No update...
Seems there's no auto update available to some places yet at least... The "Update Now" function within the java control panel still insists I have no update available, despite the download clearly being available on their website.
Under criticism for not patching a critical vulnerability in its recently acquired Java virtual machine, Oracle on Thursday released an emergency update that eliminates the zero-day threat. Functionality in the Java Web Start component made it trivial for attackers to remotely execute malicious code on end-user machines. Tavis …
Yes, I go to Control Panel and ask and it says "no problemo". But if I go and manually execute the *other* javacpl.exe it says "Ayeee! Get 20 quicko!" See, on my Win7 system, there are *two* "Program Files" folders, one for 32-bit Java and one for 64-bit Java. Nice, huh? They don't know about each other. Really nice, eh?
C:\Program Files (x86)\Java\jre6\bin\javacpl.exe
C:\Program Files\Java\jre6\bin\javacpl.exe
Twice as nice! I'm doubly blessed I'm sure.
I have just upgraded from JRE 6u19 to JRE 6u20.
When I check the version that is installed, 6u20 shows up.
When I check the version through Firefox 3.6.3, 6u19 shows up.
JRE 6u19 was completely removed on my Linux box. I'm guessing Oracle didn't change the version in libnpjp2.so, so if they forgot something *that* simple, perhaps they also forgot to *really* fix the bug?
The problem and bitch I have with java updates is they don't remove the OLD versions. When I install Java JRE I turn OFF automatic updates every time. And every time I am forced to drill down through sun////oracle's menus to find the proper download. Sometimes Secunia PSI gives me a direct download. If oracle's sun's java's jre's automatic update worked proper there would be no c:\Program Files\Java directory before the install. But obviously it's simply dumping files over the top.
At least it's not as bad as the Quicktime update where the latest breaks .mov import in Sony Vegas.
My workaround is based on testing the harmless exploit proof of concept against some methods of protection.
1. Cripple IE from running via Security Panel
2. Don't run opera, since JAVA and JAVASCRIPT are tied together on the same stupid switch! Oh dear Opera...
3. Install The Firefox extension Quick Java 1.7.2 https://addons.mozilla.org/en-US/firefox/addon/123... Which gives me switches for all this broken nonsense--except the quicktime!
~peace
> 2. Don't run opera, since JAVA and JAVASCRIPT are tied together on the same stupid switch! Oh dear Opera...
What on earth are you talking about? Java & JavaScript disable have been separate switches for as long as I can remember -- at least as far back as Opera 5.02 (2001-02-27).
I downloaded Opera 3.62 (2000-02-27) just for laughs. It has a "disable scripting languages" setting that might apply to both. So your information is somewhere between 9 and 10 years out of date. (Actually it has separate "Enable Plugins" and "Enable Scripting Languages" settings, and it used a Java plugin, so I think even 10 years ago it had separate killswitches -- though it's true that killing Java would kill any other plugins as well.)