Category Archives: Java

Java 8u221 – ten security fixes

If you still use Java, and particularly if Java is enabled in Internet Explorer, it’s important to keep it up to date. Security vulnerabilities in Java are still a somewhat popular target for malicious hackers and malware purveyors.

If you’re not sure whether Java is even installed on your computer, look for a Java entry in the Windows Control Panel. If you see one, Java is installed. The Java Control Panel has an Update tab that allows you to check for pending updates and install the latest version.

You can check whether Java is enabled in Internet Explorer by using that browser to visit Oracle’s Verify Java Version page.

This is what you should see on the Verify Java Version page if you are using IE and Java is up to date.

Oracle issues quarterly updates for a wide range of software products, and that includes Java. The July 2019 update describes ten security vulnerabilities that are addressed in the latest version of Java, 8 update 221.

Java 8 Update 211

Oracle’s quarterly Critical Patch Update for Q2 2019 documents vulnerabilities and updates for its entire product line. As usual, it’s the updates to Java that are important to most users.

The Patch Update details five distinct security vulnerablities in Java 8 Update 202 and earlier versions. A new release, Java 8 Update 211, addresses these vulnerabilities. The new version includes numerous other changes, most of which are of little interest to anyone aside from developers.

Keeping Java up to date is less urgent than in the past, since most of the major web browsers stopped supporting it in recent years.

If you do use a web browser with Java enabled, which is still possible with Internet Explorer and older, unsupported versions of many other browsers, you should make sure to install the new version as soon as possible.

The simplest way to update Java is to head to the Windows Control Panel, look for the Java icon, and — if you see one — open it, then go to the Update tab and click the Update Now button. Follow the prompts to complete the process.

Java 8 Update 201 fixes five security bugs

Oracle just released their first quarterly Critical Patch Update Advisory for 2019.

These advisories cover a lot of Oracle software, most of which is likely of very little interest for ordinary users. But buried in each of these reports you’ll usually find a reference to a new version of Java.

It’s increasingly unlikely that you have a shared Java installation on your Windows computer. You may run Java applications, such as Minecraft and some network and Internet tools, but these often include their own, separate installs of Java now.

The easiest way to see whether you have a shared install of Java on your Windows 7 or 8.x computer is to go to the Control Panel and look for a Java entry. If you see one, open it up and go to the Update tab, then click the Update Now button. If there’s an update available, you’ll be able to install it from there.

You can also visit the Verify Java Version page, but unless you’re using Internet Explorer, it won’t be able to tell you if you’re even running Java. If you’re on Windows 10, that’s also the easiest way to check your version.

Java 8 Update 201 addresses five security vulnerabilities in earlier versions. The details are listed in the quarterly advisory.

Java Version 8 Update 191

Earlier this week, Oracle released its quarterly Critical Patch Update Advisory for October 2018. As usual, there’s a new version of the Java runtime Engine (JRE): Version 8, Update 191 (Java 8u191).

The new version of Java fixes at least twelve security issues affecting earlier versions.

If you use Java, I encourage you to update it as soon as it’s convenient. Java is not the target it once was, but it’s still a good idea to reduce your exposure to Java-based threats by keeping it up to date. The only web browser that officially still supports Java is Internet Explorer. If you use Internet Explorer with Java enabled, you should update Java immediately.

The easiest way to check your Java version and download the latest is to go to the Windows Control Panel, open the Java applet, click the Update tab, then click the Update Now button. If you’re already up to date, you’ll see a message to that effect.

Java 8 Update 181

Oracle’s latest Critical Patch Update (CPU) Advisory — for July 2018 — as usual includes a section about Java.

A new version of Java (8 Update 181) addresses eight security vulnerabilities in earlier versions. The Release Highlights page for Java 8 provides additional details on changes in Update 181, most of which are likely only of interest to developers.

If you use Java, and in particular if you use a web browser that has Java enabled, you should install Java 8 Update 181 as soon as possible. Note that the only modern browser that still runs Java applications is Internet Explorer. The easiest way to update Java is to run the Java applet in the Windows Control Panel: on the Update tab, click the Update Now button.

Java 8 Update 171 (8u171)

The only major browser that still officially supports Java is Internet Explorer, although there are workarounds for some of the other browsers. For example, you can switch to Firefox ESR (Extended Support Release), but even that support is likely to disappear before long. Google Chrome, and other browsers that use the same engine, can only be made to show Java content by installing an extension that runs Internet Explorer in a tab.

Java’s impact on security is diminishing, but it’s still being used on older systems where upgrading to newer O/S versions is not possible. There are still a lot of Windows XP systems out there, and most of them are either running older versions of Internet Explorer or Firefox ESR.

If you’re still using Java, you should install the latest version, Java 8 Update 171 (8u171), as soon as possible. The easiest way to check which version you’re running and install any available updates is to visit Oracle’s ‘Verify Java’ page. You’ll need to do that with a Java-enabled browser. Another option is to visit the third-party Java Tester site. Again, this site won’t work unless Java is enabled.

Java 8 Update 171 includes fixes for fourteen security vulnerabilities. Other changes are documented in the Java 8 release notes and the Java 8u171 bug fixes page.

Java 8 Update 161

Released as part of Oracle’s January 2018 Critical Patch Update, Java 8 Update 161 fixes twenty-one security vulnerabilities in previous versions.

You’re much less likely to be affected by Java vulnerabilities these days, as most web browsers no longer support Java. The only mainstream browser that still runs Java code is Internet Explorer. If you use Internet Explorer with Java enabled, you should update Java as soon as possible, via the Java Control Panel applet, or by visiting the official Java download page.

Java 8 Update 151: twenty-two security fixes

Although it’s rapidly losing its relevance, Java still poses a security risk for any computer on which it’s installed. Java’s dangers are significantly lower now than in the past, because of all the major browsers, only Internet Explorer still runs Java code. All the others have stopped supporting Java completely.

Those of you still using Java, especially in Internet Explorer, should install Java 8 Update 151, because it includes fixes for twenty-two security vulnerabilities.

The easiest way to update Java is to visit the official Verify Java Version page, which will provide an update link if you’re running an out of date version.


New Java version: 8 Update 131

Earlier this week Oracle posted its quarterly Critical Patch Advisory for April 2017. Most of the Oracle software affected by these updates is likely only of interest to system administrators and developers, but buried in the advisory is a list of eight security vulnerabilities in Java 8 Update 121. Although it’s not mentioned in the advisory, those Java vulnerabilities are addressed in a new version of Java: 8 Update 131.

Anyone who uses a web browser with a Java plugin enabled should install Java 8 Update 131 as soon as possible. These days, Firefox, Chrome, and other Chrome-similar browsers like Vivaldi don’t support Java at all, so that leaves Internet Explorer. You can check whether Java is enabled in Internet Explorer by pointing IE to the official Java version test page.

Even if you don’t use a browser with Java enabled, you may have a version of Java installed on your computer, in which case you should consider updating it. You can find out whether Java is installed by looking for the Java applet in the Windows Control Panel. If it’s there, Java is installed; go to the Update tab and click Update now to install the new version.

Oracle sued by the FTC

If you visit the main Java page, you may notice a large all-caps message at the very top of the page: IMPORTANT INFORMATION REGARDING THE SECURITY OF JAVA SE. The message links to a page that discusses an ongoing lawsuit:

The Federal Trade Commission, the nation’s consumer protection agency, has sued us for making allegedly deceptive security claims about Java SE. To settle the lawsuit, we agreed to contact you with instructions on how to protect the personal information on your computer by deleting older versions of Java SE from your computer.

This is a good reminder that Java installers tend to leave old versions and related junk on Windows computers, and that you should always check for and remove old versions of Java after you install a new version. Visit the Java uninstall page and the Java uninstall help page to get started.

Java 8 Update 121 released, and a mystery solved

On January 17, Oracle published a Critical Patch Update Advisory for January 2017. The advisory lists Java 8 Update 111 as an ‘affected product’ but says nothing at all about a new version or what has changed. For that information, you have to dig around on the Oracle site: a good starting point is the main page for Java SE. There you’ll find links to news, release notes, and downloads for new Java versions.

The new version — Java 8 Update 121 — includes fixes for seventeen security vulnerabilities and eleven other bugs in previous versions. If you use a web browser with an enabled Java add-on, you should install the new version as soon as possible.

Mystery solved

On a related note: I missed the previous Java update (October 18, 2016) because the Oracle Security Advisory RSS feed stopped working in my RSS reader, Feedly. In Feedly, the last post shown from that feed is from July 2016.

To rule out a problem with the feed itself, I checked it in another RSS reader, The Old Reader, where it worked perfectly.

Feedly provides support via Uservoice, so I headed over there and looked for anyone reporting similar issues. And found someone with the exact same problem, which he reported in the form of a suggestion. Rather than create my own report, I added a comment with my observations, and applied as many upvotes as I could to the existing suggestion.

Hopefully the Feedly folks will see this and do something about it. I depend on RSS feeds to stay on top of technology news, and if my RSS reader is unreliable, I can’t use it.

Meanwhile, I’ll continue to rely on other sources for Java update news, including the CERT feed, which is how I learned of the January 2017 Oracle advisory.

Update 2017Jan20: I reported the feed problem to Feedly, and they immediately responded, saying that Oracle appears to be blocking Feedly for some reason. They are working on the problem.