Home Forums Discussions General Discussion You should make time to do your Java update

Since this is perceived by security folks as high risk, I'm posting this in the General Discussion area.

http://allthingsd.com/20111202/why-today-is-a-very-good-day-to-update-java-on-your-computer/

a pull quote:
"Consider yourself warned: Today is a very good day to update the version of Java running on your computer. This applies to you whether you run Windows, Mac OS X or Linux. If you?ve noticed your machine suggesting that you update Java, do it right away.

The reason? A scary vulnerability in Java that was detected over the summer, and which Oracle has subsequently fixed, is being exploited by people who create the malware and crimeware that causes so many headaches for home users and corporate IT departments."

This is going on the top of the list for our maintenance this weekend.

Indy,
Thanks for the heads-up. Somehow it seems that we are doing a Java update every other day, anyway. If only Windows and AC updates were as easy as Java...

Just an update now that I have seen a machine with the attack in a production environment.

When you do the "Verify Java" step, in some cases there will come up a small notification in the text that there are vulnerable versions still on the machine that need to be installed.

The attacks are specifically calling previous vulnerable Java versions, so they need to be removed as well as installing the latest version [currently 6 v30].

Soooo .. take the time to follow the link to see the versions you need to remove, then open up your Control Panel, Add/Remove Programs, and remove the vulnerable versions of Java.

In this particular machine, it was one of the first done, I missed the dialog the first time, so it was attacked. Sophos caught it, reported it to the Management Server, and I used the Management Server to finish the cleanup remotely.

Everything worked the first time other than the operator who missed the dialog. nothing like layered protection.

Indy,
I did the Java update as you suggested, thanks for the heads up.

The is also Java Runtime environment in the list; is that something that gets updated?

Donna

More news from the Microsoft Security Blog:

http://blogs.technet.com/b/security...-of-keeping-all-software-up-to-date.aspx

JamesNT

The latest version of Java for the Windows OS is Version 6 Update 30. You can see what version of Java your computer is running here. All versions of Java can be downloaded here.

Be observant when clicking through the several windows when installing Java. There is an option to install the "Ask Toolbar" on your browser, marked "yes" by default. Be sure to click off the checkbox before installing.

I am still a little confused.
I have installed the latest version, and then when I go back to Add/Remove programs, this is what I see:

J2SE Runtime Environment 5.0 update 16

Java(TM) 6 update 30

Is the top one an old version that should be removed?
Is there anything that would depend on an old version to run?

Donna

The Java Runtime Environment (JRE) is created on your computer when you download Java software. The JRE consists of the Java Virtual Machine (JVM) & Java platform core classes and libraries. The Java Plug-in software (which is what Indy is suggesting be updated) is a component of the Java Runtime Environment (JRE). The JRE allows applets written in the Java programming language to run inside various browsers.

Donna,

When you run the Java verification there is a link that will indicate which versions of the Java updates that are vulnerable and should be un-installed. It often varies from machine to machine as different machines will often have Java installed at different times and versions.

The other thing that makes this more confusing is that the Java nomenclature has changed over time. There is a story behind it, but probably not of interest.

On several machines I have seen version 5 update 1 [ and others in version 5] tagged, and several of the earlier version 6 [IIRC including 1,5,6,7,11]. Since the Java Applet runs during verify, it will tag the versions you want to uninstall - I'd leave that browser window up and toggle between that and the add-remove programs.

When this all started it was Java 6 v29, we are now already to 6 v30 as mentioned above.

Donna,

And for the record, I'll be cheering the Ravens on today, San Diego fans are weak sauce.

Thanks, John and Indy!

Good choice, Indy. There will be lots of tired folks here in Baltimore tomorrow after the late game tonight. Go Ravens!

The fans may be weak, but they were not playing :^)
Where has that Chargers team been the rest of the year :^(
But we are still in the hunt for a playoff berth.

Greg

Go Chargers! I was at that game. For once the Chargers had a decent game. Baltimore was favored to win too.

Playoff hopes are still slim. Need some help from other teams!

Indy, thought you would be a Charger fan based on your proximity?

Grrrr....
That game was definitely not what we expect from our Ravens!
Especially in a season where we have defeated Pittsburgh twice.

Your Ravens hadn't allowed anyone to score on first possession in a long time. Chargers scored on their first five possessions. I really thought the Raven's Defense was going to squash the Chargers.

Greg,

You sound like a real fan, and I know Marty, so no disrespect meant. From when I was based in San Diego and later, I found many SD fans to be fair-weather only.

.... and yes, you really should update your Java AND uninstall the vulnerable versions.

Indy,

No disrespect taken. I've only been a Charger fan for the last 9 years or so. From their history, I missed out on the really bad years. The year before I bought season tickets, the team only won one game the whole year. Imagine it was painful to be a Charger fan (actually still is...ha ha)

Happy Holidays to you!