How To: Update Sun Java

Like Adobe Flash Player, Sun’s Java development environment helps super-charge web pages and create applications for everything from copy machines to smart phones. But Java is like Flash in another way; it’s an incredibly bug-ridden security hole. It was once popular to install it “just in case” you needed it on your computer. But what we now know is that having it on your system can lead to all kinds of problems. We recommend you uninstall Java if it isn’t business-critical. For some folks, however, Java is needed. In those cases, it’s critical that you keep it updated.

Here’s how.

Check For Update

Newer versions of Java have an automatic update checker that checks for new versions weekly. If it detects an available update, you’ll have a notification in your task bar (Figure 1).

Figure 1: Update Available

If a Java patch has been released and you don’t want to wait for your weekly update check (I wouldn’t!), you can manually update by heading over to Control Panel and double-clicking the Java icon (Figure 2).

Figure 2: Java Control Panel Icon

When you do, the Java control panel applet will appear. Click on the “Update” tab. There are several options available here (we’ll cover these later), but for now we’re concerned with the “Update Now” button at the bottom of the dialog (Figure 3).

Figure 3: Java Control Panel Applet

Update Java

Click the button and Java will download the installation files for the update (Figure 4) and launch the installation.

Figure 4: Download Update

Like Adobe Flash, the update attempts to install crapware on your PC (Figure 5). I can’t tell you how many times I’ve been called by customers asking me how a Yahoo! or Google or Ask toolbar got installed on their PC when, in fact, it was installed by one of these updaters. Deplorable. Make sure you click the button labeled “Do not update browser settings” before you click Next.

Figure 5: Crapware Installation Options

Once the update installation package has completed, you’ll get a dialog telling you as much. Clicking the “Close” button on the dialog launches a browser that navigates to the Java web site and loads a web page with an embedded Java object. Depending on your Java plug-in settings, you may receive a series of prompts to enable the Java plug-in when the object attempts to run. Click through and you should get yet another notification that the update was successful (Figure 6).

Figure 6: Installation Successful

Automatic Update Options

Because having Java on your system is such a dangerous proposition, checking for updates only once a week is too lax. I recommend changing the default setting for automatic updates. Go back to the Java Control Panel applet and click on the “Update” tab (Figure 3). Click on the “Advanced” button. The “Automatic Update Advanced Settings” dialog gives you much more granular control over your Java updates. I recommend checking daily at a time that you know your machine will be on and available. I’ve chosen 4 p.m. (Figure 7).

Figure 7: Automatic Update Advanced Settings

The final change involves the “Notify Me” setting in Figure 2. The default is notification “Before Downloading”. I prefer to have the download cached and ready to go, rather than having to wait on it at installation time, so I have changed my notifications to pop up “Before Installing”. It has no security implication, but it makes it more convenient when it’s time to apply the update.

Final Thoughts

There is more you can do to secure a machine that has Java installed. You can disable the plug-in in your browser. You can choose to run Google Chrome as your default browser (Chrome doesn’t support Java), and use Internet Explorer or Firefox (which do support Java) only when you need to access a secure Java-enabled site. You can tweak Java’s security settings so that Java only runs on web sites you specify. And if you’re uber-paranoid, I’ve seen some people keep a virtual machine on hand that they only use for Java applications. That way, if they happen to get infected with something nasty, it won’t affect their main computer. All of these are valid, and I use a combination of them all.

What about you? Do you still use Java? What’s keeping you from uninstalling it? Let us know in the comments below.
