Security → Java SE 7u45 Security Update - Oct 15, 2013

This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Critical Patch Update for October 2013, which will be released on Tuesday, October 15, 2013.

Oracle Java SE Executive Summary
This Critical Patch Update contains 51 new security fixes for Oracle Java SE. 50 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

The highest CVSS Base Score of vulnerabilities affecting Oracle Java SE is 10.0

The Oracle Java SE components affected by vulnerabilities that are fixed in this Critical Patch Update are:
Java SE
Java SE Embedded
JavaFX
JRockit

Update via Control Panel > Java

Java 7 Update 45 at Java.com

More information, read the Release Notes.
--
Gladiator Security Forum

The update is now up on the Oracle Site:
»www.oracle.com/technetwo ··· dex.html
--
Gladiator Security Forum

Ah, I was wondering where that Mcafee folder in Programdata was coming from.

Thank you.

I have more trouble updating java than anything else. Next time I will go to the add/remove and remove all java then download the new version. Today I fumbled around at the site to do so and...
Today I had Java in both the Program Files and Program Files(x86) somehow.

Is there any info as to when or what version Java will refuse to run unsigned apps? I normally keep Java disabled in the browser and only enable as needed, but there are some speed test sites that require Java, and they usually are not signed (I often use myspeed.visualware.com).

Also released by Apple: »lists.apple.com/archives ··· 001.html

I'd like to know also. I only use Java for speed tests and they are all UNsigned. Visualware's MySpeed is one of them and the other is NDT Web100 tests.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

Updating the software reinstates MSCONFIG item jusched.exe which sets your Java Control Panel to ping the update servers automatically - (not needed) -

Edit: Java 7 update 25 was release where apps were required to be signed.
An interesting read: Don't Sign that Applet!
»www.cert.org/blogs/certc ··· let.html
--
Gladiator Security Forum

update 25? Is that a typo? We just got update 45 so how can update 25 be the one that will refuse to run unsigned apps?
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

thanks bud

You have installed both the 32bit and 64bit versions.

I find it interesting that the Java™ SE Development Kit 7 Update 45 Release Notes mention the security baseline for Java 6 (no longer supported) is now at "1.6.0_65" but the latest downloadable version is 1.6.0_45 (6u45).

»feedproxy.google.com/~r/ ··· orld.php

Why is anyone even using software from this incompetent company?
--
Sarcasm is the body's natural defense against stupidity.

Yep, got it here too. First time I have seen it.

Good catch.

FYI: They first did the Start Menu group the last version (7u40).

I just noticed that Mozilla has blacklisted 7u45 in Firefox. Anyone know what is going on?

Edit: Checked the link on Mozilla, and it's deliberate. Java will ALWAYS be marked as such, even if new:
»bugzilla.mozilla.org/sho ··· d=914690

Thanks for the link. The only person in the bug thread who had anything SENSIBLE say was Dave Dyer who pointed out that blocking is totally redundant (thus absurd and makes you wonder about the sanity of the Mozilla devs) because Oracle already provides a big red box warning if you try to run an unsigned applet. Plus, Oracle will be blocking unsigned applets in the future and, since I have never seen a signed applet, I can't fathom why Mozilla thought it necessary to DUPLICATE what Oracle has already done.

What I got from the bug thread was that the Mozilla devs don't even know what Oracle is doing currently. That's scary and sad.

The last post in the bug thread is from someone who says that Java cannot not now be enabled for Pogo. That's going to upset a lot of users. As for me, I am now afraid to upgrade to Fx 24 ESR as what if Mozilla's idiocy has made it impossible for me to do my speed tests? Mozilla is going to lose users with this heavy handed, completely unnecessary tactic.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

To add to what Mele says above, there's a certain irony at play here. Mozilla is all worried about Java security, while a number of us feel the same way about Mozilla with their social integration and other recent changes. Perhaps they need to get out in the real world more ...

That's because 6u45 is the last public (i.e. free) release for Java 6. While Java 6 is no longer publicly supported, Java 6 updates are still available via a support contract. So that's why the newer security version for Java 6. See the Java SE Support Roadmap (»www.oracle.com/technetwo ··· 779.html) for more details.