By Bill Curci, September 2007
Sun Microsystems, Inc., is announcing two new Java SE security response features, each designed to strengthen the Java platform's position as one of the most widely used, secure software platforms available. The new features include Sun's synchronized release of Java SE security fixes, and advance customer notification of those releases. They are designed to complement Sun's existing Sun Alert notifications, as well as the built-in Java Auto Update tool for Microsoft Windows users, and build a foundation for additional Sun Connection services and a customized Java SE platform for production environments that are expected in 2008.
Starting with the next series of Java updates, Sun will begin delivering synchronized security releases across its most widely used Java SE product release families for all supported operating environments. For the first time, critical security fixes will be released simultaneously for the Java SE 6, J2SE 5.0, and J2SE 1.4.2 versions of the Java SE platform. Sun plans to extend the synchronization to the J2SE 1.3.1 release family in 2008. Each update is expected to contain the same critical security fixes that are recommended for all enterprise and consumer users of the affected product families.
Sun continues to recommend that customers use the latest release, Java SE 6, to leverage the latest performance, reliability, and look-and-feel improvements. However, the advent of synchronized security fixes is welcome news for consumers and enterprise administrators running on older operating systems, or other software requiring the use of older versions of the Java platform. These individuals will now have the opportunity to receive and install synchronized updates with all the same critical fixes as in the latest release.
Sun Microsystems will start by releasing a set of security updates for the Java SE platform that include the following releases:
Sun will also release SDK and JRE 1.3.1_21 soon after the more recent family release updates. Note that SDK and JRE 1.3.1 have completed the Sun "End of Life" (EOL) process and are only supported for Solaris 8 Operating Environment and customers on Sun's Vintage Support Offering.
All customers are encouraged to download the latest update of the product release families they have in use.
Sun also plans to begin posting advance notification of security updates on the Sun Security Blog. Each notification will summarize the releases planned and the expected time frame for their release.
Advance notification will help customers plan for successful and timely deployment of critical Java fixes and updates. The notification will normally be made available up to a week before the synchronized Java security update releases. Sun Alerts will be released following the availability of the security updates and will contain the definitive summary of the issues resolved by those releases.
System administrators and IT managers interested in receiving the advance notification are encouraged to leverage the Sun Security blog RSS feed to receive notification of future plans for security updates.
System administrators and IT managers will continue to benefit from Sun Alert notifications for Java SE. Sun Alert notifications provide up-to-date details on an issue that has been fixed or is otherwise publicly known, an issue that could present a risk to the security, availability, or reliability of customers' systems and/or software. Each Sun Alert summarizes the area or areas of the product impacted by the issue, and the known workarounds or fixes recommended for resolving the issue.
Customers can subscribe to Sun Alerts for Java SE and Sun's full range of products, in addition to exploring the growing range of support services and self-help information provided by visiting SunSolve Online. Customers interested in the details will be able to review them directly on SunSolve Online, or can sign up today to receive Java Sun Alerts by email.
What Is SunSolve Online?
SunSolve Online is an informational and patch database service. It is used by system administrators, network administrators, and others who are responsible for maintenance of Sun hardware and software. SunSpectrum Contract customers have access to the entire SunSolve informational and patch database.
SunSolve allows you access to the latest patches and updates, as well as the support forums and other security resources. Registered users also have access to the Sun System Handbook, which includes product information, specifications, and parts, as well as documentation, system management tools, and the system administration community.
Part of the SunSolve service is to offer subscriptions to the Sun Alert Weekly Summary Report. The Sun Alert program is for contract Sun customers to receive weekly notification advising them of new and updated Sun Alerts. Sun Alerts detail important hardware and software issues that may pose a risk to your computing environment.
After the synchronized security updates are made available, Sun plans to release Java Sun Alerts to provide detailed documentation of the issues resolved in the recent updates.
The Java Auto Update tool for Microsoft Windows users is a feature that keeps desktop computers up-to-date automatically with the latest Java releases. Installing the Java Runtime Environment automatically installs the Java Auto Update feature. The Java Auto Update feature connects to java.com at a scheduled time (by default, once a month) to verify if you have the latest release. If a new update is available, users will be notified via a pop-up bubble on the Windows system tray (see Figure 1).
Clicking on the bubble text will bring up the auto-update dialog box (see Figure 2), which provides users the capacity to download, install, and get more information about the recommended update.
Note: This feature is available only on Microsoft Windows XP, 2003, 2000 (SP2 or higher) and is set by default for these operating systems.
Sun Microsystems is looking ahead at ways to further enhance its capacity to respond and enable secure and reliable computing with Java.
Sun Microsystems is currently building the Sun Connection site to enable customers to electronically register products with Sun. Once customers have registered, Sun can automatically communicate personalized news and product-specific updates to users across the Internet. This information will be available both through the Sun Connection site as well as product-specific feeds that can be read through any RSS reader. Java SE will enable this electronic registration model in the coming quarters, providing a powerful, instant, closed-loop communication system between Sun and the community using Sun products.
Also in development, Sun Microsystems is designing a new Java release for production use. The new offering is being designed to provide faster access to critical fixes, as well as offering extended support capacities into the platform. With a focus on customizing distribution, deployment, and support features for Sun's Java platform, the new release is expected to be a 100% compatible offering that will offer new flexibility to system administrators and IT managers to extend the life of their Java applications, and reduce the cost of management of Java in the enterprise. More information is available in the Java in Production blog.