Oracle’s official patch frequency for Java is rather unusual: once every four months.
There’s no succinct adjective for that, as there is for monthly or quarterly updates: the easiest way to work out Oracle’s official dates is simply to remember, “Around the middle of February, June and October.”
Oracle is also issuing security patches between regular updates more and more often, so those aren't the only fixes you'll need each year. But they're the ones that are going to come out no matter what, so you may as well diarise them.
There’s definitely an update coming next Tuesday, 18 June 2013, and you might as well get ready for it now if you haven’t already.
The details of what will be fixed aren’t a matter of public record yet, so we can’t spell them out for you in detail.
Nevertheless, Oracle has published a very brief pre-announcement to remind us of the importance of this month’s fixes.
(Yes! I know! It’s a misnomer – what is a “pre-announcement” if not merely an “announcement” – but don’t shoot the messenger!)
The good news is that lots of security vulnerabilities have been repaired – 40 in total, of which all but three are RCEs, or remote code execution holes.
That’s where untrusted content sent over the network might be able to trick Java into performing operations that really ought to be limited to already-installed, trusted code.
In short, an RCE means that you could get infected by malware simply by looking around online, without explicitly downloading, authorising or even noticing the malware being installed.
There are two handy ways to reduce this RCE risk:
- Apply Oracle’s patches as soon as practicable. You can turn on fully-automatic updating if you like.
- Turn off Java in your browser, so that web-based Java applets can’t run at all.
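A small compliance check for the two mitigations above, added here as an example and not part of the original post: it parses the family and update number out of `java -version` output and checks whether the Java Control Panel's deployment.properties has the browser plug-in switched off (the `deployment.webjava.enabled` key, which Java 7u10 and later write when you untick "Enable Java content in the browser"). The version output, the properties file and the required update number are all constructed sample values.

```python
import re

# Constructed sample of what `java -version` prints (on stderr) for an older Java 7 build.
SAMPLE_VERSION_OUTPUT = 'java version "1.7.0_21"\nJava(TM) SE Runtime Environment (build 1.7.0_21-b11)\n'

# Constructed sample deployment.properties with the browser plug-in still enabled.
SAMPLE_DEPLOYMENT_PROPERTIES = """#deployment.properties
deployment.version=7.21
deployment.webjava.enabled=true
"""

# Placeholder: set this to the update number Oracle publishes on patch day.
REQUIRED_MINIMUM = (7, 30)

VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+_(\d+)')

def parse_java_version(output):
    """Return (family, update) from `java -version` text, e.g. 1.7.0_21 -> (7, 21)."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("unrecognised java -version output")
    return int(m.group(1)), int(m.group(2))

def is_patched(output, minimum):
    """True if the installed runtime is the same family as `minimum` and at least that update."""
    family, update = parse_java_version(output)
    min_family, min_update = minimum
    return family == min_family and update >= min_update

def browser_java_disabled(properties_text):
    """True only if deployment.webjava.enabled=false is present; a missing key means enabled."""
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "deployment.webjava.enabled":
            return value.strip().lower() == "false"
    return False

def assess(output, properties_text, minimum):
    """Either mitigation closes the drive-by route: a patched runtime or a disabled plug-in."""
    patched = is_patched(output, minimum)
    plugin_off = browser_java_disabled(properties_text)
    return {"patched": patched, "browser_java_disabled": plugin_off,
            "rce_exposed_via_browser": not (patched or plugin_off)}

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION_OUTPUT, SAMPLE_DEPLOYMENT_PROPERTIES, REQUIRED_MINIMUM))
```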
In the future, Oracle expects to switch Java onto a quarterly update cycle, keeping it aligned with other Oracle products.
For the time being, just keep your eyes open on Tuesday 18 June 2013, or engage auto-updating before then: this update sounds important.
We’ll spell out the detail of what’s changed once Oracle’s updates have gone public.
Sophos vulnerability assessments can be found on the official SophosLabs Vulnerabilities page.
You recommend turning JAVA off. I have, and I am unable to watch YouTube videos. I do have issues with the JAVA. My computer freezes up occasionally; I've narrowed it down to JAVA as the cause. Any suggestions?
That doesn't sound right. YouTube videos don't rely on Java. They rely on Adobe Flash or JavaScript. Turning off Java seems unlikely to have anything to do with your video problem…
You didn't perhaps turn off JavaScript rather than Java?
http://nakedsecurity.sophos.com/2013/01/16/java-i…
You were right. I did kill JavaScript, not Java. It’s off now. Thank you.
I ditched Java quite some time ago due to all the risks. Recently I had an opportunity to download two separate programs that were free for a day; after starting the install, I noticed they required Java, so I stopped the install. It’s time programmers find another way around the use of Java.
The dangerous part in Java is the browser plugin, a part that you can disable easily. If so many holes are discovered in JAVA, it's simply because it's one of the most interesting things to attack for hackers at the moment…
Uh, shouldn't the fact that there are 37 RCEs be highlighted in bold?
That seems like an awful lot – maybe I just haven't been paying attention to the counts from previous patch cycles?
"There's no succinct adjective for that…"
The best I could come up with was "triannually." Not very pithy though I grant you. 🙂
I usually avoid adjectives of that form – do you mean three times a year, or once every three years?
I guess "three times a year" is clear enough. "Every four months" would do. And, as I said, it's easy enough just to say "Feb, June and Oct" to make it superclear 🙂
A single application requiring 40 fixes. Where are the snide remarks? Or are they just reserved for Microsoft, which updates far more than just an app?
Where are the snide remarks aimed at Microsoft?
Have I made any lately? (That's not meant as a rhetorical question, though I hope it ends up being one.)
And if we are scrupulously fair, Java is more than "just an app", and the updates apply to more than just the Java runtime. I'm not offering that as an excuse or an explanation, just as a fact. There's the runtime, the compiler, a raft of supporting tools – after all, Java is meant to be a "cross-platform platform."
Just saying.
I don't have anything to add to the conversation other than this humorous Javapocalypse trailer: http://youtu.be/E3418SeWZfQ
WORTHY OF NOTE: This release is the first one where Java 6 is no longer public. You can't download the latest, patched Java 6 without a subscription. Only Java 7. If you are stuck supporting an app in an enterprise environment that still only works with Java 6… Oracle now wants you to pay up or live with the vulnerabilities.
I believe that you just need to register for a FREE account on Oracle's website; I was able to download JRE 6 U45 without having to pay for anything.
Java 6 U45 was public. Java 6 U51 (the one JUST released) is not. Your information is based upon the previous update, not the current one. 🙂