Another Java update! Oracle brings Patch Tuesday forward to close in-the-wild hole...

Filed Under: Featured, Malware, Oracle, Security threats, Vulnerability

I'll keep this one short, but I feel I ought to tell you.

"Yet another Java update! Get it while it's hot."

In calmer times, this update would have appeared on 19 February 2013.

Oracle's Critical Patch Updates for Java normally come out on the Tuesday closest to the 17th day in every fourth month. (Yes, I find that a little Byzantine, too.)

But Oracle brought its February 2013 Java patch forward, noting the "active exploitation 'in the wild' of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers."

Oracle isn't saying which of the RCE (remote code execution) holes is the one that's actively being exploited, but bringing the patch forward is probably a good idea anyway.

According to the latest Oracle Risk Matrix there are 50 fixes, 49 of which might be remotely exploitable. For the browser-plugin holes, that means merely visiting a booby-trapped web page with Java enabled in your browser might be enough to infect your computer.

The quick way to grab the latest version is to head over to Java.com and click the big red Free Java Download button.

That should work out your operating system and offer you the latest-and-greatest version for it. On my Mac, for example, it offers the OS X build.

If you don't actually have Java installed, of course, you may not want to install it for the first time right now, but whether you're updating or installing for the first time, you need to remember that Java has two main functions on your computer:

1. Java lets you run applications that you download and install just like regular Windows or OS X software packages. Java applications don't run natively, so you need the Java runtime installed first.

There is no particular reason why a Java application puts your computer at any greater risk than an application based on Windows .EXE files or OS X native binaries.

Some Java applications you might have heard of are: Eclipse, a powerful IDE (integrated development environment) for programmers; Weka, a data mining and machine learning toolkit; and Tomcat, a web server and servlet container.

2. Java lets you run applets that are delivered in web pages, directly into your browser. There's obviously a huge security risk here, so applets run in a controlled environment called a sandbox to contain that risk.

The Java sandbox has suffered from numerous holes over the years. These have allowed malicious applets to escape from your browser and install malware on your computer without your knowledge or permission.

As a result, cybercrooks have especially targeted Java as a vehicle for infection. Java is inherently cross-browser and cross-platform, so attacking it is a high-yield exercise for the Bad Guys.

Ironically, however, browser-based software these days tends to use a mixture of JavaScript (which is not related to Java at all, despite the name), Flash and HTML5 to achieve the sort of results that would have needed Java a decade or more ago.

Fortunately, you can have Java installed so you can run applications, but shut the door on applets by disabling the Java plugin in your browser.

Our recommendations are therefore simple:

  • Don't install any software you don't actually need or use. That includes Java.
  • By all means, install Java if you want or need to. But keep it up-to-date.
  • Turn Java support off in your browser, unless you are sure that you need it and cannot manage without it.

Some Naked Security readers who need Java applets, but only occasionally, install two browsers and enable Java support in one, but not the other.

This adds complexity, since there is more to update, but it means that simply by making the non-Java-enabled browser your default, you greatly reduce the risk of innocently ending up in harm's way when you spend time on the web.

The latest official updates are Java 7 Update 13 (the latest-and-greatest flavour), and Java 6 Update 39 (the previous version, still needed by some applications).
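A quick way to confirm that the update actually landed, as an added example that is not part of the original post: parse the banner that `java -version` prints and compare it with the fixed levels above. The function names are my own, and the script assumes the `1.<major>.0_<update>` version format that Java 6 and 7 use (a runtime installed by Apple's Update 12 reports 1.6.0_39 and passes the same check).

```shell
#!/bin/sh
# Added example, not from the original article: check whether a Java
# runtime's version string is at or beyond the fixed levels named in the
# post, Java 7 Update 13 and Java 6 Update 39.
# Assumes the "1.<major>.0_<update>" format that `java -version` printed
# for Java 6 and 7, e.g.  java version "1.7.0_13"

# Pull the quoted version out of the first line of `java -version` output.
# Works for both the Oracle ("java version ...") and OpenJDK banners.
# Usage: java_version_from_banner 'java version "1.7.0_13"'  ->  1.7.0_13
java_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^[^"]*"\([^"]*\)".*$/\1/p'
}

# Return 0 (true) if version "$1" is patched against the February 2013 CPU,
# 1 (false) if it is older, unsupported (Java 5 and earlier) or unparseable.
java_is_patched() {
    ver="$1"
    major=$(printf '%s\n' "$ver" | sed -n 's/^1\.\([0-9]*\)\.[0-9]*_\([0-9]*\).*$/\1/p')
    update=$(printf '%s\n' "$ver" | sed -n 's/^1\.\([0-9]*\)\.[0-9]*_\([0-9]*\).*$/\2/p')
    [ -n "$major" ] && [ -n "$update" ] || return 1
    case "$major" in
        7) [ "$update" -ge 13 ] && return 0; return 1 ;;
        6) [ "$update" -ge 39 ] && return 0; return 1 ;;
        *) return 1 ;;
    esac
}

# Live check against the first `java` on the PATH. Java 6 and 7 print the
# version banner to stderr, hence the redirect. Returns 0 when patched.
installed_java_is_patched() {
    command -v java >/dev/null 2>&1 || return 1
    banner=$(java -version 2>&1 | head -n 1)
    java_is_patched "$(java_version_from_banner "$banner")"
}
```

Run `installed_java_is_patched && echo patched || echo UPDATE NEEDED` on each machine you look after. One caveat: a browser's Java plugin can be wired to a different runtime from the `java` on your PATH, so this confirms the command-line runtime only; the browser plugin still needs checking from inside the browser.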

As I said, "Grab it while it's hot."

Apple OS X 10.6 (Snow Leopard) users who have Apple's own version of Java should use Apple Menu | Software Update...

Confusingly, Apple's latest update is called Java for Mac OS X 10.6 Update 12.

The "6" refers to OS X 10.6, not to Java 6, and the "Update 12" refers to Apple's internal sequence numbering. It isn't one short of Oracle's Update 13.

Indeed, Apple's latest Update 12 takes OS X 10.6 users to Java 6 Update 39, if that doesn't leave you even more bewildered.



11 Responses to Another Java update! Oracle brings Patch Tuesday forward to close in-the-wild hole...

  1. Chester Wisniewski · 444 days ago

    As if Oracle's crazy scheduled patching isn't oddly random enough. Thanks Duck. I suppose since most people can't figure out when Oracle is supposed to release fixes there is no harm in it being early/off schedule.

  2. futguy11 · 444 days ago

    Every time I see Java news, I laugh now.

  3. David Pottage · 444 days ago

    I have just installed this latest Java update, and I noticed that it did not attempt to foist any toolbars or similar crapware on my computer.

    Have Oracle changed their ways on shovelware as well?

  4. Grush · 444 days ago

    Do not forget to pay attention and UNCHECK the checkbox of that unhappy ASK toolbar and other useless garbage!

  5. JimboC_Security · 443 days ago

    Thanks for the info on this update Paul as well as providing the clarification about the Mac version being numbered differently.

  6. Larry M · 443 days ago

    Maybe they are issuing updates sooner and more frequently in order to have more opportunities to sneak the Ask toolbar onto your computer.

    • I thought they no longer install Ask toolbar. I updated and they no longer try to sneak in the Ask toolbar.

  7. Mike M. · 443 days ago

    I have disabled Java and will keep it disabled. Java leaves the door open for hackers, and disabling it has produced no ill side effects to the programs I run on my system.

  8. Mandy · 443 days ago

    Instead of jumping on the lets bash Java bandwagon, why don't you sort out your own security issues first Sophos?

    • Paul Ducklin · 443 days ago

      We thought we'd look for your missing punctuation marks first.

      Only kidding.

      Being serious for a moment, I'm not sure how writing, "There is no particular reason why a Java application puts your computer at any greater risk than an application based on Windows .EXE files or OS X native binaries" can be construed as "let's bash Java."

      Nor yet how we're taking against Java by saying, "By all means, install Java if you want or need to. But keep it up-to-date."

      I stand by my advice. Don't install software you aren't going to use and don't need, especially as a browser plug-in that is unstintingly being targeted by crooks.

      (If we're going to bash anyone here, it ought not to be Oracle, or, for that matter, Sophos. It ought to be the crooks!)

  9. bungfish · 443 days ago

    I use two browsers on my work OS X 10.6 laptop, Chrome (in Incognito mode as my default browser) for internal stuff that needs Java and Firefox with NoScript, AdBlock Plus, Disconnect, and QuickJava extensions. I use QuickJava to disable Java and other nutter plugins. It works well and I'm experienced enough that the added complexity is easy to track and maintain. -bungfish


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog