• Java: Patching’s good, but removal is better

    #485211


    PATCH WATCH


    Java: Patching’s good, but removal is better

    By Susan Bradley

    A new, in-the-wild Java exploit caused a few anxious days while we waited for an update.
    Although the update is now available, the real decision is whether you really need to have Java installed!


    The full text of this column is posted at windowssecrets.com/patch-watch/java-patching-s-good-but removal-is-better/.

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.


    Viewing 11 reply threads
    • #1348074

      Thank you for your excellent columns. I have a question about your recent article “A quick test checks whether Java is current”. At least 2 applications in my Adobe CS5 Creative Suite (Dreamweaver, Flash Catalyst) along with Adobe Acrobat 9.5 use archaic java.exe, dll, etc. files located in their …/JRE/BIN folder, evidently for updating purposes. Since these do not appear in the default JAVA installation location, these never get updated. My best defense has been to rename the java.exe file until I need to run the updaters. Is this sufficient protection?
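
For the situation described in the post above (private JRE copies sitting in application folders rather than the default Java location), an inventory of what is actually on disk is the first step. The script below is an added PowerShell example, not part of the original thread; the search roots and the treatment of `<Program Files>\Java` as the default install location are assumptions to adjust for your machine.

```powershell
# Added example: list every Java runtime under the Program Files trees and
# flag the copies that live outside the default Java install folder.
# Requires PowerShell 3.0 or later.

# Assumption: applications are installed under the Program Files folders.
$searchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path $_) } |
    Select-Object -Unique

# Assumption: the system-wide Java installer uses "<Program Files>\Java".
$defaultRoots = $searchRoots | ForEach-Object { Join-Path $_ 'Java' }

# jvm.dll is searched as well as java.exe, so a copy whose launcher
# has been renamed still shows up in the report.
$found = foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Recurse -File -Include 'java.exe', 'jvm.dll' `
        -ErrorAction SilentlyContinue
}

$report = foreach ($file in $found) {
    $inDefault = $false
    foreach ($d in $defaultRoots) {
        if ($file.FullName.StartsWith($d + '\',
                [System.StringComparison]::OrdinalIgnoreCase)) {
            $inDefault = $true
        }
    }
    [pscustomobject]@{
        Bundled        = -not $inDefault
        ProductVersion = $file.VersionInfo.ProductVersion
        LastWritten    = $file.LastWriteTime.ToString('yyyy-MM-dd')
        Path           = $file.FullName
    }
}

$report | Sort-Object Bundled, Path | Format-Table -AutoSize
```

Rows with `Bundled` set to `True` are the copies outside the default location, which the post notes never get updated along with the main Java installation.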

      • #1348095

        Thanks for the link to the java version test site, however I get a completely different message concerning the version. What should I do?
        “Congratulations! You have the recommended Java installed (Version 6 Update 35).”

    • #1348172

      Note should be taken of
      http://blogs.computerworld.com/cybercrime-and-hacking/20926/despite-new-patch-java-7-still-dangerous-go-version-6
      August 31, 2012
      …It seems that in the Update 7 patch, Oracle blocked the road to the bug, but did not fix the underlying problem. In part, that may explain how Oracle issued a patch so quickly. From what these articles report, Security Explorations was able to find another path to exploiting the same flaw. A detour, if you will.

      As I wrote last time, Windows users can download the latest edition of Java 6, Update 35, from Oracle here and here.

      For anyone that needs Java, the path is now brutally obvious, go with version 6 rather than 7. Version 6 has fewer features (the bug is in a new feature that only exists in Java 7) and Security Explorations found they could not (yet at least) break it.

      • #1348307

        You indicate in your article that the latest version of Java is 7/7. When I follow the link to Java’s version verification site it shows I have Java 6, update 35 as the latest version (“recommended version”).
        Thanks

    • #1348450

      With OpenOffice/LibreOffice, there are some features which still require Java (JRE). This runs against the advice to uninstall Java and see if anything doesn’t run. Since these features may not be frequently used, the OOO issues (after Java removal) may take some time to be noticed.

      -- rc primak

    • #1348700

      If Java is removed, Secunia will not run.

      Which is worse, a possible attack via Java, or via outdated software?

    • #1348731

      Secunia 3.0 runs fine for me without Java.

    • #1348740

      Secunia 3.0 runs fine for me without Java

      Secunia OSI (Online Software Inspector) requires Java. You’re probably running the off line version, PSI which doesn’t require Java. Some of us prefer OSI.

      Jerry

    • #1348758

      In the control panel’s “Programs and Features” section, the program version numbers will be displayed on the far right side of the section.
      All one needs to do is compare what you have currently with any potential software version updates on offer.
      Most, if not all software will also provide a means of checking under “help” whether an update is provided or on offer.
      So no need for any automated programs like Secunia.
      You can sacrifice a bit of convenience for a little work can’t you?

      Because that’s basically all it’s about: convenience.

      • #1348787

        In the control panel’s “Programs and Features” section, the program version numbers will be displayed on the far right side of the section.
        All one needs to do is compare what you have currently with any potential software version updates on offer.
        Most, if not all software will also provide a means of checking under “help” whether an update is provided or on offer.
        So no need for any automated programs like Secunia.
        You can sacrifice a bit of convenience for a little work can’t you?

        Because that’s basically all it’s about: convenience.

        Not really. Secunia only identifies updates which are necessary due to recently discovered security flaws, but not any which are cosmetic or even bug-fixes. Trying to keep on top of which updates are actually needed to maintain security for hundreds of programs is virtually impossible without such a tool.

        Bruce

    • #1348807

      Sometimes bug-fixes are a good thing. Even when they do not involve security issues. In addition to Secunia, it may be convenient to use a more general updates checker. I don’t like to do extra work. Neither PSI (installed) nor most updates checkers require Java in any form whatsoever.

      I just don’t accept every Beta which comes my way through updates checkers. And NEVER update OEM or driver-related software from these tools!

      -- rc primak

      • #1349047

        Different topic in the same column: Further down in the column, Susan warns us that we should be sure that Office 2010 is up to date before installing Windows 8 over Win7. Does this mean that Office 2007 can’t be used with Win8?

        Thanks, Gary

        • #1349051

          Different topic in the same column: Further down in the column, Susan warns us that we should be sure that Office 2010 is up to date before installing Windows 8 over Win7. Does this mean that Office 2007 can’t be used with Win8?

          No.

          Bruce

          • #1349055

            Uh…no, it can’t or no, it doesn’t mean that. Sorry if that sounds a little dense.

            Gary

        • #1349178

          Different topic in the same column: Further down in the column, Susan warns us that we should be sure that Office 2010 is up to date before installing Windows 8 over Win7. Does this mean that Office 2007 can’t be used with Win8?

          Thanks, Gary

          But make sure Office 2007 or 2010 is up to date (fully patched) before upgrading to Windows 8. Probably also would apply to Office 2003, if that version still works under Windows 8, and I see no reason why it shouldn’t work.

          -- rc primak

          • #1349200

            I installed the security updates yesterday with no problem. However, after restarting, it almost immediately suggested 8 security updates for Office 2007. I do not, and have never had, O2007 on this computer. I’m using Office XP (2002). Last week, I installed the Word compatibility pack to be able to view .docx documents. Sorry, but I do not know the version. It is an old download that my office had and used 3 or 4 years ago for Office XP. Could the compatibility pack be the reason for the O2007 updates? I will ignore them but I’m wondering why they were offered. My computer is Win7 64-bit. Thanks in advance for your help.

            • #1349287

              Could the compatibility pack be the reason for the O2007 updates?

              Yes, the Office Compatibility Pack has had several service packs and security updates.

              I will ignore them but I’m wondering why they were offered.

              It would be extremely rare for Microsoft/Windows Update to offer you updates you don’t need (apart from Bing!).

              Bruce

    • #1349059

      No, it can.

      Bruce

    • #1349293

      I have the PowerPoint Viewer on both of my laptops. This alone gets me Office 2007 patches, though not every one of them.

      I tried to uninstall Office 2007 from my Windows 7 installation, but it seems never to have been fully installed, and will not fully uninstall (This was an OEM Free Trial, which I never activated). This also causes me to get Office 2007 patches.

      I apply the patches just to play it safe, but none of my laptops, and none of my Windows OSes actually has Office 2007 fully installed.

      These are just a few ways the Office 2007 patches might be getting offered. There are other reasons, I’m sure.

      In any event, I think it’s best to install all critical and important patches, even if you aren’t sure why they are being offered. Optional patches can be safely ignored. Recommended Patches may need closer scrutiny. These are the categories I’ve seen — there may be more. This applies to Windows and Office patches about equally.

      -- rc primak

    • #1349363

      One of the updates is a SP for the compatibility pack so I will do that one. Thanks for your info. However, the remainder are specifically for Office 2007, which I do not have so I’m reluctant about those. This is my home computer and I do very little Office work on it. If it were my work computer, I would have no hesitation whatsoever about installing all of them. Again, thanks for your help.

    • #1349801

      Either way, I’ve had no issues with installing Office 2007 updates on a computer which no longer has a running Office 2007 installation. I suppose the choice is yours, but I err on the side of caution and install those patches anyway. It takes very little additional time, and this way I know I’m fully patched.

      -- rc primak
