Java 7 Update 7 emergency patch released
You have probably heard about the latest Java vulnerability, which is being exploited in the wild right now. The vulnerability, made public a few days ago, affects Java 7 Update 6 and earlier. The best suggestion so far has been to disable Java in the web browser to protect the system from exploits; a more radical approach is to uninstall Java from the system entirely.
Oracle has just released an update for Java that brings the Java Runtime Environment to version 7 Update 7. This update fixes the vulnerability and is therefore recommended for all users of Java 7 Update 6 and earlier. You can visit the following web page to test the version of Java installed on your computer. Please note that you only get a result if Java is installed and enabled in the web browser.
You can download the Java update from the official website, where it is available for all supported operating systems. Alternatively, visit the manual download page to get the Java offline installers. To update, download Java 7 Update 7 from the Java.com website and run the installer. This updates the existing Java installations on the system to the latest version. Keep in mind that the installer may re-enable Java in the browser, so check the browser's plugin settings afterwards if you had disabled it.
Java 6 users do not need to download and install the Java 7 update. They can instead download Java 6 Update 35, which Oracle has also released today. It is available on the old Java 6 download page.
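The browser test page above only works when the plugin is enabled, and a machine may carry more than one runtime. As an added example (not part of the original article and not an Oracle tool), the following Python script parses the banner that `java -version` prints and classifies each runtime against the fixed releases named above: 7 Update 7 for the Java 7 line and 6 Update 35 for the Java 6 line. The sample banners in `SAMPLES` are constructed for illustration, and `check_local_java` assumes a `java` binary on `PATH`; families the article names no fix for (for example 1.5) are reported as `unknown` rather than silently passed.

```python
import re
import subprocess

# Fixed releases named in the article: Java 7 Update 7 and Java 6 Update 35,
# keyed by the "1.x" family prefix that appears in the `java -version` banner.
FIXED_UPDATE = {"1.7": 7, "1.6": 35}

# First banner line looks like:  java version "1.7.0_06"
# (OpenJDK prints "openjdk version"). The _NN update suffix is optional
# in some builds and is treated as update 0 when absent.
VERSION_RE = re.compile(
    r'(?:java|openjdk) version "(?P<family>\d+\.\d+)\.\d+(?:_(?P<update>\d+))?'
)

# Constructed sample banners (not captured from real machines).
SAMPLES = {
    "win-laptop-7u6": 'java version "1.7.0_06"\nJava(TM) SE Runtime Environment',
    "win-laptop-7u7": 'java version "1.7.0_07"\nJava(TM) SE Runtime Environment',
    "build-box-6u33": 'java version "1.6.0_33"\nJava(TM) SE Runtime Environment',
    "build-box-6u35": 'java version "1.6.0_35"\nJava(TM) SE Runtime Environment',
    "legacy-5u22": 'java version "1.5.0_22"\nJava(TM) SE Runtime Environment',
    "no-java": "'java' is not recognized as an internal or external command",
}


def parse_java_version(banner):
    """Return (family, update) from a `java -version` banner, or None when
    no version line is present (Java not installed or not on PATH)."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return m.group("family"), int(m.group("update") or 0)


def classify(banner):
    """Classify one runtime: 'patched', 'vulnerable', 'unknown' (a family
    with no fixed release listed in the article) or 'absent' (no Java)."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "absent"
    family, update = parsed
    fixed = FIXED_UPDATE.get(family)
    if fixed is None:
        return "unknown"
    return "patched" if update >= fixed else "vulnerable"


def is_patched(banner):
    """True only when the runtime is at or above the fix for its family."""
    return classify(banner) == "patched"


def audit(banners):
    """Map {host_label: banner} to {host_label: status} for a quick sweep."""
    return {label: classify(text) for label, text in banners.items()}


def check_local_java():
    """Run `java -version` on this machine and return (banner, status).
    Assumption: `java` is on PATH. The banner is written to stderr."""
    try:
        proc = subprocess.run(
            ["java", "-version"], capture_output=True, text=True, timeout=15
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "", "absent"
    banner = proc.stderr or proc.stdout
    return banner, classify(banner)


if __name__ == "__main__":
    for label, status in audit(SAMPLES).items():
        print(f"{label}: {status}")
```

Anything reported as `vulnerable` or `unknown` should be updated (or have its browser plugin left disabled); `absent` simply means no runtime was found on that host.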
The updates fix the following security issues on systems running Java 7 Update 6 or earlier (quoting Oracle's security alert):
This Security Alert addresses security issues CVE-2012-4681 (US-CERT Alert TA12-240A) and two other vulnerabilities affecting Java running in web browsers on desktops. These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications. They also do not affect Oracle server-based software.
These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user's system.
In addition, this Security Alert includes a security-in-depth fix in the AWT subcomponent of the Java Runtime Environment.
You can access the security alert here for additional information on the issue.
I cannot for the life of me get my freejavachat to work since this last update. I have also gone into the exceptions list and added http://freejavachat.com and it still won't allow me into my Christian chatroom. I have followed the directions for days now and would really appreciate some sort of help. I understand that they removed the medium setting and now only have high and very high, so is that why it doesn't work when I add it to the exception list?
Grrrrrrrrrrrrr!!! ;(((
I downloaded/updated 7.7 a couple of times, but the page, when I'm in Chrome, still says that Java is at the latest level, yet it says I'm at 7.6, not 7.7. I rebooted, but that didn't change anything.
so still using Chrome I went here: http://www.java.com/en/download/testjava.jsp
and it says I’m at 7.7
@clasof56
If they use a kernel exploit, yes, but it's harder. If you must run Java active nonstop, something like Sandboxie might increase your security. A better solution would be enable-on-demand, either manually or via click-to-play, which both Chrome and Firefox support (although such support is flaky).
It seems I always have problems with streaming quotes from my broker when I update Java, and the same happened when I did the last update, not the newest one. So my question is: if I run my browser sandboxed, can I be compromised with a Java exploit? Thanks.
Yes, you can.
There is a nasty trojan that installs in VMs, "Crisis for Windows", so neither your Windows nor any sandboxed app is immune.
I would still recommend leaving the Java web browser plugin disabled, even after updating, and enable it on demand when you absolutely need it. Most people rarely ever run into Java web applets. To put it into perspective, if you use Chrome, all plugins other than Flash and the Chrome PDF plugin lack Chrome’s sandboxing technology. Given that the security group that reported the security flaws in Java to Oracle reported about 16 of them, I’m not even sure if they’ve patched all of them yet. Especially considering Java’s track record and lack of Chrome sandboxing for Java, I still consider it a serious vulnerability. I wish your article reflected this. Telling users to re-enable it doesn’t reflect the reality of Oracle, who took 4 months to address these security flaws after they were reported.
I agree with Greyfox as well.
I'll also make the advice from nakedsecurity my own:
QUOTE from http://preview.tinyurl.com/9o4gwjh
“The bigger question is, “Do you really need Java?” If you can get by without it, you should. That is true for any application that interfaces with the internet. Fewer programs means fewer vulnerabilities.”
I agree with @Greyfox. This update 7 for Java 7 resolves only a few issues and there are still a bunch of vulnerabilities open. We have to see whether there comes another emergency patch, or that Oracle is patching this stuff on October 12th.
Thanks for the update martin
To Paul(us): Oracle has a history of not uninstalling the old version before installing the new version when they're rushing a job. If you're still seeing the vulnerability, try uninstalling all Java first. Then install the new one.
Thanks for the heads up on the availability of the patch, Martin.
When I test my new update on the page (from the link in your article today "How to disable Java in your web browser", to see whether my Sun Java is safe) I am still getting "Are you vulnerable to the latest 0-day exploit: Yes", meaning that my newly updated Sun Java Runtime Environment 7 Update 7 (32 & 64 Bit) (from today, 2012-08-30) is not safe? What is happening here? Is the new update also not safe?
http://zulu.zscaler.com/research/java_version.html
It has probably not been updated, but good question.