Sun's Java sloppiness

Sun is offering up an old buggy version of their Java software

In researching assorted postings on this blog I've dealt with security firm Secunia and thus ended up on their mailing list. They sent a notice yesterday warning that QuickTime has a security problem and everyone should upgrade to the newest version. A new bug in QuickTime certainly comes as no shock.

But the email was about more than just QuickTime. Secunia said this latest fix was the "...fourth major security update during the last two days required to protect private PCs against criminal attacks ... Users of Skype, Adobe Reader, and Java also run a risk of falling victim to online criminals ..."

The message is both a warning and a plug for Secunia. They offer a free online Software Inspector service for Windows that I'm a big fan of. It examines a computer and reports on software that is missing important bug fixes. It's not perfect, but any computer that passes the test is safer than one that doesn't. Highly recommended.

According to Secunia, anyone running Java version 1.6.0_03 from Sun should upgrade to version 1.6.0_04. They issued a pair of advisories about bugs in Java, one on Feb 6th and one on Feb 1st.

You can visit my website, www.javatester.org to see which version of Java you are running. I describe many ways to determine the version number, but the straight from the horse's mouth method runs a Java program (technically an applet) that reports the version number and the vendor directly from Java. This simple, reliable method works on any computer with Java installed, be it Windows, Macs, Linux or anything else. Sample output is shown below.

Javatester.org reporting on Java version 1.6.0_03

Be aware that if you use multiple web browsers you need to check the Java version from each browser. It is possible for two different browsers to be using different versions of Java on the same computer. Also, Sun is not the only company offering a Java runtime environment. This posting is only about Sun's versions of Java. Versions from other vendors will have their own issues. ThinkPad owners may find their Java came from IBM/Lenovo.

Note: The biggest drawback to Secunia's Software Inspector is that it requires Java. This requirement is listed as "Sun Java JRE 1.5.0_12 or later". JRE is nerd talk for the Java Runtime Environment, which is the part of Java that lives on your computer and lets you run Java programs. It is the logical equivalent of the Adobe Flash player. Like the Flash Player, the Java Runtime Environment is free.

If you run the Secunia Software Inspector on a Windows machine with Java version 1.6.0_03 you get this message: "This installation of Sun Java JRE 1.6.x / 6.x is insecure and potentially exposes your system to security threats! The detected version installed on your system is 6.0.30.5, however, the latest secure version released by the vendor, fixing one or more vulnerabilities, is 6.0.40.0." A screenshot of this is below.

Screen shot of Secunia Software Inspector for v1.6.0_03

Who's On First? What's On Second?

I know what you're thinking. How did we get from version 1.6.0_03 displayed by my JavaTester.org site to version 6.0.30.5 that Secunia reports? How is anyone supposed to realize that 6.0.30.5 translates to 1.6.0_03? How can it be both version 1 and version 6?

A while back I complained to Secunia that their version numbering scheme for Java was confusing. They basically said, don't shoot the messenger. Secunia looks at files and they get the version number from the Java executable itself. In this case, on a Windows XP machine, the executable is file java.exe in C:\Program Files\Java\jre1.6.0_03\bin. The version number is shown below. Sure enough, that's what Secunia reports. Don't ask me why software released in 2007 is copyright 2004.

Properties of file java.exe on Windows XP for v1.6.0_03

For years Sun has referred to a single version of Java with multiple names. It's as if they just don't care.

In the Windows XP Control Panel, the Add/Remove Programs feature refers to this same version of Java with a third format "Java (TM) 6 Update 3". The Java Control Panel in the Windows Control Panel has yet another format for the version number as shown below:

Java Control Panel for version 1.6.0_03

Pushing Old Software

Regardless of the many names, Java version 1.6.0_03 is old, the latest version from Sun is 1.6.0_04. Here is your reward for reading this far:

Sun still offers version 1.6.0_03 for download and recommends it no less!


Get old Java software at java.com

Go to sun.com and click on "Java for your computer" off the Java menu at the top. You end up at java.com/download/ where the latest version (see screenshot above) is said to be Version 6 Update 3. It's as if one division at Sun didn't tell another division that there's a new release of the software. If you're keeping score at home, this is naming format number three.


Another offering of old software at java.com

Clicking on the "Do I have Java?" link took me to a page with a big green "Verify Installation" button. On an XP machine running IE6 with version 1.5.0_12 installed, the verification correctly identified the version of Java and warned that it was old. But rather than offer to install the latest version, it offered to install Version 6 Update 3. A screen shot is above. Note the use of naming format number one and number three only inches apart on the same web page.


Sun recommends the old version 1.6.0_03

On an XP machine with version 1.6.0_03 installed, I went to the java.com home page and let the website test the installed version of Java. As shown above, it again recommended Version 6 Update 3.

There seems to be a failure to communicate at Sun, both within the company itself and to the outside world. We're left to guess whether to go with Sun's recommendation or that from Secunia. I asked Sun to comment on this a couple days ago and got no response.

What To Do?

I'd install the latest version, be it referred to as "1.6.0_04" or "Version 6 Update 4" or "6.0.40.0".

Back on January 23rd Brian Krebs wrote in his Security Fix column that . As proof he linked to where you can count the bug fixes for yourself.

To get the latest Java version, you can follow the link provided by the Secunia Software Inspector or you can go to java.sun.com/javase/downloads/index.jsp and look for "Java Runtime Environment (JRE) 6 Update 4" (yes, that's naming format number five).


Note: If you are running Java version 1.5.x, Secunia says version 1.5.0_12 is not secure but that version 1.5.0_14 is.

See a summary of all my Defensive Computing postings.

About the author

    Michael Horowitz wrote his first computer program in 1973 and has been a computer nerd ever since. He spent more than 20 years working in an IBM mainframe (MVS) environment. He has worked in the research and development group of a large Wall Street financial company, and has been a technical writer for a mainframe software company.

    He teaches a large range of self-developed classes, the underlying theme being Defensive Computing. Michael is an independent computer consultant, working with small businesses and the self-employed. He can be heard weekly on The Personal Computer Show on WBAI.

    Disclosure.

     

    ARTICLE DISCUSSION

    Conversation powered by Livefyre

    Don't Miss
    Hot Products
    Trending on CNET

    Hot on CNET

    Saving your life at speed and in style

    Volvo have been responsible for some of the greatest advancements in car safety. We list off the top ways they've kept you safe today, even if you don't drive one.