Java 8.0 update via FileHippo

debitcardmayhem

Broadwood wrote: »

USB hard drive and USB memory sticks. I ran out of space to store photos on the desktop PC many years ago.

Remember this is MSE....;)

Install Linux it's free , test it out first to see if you can work happily with it, you can run it from a USB/CD to try it first. As closed said XP will still work , as does Windows 3.1 / 95 / 98 / ME / Vista etc but newer hardware will not interface with most of them.

debitcardmayhem

securityguy wrote: »

Java 8 came out yesterday. The chances of you having applications which need a Java8 JRE (presumably to support closures) are approximately zero unless you're a bleeding edge developer. Indeed, with some exceptions (Crashplan springs to mind) the chances of you needing a JRE at all are pretty small.

Downloading security sensitive software from FileHippo is insane.

Otherwise, keep up the good work.

Citrix also springs to my mind ....wife's useless employers.....

securityguy

debitcardmayhem wrote: »

Citrix also springs to my mind ....wife's useless employers.....

Always struck me as a bizarre solution: "improve your security by running applications on a central server farm under strong management! Surf along to this IIS-hosted website with a self-signed certificate, download an unsigned (they have now fixed that) Java app and load it into a self-maintained JRE on a user-managed PC, type your login credentials and you're good to go!"

Supplying users with the Citrix native client on a CD would be safer. I mean, there's a lot that could go wrong with that as well, but it's a damned sight safer than using Citrix Receiver as an applet embedded in a web browser on a self-managed device, which a frightening number of people do.

Jivesinger

securityguy wrote: »

Java 8 came out yesterday. The chances of you having applications which need a Java8 JRE (presumably to support closures) are approximately zero unless you're a bleeding edge developer.

The reason I would normally update to the latest version of Java is that it often patches security issues in the previous version.

If the lack of support for XP is a long-term direction then it might mean that Java vulnerabilities would remain un-patched for XP, although I guess Oracle might keep updating the 7.x versions in parallel for a while longer.

As stated it isn't required for many things these days, but annoyingly there are a couple of things I do which do require it.

securityguy

Jivesinger wrote: »

The reason I would normally update to the latest version of Java is that it often patches security issues in the previous version.

The chances of Release (X+1).0 of a product containing patches for problems not fixed in Release (X).latest are approximately zero. The development will have branched off multiple maintenance releases ago, and it's actually more likely that (a) not all the updates in the Release X train have been taken across and (b) being an early release of new functionality, there are extensive (albeit occult) new problems. The old IBM joke about people willing to run initial releases being "the lunatic fringe" applies.

If the lack of support for XP is a long-term direction

Obviously. Why would you go to the effort testing on a release with a month left to run, while also denying yourself access to facilities found in more recent operating systems?

then it might mean that Java vulnerabilities would remain un-patched for XP, although I guess Oracle might keep updating the 7.x versions in parallel for a while longer.

Java 6 is still being patched, albeit only for OEMs: the last release was Update 71 in January. Update 65 was shipped in October last year for OSX 10.6 through 10.8 (after, I think, 10.6 security updates ceased, but I might be wrong about that).

You can read the support timescales here: http://www.oracle.com/technetwork/java/eol-135779.html

Java 7 will continue to receive public updates until at least April 2015. If you're a commercial customer they'll continue to provide critical fixes until 2022 (11 years from release) but your pockets had better be deep.

As stated it isn't required for many things these days, but annoyingly there are a couple of things I do which do require it.

I'd take some convincing that the risks of using Java to run commercial products, as opposed to applets and stuff downloaded at random, are as high as is made out. The chain of exploitation is quite complex: the attacker has to have a remotely exploitable bug in the product before they can attack the underlying VM, and not only do I not see why that remotely exploitable bug is any more likely than in some other infrastructure, but at least software written in Java is spared some of the more egregious problems with buffer overflows and the like. If you're running Java applets off websites and relying on the sandbox, it's a nightmare. If you're using the JRE to run commercial products, I would be relatively relaxed.

Broadwood

John_Gray wrote: »

Additionally to aerostar's comments, are you sure you really need the Java Runtime Environment? Few programs now use JRE, which is often attacked by malware authors. If you are not sure, try uninstalling it and see if any program objects; you can always reinstall it very rapidly.

Thanks everyone for your input. It's given me much useful food for thought. I use the Chrome browser and have uninstalled Java completely for now and so far have noticed no negative consequences.

If necessary I'll reinstall Java 7 version 51 when I've weighed up the pros and cons.