Category Archives: Java

Java 8 Update 181

Oracle’s latest Critical Patch Update (CPU) Advisory — for July 2018 — as usual includes a section about Java.

A new version of Java (8 Update 181) addresses eight security vulnerabilities in earlier versions. The Release Highlights page for Java 8 provides additional details on changes in Update 181, most of which are likely only of interest to developers.

If you use Java, and in particular if you use a web browser that has Java enabled, you should install Java 8 Update 181 as soon as possible. Note that the only modern browser that still runs Java applications is Internet Explorer. The easiest way to update Java is to run the Java applet in the Windows Control Panel: on the Update tab, click the Update Now button.

Java 8 Update 171 (8u171)

The only major browser that still officially supports Java is Internet Explorer, although there are workarounds for some of the other browsers. For example, you can switch to Firefox ESR (Extended Support Release), but even that support is likely to disappear before long. Google Chrome, and other browsers that use the same engine, can only be made to show Java content by installing an extension that runs Internet Explorer in a tab.

Java’s impact on security is diminishing, but it’s still being used on older systems where upgrading to a newer OS version is not possible. There are still a lot of Windows XP systems out there, and most of them are running either older versions of Internet Explorer or Firefox ESR.

If you’re still using Java, you should install the latest version, Java 8 Update 171 (8u171), as soon as possible. The easiest way to check which version you’re running and install any available updates is to visit Oracle’s ‘Verify Java’ page. You’ll need to do that with a Java-enabled browser. Another option is to visit the third-party Java Tester site. Again, this site won’t work unless Java is enabled.

Java 8 Update 171 includes fixes for fourteen security vulnerabilities. Other changes are documented in the Java 8 release notes and the Java 8u171 bug fixes page.

Java 8 Update 161

Released as part of Oracle’s January 2018 Critical Patch Update, Java 8 Update 161 fixes twenty-one security vulnerabilities in previous versions.

You’re much less likely to be affected by Java vulnerabilities these days, as most web browsers no longer support Java. The only mainstream browser that still runs Java code is Internet Explorer. If you use Internet Explorer with Java enabled, you should update Java as soon as possible, via the Java Control Panel applet, or by visiting the official Java download page.

Java 8 Update 151: twenty-two security fixes

Although it’s rapidly losing its relevance, Java still poses a security risk for any computer on which it’s installed. Java’s dangers are significantly lower now than in the past, because of all the major browsers, only Internet Explorer still runs Java code. All the others have stopped supporting Java completely.

Those of you still using Java, especially in Internet Explorer, should install Java 8 Update 151, because it includes fixes for twenty-two security vulnerabilities.

The easiest way to update Java is to visit the official Verify Java Version page, which will provide an update link if you’re running an out-of-date version.


New Java version: 8 Update 131

Earlier this week Oracle posted its quarterly Critical Patch Advisory for April 2017. Most of the Oracle software affected by these updates is likely only of interest to system administrators and developers, but buried in the advisory is a list of eight security vulnerabilities in Java 8 Update 121. Although it’s not mentioned in the advisory, those Java vulnerabilities are addressed in a new version of Java: 8 Update 131.

Anyone who uses a web browser with a Java plugin enabled should install Java 8 Update 131 as soon as possible. These days, Firefox, Chrome, and other Chrome-similar browsers like Vivaldi don’t support Java at all, so that leaves Internet Explorer. You can check whether Java is enabled in Internet Explorer by pointing IE to the official Java version test page.

Even if you don’t use a browser with Java enabled, you may have a version of Java installed on your computer, in which case you should consider updating it. You can find out whether Java is installed by looking for the Java applet in the Windows Control Panel. If it’s there, Java is installed; go to the Update tab and click Update Now to install the new version.

Oracle sued by the FTC

If you visit the main Java page, you may notice a large all-caps message at the very top of the page: IMPORTANT INFORMATION REGARDING THE SECURITY OF JAVA SE. The message links to a page that discusses an ongoing lawsuit:

The Federal Trade Commission, the nation’s consumer protection agency, has sued us for making allegedly deceptive security claims about Java SE. To settle the lawsuit, we agreed to contact you with instructions on how to protect the personal information on your computer by deleting older versions of Java SE from your computer.

This is a good reminder that Java installers tend to leave old versions and related junk on Windows computers, and that you should always check for and remove old versions of Java after you install a new version. Visit the Java uninstall page and the Java uninstall help page to get started.
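One way to check for leftover versions from a PowerShell prompt (an added example, not part of the original post or Oracle's tooling): it reads the standard Windows Uninstall registry keys and marks every Java entry older than the newest one installed for each architecture. The display-name pattern is an assumption about how Oracle's Java 8 installers register themselves.

```powershell
# Read-only inventory of Java runtimes registered with Windows.
# Standard Uninstall keys: native view and the 32-bit view on 64-bit Windows.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumption: entries are named like "Java 8 Update 181" or
# "Java 8 Update 181 (64-bit)". Other naming schemes are not matched.
$pattern = '^Java (?<major>\d+) Update (?<update>\d+)(?<arch> \(64-bit\))?$'

$installed = foreach ($entry in Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue) {
    if ($entry.DisplayName -match $pattern) {
        [pscustomobject]@{
            Name   = $entry.DisplayName
            Major  = [int]$Matches.major
            Update = [int]$Matches.update
            Arch   = if ($Matches.arch) { '64-bit' } else { '32-bit' }
        }
    }
}

if (-not $installed) {
    Write-Output 'No Java runtime entries found in the Uninstall registry keys.'
    return
}

# Per architecture, the highest (Major, Update) pair is the newest installed;
# everything below it is a leftover that should be uninstalled.
$report = foreach ($group in ($installed | Group-Object Arch)) {
    $sorted = @($group.Group | Sort-Object Major, Update -Descending)
    for ($i = 0; $i -lt $sorted.Count; $i++) {
        [pscustomobject]@{
            Name   = $sorted[$i].Name
            Arch   = $sorted[$i].Arch
            Status = if ($i -eq 0) { 'newest installed' } else { 'older version: remove' }
        }
    }
}

$report | Format-Table -AutoSize
```

"Newest installed" only means newest on this machine; compare it against the current release before treating the system as up to date.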

Java 8 Update 121 released, and a mystery solved

On January 17, Oracle published a Critical Patch Update Advisory for January 2017. The advisory lists Java 8 Update 111 as an ‘affected product’ but says nothing at all about a new version or what has changed. For that information, you have to dig around on the Oracle site: a good starting point is the main page for Java SE. There you’ll find links to news, release notes, and downloads for new Java versions.

The new version — Java 8 Update 121 — includes fixes for seventeen security vulnerabilities and eleven other bugs in previous versions. If you use a web browser with an enabled Java add-on, you should install the new version as soon as possible.

Mystery solved

On a related note: I missed the previous Java update (October 18, 2016) because the Oracle Security Advisory RSS feed stopped working in my RSS reader, Feedly. In Feedly, the last post shown from that feed is from July 2016.

To rule out a problem with the feed itself, I checked it in another RSS reader, The Old Reader, where it worked perfectly.

Feedly provides support via Uservoice, so I headed over there and looked for anyone reporting similar issues, and found someone with the exact same problem, which he reported in the form of a suggestion. Rather than create my own report, I added a comment with my observations, and applied as many upvotes as I could to the existing suggestion.

Hopefully the Feedly folks will see this and do something about it. I depend on RSS feeds to stay on top of technology news, and if my RSS reader is unreliable, I can’t use it.

Meanwhile, I’ll continue to rely on other sources for Java update news, including the CERT feed, which is how I learned of the January 2017 Oracle advisory.

Update 2017Jan20: I reported the feed problem to Feedly, and they immediately responded, saying that Oracle appears to be blocking Feedly for some reason. They are working on the problem.

Java 8 Update 111

Well, this is embarrassing. Way back in October, Oracle released another version of Java. Somehow I contrived to miss the announcement, if there was one.

Oracle’s quarterly Critical Patch Update for October 2016 includes information about Java, but doesn’t mention the new version. It only lists affected versions. The release notes for Java 8 Update 111 make it clear that the new version includes fixes for several security issues.

Anyone who still runs a web browser in which Java is enabled should make sure they’re running version 8 Update 111 (or 112, which is basically the same thing but with some new features). Default Java runtime installations are configured to update themselves automatically, but it’s a good idea to check.

I’ve noticed that the pace of Java security fixes seems to have slowed somewhat, which is a relief. There’s also slightly less urgency about Java updates because many popular Java-based software packages (e.g. Minecraft) now include their own embedded version instead of using any available system-wide version.

Java 8 Update 101

Oracle released Java 8 Update 101 a couple of weeks ago, and I somehow managed to miss it. The Oracle Critical Patch Update Advisory for July 2016 includes the details, and I’m still subscribed to the Oracle Security Alerts RSS feed, so I can only assume that I failed to notice it. Mea culpa.

The new version includes fixes for at least thirteen security vulnerabilities, as well as several other bug fixes.

Anyone with Java enabled in their web browser should update Java as soon as possible. Hopefully most of you noticed the update and installed it before I did.

Java 8 Update 91

If you visit the main Java page and click the Free Java Download button, it will give you Java 8 Update 91. That version was just released, along with Java 8 Update 92. The difference? Both address nine security vulnerabilities – and over 60 bugs in total – in versions earlier than 8u91, but 8u92 adds a few uninteresting enhancements.

This is Java we’re talking about here; since it’s still a popular target for malicious activity, if you use a browser with Java enabled, you should update the Java plugin right away. It’s also a good idea to configure the plugin as ‘click-to-play’. It’s an even better idea to disable it completely, if that’s an option for you.

Java 8 Update 77

A single major security bug fix appears to be the reason for the newest version of Java 8: Update 77.

The release notes don’t provide much useful information, and neither does the security alert for the bug addressed in the new version.

If you’re still using a web browser with Java enabled, you should consider disabling it. At least configure it as ‘click to play’, so that Java content doesn’t load and play automatically on any web page you visit. If you’re not sure whether Java is enabled in your browser, find out by visiting Check-and-Secure.