Oracle’s latest Critical Patch Update (CPU) Advisory — for July 2018 — as usual includes a section about Java.

A new version of Java (8 Update 181) addresses eight security vulnerabilities in earlier versions. The Release Highlights page for Java 8 provides additional details on changes in Update 181, most of which are likely only of interest to developers.

If you use Java, and in particular if you use a web browser that has Java enabled, you should install Java 8 Update 181 as soon as possible. Note that the only modern browser that still runs Java applications is Internet Explorer. The easiest way to update Java is to run the Java applet in the Windows Control Panel: on the Update tab, click the Update Now button.

Released as part of Oracle’s January 2018 Critical Patch Update, Java 8 Update 161 fixes twenty-one security vulnerabilities in previous versions.

You’re much less likely to be affected by Java vulnerabilities these days, as most web browsers no longer support Java. The only mainstream browser that still runs Java code is Internet Explorer. If you use Internet Explorer with Java enabled, you should update Java as soon as possible, via the Java Control Panel applet, or by visiting the official Java download page.

Although it’s rapidly losing its relevance, Java still poses a security risk for any computer on which it’s installed. Java’s dangers are significantly lower now than in the past, because of all the major browsers, only Internet Explorer still runs Java code. All the others have stopped supporting Java completely.

Those of you still using Java, especially in Internet Explorer, should install Java 8 Update 151, because it includes fixes for twenty-two security vulnerabilities.

The easiest way to update Java is to visit the official Verify Java Version page, which will provide an update link if you’re running an out of date version.

References:

• Oracle Critical Patch Update Advisory – October 2017
• Java 8 Release Highlights
• JDK 8u151 Update Release Notes
• JDK 8u151 Bug Fixes

On January 17, Oracle published a Critical Patch Update Advisory for January 2017. The advisory lists Java 8 Update 111 as an ‘affected product’ but says nothing at all about a new version or what has changed. For that information, you have to dig around on the Oracle site: a good starting point is the main page for Java SE. There you’ll find links to news, release notes, and downloads for new Java versions.

The new version — Java 8 Update 121 — includes fixes for seventeen security vulnerabilities and eleven other bugs in previous versions. If you use a web browser with an enabled Java add-on, you should install the new version as soon as possible.

Mystery solved

On a related note: I missed the previous Java update (October 18, 2016) because the Oracle Security Advisory RSS feed stopped working in my RSS reader, Feedly. In Feedly, the last post shown from that feed is from July 2016.

To rule out a problem with the feed itself, I checked it in another RSS reader, The Old Reader, where it worked perfectly.

Feedly provides support via Uservoice, so I headed over there and looked for anyone reporting similar issues. And found someone with the exact same problem, which he reported in the form of a suggestion. Rather than create my own report, I added a comment with my observations, and applied as many upvotes as I could to the existing suggestion.

Hopefully the Feedly folks will see this and do something about it. I depend on RSS feeds to stay on top of technology news, and if my RSS reader is unreliable, I can’t use it.

Meanwhile, I’ll continue to rely on other sources for Java update news, including the CERT feed, which is how I learned of the January 2017 Oracle advisory.

Update 2017Jan20: I reported the feed problem to Feedly, and they immediately responded, saying that Oracle appears to be blocking Feedly for some reason. They are working on the problem.

Well, this is embarrassing. Way back in October, Oracle released another version of Java. Somehow I contrived to miss the announcement, if there was one.

Oracle’s quarterly Critical Patch Update for October 2016 includes information about Java, but doesn’t mention the new version. It only lists affected versions. The release notes for Java 8 Update 111 make it clear that the new version includes fixes for several security issues.

Anyone who still runs a web browser in which Java is enabled should make sure they’re running version 8 Update 111 (or 112, which is basically the same thing but with some new features). Default Java runtime installations are configured to update themselves automatically, but it’s a good idea to check.

I’ve noticed that the pace of Java security fixes seems to have slowed somewhat, which is a relief. There’s also slightly less urgency about Java updates because many popular Java-based software packages (e.g. Minecraft) now include their own embedded version instead of using any available system-wide version.

Oracle released Java 8 Update 101 a couple of weeks ago, and I somehow managed to miss it. The Oracle Critical Patch Update Advisory for July 2016 includes the details, and I’m still subscribed to the Oracle Security Alerts RSS feed, so I can only assume that I failed to notice it. Mea culpa.

The new version includes fixes for at least thirteen security vulnerabilities, as well as several other bug fixes.

Anyone with Java enabled in their web browser should update Java as soon as possible. Hopefully most of you noticed the update and installed it before I did.

If you visit the main Java page and click the Free Java Download button, it will give you Java 8 Update 91. That version was just released, along with Java 8 Update 92. The difference? Both address nine security vulnerabilities – and over 60 bugs in total – in versions earlier than 8u91, but 8u92 adds a few uninteresting enhancements.

This is Java we’re talking about here; since it’s still a popular target for malicious activity, if you use a browser with Java enabled, you should update the Java plugin right away. It’s also a good idea to configure the plugin as ‘click-to-play’. It’s an even better idea to disable it completely, if that’s an option for you.