See my Defensive Computing blog at Computerworld.com  

Java News

NOTE: The most recent Java news is on the home page.

 2016

April 19, 2016: Java 8 Update 91 has been released.

March 23, 2016: Java 8 Update 77 has been released. It is the new security baseline and is due to expire April 19, 2016.

March 11, 2016: Two-year-old Java flaw re-emerges due to broken patch by Lucian Constantin of IDG News Service.

February 8, 2016: Java installer flaw shows why you should clear your Downloads folder by Lucian Constantin for Computerworld.

February 5, 2016: Java 8 Update 73 and Update 74 are released. The security baseline remains Update 71. Both versions will expire on April 19, 2016.

January 28, 2016: I have seen the future and it does not include Java running inside a web browser. Oracle blames web browsers for no longer supporting the quite-old NPAPI plug-in standard. Why Oracle can't move Java to a different plug-in interface is not discussed. As a substitute for Java applets, Oracle suggests Java Web Start apps. These are full blown apps, written in Java that are downloaded to a Java cache on your computer and run from there, outside of any web browser. Java Web Start apps can automatically self-update and the run in a sandbox by default. User action is required for them to break out of the sandbox. Different Java Web Start apps can run concurrently and use different versions of Java. The security issues with Java were always tied to the web browser interface, the language itself was never a security issue. More.

January 19, 2016: Java 8 Update 71 is released. It fixes critical security flaws, as usual, and is now the Security Baseline. Update 71 is scheduled to expire on April 19, 2016. Also released was Update 72, described by Oracle as "a patch-set update, including all of 8u71 plus additional features". Then too, there is a BPR (Bundled Patch Release) and a public edition of Update 72.

 2015

November 16, 2015: Java 8 Update 66 is released. Although the Release Notes say "This release contains fixes for security vulnerabilities," the security baseline, however, remains at Update 65. Update 66 is scheduled to expire on January 19, 2016.

October 20, 2015: Java 8 Update 65 is released. It fixes a bunch of bugs and is the new security baseline. It is due to expire January 19, 2016.

Undated: Java and Google Chrome Browser from Oracle. Starting with Chrome version 45, released in Sept. 2015, Java applets are no longer supported because they use an old plugin interface known as NPAPI. Java web starts apps continue to work fine. IE and Safari still support NPAPI so Java applets work with these browsers.

September 29, 2015: How to Uninstall Java on Mac OS X by Lowell Heddings of HowToGeek

September 30, 2015: Insider: Oracle has lost interest in Java by Paul Krill of Infoworld

September 7, 2015: Oracle cuts Java execs by Barb Darrow in Fortune

August 18, 2015: Java 8 Update 60 is released.

July 14, 2015: Java 8 Update 51 is released.

July 12, 2015: From Trend Micro - First Java Zero-Day Attack in Two Years Targets NATO & US Defense Organizations

May 6, 2015: Just a reminder: Java 7 is dead. Oracle will not release any more bug fixes for it.

April 14, 2015: Three new versions of Java were released today: Java 7 Update 79, Java 7 Update 80 and Java 8 Update 45. These releases fix 14 security flaws. Quoting Oracle: "All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. "

April 14, 2015: Chrome version 42 will pour your Java coffee down the drain: Plugin blocked by default by Shaun Nichols in The Register. Chrome version 42 blocks the Java plugin by default because it uses an old deprecated plugin API. For the time being, you can tweak Chrome to run Java but that will end in September 2015.

January 21, 2015: CPU vs. PSU: According to the tech press, Oracle yesterday released Update 75 for Java version 7. This is only part of the story, as they also released Update 76 for Java 7. Update 75 is the CPU, Update 76 is the PSU. This is now a permanent thing for Oracle and Java. According to Oracle "Most users should choose the CPU release ... Java SE Patch Set Updates (PSU) contain all of fixes in the corresponding CPU, as well as additional non-critical fixes. Java PSU releases should only be used if you are being impacted by one of the additional bugs fixed in that version."

January 20, 2015: Oracle fixed 19 bugs in Java today, 13 of them were remotely exploitable. The latest versions are: Java 7 Update 75 and Java 8 Update 31. Java 7 is slated to die in April, and as part of this, the Java auto-update function will start updating version 7 installations to version 8.


 2014

October 31, 2014: I blogged about What 's new with Java. Perhaps the big news here is that a "very high" security level setting for Java does not prevent unsigned applets from running. Tested on Windows 7 with both Java 7 and 8. Also, just what does it mean when the Java runtime expires.

October 14, 2014: Oracle released three new versions of Java: version 7 Update 71, version 7 Update 72 and version 8 Update 25. Also, version 8 Update 25 is now the default for new installations. Java 8 should work on Windows XP but Oracle does not officially support it.

October 14, 2014: Java version 7 is scheduled to die on April 2015.

Aug 4, 2014: Java version 7 Update 67 was released. No security related bugs were fixed. One non security bug was fixed.

July 15, 2014: Java version 7 Update 65 (a.k.a. version 1.7.0_65) was released to fix 20 security related bugs. See the Release Notes for Update 65 and the list of bugs.

July 14, 2014: It was reported that Java 7 would no longer be supported on Windows XP. This is not true, Java 7 will continue to be supported on XP. However, Java 8 will not be supported on XP.

May 29, 2014: Java version 7 Update 60 (a.k.a. version 1.7.0_60) was released. Although it contains a large number of bug fixes, none of them seem to be security related. The security baseline remains Update 55. See the Release Notes for Update 60.

May 29, 2014: The number of bugs in Java keeps increasing. According to Greg Sinclair, there were 58 Java flaws in 2010, 65 in 2011, 68 in 2012 and a whopping 208 in 2013.

April 15, 2014: Java version 7 Update 55 (a.k.a. version 1.7.0_55) was released to fix 37 bugs. See the Release Notes.

March 18, 2014: Java version 8 was released. It is not yet offered by default. It can be downloaded here and here.

Feb 12, 2014: On the Feb 11th edition of Steve Gibsons Security Now podcast he reported that a clean installation of Java 7 Update 51 on Windows disabled Java in all browsers system wide. This is not true. A clean install picks up prior configuration settings left over by previously installed copies of Java. It will also pick up previously whitelisted websites.

Jan 27, 2014: Java 7 Update 51 changed the default security rules for Java and it caught many people by surprise. I mention this because the new security rules prevent the tester applet on this site from running. A longer explanation is on the Version page.

Jan 14, 2014: Oracle updated Java 7 from Update 45 to Update 51 today. This update fixes the usual, disgracefully high, number of bugs (36 or so). Get the latest version at java.com/en/download/manual.jsp to avoid add-on software such as Ask.com.


 2013

Dec 10, 2013: Firefox version 26, now blocks Java by default, which puts it on par with Chrome. The hassle factor of running Java in a browser keeps getting higher. Java is fine for use with installed applications, but its use in web browsers has no future. To run a Java applet in a web browser, this first has to be allowed system-wide in the Java Control Panel, then Java security levels need to be dealt with to permit different types of applets, then Firefox and Chrome warn about Java being dangerous and finally Java itself warns about it being dangerous. Firefox puts out two warnings for each applet. Java warnings are worded in such a way as to be confusing. Want fewer messages? Java, Chrome and Firefox each keep separate whitelists of sites allowed to run Java. Is this a Marx Brothers movie?

Nov. 2, 2013: Mozilla is working on changing Firefox to block Java by default. A couple articles written Oct 22nd said this was introduced with Firefox v24 but this is not true. People hate the specific way Firefox implemented this, saying the user interface was too confusing.

Oct. 17, 2013: OS X Snow Leopard (10.6) clarification: I have seen it reported twice on websites with many readers that Apple does not allow Java 6 to run applets (Java programs embedded in web pages, such as the Version page on this site). This is not true on OS X 10.6. It is true on OS X 10.7 and 10.8. I have personally verified that Java 6 Update 65 runs applets just fine on Snow Leopard.

Oct. 15, 2013: Bug fixes released today for Java 7 from Oracle and Java 6 from Apple. The new Java 7 from Oracle, Update 45, fixes 51 bugs. It runs on Windows, Linux and OS X v10.7.3 and above. It is set to expire on Feb. 14, 2014. Oracle also released Java 6 Update 65, but only to their customers with extended support (paid) contracts. Apple today released Java 6 Update 65 (see About the security content of Java for OS X 2013-005 and Mac OS X v10.6 Update 17), which runs on OS X Snow Leopard 10.6.8, Lion 10.7, and Mountain Lion 10.8.

Sept. 11, 2013: Oracle released a new version of Java 7, Update 40 with a huge amount of bug fixes. The new version runs on Windows, Linux and OS X v10.7.3 and above. It is set to expire on Dec. 10, 2013.

Aug. 29, 2013: Apple bans older versions of Java on OS X. On Snow Leopard, Lion and Mountain Lion only the latest versions of Java are now allowed to run.

Aug. 28, 2013: Before Java runs a digitally signed applet, it asks if you want to run the thing. The message that Java issues includes the name of the applet. Jerry Jongerius of Duckware reports that the name can be forged. In fact, he found two separate ways to make the Java warning message lie to an end user. And that's just for starters. Jongerius also describes other security flaws in Java 7 Update 25. Really damning stuff.

Aug. 28, 2013: Jack Tang of Trend Micro warns that bad guys are getting more sophisticated in exploiting bugs in Java. See Java Native Layer Exploits Going Up.

Aug. 27, 2013: Wolfgang Kandek of Qualys writes about a bug in the Java 2D subcomponent, that was fixed in Java 7 but not in Java 6. F-Secure has seen the bug being exploited in the wild. Kandek says that Java 6 is installed on over 50% of computers with Java. Oracle does patch Java 6 but the fixes are only availalbe to companies that pay for them.

July 18, 2013: It just never ends. Yet another Java bug, yet again in the Reflection API and yet again, discovered by Adam Gowdiak, the CEO of Security Explorations.

July 18, 2013: The title says it all. Most enterprise networks riddled with vulnerable Java installations. From Bit9.

June 18, 2013: Oracle released a new version of Java 7, Update 25 for Windows, Linux and OS X 10.7.3 and above. They did not update Java 6. Apple updated their copy of Java 6 that is used on OS X 10.6 Snow Leopard to Update 51.

June 14, 2013: A new version of Java, fixing 40 bugs, is scheduled to be released June 18, 2013. Oracle refers to clumps of bug fixes as "Critical Patch Updates" which some people, sadly, abbreviate as CPU. PC World and Threatpost describe the coming changes. In April 2013 Oracle fixed 42 bugs. In February 2013, they fixed 55. This is disgraceful.

June 12, 2013: Disabling Java in web browsers used to be a browser by browser thing. Then, Sun added a new option to Java 7 that let you disable Java system-wide in all browsers. But, Windows users that needed Java in a browser still had a problem. While Java was easy to disable in Firefox and Chrome, Internet Explorer was a miserable mess. Though many articles are available online detailing many different ways to disable Java in IE, they are wrong. It couldn't be done. Until May 29, 2013. See Java: A Fix it for when you cannot let go.

May 6, 2013: Although the Java spotlight shines on Oracle, other companies have also created Java runtimes. IBM ships Java for Linux, AIX (their version of Unix) and z/OS (mainframe operating system) and it's buggy too. Adam Gowdiak, the CEO of Security Explorations, just found new bugs in the Linux edition (he doesn't address AIX or z/OS) and confirmed that old bugs (dating back to Sept. 2012) were not properly fixed.

April 26, 2013: Oracle is expected to release a new version of Java on May 10, 2013 to fix some bugs.
Update: As of May 29, 2013 there is still no new version of Java.

April 23, 2013: A bug that was fixed last week in Java 7 Update 21 is being actively exploited by bad guys. Be sure to update to the latest Java. See Java users beware: Exploit circulating for just-patched critical flaw.

April 23, 2013: It all starts again. The first public acknowledgement of a bug in the latest edition of Java (v7 Upate 21) came from Adam Gowdiak, the CEO of Security Explorations, who has found many previous bugs in Java. As usual, the bug lets malware break out of the Java sandbox. Interesting new twist, the bug can be exploited on any system with Java installed, even if Java is disabled in all browsers. See Serious flaw in Java Runtime Environment for desktops, servers.



JAVA UPDATES RELEASED BY ORACLE

April 16, 2013: Reuters quotes Oracle Executive Vice President Hasan Rizvi as saying that the patches released on April 16th, fix the vast majority of known critical bugs. Not all of them, however. Here we go again.

April 16, 2013: Oracle updates both Java 6 and 7 to fix around 40 bugs. The latest versions are now Java 7 Update 21 and Java 6 Update 45. Apple also updated the version of Java 6 that they supply for OS X Snow Leopard to Update 45. And, Apple updated Java 6 on Lion and Mountain Lion to Update 45. This is the second time Oracle updated Java 6 after saying there would be no more updates. The updates to Java 7 introduce new warnings about Java security and changes to the Java Control Panel security options.



March 14, 2013: Apple fixed a bug in OS X Lion and Mountain Lion that let Safari run Java web start applications even if the Java plugin had been disabled in Safari.

March 8, 2013: For those of you keeping score at home, there are now 12 unpatched bugs in the latest and greatest version of Java (v7 update 17) which was released on March 4th. An even dozen. Four bugs were demonstrated at the Pwn2Own contest, 7 were discovered last week by Adam Gowdiak of Security Explorations and the failure to check the certificates of signed applets is from Eric Romang. For more, see my blog There are a dozen known flaws in Java.

March 7, 2013: Another Java flaw was demonstrated today at the Pwn2Own contest. This one is from Ben Murphy.

March 6, 2013: Three new Java 7 bugs were demonstrated today at the Pwn2Own contest (part of the CanSecWest 2013 security conference in Vancouver). The bugs were discovered by James Forshaw, Joshua Drake and security company VUPEN. I found comments by Chaouki Bekrar, CEO and head of research at VUPEN, particularly interesting. He said: "Writing exploits in general is getting much harder. Java is really easy because there's no sandbox. Flash is a different thing and it's getting updated all the time and Adobe did a very good job securing it ... We see that criminals are moving from Flash to Java. ... I think Java they need to redesign. The code base is too big."

March 6, 2013: All the bugs in Java have been related to unisgned applets running in a browser. But Java applets can also be digitally signed and signed applets run outside of the normal Java sandbox by design. In other words, they don't need to depend on a bug in Java, they are purposely given free reign to do whatever they want. An example of a signed Java applet is the Secunia Online Software Inspector. Eric Romang found that, by default, Java does not check for digital certificates that have been revoked.



JAVA UPDATES RELEASED BY ORACLE

March 4, 2013: Oracle updates both Java 6 and 7 to address the FireEye bug that first became public Feb. 28th (and a related flaw). The latest versions are now Java 7 Update 17 and Java 6 Update 43 and they are available on Windows, Linux, OS X Lion and Mountain Lion. Apple also updated the version of Java 6 that they supply for OS X Snow Leopard to Update 43 (although Apple refers to it as Update 14). There were not supposed to be any more bug fixes for Java 6, but, there were.

March 4, 2013: Five, yes I said FIVE, new flaws in Java 7 (Issues 56-60) are identified by Adam Gowdiak of Security Explorations. He sent documentation on the bugs to Oracle and did not test if the bugs also exist in Java 6. See original source.

February 28, 2013: FireEye finds a bug in both Java 6 and Java 7. Unlike the bugs from Security Explorations, this is currently being used by bad guys. The good news is that "the exploit is not very reliable". So far, the bad guys only seem to be attacking Windows, not OS X or Linux. CyberESI is also credited with finding the bug.

February 27, 2013: Oracle responds to Security Explorations that Issue 55 is indeed a new bug, but claims that Issue 54 is not a vulnerability.

February 25, 2013: The ball starts rolling again. Security Explorations reports finding two new bugs in Java (Issues 54 and 55) and sends Oracle documentation on the flaws. The bugs only exist in Java version 7.



JAVA UPDATES RELEASED BY ORACLE

February 19, 2013: Bug fixes were released for both Java 6 and 7 (on schedule). The latest edition of Java 7 is Update 15, the latest update to Java 6 is Update 41. Apple kept in step with Oracle, they also updated their copy of Java 6 to Update 41. Oracle says this really is the end of the line for Java 6, no more bug fixes going forward.

February 10, 2013: More bug fixes to Java will be issued on Feb 19, 2013



JAVA UPDATES RELEASED BY ORACLE

February 1, 2013: New Java from Oracle: Version 7 Update 13 and Version 6 Update 39. Apple also released Java 6 Update 39 for OS X Snow Leopard.

January 31, 2013: Apple has again used their XProtect feature to block Java. They blocked Java 7 from running applets in Lion and Mountain Lion and blocked Java 6 in Snow Leopard. Why? None of our business, Apple doesn't seem to feel a need to explain themselves.

January 29, 2013: Mozilla is getting sick of this. They plan on modifying Firefox so that no Java applets ever run automatically. That is, they plan to force click-to-play for Java and other plug-ins.

January 27, 2013: Adam Gowdiak claims to have found yet another security flaw in Java 7 Update 11. The flaw lets a malicious applet execute even on the "Very High" security setting. See my blog Yet another Java security flaw discovered - Number 53.

January 22, 2013: Ed Bott comes very close to calling Java spyware because of the sneaky way it tries to install software from Ask.com when Java is installed. See A close look at how Oracle installs deceptive software with Java updates.

January 22, 2013: Woody Leonhard writes in InfoWorld: Disabling Java in Internet Explorer: No easy task. Great article. 99% of what you read online about this is wrong. Woody nailed it.

January 21, 2013: While testing the new security rules in Java 7 Update 11, I find that blocking Java in all web browsers and then re-enabling it, breaks IE8 on Windows XP and IE9 on Windows 7. IE8 won't run any applets (even when it should) and IE9 runs unsigned applets when it should not.

January 20, 2013: Adam Gowdiak claims to have found two more security flaws in Java version 7 Update 11. See Java 7 Update 11 confirmed to be vulnerable and Critical Java vulnerabilities confirmed in latest version.

January 17, 2013: Trend Micro reports finding Windows based malware that pretends to be "Java Update 11" in order to trick people into installing it. It is not Java software. When a Windows computer suggests installing an update to Java, what is a non-techie supposed to do?

January 16, 2013: Yet another confirmation that Java remains buggy, this time from Trend Micro (Java Fix for Zero-Day Stirs Questions). They say "Based on our analysis, we have confirmed that the fix for CVE-2013-0422 is incomplete ... the issue in [the] findclass method still leaves a hole that could be used with another new vulnerability". That is, the remaining flaw can not be directly exploited but can be combined with an as-yet-to-be-discovered flaw to put us right back where we started, yet again. Quoting Trend: " ...the message is clear: Java remains a big risk".

January 15, 2013: Further confirmation that Java remains buggy comes from Adam Gowdiak. Mr. Gowdiak, a researcher with Security Explorations, has discovered many flaws in Java. He said that Java 7 Update 11 "leaves unfixed several critical security flaws".

January 14, 2013: It has been reported that while Java 7 Update 11 fixed the known exploits, it failed to fully correct one of the two known flaws. This invites bad guys to find a new way to exploit the remaining bug. If you need Java only for installed applications, the safest thing to do is disable Java in all web browsers with the new checkbox introduced in Java 7 Update 10. Or, use Java version 6 while it's still available.



JAVA UPDATES RELEASED BY ORACLE

January 13, 2013: Oracle released Java 7 Update 11 to address the latest flaw. Java 6 was not updated as the current problem was limited to Java 7. You can download the latest Java 7 here.

January 13, 2013: See my blog: How to be as safe as possible with Java.

January 12, 2013: Apple has remotely disabled Java 7 on OS X, which required no action on the part of the end user. Mozilla has done something similar for Firefox 17 and 18 using click-to-play. How interesting.

January 11, 2013: Here we go again. There is yet another (in a long line) of Java security flaws. Java 7 is vulnerable to this latest bug, Java 6 is not. Thus, the advice I offered back in August on my Computerworld blog, still applies - if you need Java, go with version 6 on Windows. OS X users running Snow Leopard are safe, as Java 7 is not supported. OS X users running Lion and Mountain Lion with Java 7, should disable Java in their browers. To that end see How do I disable Java in my web browser? from Oracle. Everyone should see the section below on whether they need Java in the first place.



 2012

October 17, 2012: Oracle released Java 6 update 37 and Java 7 Update 9 to fix a lot of bugs. Apple followed suit and released Java 6 Update 37 for the last three editions of OS X. But, not all known bugs were fixed. For more on this and other "issues" with these latest Java updates see my blog The ugly side of the latest Java updates.

Heise Security spoke to Adam Gowdiak, the security researcher who found many recent flaws in Java. Gowdiak told them "that a critical security hole that allows attackers to break out of the Java sandbox continues to exist in Java". Gowdiak claims that Oracle told him that the just-released package of bug fixes was "already in its final testing phase" when he reported the latest problem. So, this newest flaw, no doubt the one from September 25th, will not be fixed until February 19, 2013.


Sept. 25, 2012: Both Java 6 and 7 have a big security flaw that has not been patched by Oracle. According to security firm Security Explorations, the bug is in the latest versions of Java (version 6 Update 35 and version 7 Update 7) as well as the older Java 5. The bug was found to be exploitable from Chrome 21, Firefox 15, IE 9, Opera 12 and Safari 5. For more see Another critical Java vulnerability puts 1 billion users at risk. If you need Java, there is no defense. In what is now a best practice, disable Java in the browser you normally use and have it enabled in another browser that is only used on sites that need Java. But, bear in mind, its all but impossible to disable Java in Internet Explorer.


Sept. 6, 2012: Apple today released Java 6 Update 35 for OS X.

Sept. 1, 2012: Just hours after Oracle released Java 7 Update 7, it was found to still contain a security flaw (probably more than one). If you need Java, version 6 is the obvious choice. I blogged on these latest Java security flaws:
  Despite new patch, Java 7 is still dangerous. Go with version 6.
  Java security flaw: yada yada yada

Aug. 30, 2012: Oracle has released updates to both Java version 6 and 7. Anyone running Java 7 should update to Java 7 Update 7, which was released today. Likewise, anyone running Java 6 should update to Update 35, also released today. See Oracle's notice.

Aug. 28, 2012: Java version 7 has a security flaw that can be exploited on Windows, OS X and Linux. The flaw appears to be in all versions of Java 7, not just the latest (Update 6). The flaw does not exist in Java version 6, so anyone who needs Java (see below) can safely run Java version 6. Anyone running Java 7 on Windows or Linux, can fall back to Java 6 by downloading the JRE (Java Runtime Environment) at Oracle's Java Runtime Environment 6 Downloads page. Apple OS X users that get their Java software from Apple (via OS X software update) are running the safe version 6. Mac users that installed Java 7 from Oracle should fall back to Java 6 from Apple.