JDK-8013177

Insecure Java Version Popup messages

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: P3
    • Resolution: Duplicate
    • Affects Version/s: 7u21
    • Fix Version/s: None
    • Component/s: deploy
    • Labels:

      Description

      FULL PRODUCT VERSION :


      ADDITIONAL OS VERSION INFORMATION :
      Windows XP SP3
      Windows 7 SP1

      A DESCRIPTION OF THE PROBLEM :
      We are a large corporation rolling out JRE version 1.7.017.


      As we have in the past, we packaged 1.7.0.17 for distribution via SCCM. We disable Auto Updates during the install process since we need to control versions of the JRE released, and our users do not have admin rights to install Java on their own.
      We went through our QA and Pilot testing without incident until last week, when JRE 1.7.012 was released.

      Remember, our package was set to turn Java auto-update off. Once a user hits a webpage that uses Java, they will most likely see the "Your version of Java is Insecure" prompt, indicating their Java Version is insecure, and they are presented with options to update, cancel, or wait until later. This is presenting several major problems for our deployment.

      REGRESSION. Last worked in version 6u45

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      Install a version of Java that is older than current version. When you hit a webpage that uses the Java plugin you will receive the "your version of java is insecure" prompts.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      Users should NOT be prompted to update their Java version as they cannot. This is why we suppress Java Auto Update.

      ERROR MESSAGES/STACK TRACES THAT OCCUR :
      No known error messages

      REPRODUCIBILITY :
      This bug can be reproduced always.

      CUSTOMER SUBMITTED WORKAROUND :
      None. This is a very critical issue for us; we cannot upgrade Java in the present situation. We understand that this may be a new feature to keep Java updated; however, large corporations need to manage their code rollouts even if they cannot always have the latest version of Java in place. It is impossible to test and deploy Java to tens of thousands of desktops in a short timeframe when there are hundreds of Java applications that need to be validated before any rollout can start.
      Some problems:

      • The procedures many corporations use to manage our Java deployments and suppress unofficial updates are not working.
      • Users cannot update Java themselves unless they have admin rights, nor would we want this scenario.
      • Choosing "update" then being unable to may cause an associate to be sent to the Java.com update site when they launch a particular application using a Java plugin, or cause another error to be thrown by the application (we are still researching this issue).
      • If the Java update Message is dismissed or "Later" is chosen, they will re-appear whenever Oracle releases a new version, or the currently installed JRE reaches an "expiration" date.

      Please understand the severity of this issue for us and feel free to contact me. I will be glad to provide additional information or demo the issue.

      Thanks!

      Joe Donovan

            People

            • Assignee:
              ddehaven David Dehaven (Inactive)
              Reporter:
              webbuggrp Webbug Group