
SANS ISC: Java 6.25 Is Now Available SANS ISC InfoSec Forums

Java 6.25 Is Now Available

Thanks to reader Rob for notifying us that a new version of Java has been released.  Remove all older versions of Java before installing this update.

From Java's website:

We highly recommend users remove all older versions of Java from your system.
Keeping old and unsupported versions of Java on your system presents a serious security risk.
Removing older versions of Java from your system ensures that Java applications will run with the most up-to-date security and performance improvements on your system.

www.java.com/en/download/index.jsp

Deb Hale

Deborah

278 Posts
ISC Handler
Note that according to http://www.oracle.com/technetwork/java/javase/6u25releasenotes-356444.html:

"Java SE 6u25 does not add any fixes for security vulnerabilities beyond those in Java SE 6u24. Users who have Java SE 6u24 have the latest security fixes and do not need to upgrade to this release to be current on security fixes."

It looks like the big change is adding support for SP1 for Server 2008 SP2 / Windows 7 as well as IE 9 / Firefox 4 / Chrome 10 / etc.
Anonymous
@KevinMitnick spotted last night that they've changed the way self-signed applets are handled; see https://twitter.com/#!/kevinmitnick/status/64516430888058880 (though he seems to have the version numbers mixed up(?))
Anonymous
"Java SE 6u25 does not add any fixes for security vulnerabilities..."
Yes, but (there's always a "but") there -are- 193 Bug fixes:
- http://www.oracle.com/technetwork/java/javase/2col/6u25bugfixes-356453.html
It's been out for a week already, and that's 'lots of time for the hacks to do
their dirt in reverse-engineering. I say do it.
.
Jack

160 Posts
If you're using the JDK/SDK, there is also an update for 6u25 which can be downloaded from the following URL:

hxxp://www.oracle.com/technetwork/java/javase/downloads/jdk-6u25-download-346242.html
Jack
6 Posts
Although I was running jre-6u24, the update applet on all my Windows systems (Win 7x64, Vista, XP) claimed I had the latest version, so home users may not get 6u25 for awhile yet . . . unless they go hunting for it.
Only the Win7x64 did not delete the 6u24 version 'automatically' when I upgraded manually and that was because it was the 32bit jre version previously and I installed the 64bit version this time.
Jack
13 Posts
