critical Java security update

Discussion of general topics about Mozilla Firefox
be
Posts: 390
Joined: January 26th, 2004, 7:13 am
Location: Melbourne, Australia

Post by be »

Chaos, I tell you! Chaos.
This is a stupid maze.

Clicking on "Download" at the top of that page, if you have Java installed, redirects you to:
http://java.com/en/download/installed.jsp

LOL.
The other link worked fine.
Why on earth does Sun NOT offer the latest Java to users on Java.com?
American Finn
Posts: 555
Joined: September 25th, 2003, 2:16 am

Post by American Finn »

No, with _06 installed, I got http://java.com/en/download/windows_xpi.jsp, and when I clicked on download there, I got 5.0. Now when I go there again after installing 5.0, the old page flashes for an instant and then switches to http://java.com/en/download/installed.jsp and the announcement "Java software installed. Congratulations..."
be
Posts: 390
Joined: January 26th, 2004, 7:13 am
Location: Melbourne, Australia

Post by be »

American Finn wrote: No, with _06 installed, I got http://java.com/en/download/windows_xpi.jsp, and when I clicked on download there, I got 5.0. Now when I go there again after installing 5.0, the old page flashes for an instant and then switches to http://java.com/en/download/installed.jsp and the announcement "Java software installed. Congratulations..."

I guess it doesn't matter in the end, since both 1.4.2_06 and the latest one are immune to the latest security issue. Now if something SIMPLE and consistent could be communicated to the poor masses, this would be nice. In the meantime, Sun needs to work on the usability of its website and general consistency and common-sense regarding its Java releases.
American Finn
Posts: 555
Joined: September 25th, 2003, 2:16 am

Post by American Finn »

Maybe I figured out the installation problem. Not only does the KB http://kb.mozillazine.org/index.phtml?t ... stall_Java forget to mention the need to first uninstall old Java versions (because Java is so badly written that it doesn't do that itself, even after a critical update). The KB also doesn't mention the apparent need to first close Thunderbird, which is not surprising since it doesn't even mention the need to close FF (and a possible FF quick launch).

BTW, the Sun website confusion seems to be part of a time-honored tradition at Sun:
http://www.javagaming.org/cgi-bin/JGNet ... 1098187745
Sun's webmasters are known to frequently make shockingly newbie mistakes like this, so I wouldn't worry - it's one of those things it'll take them a few weeks to sort out, no matter how much we shout at them.
Mikey_C
Posts: 59
Joined: November 10th, 2004, 5:24 am
Location: uk

Post by Mikey_C »

You could argue that this is all Sun's responsibility, since Java is a plug-in. If you take that side, then really what do Mozilla have to do with it? (though, yes, I do agree with your point really - patches for common things need to be advertised)
prandal
Posts: 460
Joined: November 15th, 2002, 4:14 am
Location: Worcester, England

Post by prandal »

Things are worse than they first appear. You need to uninstall older versions of the JVM, as it is apparently possible for malicious applets to insist they run on older VMs. See the Bugtraq posts here and here.

JRE 1.5.0 is available from java.sun.com - follow the "Download JRE" link.
IceDogg
Posts: 657
Joined: July 24th, 2004, 11:26 am

Post by IceDogg »

What if you deleted the older version manually, like under c:/program files/java/ whatever the version?? Will it still be able to be exploited?
prandal
Posts: 460
Joined: November 15th, 2002, 4:14 am
Location: Worcester, England

Post by prandal »

It's this bit which worries me (from Sun's plugin FAQ):

"Question: What happens when the user has a newer version of the plug-in installed (e.g., 1.4) but opens an applet whose HTML specifies an older version (1.3.1 or 1.2.1)? Will the user be prompted to install the older one? If so, what happens when the user returns to the newer applet?

Answer: This is similar to the question above. If the clsid:CAF ... is used, then the older version will be installed and run. However, if the clsid:8AD is used, then the newer version will run the applet."
sy64004
Posts: 13
Joined: November 29th, 2004, 2:23 pm

Post by sy64004 »

American Finn, why are you taking this out on FF and their PR??? Have you seen anything about this on any other browser PR pages??

Java isn't just for FF it is for IE, Opera, etc so anyone installing Java is affected.

Java should have updated this and an autoupdate should have been set up.

Just my 2 cents
American Finn
Posts: 555
Joined: September 25th, 2003, 2:16 am

Post by American Finn »

sy64004 wrote: American Finn, why are you taking this out on FF and their PR??? Have you seen anything about this on any other browser PR pages??

Java isn't just for FF it is for IE, Opera, etc so anyone installing Java is affected.

Java should have updated this and an autoupdate should have been set up.

Just my 2 cents

Firefox is not any other browser; it's the best.

Microsoft's and even Opera's PR policies are not anything worth emulating or being compared to!

Mainstream media will misunderstand/misrepresent this Java problem as proof that all browsers are equally vulnerable. Mozilla needs proactive PR that gives Mozilla the reputation of providing security information on *any* new security issue that affects Firefox (and TB, once 1.0 is released).

If technical journalists provide incorrect info on FF
(the newest example: http://forums.mozillazine.org/viewtopic.php?t=173999 )
normal journalists will do so even more, and by the time most news gets to normal users, they'll be convinced that FF is just another browser, requiring unnecessary time and effort to switch to.

Mozilla could have pulled a wonderful PR coup by reporting on its main page about the problem and the solution before it got into mass media. That way, many normal journalists would have faithfully copied that Mozilla info saying something like "This is not a Firefox problem, but we wish to ensure that users have a safe browsing experience." (Better not mention the word "plugin" etc. too much because then someone will say that Java + FF is just like ActiveX and IE).

Even more inexcusable is the fact that info about a critical Java update is not provided in a sticky on the Mozilla forums. It's not important that Java is not a part of FF; I would hope that Mozilla would report on its front page and in a sticky in the forums about any serious security issue in a "real" FF plugin or extension too!
glacia
Posts: 4
Joined: November 30th, 2004, 11:58 am

Post by glacia »

sy64004 wrote: American Finn, why are you taking this out on FF and their PR??? Have you seen anything about this on any other browser PR pages??

Java isn't just for FF it is for IE, Opera, etc so anyone installing Java is affected.

Java should have updated this and an autoupdate should have been set up.

Just my 2 cents


Ya know, I have to agree with this and want to add one thing to it... The gist of this thread seems to be that Mozilla should somehow communicate to its users that another company's software has flaws. That by itself sounds like a pretty wild idea.

My first thought is how would they communicate it when most people are probably like me, 'not a browser zealot', and will probably go to the Mozilla site once every blue moon for major updates. I don't care who puts the word out about a security issue.

My second is that the software you're using will always be one step behind the people who really want to be malicious. There's no way around it; it cannot be solved. So you have to take it upon yourself to keep yourself safer.

Change your passwords regularly; don't use anything related to you or a dictionary word. Keep your antivirus defs up to date (weekly), use spybot software regularly (more than one type). Learn how to turn off things in your browser like javascript and cookies and keep em off unless you really need to use it on a trusted site. Use a firewall and learn how it works. Distrust every piece of mail with an attachment. Just because your broadband connection is always on doesn't mean your computer needs to be. Learn how to check what's being loaded by your OS when you boot up your computer and learn what those things are.

You can't be 100% safe online unless you toss the computer. And you don't have to be 100% safe. You only have to be safer than, say, the people who take no precautions - and there are a bunch. "You don't have to outrun the bear, you just have to outrun the other guy running from the bear." Do 50% of that and you've outrun probably 90% of the people online.
American Finn
Posts: 555
Joined: September 25th, 2003, 2:16 am

Post by American Finn »

Glacia, it seems you didn't read or at least understand anything I wrote. You are confusing three completely different things.

1) People won't switch to Firefox if they hear (incorrect) claims that Firefox is just as vulnerable as IE. Mozilla has to be proactive in providing correct info and ahead of mainstream media in the well-founded hope that this will help circulate (in mainstream media) correct info too about FF's relation to future (and past) security issues. In case you didn't know, most journalists just copy their info from somewhere, very few are not too lazy to actually do some investigating. Even if you don't read the news on Mozilla's home page every morning, technology reporters do, and they will then report incorrect info about FF less often *if* Mozilla bothers to talk about new issues soon enough!

2) On a technically oriented forum such as these Mozilla forums, it is ridiculously stupid and unnecessary to not inform about the need to stop using or to update any kind of FF plugin or extension that has a major security problem, and that definitely includes Java.

3) This (#2) has nothing to do with any of the many other security issues confronting computer users. People expect to find information about browser issues when they come to the Firefox forum. A Java critical security issue is definitely an issue that affects browsers and is therefore a browser issue. It is not logical comparing this to information about viruses, passwords, and other general security issues, which no one is expecting to find here.
glacia
Posts: 4
Joined: November 30th, 2004, 11:58 am

Post by glacia »

As I said I'm not a browser (or any other technology) zealot and I don't have an agenda. Like most people I'll use it if the features I like are there. And it won't matter a whole lot if Mozilla posts it first because I'm not looking to Mozilla or any other software company to keep me safe. Because like every other software company they will always be one step behind in security so it falls as it always has and will to the individual user.

There is without any doubt a security flaw in the current version of Java you're using right now. I'm not saying that pessimistically; it's simply a fact that someone has or will eventually find a way to work around any security. If people used things like Java as a tool instead of a checkbox it probably would be a non-issue.

I have java and java script turned off right now because it's not necessary. But as you say this is a technically oriented forum so obviously everyone else has it turned off also.

Lastly if you think Mozilla is making ridiculously stupid and unnecessary decisions - why use their product?

American Finn wrote: Glacia, it seems you didn't read or at least understand anything I wrote. You are confusing two completely different things.

1) People won't switch to Firefox if they hear (incorrect) claims that Firefox is just as vulnerable as IE. Mozilla has to be proactive in providing correct info and ahead of mainstream media in the well-founded hope that this will help circulate also correct info about FF's relation to coming security issues

2) On a technically oriented forum such as these Mozilla forums, it is ridiculously stupid and unnecessary to not inform about the need to stop using or to update any kind of FF plugin or extension that has a major security problem. This has nothing to do with any of the many other security issues confronting computer users.
teedoff087
Posts: 756
Joined: May 5th, 2004, 2:32 pm
Location: Hudson, TX

Post by teedoff087 »

I use Java (5.0 by the way) and I keep javascript on as a lot of websites I visit (such as Gmail) absolutely require them. You just have to look at the links you're clicking. I have had no spyware/adware/trojans/malware on my comp in the last year and a half, even after my comp crashed earlier this year (after installing SP2... meh). You can still have functionality and be secure at the same time... it just comes with practice I guess.
the-edmeister
Posts: 32249
Joined: February 25th, 2003, 12:51 am
Location: Chicago, IL, USA

Post by the-edmeister »

Just my 2 cents:

1) Some of the above posted links took me to jre-1_4_06 downloads; be careful which links you follow.

2) Sun numbering of Java releases makes it very confusing for people. I am currently running what Sun calls JAVA 2 Platform Standard Edition in their "About Java" box - it also says Version 1.5.0-beta (build 1.5.0-beta-b32c).

So JAVA 2 is really Version 1.5.0 beta and I guess jre-1_5_0-windows-i586.exe is really Java 5.0?

Could they even make it more confusing if they tried? I don't think so.

I found Java 1.5.0 at the following link - from the Java icon in the System Tray, context menu selection "Go to JAVA.COM":
http://www.java.com/en/index.jsp
A mind is a terrible thing to waste. Mine has wandered off and I'm out looking for it.
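An added example, not code from this thread or from Sun: a small Python audit that parses Sun's JRE version strings in the shapes that appear above (1.4.2_06, 1.5.0-beta-b32c, the marketing name 5.0, and the installer name jre-1_5_0-windows-i586.exe), treats 5.0 and 1.5.0 as the same release, and lists every installed JRE older than the newest so it can be removed, which is the mitigation prandal describes for applets that request an older VM. The list of installed versions is constructed here; on a real machine it would come from the Java control panel or Add/Remove Programs.

```python
import re
from typing import List, Optional, Tuple

# Version shapes seen in this thread: "1.4.2_06" (family 1.4.2, update 6),
# "1.5.0-beta-b32c" (a beta build of 1.5.0) and the marketing name "5.0",
# which Sun uses for the same platform as 1.5.0.
_VERSION_RE = re.compile(
    r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?(?:-(beta|rc)\w*)?(?:-b\w+)?$"
)


def parse_jre_version(text: str) -> Tuple[int, int, int, int, int]:
    """Map a JRE version string to a comparable tuple
    (major, minor, micro, is_ga, update).

    Marketing names ("5.0") are normalised to the 1.x form so that "5.0"
    and "1.5.0" compare equal; a beta sorts below the GA build of the same
    release, and update releases sort above it."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised JRE version: {text!r}")
    major, minor, micro, update, pre = m.groups()
    major, minor = int(major), int(minor or 0)
    micro, update = int(micro or 0), int(update or 0)
    if major != 1:                               # "5.0" -> 1.5.0, "6" -> 1.6.0
        major, minor, micro = 1, major, minor
    return (major, minor, micro, 0 if pre else 1, update)


def same_release(a: str, b: str) -> bool:
    """True when two strings name the same JRE release (e.g. "1.5.0" and "5.0")."""
    return parse_jre_version(a) == parse_jre_version(b)


def installer_version(filename: str) -> Optional[str]:
    """Recover the dotted version from a Sun installer name such as
    "jre-1_5_0-windows-i586.exe" (-> "1.5.0"); None if the name does not fit."""
    m = re.match(r"^jre-(\d+)_(\d+)_(\d+)", filename)
    return ".".join(m.groups()) if m else None


def stale_jres(installed: List[str]) -> List[str]:
    """Return every installed JRE that is not the newest one.

    An applet can ask for an older installed VM by classid (the Sun FAQ quoted
    above), so each extra JRE stays exploitable until it is uninstalled."""
    if not installed:
        return []
    parsed = [(parse_jre_version(v), v) for v in installed]
    newest = max(key for key, _ in parsed)
    return [v for key, v in parsed if key < newest]


if __name__ == "__main__":
    # Constructed list: the versions mentioned in this thread on one machine.
    machine = ["1.4.2_06", "1.5.0-beta-b32c", "5.0"]
    print("remove:", stale_jres(machine))  # remove: ['1.4.2_06', '1.5.0-beta-b32c']
```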