Another Java update! Oracle brings Patch Tuesday forward to close in-the-wild hole…

I’ll keep this one short, but I feel I ought to tell you.

“Yet another Java update! Get it while it’s hot.”

In calmer times, this update would have appeared on 19 February 2013.

Oracle’s Critical Patch Updates for Java normally come out on the Tuesday closest to the 17th day in every fourth month. (Yes, I find that a little Byzantine, too.)

But Oracle brought its February 2013 Java patch forward, noting the “active exploitation ‘in the wild’ of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers”.

Oracle isn’t saying which of the RCE (remote code execution) holes is the one that’s actively being exploited, but bringing the patch forward is probably a good idea anyway.

According to the latest Oracle Risk Matrix there are 50 fixes, 49 of which might be remotely exploitable. That means merely visiting a web page might be enough to infect your computer.

The quick way to grab the latest version is to head over to Java.com and click the big red Free Java Download button.

That should work out your operating system and offer you the latest-and-greatest version. On my Mac, for example, I get this:

If you don’t actually have Java installed, of course, you may not want to install it for the first time right now, but whether you’re updating or installing for the first time, you need to remember that Java has two main functions on your computer:

1. Java lets you run applications that you download and install just like regular Windows or OS X software packages. Java applications don’t run natively, so you need the Java system installed first.

There is no particular reason why a Java application puts your computer at any greater risk than an application based on Windows .EXE files or OS X native binaries.

Some Java applications you might have heard of are: Eclipse, a powerful IDE (integrated/interactive development environment) for programmers; Weka, a data mining and machine learning toolkit; and Tomcat, a web server platform.

2. Java lets you run applets that are delivered in web pages, directly into your browser. There’s obviously a huge security risk here, so applets run in a controlled environment called a sandbox to contain that risk.

The Java sandbox has suffered from numerous holes over the years. These have allowed malicious applets to escape from your browser and install malware on your computer without your knowledge or permission.

As a result, cybercrooks have especially targeted Java as a vehicle for infection. Java is inherently cross-browser and cross-platform, so attacking it is a high-yield exercise for the Bad Guys.

Ironically, however, browser-based software these days tends to use a mixture of JavaScript (which is not related to Java at all, despite the name), Flash and HTML5 to achieve the sort of results that would have needed Java a decade or more ago.

Fortunately, you can have Java installed so you can run applications, but shut the door on applets by disabling it in your browser.

Our recommendations are therefore simple:

  • Don’t install any software you don’t actually need or use. That includes Java.
  • By all means, install Java if you want or need to. But keep it up-to-date.
  • Turn Java support off in your browser, unless you are sure that you need it and cannot manage without it.

Some Naked Security readers who need Java applets, but only occasionally, install two browsers and enable Java support in one, but not the other.

This adds complexity, since there is more to update, but it means that simply by making the non-Java-enabled browser your default, you greatly reduce the risk of innocently ending up in harm’s way when you spend time on the web.

The latest official updates are Java 7 Update 13 (the latest-and-greatest flavour), and Java 6 Update 39 (the previous version, still needed by some applications).

As I said, “Grab it while it’s hot.”

Apple OS X 10.6 (Snow Leopard) users who have Apple’s own version of Java should use Apple Menu | Software Update...

Confusingly, Apple’s latest update is called Java for Mac OS X 10.6 Update 12.

The “6” refers to OS X 10.6, not to Java 6, and the “Update 12” refers to Apple’s internal sequence numbering. It isn’t one short of Oracle’s Update 13.

Indeed, Apple’s latest Update 12 takes OS X 10.6 users to Java 6 Update 39, if that doesn’t leave you even more bewildered.
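As an added example (not part of the original post, and not Oracle’s or Apple’s code), here is a small Python check that parses the output of `java -version` and compares it with the fixed levels mentioned above, Java 7 Update 13 and Java 6 Update 39. It assumes the JRE reports the classic `1.<major>.0_<update>` string, which Apple’s 6u39 build also uses; the sample outputs in the block are constructed for illustration.

```python
import re
import subprocess

# Minimum patched levels from the February 2013 Critical Patch Update:
# Java 7 Update 13 and Java 6 Update 39 (Apple's "Java for Mac OS X 10.6
# Update 12" delivers 6u39, so it reports as 1.6.0_39 and passes here).
PATCHED_BASELINE = {6: 39, 7: 13}

# `java -version` prints, on stderr, a first line such as:  java version "1.7.0_13"
# OpenJDK builds print "openjdk version" instead; Java 9+ uses a different
# scheme (e.g. "11.0.2"), which this regex deliberately does not match.
VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.\d+_(\d+)"')

# Constructed sample outputs (assumed format, not captured from real systems).
SAMPLE_OUTPUTS = {
    "7u13": 'java version "1.7.0_13"\nJava(TM) SE Runtime Environment (build 1.7.0_13-b20)',
    "7u11": 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment (build 1.7.0_11-b21)',
    "6u39": 'java version "1.6.0_39"\nJava(TM) SE Runtime Environment (build 1.6.0_39-b04)',
    "6u37": 'java version "1.6.0_37"\nJava(TM) SE Runtime Environment (build 1.6.0_37-b06)',
}


def parse_java_version(output):
    """Return (major, update) from `java -version` text, or None if not found."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_patched(output):
    """True if the reported JRE is at or above the fixed level for its family."""
    parsed = parse_java_version(output)
    if parsed is None:
        return False  # no recognisable version: cannot confirm it is patched
    major, update = parsed
    if major not in PATCHED_BASELINE:
        # Families newer than Java 7 postdate this update; older ones (5 and below) do not.
        return major > max(PATCHED_BASELINE)
    return update >= PATCHED_BASELINE[major]


def check_local_java():
    """Run the installed `java -version`; None if no java binary is on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return is_patched(proc.stderr + proc.stdout)


if __name__ == "__main__":
    result = check_local_java()
    print("no java on PATH" if result is None else ("patched" if result else "NEEDS UPDATE"))
```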