Category Archives: Patches and updates

Massive Java security update

Oracle/Sun has released update 13 for Java 7 (Java 7u13).

The update was originally scheduled for release on February 19, but given all the recent security issues, Oracle decided to get the latest patch out there as soon as possible.

The update includes fifty bug and security fixes. The issues addressed are listed on the associated Critical Patch Update Advisory. Oddly, the update version (7u13) is never mentioned once on that lengthy page.

Recommendations:

  • If you use Java, update it ASAP.
  • Don’t depend on the Java auto-updater to update Java: do it manually.
  • Don’t assume Java is now safe. Until security researchers like Adam Gowdiak give Java 7u13 a thumbs-up, assume it’s still vulnerable.
  • Disable Java plugins in your web browser unless you have no choice.
  • Continue to be extremely careful when browsing the web.

Java: now with nasty crapware

As if Java didn’t have enough problems, Oracle/Sun recently started packaging it with the Ask Toolbar. Anyone installing Java must opt out of installing the Ask toolbar, or it will show up in their web browser and hijack their browser’s search settings.

Ed Bott at ZDNet took a close look at the Java installation process and posted his findings. He starts by saying:

Java is the new king of foistware, displacing Adobe and Skype from the top of the heap.

And it earned that place with a combination of software update practices that are among the most user-hostile and cynical in the industry.

It’s an excellent article, well worth reading.

To make matters worse, I recently discovered that I can no longer disable the Java auto-updater using the Java Control Panel in Windows 7. I can uncheck the checkbox and save the settings, but if I go back to the Java Control Panel, the option has re-enabled itself. My only option is to disable the SunJavaUpdateSched (jusched.exe) startup entry using a tool like Autoruns.

I’m starting to get a bad feeling about Oracle’s management of Java. Oracle may feel that they have the world by the throat, given the prevalence of Java, but at some point, the world is going to revolt and start looking at alternatives.

No surprise: latest Java still not secure

It looks like Java is currently the target of choice for malware authors, which must be a relief for Microsoft, since Windows was the target of choice for years. That means Java’s developer (Oracle/Sun) is in for a rough ride: the rate at which new Java vulnerabilities are found and exploits developed to use them is going to increase. The only thing that will reverse the trend is a big push by Oracle/Sun to make the core of Java a lot more healthy in terms of security. Until that happens, you’re going to keep hearing the same advice: don’t enable Java in your web browser unless you need it, limit Java use in the browser to sites and applications that require it, and even remove Java completely if you really don’t need it at all.

Relevant links:

Java Update (hopefully) fixes recent 0-day vulnerability

A new update for Java (Version 7, Update 11) was released today. This update is supposed to fix the serious 0-day vulnerability discovered last week. Anyone using Java 7 in a web browser should install this update immediately. Given the recent track record of Oracle/Sun (Java’s developer), it remains to be seen whether this update actually fixes the vulnerability. I will wait for Adam Gowdiak to weigh in before I’m certain one way or the other.

Technical details:

Update 2013Jan17: An interesting post over at NetworkWorld reviews what’s being said about the state of Java’s vulnerability.