Java users can verify their computer system’s Java version on this page. Affected by the security vulnerabilities are all JDK and JRE 7, and JDK and JRE Update 27 and earlier versions.

The risk matrix highlights each individual patch, the affected components, attack vectors and scores.

End users can make use of the automatic updating routine or download the new Java versions directly from the Oracle website. Windows users can check manually for updates from the Java Control Panel applet. They need to switch to the Update tab of the applet and click on the Update Now button there to run an update check and install the update on the system.

Users running the Java Runtime Environment 6 (who want to stay on 6 and not switch to 7) can download the JRE 6 Update 29 from this page. The new version is available for all supported operating systems. Windows users can download online or offline installers of the JRE.

Users who are already running the Java Runtime Environment 7 can download the new version that brings their version to JRE 7 Update 1 here.

Developers can download the Java Development Kit 7 Update 1 from the Java SE Downloads page. Additional developer related downloads are provided on that page as well.

Oracle classifies the patch update as critical. Users running either the JDK or JRE on their computer system should update the systems as quickly as possible to protect their operating systems from potential attacks and exploits.

Oracle notes that 19 of the 20 vulnerabilities can be remotely exploited without the need for authentication. System administrators who need more information should start with the official patch update advisory linked above. It includes temporary workaround suggestions that may mitigate potential attacks on computer systems.

The JRE is needed to execute Java applications on the local system and in the web browser. I use it for instance for the excellent RSS reader RSSOwl.

The JDK, Java Development Kit, has also been released as version 7.0 Final. The Java SE 7 Features and Enhancements page lists the highlights, changes and known issues. The page, which acts as the release notes, is highly technical. It links to additional pages with the most important changes in the new release, which makes it that much harder to compile an overview of important changes.

Probably most important from an end users point of view are security improvements and changes. Some weak ciphers have for instance been disabled in the Java 7 release to enhance the security.

This release includes new features such as small language changes for improved developer productivity, a new Filesystem API, support for asynchronous I/O, a new fork/join framework for multicore performance, improved support for dynamic and script languages, updates to security, internationalization and web standards and much more.

Java developers find all the information they need in the release notes and documentation. This includes updated installation and troubleshooting guides as well as JDK 7 and JRE 7 specific development guides and API documentations.

The Java Runtime Environment 7 has been released for all supported operating systems. Users can download the JRE 7 for supported 32-bit and 64-bit editions of Windows, Solaris and Linux from the official download page.

The Java offline installers have a size of about 20 Megabytes under Windows, and between 12 and 35 Megabytes under Linux and Solaris.

Developers can download the latest Java SE Development Kit 7 from Oracle as well. JDK 7 is offered for the same set of operating systems. It’s download size varies between 80 and 160 Megabytes.

Oracle today released the critical patch update Java 6 Update 24 to the public. The update fixes several critical vulnerabilities including the previously discovered vulnerability that causes hangs when parsing strings like “2.2250738585072012e-308″ to binary floating point numbers.

The risk matrix shows lists all 21 security fixes included in the update with information about the versions of Java affected, the access vector and if they are remotely exploitable.

Out of these 21 vulnerabilities, 13 affect Java client deployments. 12 of these 13 vulnerabilities can be exploited through Untrusted Java Web Start applications and Untrusted Java Applets, which run in the Java sandbox with limited privileges. One of these 13 vulnerabilities can be exploited by running a standalone application.

In addition, one of the client vulnerability affects Java Update, a Windows-specific component.

3 of the 21 vulnerabilities affect client and server deployments. These vulnerabilities can be exploited through Untrusted Java Web Start applications and Untrusted Java Applets, as well as be exploited by supplying malicious data to APIs in the specified components, such as, for example, through a web service.

3 vulnerabilities affect Java server deployments only. These vulnerabilities can be exploited by supplying malicious data to APIs in the specified Java components. Note that one of these vulnerabilities (CVE-2010-4476) was the subject of a Security Alert released on February 8th.

Finally, one of these vulnerabilities is specific to Java DB, a component in the Java JDK, but not included in the Java Runtime Environment (JRE).

(via)

System administrators and users who have Java installed, either in the form of the Java Runtime Environment (JRE) or the Java Development Kit (JDK) should update the software as soon as possible to protect their systems from possible exploits.

Users who have applied the manual command line patch need to uninstall Java before they can install the new updated version.

The vulnerability is triggered when 2.2250738585072012e-308 is converted to a binary floating number. It can be exploited to allow unauthenticated network attacks which can “cause a hang or frequently repeatable crash (complete Denial of Service) of the Java Runtime Environment”. Oracle notes that “Java based application and web servers are especially at risk from this vulnerability”.

The Java SE Floating Point Updater Tool has been created to “address the hang that occurs when parsing strings like “2.2250738585072012e-308″ to a binary floating point number”. The file is offered for download at this page. It is best to unpack the file directly into the /bin/ directory of the Java installation since it is necessary to run a command from the command prompt that references that file.

Windows users need to open an elevated command prompt and switch to the directory of their Java installation. The directory is located in the program files directory, in the case of a 64-bit operating system in the program files (x86) directory. The full path on my Windows 7 64-bit test system is C:\Program Files (x86)\Java\jre6\bin.

The command that needs to be entered is java -jar fpupdater.jar -u -v. The path of fpupdater.jar needs to be added if the file is not in the same directory as the java executable. The command assumes that the user is in the bin directory mentioned above. The path needs to be added to the command as well if that is not the case.

It can take up to two minutes before the patch is fully applied to the JRE or JDK. It is necessary to run the patch against any instance of JAVA on the system, for instance if the JDK with JRE and a standalone JRE are installed on the system.

The program should display that the patch was applied successfully in the end. Another indication are two files that are placed inside the lib folder by the application.

/lib/rt.jar.fpupdater Copy of rt.jar before the fix.
/lib/.fpupdater.log Zero-length file indicating that the update has taken

Users who have Java installed should patch the vulnerability as soon as possible. (thanks Dante for the tip, via)

Among the plugins that are exploited the most are Adobe plugins, and Java. Recent findings in Microsoft’s latest Security Intelligence Report suggest that Java exploits have increased steadily, and caused a huge spike in the second quarter of 2010, rising from under 500,000 to more than 6 million in quarter 3.

In comparison, pdf exploits stayed well below the 100,000 mark in that time.

Holly Stewart analyzed the causes of the spike and came to the conclusion that the attacks were driven by three vulnerabilities. Interestingly enough, patches are available for some time for those vulnerabilities. This suggests that many users do not update Java on their computer system regularly.

Those exploit attempts pale in comparison to other threats on the Internet. Malware trends of the report show exploits making up less than 5% of all infected computers. Still, exploits have risen from less than 2% in the third quarter of 2009 to almost 5% in the second quarter of 2010.

Why is Java that dominant in the exploits category? The main cause seems to be because people do not update Java as frequently as other browser plugins. Up until recently, researchers and reporters did not mention Java nearly as often as Adobe Flash or Adobe Reader when it came to third party plugins being exploited. This may be the core reason, but there are others.

Java, which usually means the Java Runtime Environment, is installed on the majority of computer systems. Coupled with the fact that Java is barely used by most Internet users, and that update notifications are non-existent make it a prime target for attackers.

Some browser developers have started to add plugin checks either during updates of the browser or in the plugin listing.

So what can you do to protect your system? First, if you do not need Java you can simply disable it in the web browser. This protects the browser from possible exploits. You may also want to consider uninstalling Java completely, considering that there is no good reason to keep it on the system if it is not needed.

Users who need to work with Java need to monitor JRE updates. They can do this manually, by reading news sites that report on security updates, or by installing a third party software like Secunia PSI that will inform them of updates.

The Update release notes list the full external version as 1.6.0_22-b04, and the external version as 6u22. It lists a total of 16 different bugs that have been fixed in the update.

• 6897143 – hotspot – garbage_collector – Stress test crashes during HeapInspection using ParallelGC
• 6919638 – hotspot – garbage_collector – CMS: ExplicitGCInvokesConcurrent misinteracts with gc locker
  6837842 hotspot jni JNI_CreateJavaVM crashes under impersonation
• 6948223 – idl – orb – Corba issue, fail to reload object
• 6969236 – java build – Regression: JRE identification fails due to Oracle rebranding in java.exe
• 6893325 – java – classes_awt – JComboBox and dragging to an item outside the bounds of the containing JFrame is not selecting that
• 6974093 – java – classes_lang – Thread.clone should NOT invoke addUnstarted on started threads
• 6959911 – java – classes_security -Update Entrust.net CA (2048) root and add new Entrust Root CA-G2
• 6725789 – java – classes_util_concurrent – ScheduledExecutorService does not work as expected in jdk7/6/5
• 6547241 – java – imageio – JPEGImageReader.readImage crash
• 6557086 – java – imageio – Attempt to dispose jpeg reader form another thread may cause crash
• 6944981 – java_deployment – general – Name field missing in mix code security warning dialog for Java Webstart application
• 6869937 – java_plugin – plugin2 – New Plugin – Vista&XP Focus never returned to browser
• 6846148 – jaxb-xsd – runtime – Namespace gets lost for null scope while using RetQName
• 6946312 – jaxp – sax – XML parser omits characters callback to ContentHandler since 6u18
• 6957378 – jmx – classes – JMX memory leak

Users who have Java installed should download it as soon as possible from the official website. A script on the site will detect the installed Java version, and display a download link if the installed version is not the latest. The release notes are accessible here.

But Ghacks readers know more, downloads for the Java Runtime Environment and Java SDK are already enabled in the Sun Download Center.

Users who work with the JRE can download the latest version from this download center page. The software is available for Windows, Linux and Solaris.

java 6 update 21

The Java Developer Toolkit has also been updated and can be downloaded from this page instead. It raises the version to 6 Update 21 as well and is available for the same platforms.

The release notes list the changes in the Java Update. Among the new features is support for additional system configurations including Google Chrome 4, performance improvements in Java VisualVM and at least one security fix. Developers and interested users can take a closer look at all the bugfixes of Java 6 Update 21 on this web page.

The security issue that has been fixed in this update makes it a recommended update for every user who has Java installed on a computer system.

The portable Java installer can be downloaded from the Portable Apps website. It then needs to be executed to download the latest JRE to a location on the computer system.

The portable Java Runtime Environment provides the Java environment for applications of the apps suite.

Probably more interesting than this is the fact that portable apps offer a Java Portable Launcher which can be used to launch third party Java programs as well.

It can be that those third party apps are not necessarily portable in nature but that is the only difference there is. One benefit of this approach is that background processes like jqs.exe are not automatically running on the computer system.

java portable launcher

It is important to download and install the applications in the right sequence. Here is how it is done. Start by downloading the Portable Apps suite from the main website. It is sufficient to download the bare bones version but other versions are fine as well.

Install the Portable Apps suite on your computer, preferably on a USB stick or other portable storage device.

Download portable Java [link] and Java portable launcher [link] now.

It is now possible to launch (the now portable) launcher. This launcher is used to start applications that are linked to it and to install new applications from the Options > Install A New App menu.

java portable

Select the executables of Java Portable and Java Portable Launcher one after the other. Both applications will be placed in the Portable Apps suite directory structure. They are also portable from that moment on.

Third party Java applications can now be launched from the portable apps start menu or by dragging and dropping the JAR files directly on the JavaPortableLauncher.exe file in the directory structure.

It basically boils down to this: If you want to execute Java programs you need the JRE. It does not really matter here if the Java program is executed in a web browser or locally on the computer system as both need the JRE to be installed. The Java Runtime Environment is often referred to by users as Java, Java Virtual Machine or Java VM which is technically not correct.

JRE Download refers to the download of said Runtime environment. Computer users have several options to download and verify the Java Runtime Environment which we would like to address in the following paragraphs.

JRE Downloads

Sun, which recently has been bought by Oracle, is providing free downloads of the Java Runtime Environment on their website. The easiest way to find the most recent version of the JRE is to visit this redirecting link on Java.com. The JSP script will automatically detect the web browser and operating system and load the right download for the user.

The latest version of the JRE is currently Java 6 Update 20. The Runtime Environment gets regular updates which means that this version will go up in the future.

Another option to download Java is to open the download page for all operating systems instead. The user needs to select the right operating system on that page and install the JRE manually after downloading the installer to the local computer system.

Windows users can download an offline or online installer. We suggest to download the offline installer as it contains all the files needed to install Java right away while the online installer downloads components from the web after the initial download.

Java will be added as a plugin to installed web browsers and available in the desktop environment to execute Java programs. The installation will also add the Java Quick Starter (jqs.exe) to the startup programs. You might want to consult the article above for more information on JQS.exe and why it might be a good idea to remove it from the startup programs list.

Verify that the JRE is installed

It is now time to verify that the JRE is properly installed after downloading and installing it on the computer system. This can be done on the Verify Java Version page at the Java website. Just visit that website and click the Verify Java version button.

The next page will execute a small Java program that detects the current version of the Java Runtime Environment that is installed on the computer system.

The page links to the Java download page in case an older version was detected.

Troubleshooting Java

Things can go wrong sometimes. The best approach in our experience is to completely wipe Java from the computer system to install it anew to ensure that no old files are still present on the computer.

This can be done manually or by using the software program Java Ra which provides the means to remove older Java versions from the computer system.

Computer users who have Java installed might want to start with the verification first to see if their JRE version is the latest available one. JRE downloads are also available on many download portals in case the Java website is temporarily not accessible.

The changelog lists all the bug fixes of the latest version including changes to root certificates, an interim fix for the Transport Layer Security (TLS) Man-in-the-Middle Attack and the raising of a warning dialog if a signed application contains signed and unsigned components.

All the changes and fixes including links to further information can be accessed at the changelog page.

Users can visit the JRE download page to test their version of the Java Runtime Environment to evaluate if an update is necessary.

Users with outdated versions of the JRE can download it immediately from the download page for their operating system. The Java Runtime Environment is offered as an offline and online installer for Windows on the standard download page.

It is recommended to check the verify Java page again after the update to make sure it was applied successfully.

Four different versions of the Java Runtime Environment were installed on my system and JavaRa removed the three versions of JRE that were the oldest from the system. I started by scanning my system for old versions of Java which were removed, then checked if there was a Java update available. I should have done it the other way round because an update was found and a new version of Java was installed on my system.

Which led to the fact that the previously newest version was not the newest anymore so I had to run the cleanup process again to remove that version. The best way to use the application is therefor to run the Update first and check for old versions once the software has checked for and installed possible updates.