JAVA 1.6 Update 4

SANS blogged about the latest JAVA 1.6 Update 4 release back on January 12th. Brian Krebs today wrote a piece in his Washington Post blog Security Fix.
I admit it. I have no idea whether or not this update is critical. SANS seemed to say ‘you might want to do this soon.’ Brian said ‘it contains some security fixes. You should update.’ I’m looking around to see how SUN categorizes this fix. Microsoft would be letting me know if it’s critical or important, if exploits are available and how an attack might occur. Cisco would use the CVSS standard, which is pretty cool. Even after reviewing SUN’s release notes I don’t have a clue.
I kind of want to say no news is good news. We need to keep the enterprise-wide reboots caused by software updates to a minimum. I just hope I don’t open my RSS reader one day and read about an exploit in the wild that would have been patched if I had deployed this. I’ll keep this one on the back burner and deploy it if Adobe, Flash and Quicktime slow their vulnerability circus for a while.

5 Comments

  1. The Register is claiming that some of the 370 bug fixes are security-related.
    http://www.theregister.co.uk/2008/01/24/sun_java_update/
    Wish they’d said more.
    They also remark on another note I read on Sun’s release notes page that you’d linked to, that as of 5.0_6, applets are unable to request to be run in earlier (more vulnerable) versions of JRE. I don’t think Register has quite the right spin on that note; what I got from reading Sun’s page was that you MUST uninstall everything prior to 5.0_6. Unless, of course, you have to have 1.4 in which case you’d better have only the latest of the 1.4 train installed.

  2. Perhaps the compromise is to only pull the 1.5 prior to build 6. I haven’t touched 1.4.2 and earlier versions.

  3. Roger,
    How are you handling the uninstall of previous JRE versions? I’m currently using a dated vbscript I found on myITforum but I’ve recently noticed that it is having a problem uninstalling certain versions.

  4. I created a SMS Installer Script. I started with something from myitforum as well. I used a test machine in vmware to install old versions of Java to verify the appropriate registry keys. The script tests for the appropriate version and then runs the uninstall command for that version with a switch to not reboot. After all versions are removed, I install the latest version and reboot.
    It sounds convoluted but the only problems I’ve had are a few people with crappy apps that needed the old version of Java.
    To minimize the mayhem, I have one package for 1.6, one for 1.6 and one for 1.4.2. I don’t think I’ve deployed the 1.4.2 although it worked fine in testing. I decided so few people had those versions, I’d leave it alone.
    I have not dealt with pre-MSI installs of JAVA either.
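
The inventory-then-uninstall flow described in comment 4, as an added PowerShell example (not the commenter's SMS Installer script or anything from myITforum). The `DisplayName` pattern and the `$MinimumVersion` floor are assumptions to confirm on a test machine; it only lists what it would remove unless `-Remove` is passed, and it skips non-MSI installs.

```powershell
# Added example. Dry run by default; pass -Remove to actually uninstall.
param(
    [version]$MinimumVersion = '6.0.4',   # assumption: Java 6 Update 4 is the floor
    [switch]$Remove
)

# Uninstall entries in the native and 32-bit-on-64-bit registry views.
$roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
         'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'

# Assumed DisplayName shapes, e.g. "Java(TM) 6 Update 3" or
# "J2SE Runtime Environment 5.0 Update 6". Verify on a test machine first.
$namePattern = '^(?:Java\(TM\)|J2SE Runtime Environment).*?(\d+)(?:\.0)? Update (\d+)$'

$old = Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $namePattern } |
    ForEach-Object {
        $null = $_.DisplayName -match $namePattern   # repopulate $Matches
        [pscustomobject]@{
            Name    = $_.DisplayName
            Version = [version]('{0}.0.{1}' -f $Matches[1], $Matches[2])
            Code    = $_.PSChildName
            # MSI installs are keyed by product GUID and flagged WindowsInstaller=1.
            IsMsi   = ($_.WindowsInstaller -eq 1) -and
                      ($_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$')
        }
    } |
    Where-Object { $_.Version -lt $MinimumVersion }

foreach ($p in $old) {
    if (-not $p.IsMsi) {
        Write-Warning "Skipping non-MSI install: $($p.Name)"
        continue
    }
    $msiArgs = "/x $($p.Code) /qn /norestart"   # silent, suppress reboot
    if (-not $Remove) {
        Write-Output "Would run: msiexec.exe $msiArgs   ($($p.Name))"
        continue
    }
    $proc = Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { Write-Output "Removed $($p.Name)" }
        3010    { Write-Output "Removed $($p.Name); reboot pending" }
        default { Write-Warning "msiexec returned $($proc.ExitCode) for $($p.Name)" }
    }
}
```

Exit code 3010 means the uninstall succeeded but a reboot is pending, which fits the single reboot after the new version is installed.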
