Feeds

Oracle releases emergency security patch for Java

Code-execution threat no more

Choosing a cloud hosting partner with confidence

Under criticism for not patching a critical vulnerability in its recently acquired Java virtual machine, Oracle on Thursday released an emergency update that eliminates the zero-day threat.

Functionality in the Java Web Start component made it trivial for attackers to remotely execute malicious code on end-user machines. Tavis Ormandy, one of the researchers who first discovered the threat, said he alerted Java handlers inside Oracle's Sun division, but they decided no patch was necessary before the next update release scheduled for July.

It would appear that Oracle officials had a change of heart. On early Thursday, they pushed out Java 6, update 20, which makes changes to the Java Network Launch Protocol, according to release notes. The JNLP is closely associated with Java Web Start, which makes it easy for end users to install custom libraries needed to run Java applications.

There are unconfirmed reports that the patch doesn't completely eliminate the threat, most notably in this Google translation of a report from Heise. A researcher who asked not to be named said there may be upgrade problems with the npapi plugin used by Firefox that may leave a stale version behind. Internet Explorer should be safe, however.

The out-of-cycle update is a smart move, but Oracle still has unfinished work to make Java patching more seamless. First, Java needs to stop flogging the Yahoo Toolbar each time an update is available. Patches are about security, not marketing the unwanted bloat of partners.

Another gripe we've long had about Java updates is that they reset some default settings. A case in point: If you have Java configured to check for updates daily, instead of monthly as the program does by default, you'll have to reset that preference each and every time you update. That means it could take a full 30 days to get critical security patches like the one released Thursday.

To install the patch immediately, use Java's manual update feature. In Windows, this can be done by selecting Start > Control Panel > Java > Update tab and clicking the Update Now button. And don't forget to uncheck the Yahoo installation box. ®

Remote control for virtualized desktops

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Mozilla, EFF, Cisco back free-as-in-FREE-BEER SSL cert authority
Let’s Encrypt to give HTTPS-everywhere a boost in 2015
Meet OneRNG: a fully-open entropy generator for a paranoid age
Kiwis to seek random investors for crowd-funded randomiser
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.