February 8, 2008 10:52 AM PST

Sun's Java sloppiness

In researching assorted postings on this blog I've dealt with security firm Secunia and thus ended up on their mailing list. They sent a notice yesterday warning that QuickTime has a security problem and everyone should upgrade to the newest version. A new bug in QuickTime certainly comes as no shock.

But the email was about more than just QuickTime. Secunia said this latest fix was the "...fourth major security update during the last two days required to protect private PCs against criminal attacks ... Users of Skype, Adobe Reader, and Java also run a risk of falling victim to online criminals ..."

The message is both a warning and a plug for Secunia. They offer a free online Software Inspector service for Windows that I'm a big fan of. It examines a computer and reports on software that is missing important bug fixes. It's not perfect, but any computer that passes the test is safer than one that doesn't. Highly recommended.

According to Secunia, anyone running Java version 1.6.0_03 from Sun should upgrade to version 1.6.0_04. They issued a pair of advisories about bugs in Java, one on Feb 1st and one on Feb 6th.

You can visit my website, www.javatester.org to see which version of Java you are running. I describe many ways to determine the version number, but the straight from the horse's mouth method runs a Java program (technically an applet) that reports the version number and the vendor directly from Java. This simple, reliable method works on any computer with Java installed, be it Windows, Macs, Linux or anything else. Sample output is shown below.

Javatester.org reporting on Java version 1.6.0_03

Be aware that if you use multiple web browsers you need to check the Java version from each browser. It is possible for two different browsers to be using different versions of Java on the same computer. Also, Sun is not the only company offering a Java runtime environment. This posting is only about Sun's versions of Java. Versions from other vendors will have their own issues. ThinkPad owners may find their Java came from IBM/Lenovo.

Note: The biggest drawback to Secunia's Software Inspector is that it requires Java. This requirement is listed as "Sun Java JRE 1.5.0_12 or later". JRE is nerd talk for the Java Runtime Environment, which is the part of Java that lives on your computer and lets you run Java programs. It is the logical equivalent of the Adobe Flash player. Like the Flash Player, the Java Runtime Environment is free.

If you run the Secunia Software Inspector on a Windows machine with Java version 1.6.0_03 you get this message: "This installation of Sun Java JRE 1.6.x / 6.x is insecure and potentially exposes your system to security threats! The detected version installed on your system is 6.0.30.5, however, the latest secure version released by the vendor, fixing one or more vulnerabilities, is 6.0.40.0." A screenshot of this is below.

Screen shot of Secunia Software Inspector for v1.6.0_03

Who's On First? What's On Second?

I know what you're thinking. How did we get from version 1.6.0_03 displayed by my JavaTester.org site to version 6.0.30.5 that Secunia reports? How is anyone supposed to realize that 6.0.30.5 translates to 1.6.0_03? How can it be both version 1 and version 6?

A while back I complained to Secunia that their version numbering scheme for Java was confusing. They basically said, don't shoot the messenger. Secunia looks at files and they get the version number from the Java executable itself. In this case, on a Windows XP machine, the executable is file java.exe in C:\Program Files\Java\jre1.6.0_03\bin. The version number is shown below. Sure enough, that's what Secunia reports. Don't ask me why software released in 2007 is copyright 2004.

Properties of file java.exe on Windows XP for v1.6.0_03

For years Sun has referred to a single version of Java with multiple names. It's as if they just don't care.

In the Windows XP Control Panel, the Add/Remove Programs feature refers to this same version of Java with a third format "Java (TM) 6 Update 3". The Java Control Panel in the Windows Control Panel has yet another format for the version number as shown below:

Java Control Panel for version 1.6.0_03

Pushing Old Software

Regardless of the many names, Java version 1.6.0_03 is old; the latest version from Sun is 1.6.0_04. Here is your reward for reading this far:

Sun still offers version 1.6.0_03 for download and recommends it no less!


Get old Java software at java.com

Go to sun.com and click on "Java for your computer" off the Java menu at the top. You end up at java.com/download/ where the latest version (see screenshot above) is said to be Version 6 Update 3. It's as if one division at Sun didn't tell another division that there's a new release of the software. If you're keeping score at home, this is naming format number three, the same "6 Update 3" style that the Add/Remove Programs list uses.


Another offering of old software at java.com

Clicking on the "Do I have Java?" link took me to a page with a big green "Verify Installation" button. On an XP machine running IE6 with version 1.5.0_12 installed, the verification correctly identified the version of Java and warned that it was old. But rather than offer to install the latest version, it offered to install Version 6 Update 3. A screen shot is above. Note the use of naming format number one and number three only inches apart on the same web page.


Sun recommends the old version 1.6.0_03

On an XP machine with version 1.6.0_03 installed, I went to the java.com home page and let the website test the installed version of Java. As shown above, it again recommended Version 6 Update 3.

There seems to be a failure to communicate at Sun, both within the company itself and to the outside world. We're left to guess whether to go with Sun's recommendation or that from Secunia. I asked Sun to comment on this a couple days ago and got no response.

What To Do?

I'd install the latest version, be it referred to as "1.6.0_04" or "Version 6 Update 4" or "6.0.40.0".

Back on January 23rd Brian Krebs wrote in his Security Fix column that version 1.6.0_04 fixed 370 bugs. As proof he linked to java.sun.com/javase/6/webnotes/ReleaseNotes.html where you can count the bug fixes for yourself.

To get the latest Java version, you can follow the link provided by the Secunia Software Inspector or you can go to java.sun.com/javase/downloads/index.jsp and look for "Java Runtime Environment (JRE) 6 Update 4" (yes, that's naming format number five).


Note: If you are running Java version 1.5.x, Secunia says version 1.5.0_12 is not secure but that version 1.5.0_14 is. Sun maintains the 1.5 and 1.6 lines separately, so each has its own fix level and its own update numbering.
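The naming formats catalogued in the "Who's On First?" section and the fix levels just quoted (1.6.0_04 for the Java 6 line, 1.5.0_14 for the Java 5 line) lend themselves to a small normalizer. The following Python is an added example written for this page; it is not the author's code and is not anything Sun or Secunia ship, and it queries nothing on the local machine. Every label format and both fix levels come from the post itself. Two things are assumptions: that the third field of the Windows file version is always ten times the update number (the post shows 6.0.30.5 for Update 3 and 6.0.40.0 for Update 4), and that a trailing "-bNN" build tag, as printed by java -version, may follow the 1.6.0_03 form; the post does not show that tag.

```python
"""Normalize the several names Sun gives one Java release and check it
against the fix levels Secunia cites.

Added example for this post, not the author's code and not anything from
Sun or Secunia. The fix levels (1.6.0_04 and 1.5.0_14) and every label
format below are taken from the post; the optional "-bNN" build suffix is
an assumption about what "java -version" prints and is not on the page.
"""
import re

# Ways the page shows for naming Java 6 Update 3 (and Update 4):
#   "1.6.0_03"              java.version property, install directory name
#   "6.0.30.5"              file version of java.exe, as Secunia reports it
#   "Java(TM) 6 Update 3"   Windows Add/Remove Programs
#   "Version 6 Update 3"    java.com download page
#   "JRE 6 Update 4"        java.sun.com download page
#
# Each regex yields (family, update): 1.6.0_03 -> (6, 3).
_PATTERNS = (
    # 1.<family>.0_<update>, optionally followed by a build tag (-b05)
    (re.compile(r"^1\.(\d+)\.0_(\d+)(?:-b\d+)?$"),
     lambda m: (int(m.group(1)), int(m.group(2)))),
    # <family>.0.<update*10>.<build>: the Windows file version, where the
    # third field is ten times the update number (30 -> Update 3); assumed
    # from the two values the post shows
    (re.compile(r"^(\d+)\.0\.(\d+)\.(\d+)$"),
     lambda m: (int(m.group(1)), int(m.group(2)) // 10)),
    # "... <family>[.0] Update <update>" as used in the product-style names
    (re.compile(r"(\d+)(?:\.0)?\s+Update\s+(\d+)", re.IGNORECASE),
     lambda m: (int(m.group(1)), int(m.group(2)))),
)

# First update in each family that Secunia called secure (per the post).
SECURE_UPDATE = {6: 4, 5: 14}


def parse_java_version(label):
    """Map any of the label formats above to a (family, update) tuple."""
    text = label.strip()
    for pattern, extract in _PATTERNS:
        match = pattern.search(text)
        if match:
            return extract(match)
    raise ValueError("unrecognised Java version label: %r" % label)


def canonical(label):
    """Render a label in the 1.<family>.0_<update> form, e.g. 1.6.0_03."""
    family, update = parse_java_version(label)
    return "1.%d.0_%02d" % (family, update)


def same_release(label_a, label_b):
    """True when two differently formatted labels name one release."""
    return parse_java_version(label_a) == parse_java_version(label_b)


def is_secure(label):
    """True when the release is at or above the fix level for its family."""
    family, update = parse_java_version(label)
    if family not in SECURE_UPDATE:
        raise ValueError("no fix level known for Java %d" % family)
    return update >= SECURE_UPDATE[family]


if __name__ == "__main__":
    # The labels the post shows, plus the Java 5 version Secunia flags.
    for label in ("1.6.0_03", "6.0.30.5", "Java(TM) 6 Update 3",
                  "Version 6 Update 3", "JRE 6 Update 4", "1.5.0_12"):
        print("%-24s -> %s  secure=%s"
              % (label, canonical(label), is_secure(label)))
```

The point of `same_release` is the one the post makes: 1.6.0_03, 6.0.30.5 and "Java(TM) 6 Update 3" are one build, and a tool that compares raw strings would never notice. `is_secure` rejects families it has no fix level for rather than guessing, since the Java 5 and Java 6 update counters are independent.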

See a summary of all my Defensive Computing postings.

3 comments
by FrankTurd February 9, 2008 7:06 AM PST
Excellent post. Thanks for the info. This has been a very helpful blog. The Java download site is down at the moment. I'm getting a "We're Doing Maintenance" screen. I'll hit it later. I have a Java question if you have a minute (or if anyone knows). Can we un-install all previous versions of the JSE Runtime Environment? Like J2SE Runtime Environment 5.0 Update 6 and Java(TM) 6 Update 2? Does WinXP need the old versions? I'd love to free up the space. May be a dumb question (and a bit off topic), but I thought I'd ask. Thanks for any info. Cheers. =^.^=
by mhinnewyork February 9, 2008 9:32 AM PST
To: Frank. To answer your question, yes, you certainly can un-install old versions of Java (technically the Java Runtime Environment or JRE). Many people, myself included, would say you should un-install older versions of Java. There is, however, a small chance that an application on your computer requires a specific version of Java. So, just in case, make a note of what you un-installed. Michael Horowitz
by siddiqullah16 February 17, 2008 10:14 PM PST
Hi everyone... I want to create a new language for mobile phones, so if anybody can help me I would be very, very thankful to them. I have got the alphabet of that language... if you people just let me know how I can put it in a mobile compatibility language support file, it will be well appreciated. Mail me at siddiqullah16@gmail.com. Siddiqullah Sardar
About Defensive Computing

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He views Defensive Computing as taking steps, when things are running well, to avoid or minimize the inevitable problems down the road. It's about educating yourself to the level where you can make your own intelligent decisions about keeping your computers and data happy and healthy. If you depend on computers, yet are on your own, without an IT department or nearby nerd, this blog's for you. His personal web site is michaelhorowitz.com.

He is a member of the CNET Blog Network and is not an employee of CNET.
