Michael Horowitz

Java security flaw: yada yada yada

August 31, 2012 12:18 AM EDT
Java is at an unusual state. Oracle, the company behind Java, is currently maintaining both version 6 and 7 with bug fixes. Version 7 has more features, but anyone that doesn't need these features can safely use version 6.
 
Back in June, when I blogged about Defensive Computing with Java, I suggested sticking with version 6 because of its maturity. From a Defensive Computing perspective, new software is always suspect. Since it had been around longer, I argued that version 6 was less likely to have compatibility issues with existing software that required Java.  
 
It turned out that some of the new features in version 7 were not sufficiently debugged. As a result, anyone running Java 7 could get infected with a virus simply by viewing a malicious web page. Since Java 7 runs on Windows, OS X and Linux, that meant that the flaw in Java 7 could be abused on Macs and Linux machines too. 
 
Today, after a flood of bad press, Oracle released updates to both Java 6 and 7, with assorted bug fixes. 
 
WINDOWS 
 
Anyone running Java on Windows should now be at either version 6 Update 35 or version 7 Update 7. Anything else is dangerous. Too see which, if any, version of Java is installed, visit my www.JavaTester.org site. 
 
Windows users, since May, have been getting Java 7 installed by default. In my June blog, I suggested downloading Java 6 here, but it can also be downloaded here. I continue to prefer Java 6 over Java 7. 
 
OS X 
 
The situation on OS X is more complicated than Windows.
 
Java 6 is supplied to Mac users by Apple, whereas Java 7 is supplied by Oracle. Mac users that get all their software via the OS X self-update mechanism will have Java 6. The only OS X users running Java 7 are those that went out of their way to download it from Oracle and install it. 
 
Today, Oracle updated Java 7 for OS X to Update 7 and anyone running Java 7 on OS X should install this update. However, chances are that very few Mac users were running Java 7.
 
For one thing, Java 7 is only available on the two Lion editions, it is not available on Leopard or Snow Leopard. In addition, it only works with 64 bit browsers, which means it does not work with Chrome. For more about Java on OS X, see How do I get Java support for Mac? from Oracle. 
 
Apple has not yet updated Java 6 for OS X to Update 35. 
 
Java 6, while immune to this weeks big security flaw, still needs a security update. Oracle's Update 35 to Java 6 includes a "security-in-depth fix." Exactly what this means, I don't know. How vulnerable this leaves Java 6 Mac users is not clear. I have not yet seen anything online that addresses this. 
 
LINUX 
 
Linux users too, have a choice of Java suppliers. From what I read, this weeks security flaw only existed in Java 7 from Oracle. Java from other sources, was safe. 
 
DEFENSIVE STEPS 
 
At this point, Java security flaws remind me of the movie Ground Hog day.
 
If you don't need Java, remove it. Sadly, as I mentioned previously, it's not simple to determine if you need it. The home page of my JavaTester.org site links to an Ed Bott article that lists some apps that require Java, and, extends his list too. If you don't use anything on these lists, then remove Java and see if anything breaks. 
 
Also, Java is used both by websites and by native OS applications. The security flaws this week only applied to website usage. Java used by, Open Office or the OS X version of Crashplan, for example, was never a problem. If you need Java solely for native applications, then disable it in every web browser. 
 
If Java is needed inside a browser, then it's now an unquestioned best practice, to disable Java in the browser you normally use and have it enabled in a second browser that is exclusively used on the site(s) where it's needed. 
 
The only gotcha here is that it's virtually impossible to disable Java in Internet Explorer version 9. There is lots of bad advice about this online. In fact, almost everything written on the subject is wrong. The gory details are best explained by US-CERT in Vulnerability Note VU#636312. Even there, the section on disabling Java in IE has been completely re-written twice, at least. 
 
 
VERSIONS 
 
Oracle takes a simple thing, identifying the version of their software, and complicates it terribly. So much so, that it confuses people who don't possess the secret Oracle decoder ring. Here's a cheat sheet for identifying Java 6 Update 35. 
 
 
On my JavaTester.org site, it is reported as 1.6.0_35. The decoder ring tells you to ignore the first and third digits. 
 
In the Windows 7 Control Panel, it is identified as version 6.0.35.0. No more leading "1", still the useless "0" in the middle and a new useless zero at the end. 
 
In their Release Notes Oracle says "The full version string for this update release is 1.6.0_35-b10 (where "b" means "build") and the version number is 6u35." 
 
The Mozilla Plugin Check identifies it as "Java(TM) Platform SE 6 U35".  
 
Secunia's Online Software Inspector identifies it as 6.0.350.10. Again we see the useless zero in the middle and the decoder ring tells you to ignore the 10 at the end. Oh, and 350 is really 35. 
 
Not to mention the many articles that refer to Java 6 as version 1.6 (or Java 7 as 1.7), which indicates the author does not have an Oracle decoder ring. 
 
BAD ADVICE 
 
These last few days have seen more than their fair share of bad Java advice. 
 
Just today, the "staff" at AppleInsider wrote "Because Java came bundled with older versions of OS X like Leopard or Snow Leopard, Macs running the legacy software are potentially more vulnerable to the attack than those with the latest 10.8 Mountain Lion". Since the Leopard family of OS X can't run Java 7, they were actually safer all along. 
 
Over at CNET, Topher Kessler wrote "... this vulnerability is in new features in the Java 7 runtime ... so if you have older Java runtimes installed on your system then you will not need to patch them." On the contrary, Java 6 on Windows should be updated to Updated 35. And, if Apple releases an update to Java 6 for OS X, it too, should be installed. 
 
And speaking of Java 6 Update 35, the Mozilla Plugin Check says that it is "outdated". It is current and safe.
 
 
But the best example of this comes from Oracle's own java.com site. The page, How do I test whether Java is working on my computer? not only reports on the installed version of Java but also tells you if its up to date or not. 
 
When it comes to Java 6 Update 35, the verdict is mixed. The page reports both that "An old version of Java has been detected on your system" and that the "Latest Java is installed". 
 
Finally, anyone running a Chromebook or Chromebox has been safe all along. They don't support Java at all, which is looking more and more like a good decision by Google.

 
UPDATE: August 31, 2012.  Just hours after Oracle released a patch to Java 7, it has been found to be buggy again. For more see Despite new patch, Java 7 is still dangerous. Go with version 6.