Oracle Updates Java

Oracle has released a critical patch update for Java Standard Edition (SE). Oracle recommends that customers apply the fixes as soon as possible. Release Java SE 7u21 includes 42 new and important security fixes.

Oracle has two products that implement Java SE: Java SE Development Kit (JDK) 7 and Java SE Runtime Environment (JRE) 7. JDK 7 is a superset of JRE 7 and contains everything that is in JRE 7, plus tools such as the compilers and debuggers necessary for developing applets and applications.

Users running Java SE with a browser can download the latest release here. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Java 8 may be delayed while Oracle works out these issues with Java 7. The release group’s focus suggests they will be releasing a stable, polished version of Java 8. The scheduled date for Java 8 is June 18, 2013.

In related Java news, Apple’s most recent update for Safari includes functionality that allows users to decide whether to enable the Java plug-in on a site-by-site basis. The new feature is available for the latest versions of Safari 5 and 6. Apple has also released an update for the Java browser plug-in that addresses 21 vulnerabilities in the browser and in Java.

Microsoft Security Updates for April 2013

Today, April 9th, Microsoft is planning to release nine new security bulletins: two are rated critical and seven are rated important. Restarts may be required for these patches, which will affect the following software:

  • Internet Explorer
  • Microsoft Windows
  • Microsoft SharePoint Server
  • Microsoft Office
  • Windows Defender for Windows 8 and RT

The updates will be available from the Windows Update tool, the Windows Server Update Services or the Download Center. Microsoft will also release an updated version of the Microsoft Windows Malicious Software Removal Tool. MIT WAUS subscribers will receive the updates as soon as they have been tested and released.

Still on Windows XP? Be Prepared to Migrate.

Are you prepared for the de-support of Windows XP? Microsoft support for Windows XP is ending April 8, 2014 and those users running the operating system after support ends will not receive security updates for Windows. Why are security updates important?

IS&T now provides and supports Windows 7 in full and offers limited support for the business-class versions of Windows 8 (including Pro and Enterprise). The IS&T Software Grid shows which versions are available for download.

There are known issues running some software on Windows 8 machines, so if you rely on an application that is not yet fully compatible with Windows 8, you should hold off on upgrading or purchasing a new machine with Windows 8. Until software vendors have released versions of their applications that are compatible with Windows 8, IS&T will be unable to support them.

Oracle Releases New Version of Java (Again)

Last week Oracle released Java 7 Update 13 to address vulnerabilities.

Systems affected:

  • Java Platform Standard Edition 7 (Java SE 7)
  • Java SE Development Kit (JDK 7)
  • Java SE Runtime Environment (JRE 7)

Users of Java can download the free update here or via the Windows Java console on their machines.

Mac users

MITSIS users

Apple has blocked Java completely in OS X 10.6 and above. Oracle admits there are some serious problems with Java, but says that those problems lie with the browser plug-ins and that server-side, desktop, and embedded Java are not vulnerable to the same attacks.

Read the story in the news here and here.

Apple Releases iOS 6.1

Last week’s Apple iOS update 6.1 addresses more than 20 vulnerabilities, including a serious flaw in the kernel and a number of bugs in the WebKit framework. The company also revoked trust in the bad TurkTrust certificates discovered late last year.

Read the story in the news.

About Java and its Risks

Last week a vulnerability in Oracle’s Java 7 Update 10 and earlier was detected. Apple subsequently addressed the issue through the anti-malware system built into OS X, disabling Java 7 plug-ins on Macs where it is already installed.

Oracle has now released Java 7 Update 11 to address the vulnerability. Users of Java can access the free update here.

What is Java and what are its risks?

This Java issue brings up possible questions in people’s minds. What is Java and why do I need it? Java is a programming language and computing platform first released by Sun Microsystems in 1995. It is the underlying technology that powers programs including utilities, games, and business applications. To learn more about Java and to answer some of these questions, see the Oracle website or the PDF of this month’s issue of OUCH! from SANS.org, dedicated entirely to Java.

Java has become a popular target for cyber criminals and they will use weaknesses in Java to attack computers that have it installed.

What do I do now?

You may have a plug-in for Java running in your browser. This was my experience with Java:

Within my Firefox browser I had a plug-in installed for Java Applet 14.5.0. I clicked the option “Check to see if your plug-ins are up to date” and was told by Mozilla that my Java Applet Plug-in is outdated. Clicking “Update” linked me to Oracle where the latest update is available. Instructions followed for how to update Java on my Mac. After I ran the installation, the plug-in in Firefox changed from Applet 14.5.0 to Java 7 Update 11.

Note that experiences will vary depending on the browser you have installed (Safari, Firefox, and Chrome address plug-ins differently from one another) and its version.

If you are unsure about whether you need to update Java, you can use this link. If no message appears about the status of Java on your system, you can do what I did and see if you have a plug-in for Java in your browser (these will reside in what might be called “add-ons”). Then follow the steps above to update it. If you don’t have Java installed on your system, you can access it from Oracle here.

If you can do without Java, either don’t install it or disable it. If you can’t do without it, the best thing to do is to make sure it is current. Windows users can do this by checking the Java icon in the Control Panel and confirming it is the latest version and is set for automatic updating. Mac users will need to update their version of Java themselves by going to the Oracle website.

Adobe Flash Player Issues Addressed

On October 8, Adobe released updates for its Flash Player software on all platforms. The fixes cover 25 different vulnerability disclosures.

You want to apply the update released by Adobe if you are running the following versions of Adobe Flash Player:

  • Adobe Flash Player 11.4.402.278 and earlier for Windows (other than Windows 8)
  • Adobe Flash Player 11.4.402.265 and earlier for Macintosh

After applying the patch, the correct version on both platforms should be 11.4.402.287.

Later that day Microsoft released Security Advisory 2755801 to address the Flash Player vulnerabilities in Internet Explorer 10 (to be released with Windows 8 later this month).

Read the full story in the news.

Apple Update 2012-005 Fixes Java for OS X

Java for OS X 2012-005 and Java for Mac OS X 10.6 Update 10 are now available for 10.6.8, 10.7 or later and 10.8 or later. An opportunity for security-in-depth hardening is addressed by updating Java SE 6 to 1.6.0_35. Quit any web browsers and Java applications before installing the update, which is available through Software Updates on the Mac OS X system or from the Apple website.

Silent Updates Now Available for Firefox

Firefox 12 is now available. The newest version of the browser incorporates an element of its planned silent updates. Users of Windows Vista and Windows 7 will notice that after the initial installation of the newest version of Firefox, the updates will no longer trigger the user account control prompt, which requires users to agree when programs are installed. The final components necessary for silent updating will appear in Firefox 13 or 14, which are slated to ship on June 5 and July 17, respectively.

On April 24 Mozilla also retired Firefox 3.6; users who have admin rights to their computers and who have not already updated will find themselves automatically updated to Firefox 12.

IS&T will be supporting Firefox ESR (Extended Support Release) for the MIT community. It allows IT admins who maintain a desktop environment to manage updates of Firefox. An announcement about this from IS&T is to be released soon.

Read the story in the news.

Macs No Longer Malware-Free?

Unless you don’t read much news on the Internet, you have likely heard about Flashback (Flashfake), a virus targeting Mac computers specifically using a vulnerability in Java. The malware is estimated to be running on 600,000 machines around the world and is judged to be the largest Mac malware threat ever.

If you’re using a Mac computer, be sure to download and apply the patches for Java released by Apple this past week. You can find them through your Software Update utility or on the Apple Downloads website.
