Feeds

Big Java security fixes on the way – but not so fast, Windows XP users

Didn't you hear? Oracle quit testing Java on XP months ago

Internet Security Threat Report 2014

As if running Windows XP after Microsoft withdrew support wasn't risky enough, XP users who have Java installed may soon have even more to worry about.

Oracle is due to issue its next Critical Patch Update – the massive, quarterly fix-it fests that deliver security updates across the company's entire product line, including Java – on July 15. But when those next Java patches arrive (whatever they might be), there's no guarantee that they will even work on XP.

That's because unlike Microsoft, which spent two years hollering from the rooftops for Windows XP users to upgrade, Oracle hasn't made much of a fuss about the fact that it has already discontinued support for Java on XP.

Support for Java 7 ended on April 8, to be precise. And Java 8 – the current version – won't even install on the outdated OS.

Updates for Java 7 will keep coming – at least until April 2015, when Oracle plans to wind down support for that version. The most recent Critical Patch Update, which included fixes for Java 5 through 8, shipped on April 28, weeks after Oracle's Windows XP support had expired.

The catch is that because Oracle is no longer testing Java on XP, there may come a day when one of its security patches actually breaks Java on that platform, rather than fixing it.

At that point, Java users will be left in a similar position as they are with XP itself – unable to apply any more security patches and stuck using a platform that has well-known, exploitable vulnerabilities (because Oracle itself has made them known, in the form of published security fixes).

And that would be bad. In its 2014 annual security report, published in January, networking giant Cisco found that a dizzying 91 per cent of all web-based exploits throughout 2013 targeted Java.

So, while we know you've already been told a thousand times, we would be remiss if we didn't offer a word of friendly advice to all Windows XP users who also use Java: Upgrade to Windows Vista. Oracle plans to maintain support for that platform for the foreseeable future. ®

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.