checked it in another RSS reader, The Old Reader, where it worked perfectly.

Feedly provides support via Uservoice, so I headed over there and looked for anyone reporting similar issues. And found someone with the exact same problem, which he reported in the form of a suggestion. Rather than create my own report, I added a comment with my observations, and applied as many upvotes as I could to the existing suggestion.

Hopefully the Feedly folks will see this and do something about it. I depend on RSS feeds to stay on top of technology news, and if my RSS reader is unreliable, I can’t use it.

Meanwhile, I’ll continue to rely on other sources for Java update news, including the CERT feed, which is how I learned of the January 2017 Oracle advisory.

Update 2017Jan20: I reported the feed problem to Feedly, and they immediately responded, saying that Oracle appears to be blocking Feedly for some reason. They are working on the problem.

Java 8 Update 111

Well, this is embarrassing. Way back in October, Oracle released another version of Java. Somehow I contrived to miss the announcement, if there was one.

Oracle’s quarterly Critical Patch Update for October 2016 includes information about Java, but doesn’t mention the new version. It only lists affected versions. The release notes for Java 8 Update 111 make it clear that the new version includes fixes for several security issues.

Anyone who still runs a web browser in which Java is enabled should make sure they’re running version 8 Update 111 (or 112, which is basically the same thing but with some new features). Default Java runtime installations are configured to update themselves automatically, but it’s a good idea to check.

I’ve noticed that the pace of Java security fixes seems to have slowed somewhat, which is a relief. There’s also slightly less urgency about Java updates because many popular Java-based software packages (e.g. Minecraft) now include their own embedded version instead of using any available system-wide version.

Java 8 Update 101

Oracle released Java 8 Update 101 a couple of weeks ago, and I somehow managed to miss it. The Oracle Critical Patch Update Advisory for July 2016 includes the details, and I’m still subscribed to the Oracle Security Alerts RSS feed, so I can only assume that I failed to notice it. Mea culpa.

The new version includes fixes for at least thirteen security vulnerabilities, as well as several other bug fixes.

Anyone with Java enabled in their web browser should update Java as soon as possible. Hopefully most of you noticed the update and installed it before I did.

Java 8 Update 91

If you visit the main Java page and click the Free Java Download button, it will give you Java 8 Update 91. That version was just released, along with Java 8 Update 92. The difference? Both address nine security vulnerabilities – and over 60 bugs in total – in versions earlier than 8u91, but 8u92 adds a few uninteresting enhancements.

This is Java we’re talking about here; since it’s still a popular target for malicious activity, if you use a browser with Java enabled, you should update the Java plugin right away. It’s also a good idea to configure the plugin as ‘click-to-play’. It’s an even better idea to disable it completely, if that’s an option for you.

Java 8 Update 77

A single major security bug fix appears to be the reason for the newest version of Java 8: Update 77.

The release notes don’t provide much useful information, and neither does the security alert for the bug addressed in the new version.

If you’re still using a web browser with Java enabled, you should consider disabling it. At least configure it as ‘click to play’, so that Java content doesn’t load and play automatically on any web page you visit. If you’re not sure whether Java is enabled in your browser, find out by visiting Check-and-Secure.

Old Java vulnerability still not fixed

A serious security vulnerability affecting current versions of Java, originally reported in 2012 (PDF), remains only partially fixed, according to Adam Gowdiak of Security Explorations.

When Oracle released Java 7 Update 40 in October 2013, the original issue appeared to have been fixed. Subsequent testing showed that while the fix addressed the original Proof of Concept code provided by Mr. Gowdiak, changing the PoC code slightly revealed that the fix was incomplete.

Until recently, Gowdiak was reluctant to announce his discovery of the partial fix, because of his own organization’s disclosure policies. On March 7, 2016, those policies were updated: “A recent change to those policies means that if an instance of a broken fix for a vulnerability we already reported to the vendor is encountered, it gets disclosed by us without any prior notice.”

Mr. Gowdiak revealed his findings (PDF) at the recent Javaland conference, and on the Full Disclosure security email list. The original PoC code was altered slightly to demonstrate the vulnerability and provided to Oracle.

Whether we will ever see a complete fix for this issue remains to be seen. Meanwhile, our advice about Java is unchanged: if you don’t need it, uninstall it. If you need it to run a specific application, remove Java from your web browsers, or leave it enabled in a browser you only use for specific applications. At the very least, make sure your browsers are configured so that Java content does not run automatically (i.e. enable click-to-play).

You can read more about the history of this and other Java security vulnerability research conducted by Adam Gowdiak at his Security Explorations web site.

Other references: Ars Technica.

Java 8 Update 74

There’s no particular need to install the very latest Java, version 8 Update 74. According to Oracle, “Java SE 8u74 is a patch-set update, including all of 8u73 plus additional features (described in the release notes).” The release notes don’t shed much light on the differences between 8u73 and 8u74, but they don’t appear to be of any importance for regular users.

In other words, if you’re already running Java 8 Update 73, you’re fine.

New Java versions address installation vulnerability

Java 8 Update 73, Java 7 Update 97, and Java 6 Update 113 were announced yesterday by Oracle. The new versions fix a serious vulnerability in the Windows installer for all previous versions of Java.

Although technically you don’t need to install the latest versions of Java if you were already up to date, you should at least make sure that you have uninstalled any older versions of Java on your Windows computers. Also, if you have any previously-downloaded Java installers, you should remove those as well.

And finally, be very careful about where you obtain Java. Always make sure that you’re getting it from Oracle, via the main Java download page or using the Windows Java Control Panel.

A security alert for the new Java versions provides additional information.

End in sight for Java browser plugin

Oracle is finally throwing in the towel for Java browser plugins. A never-ending source of security problems, the Java plugin will be phased out in the near future. Browser software developers like Mozilla and Google made this move inevitable when they started removing plugin functionality in recent months.

This will cause headaches for organizations that use a lot of browser-based Java. They’ll be faced with a decision. Many will presumably stall for time, and continue to use existing Java applets in increasingly-outdated browsers. Others may decide to switch to another platform entirely, which is likely to be very costly. The best alternative is to – where possible – change browser-based Java applets to use the Java Web Start technology. According to a white paper from Oracle (PDF): “The conversion of an applet to a Java Web Start application provides the ability to launch and update the resulting application without relying on a web browser… Desktop shortcuts can also launch the application, providing the user with the same experience as that of a native application.”

Regular users will only notice the loss of the Java browser plugin if they happen to use one or more Java applets. Site operators have been aware that this change is coming for a while, and have been scaling back their use of Java applets, but they may still be found on some banking and financial sites, web site builders, and so on. One Java applet-based service that I find extremely useful is Berkley’s ICSI Netalyzer, which analyzes your network connection and reports on any issues it finds. I’m hoping that Netalyzer’s developers will convert it to use Java Web Start, or do something else to keep the service online.

Duo Security has additional related information.