Ho hum, more security weakness issues have just been discovered in the desktop Java Runtime Environment (JRE).
See, for example, “Yet another Reflection API flaw affecting Oracle's Java SE …”
“The new flaw was verified to affect all versions of Java SE 7 (including the recently released 1.7.0_21-b11). It can be used to achieve a complete Java security sandbox bypass on a target system. Successful exploitation in a web browser scenario requires proper user interaction (a user needs to accept the risk of executing a potentially malicious Java application when a security warning window is displayed).
What's interesting is that the new issue is present not only in JRE Plugin / JDK software, but also the recently announced Server JRE as well.”
Wow, a chink in the armor of Java servers. That should raise a few eyebrows!
Back to desktop Java, however. I’ve been assiduously trying to keep my desktop JRE up to date, and it’s annoying that you have to go to the trouble of navigating to the Control Panel of Windows and then clicking on Java (when Java, for one of several reasons, has not automatically presented the Update dialog in a timely manner).
Actually, it’s more than just annoying: I’d call it a significant shortcoming in the Java security maintenance regime, enabling Java updates to fall way behind if you’re not careful. I reckon that Oracle should improve the “reliable timeliness” of this entire process.
Well now, a month or two ago I was puzzled by not finding the Update tab to be present in the Java Control Panel, which I expected to look like the following:
A few months ago I lost some valuable time hunting around to find why this tab does not always appear. Take a look at “What is Java Auto Update? How do I change notify settings?” Notice that you have to read this page very carefully, and about halfway down the page you come across the clincher:
Why is the Update tab missing from the Java Control Panel?
Java Auto Update is currently not available for 64-bit versions of Java. 64-bit versions of Java do not include the Update tab in the Java Control Panel.
This is rather slack behavior by Oracle.
It seems that when I got my new desktop system (in late 2012) I slipped up and indeed did have the 64-bit version installed when, like the vast bulk of users, I only needed the 32-bit version. So I dutifully hunted for, downloaded and installed the latest 32-bit JRE version and left it at that.
Last week, after reading about the latest pile of Java exploits, I decided that it was time to update Java again. However, I kept getting the following dialog box:
Why no Update tab? I pondered this for a while and after checking Programs and Features realized that, as noted in bold font on the above image, I still had 64-bit JRE installed (as well as the 32-bit JRE).
After uninstalling the 64-bit JRE the Update tab re-appeared, meaning that Oracle needs to update that statement at “What is Java Auto Update? How do I change notify settings?” to mention that the mere presence of the 64-bit JRE suppresses the Update tab even if you do have the 32-bit JRE installed.
Trivial? . . . Possibly, but I’d say still worth being described so that other people might save some time and frustration.
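The check that finally explained the missing tab, looking in Programs and Features for a leftover 64-bit JRE, can be scripted. The PowerShell below is an added example, not part of the original post: it reads the same uninstall entries from both registry views and flags any 64-bit JRE. The function name `Get-InstalledJre` is hypothetical, and the display-name pattern (entries such as "Java 7 Update 21 (64-bit)") is an assumption about how the JRE installer names itself.

```powershell
# Added example: list installed JREs by bitness, as Programs and Features shows them.
# Assumption: JRE entries have a DisplayName of the form "Java <n> ..." or "Java(TM) <n> ...".
function Get-InstalledJre {
    $uninstall = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    # Open each registry view explicitly so the result does not depend on
    # whether this PowerShell process is itself 32-bit or 64-bit.
    $views = [ordered]@{ '32-bit' = [Microsoft.Win32.RegistryView]::Registry32 }
    if ([Environment]::Is64BitOperatingSystem) {
        $views['64-bit'] = [Microsoft.Win32.RegistryView]::Registry64
    }
    foreach ($bitness in $views.Keys) {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $views[$bitness])
        $root = $hklm.OpenSubKey($uninstall)
        if ($null -eq $root) { $hklm.Dispose(); continue }
        foreach ($name in $root.GetSubKeyNames()) {
            $key = $root.OpenSubKey($name)
            $display = [string]$key.GetValue('DisplayName')
            # Matches runtime entries only; "Java SE Development Kit ..." is skipped.
            if ($display -match '^Java(\(TM\))? \d') {
                [pscustomobject]@{
                    Bitness = $bitness
                    Name    = $display
                    Version = [string]$key.GetValue('DisplayVersion')
                }
            }
            $key.Dispose()
        }
        $root.Dispose(); $hklm.Dispose()
    }
}

$jres = @(Get-InstalledJre)
$jres | Sort-Object Bitness, Name | Format-Table -AutoSize
# A 64-bit JRE has no Auto Update and, per this post, hides the Update tab
# even when a 32-bit JRE is installed alongside it.
if (@($jres | Where-Object { $_.Bitness -eq '64-bit' }).Count -gt 0) {
    Write-Warning '64-bit JRE found: it will not auto-update and must be updated or removed by hand.'
}
```

It needs PowerShell 3.0 or later and only reads the registry, so it can be run without elevation on most systems.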