Oracle wants you to run vulnerable Java to remove vulnerable versions of Java

Pedro Venda 03 Jul 2015

[Screenshot: JavaUpdate]

Today Firefox recommended that I update my Flash and Java plugins. The Java update requires updating the entire Java RE/SE stack, for which a link is kindly provided. So, as both Flash and Java are affected by known vulnerabilities, it’s time to patch!

While on the Oracle website, I noticed that the Java SE update page recommends removing older versions of Java, which makes sense (Good Oracle!).

They state that “Out of date versions of Java on your computer present a serious security risk”, and they’re right. The fact that the uninstall button appears above the install/update buttons for the current Java version suggested to me that I should do this first. For the record, I had Java SE 8.0.31 installed and was running Java SE 8.0.40 at the time.

[Screenshot: JavaUpdate11]

Nearby there’s the ‘yeah, go on, uninstall older Java versions for me’ button, which triggers this action. But what technology have Oracle chosen to uninstall the older, vulnerable versions of Java SE? Well, Java, of course… which has to execute using the unsafe JRE on my computer. (Bad Oracle!)

[Screenshot: JavaUpdate21]

After being hit with warnings from the Java website and from my local Java framework, which offered me an upgrade (yes, thanks, I’m trying!), I managed to uninstall the older Java SE 8.0.31.

[Screenshot: JavaUpdate31]

[Screenshot: JavaUpdate41]

So this chicken-and-egg problem of their own making actually had me run (in their own words) vulnerable versions of Java in order to follow the advice not to keep or use unsafe versions of Java. (Confused? I was!)

I mean, it’s not as if, immediately afterwards, I downloaded an executable that installed the latest Java SE (8.0.45) and then uninstalled the older version it replaced (8.0.40)… oh wait, it did just that! So what’s the point of having a Java-based uninstaller?

My point is this: if Oracle are serious about security and want to help users replace their vulnerable installations of Java SE, please be serious and do this independently of the very technology that is potentially vulnerable! Otherwise the update mechanism leads a portion of users to run their current, vulnerable Java frameworks. And this is already implemented in the binary installer/updater, so why, Oracle? Why?
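To show that the clean-up the post asks for needs no Java at all, here is an added example (written for this edit, not code from the original post or from Oracle) that does the job with OS-native tooling on Windows: it reads the standard uninstall registry keys, keeps the newest Java runtime it finds, and removes every older one through msiexec. The `Java*` name filter, the `$DryRun` switch and the log file path are assumptions made for the example; the MSI product codes come from whatever is actually installed on the machine.

```powershell
# Added example (not from the original post or from Oracle): remove outdated Java
# installations using only the Windows uninstall registry and msiexec, so that no
# JRE, old or new, has to execute during the clean-up.
$DryRun = $true   # assumption for the example: set to $false to actually uninstall

# Both the native and the 32-bit-on-64-bit uninstall hives are checked.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Collect MSI-installed products whose display name starts with "Java" and whose
# DisplayVersion parses as a version (e.g. "8.0.450" for Java 8 Update 45).
$javaInstalls = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object {
        $_.DisplayName -like 'Java*' -and
        $_.PSChildName -match '^\{[0-9A-Fa-f-]+\}$' -and   # MSI product code GUID
        ($_.DisplayVersion -as [version])
    } |
    ForEach-Object {
        [pscustomobject]@{
            Name        = $_.DisplayName
            Version     = [version]$_.DisplayVersion
            ProductCode = $_.PSChildName      # what msiexec /x expects
        }
    } |
    Sort-Object Version -Descending

if (-not $javaInstalls) {
    Write-Host 'No MSI-registered Java installations found.'
    return
}

# The newest installation stays; everything else is considered outdated.
$newest = $javaInstalls | Select-Object -First 1
Write-Host "Keeping  $($newest.Name) ($($newest.Version))"

foreach ($old in ($javaInstalls | Select-Object -Skip 1)) {
    # Log path is a constructed example; /qn = silent, /norestart = no reboot.
    $log  = Join-Path $env:TEMP "uninstall-java-$($old.Version).log"
    $args = "/x $($old.ProductCode) /qn /norestart /L*v `"$log`""

    if ($DryRun) {
        Write-Host "Would run: msiexec.exe $args"
    } else {
        Write-Host "Removing $($old.Name) ($($old.Version))"
        $proc = Start-Process -FilePath msiexec.exe -ArgumentList $args -Wait -PassThru
        # 0 = success, 3010 = success but a restart is pending.
        if ($proc.ExitCode -notin 0, 3010) {
            Write-Warning "msiexec exited with $($proc.ExitCode) for $($old.Name); see $log"
        }
    }
}
```

Run it first with `$DryRun` left at `$true` from an elevated PowerShell prompt to see which product codes would be removed; the uninstall itself is performed entirely by the Windows Installer service, which is exactly the kind of Java-independent mechanism the post argues Oracle should have used.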

[Screenshot: JavaUpdate51]