Thursday, January 20, 2011

Multiple Java Updates Installed == Vulnerable!

Update: We're now up to version 7.5 . . . and Oracle has added a page on the Java site to assist with removing old versions.

Over the last year security researchers have been tracking a major rise in the use of Java exploits to plant malware on unsuspecting users. Much of the blame has gone to security vulnerabilities in IE or (pick your browser) . . . and truth be told that's still going on too. But the big surprise is that Java exploits are eclipsing "plain jane" browser exploits, across all browsers and in some cases across platforms.

Bottom line: many Java exploits go after vulnerabilities that have already been patched. Since Java runs on a wide variety of platforms, this makes it a very serious attack vector. You should stay alert for and accept automatic Java updates. You should remove old Java versions, because leaving them installed allows older, vulnerable Java runtimes to be used even when you are patched to the most current version. You should also check the Java test page to make sure the latest version installed successfully.

Not to put too fine a point on it: Java updates are notorious for leaving previous versions on your system instead of upgrading in place. Those old Java versions remain alive and vulnerable until they are removed.

Worse, many times the Java setup or update process offers end users some form of crapware: additional toolbars, "free" virus scans, etc. I personally recommend that during any install of any plugin (and I include Adobe products etc. here) you watch for these unneeded add-ons and UNcheck them during installation. If you allow every update of every plugin you use to install these extra craplets, your system will quickly be bogged down into a slow, sad mess.

Action Steps:

1) Check Control Panel: Add/Remove Programs (Windows XP) or Uninstall a Program (Windows 7) for older Java, J2SE or Java Runtime versions and remove ALL of them. You'll gain back on average around 120MB of disk space per outdated version removed, and you'll close some serious holes in your security.

Example of multiple old Java versions.
Get rid of them!

2) The current Java version as of this writing is "Java 6 Update 23". That should be the ONLY version you have listed in "Remove Programs." You can install the latest version of Java from www.java.com.

What you want to see.
Only one Java, and it's the most recent version.

3) Test your installation: http://www.java.com/en/download/testjava.jsp

Oh hey there!
I passed, or did I?

Note that this test only reports the latest working version installed on your system. It does not reveal whether your system has older versions still installed. For that, see Step 1 above . . .

A note on x86 versus 64-bit: If you - like most people - use a 32-bit browser on a true 64-bit operating system, then you only need to install the 32-bit version of Java. In fact I recommend that if you see a 64-bit version of Java in your "Remove Programs" window, you zap it away.
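Clicking through "Remove Programs" is fine for one PC, but the same check can be scripted. The PowerShell below is an added example (not from the original post): it reads the same uninstall entries that Control Panel shows from the standard registry keys, tags each Java entry as 32-bit or 64-bit, and flags everything except the newest 32-bit runtime for removal. It assumes a 64-bit Windows install (so 32-bit programs land under Wow6432Node) and that Java entries have display names starting with "Java" or "J2SE"; it only reports and removes nothing.

```powershell
# Added example: list installed Java runtimes and flag old or 64-bit ones.
# Assumes a 64-bit OS: native (64-bit) programs register under the first key,
# 32-bit programs under Wow6432Node. Read-only; uninstall via Control Panel.

$uninstallKeys = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*';             Arch = '64-bit' },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'; Arch = '32-bit' }
)

$javaEntries = foreach ($k in $uninstallKeys) {
    Get-ItemProperty -Path $k.Path -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^(Java|J2SE)' -and
                       $_.DisplayName -notmatch 'Auto Updater' } |
        ForEach-Object {
            [pscustomobject]@{
                Name    = $_.DisplayName
                # DisplayVersion such as "6.0.230"; $null if it does not parse
                Version = $_.DisplayVersion -as [version]
                Arch    = $k.Arch
            }
        }
}

$javaEntries = @($javaEntries)
if ($javaEntries.Count -eq 0) {
    "No Java runtimes registered in Add/Remove Programs."
    return
}

# The one entry worth keeping: the highest-versioned 32-bit runtime.
$keep = $javaEntries |
    Where-Object { $_.Arch -eq '32-bit' -and $_.Version } |
    Sort-Object Version -Descending | Select-Object -First 1

"Java entries found: $($javaEntries.Count)"
foreach ($j in $javaEntries | Sort-Object Arch, Version -Descending) {
    if ($keep -and $j.Name -eq $keep.Name -and $j.Arch -eq $keep.Arch) {
        "KEEP    $($j.Name) [$($j.Arch)] - newest 32-bit runtime"
    } else {
        "REMOVE  $($j.Name) [$($j.Arch)] - older version or 64-bit build"
    }
}
```

Anything marked REMOVE is exactly what Step 1 tells you to uninstall; if the script lists more than one entry, the testjava.jsp page will still report a pass because it only sees the newest runtime.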

Additional reading:

http://itmanagement.earthweb.com/secu/article.php/3921441/Cisco-Java-Attacks-on-the-Rise-As-Spam-Declines.htm
http://blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-java.aspx