Future Java 7 security patches will work on Windows XP despite end of official support

Windows XP users will continues to receive Java 7 security updates until at least April 2015, Oracle says

Oracle has dispelled rumors that the upcoming security update for Java 7 and those it will release in the future might not work on Windows XP.

"We expect all versions of Java that were supported prior to the Microsoft de-support announcement to continue to work on Windows XP for the foreseeable future," said Henrik Stahl, vice-president of product management in the Java Platform Group at Oracle, in a blog post Friday.

"Security updates issued by Oracle will continue to be pushed out to Windows XP desktops," he said.

The next security updates for Java 7 will be released Tuesday and will address 20 security issues that can be exploited remotely without authentication. Some vulnerabilities to be patched in the update have the highest criticality rating (10.0) in the Common Vulnerability Scoring System, Oracle said in an advance notification.

Microsoft ended general support for Windows XP on April 8, leaving users of the 12-year-old OS without access to future security updates. As a result, Oracle announced earlier this year that it too will stop providing official support for Windows XP.

"Users may still continue to use Java 7 updates on Windows XP at their own risk, but support will only be provided against Microsoft Windows releases Windows Vista or later," the company said on its Java website.

Some people interpreted that to mean that future Java 7 updates will not work on Windows XP, which would have had serious security implications for the thousands of companies and organizations that still use the OS with or without custom support contracts from Microsoft.

However, the implications of Oracle's announcement is that customers who find issues on Windows XP need to replicate them on later versions of Windows in order to ensure that the company will develop a patch, Stahl said. If the issue only affects Windows XP "Oracle is not required to (and may be unable to) issue a patch or a workaround," he said.

Java vulnerabilities are frequently targeted by hackers in drive-by download attacks and past reports showed that Java is still widely used in enterprise environments where it's needed for a variety of business applications.

If Oracle had stopped issuing working Java 7 security updates for Windows XP, it would have forced users of the OS to run outdated and vulnerable versions of the software, but according to Stahl, that won't happen.

"Don't believe everything you read on the Internet," he said in the blog post, referring to rumors that the Java 7 security update will not work on the aging OS. Windows XP users will continue to receive automatic security updates for Java 7 until at least April 2015, when public updates for this version of Java are scheduled to stop, he said.

"We will continue [to] monitor the uptake of Java 7 updates on Windows XP," Stahl said. "If usage remains high when we get close to that milestone, we will take measures to keep Java users safe."

The situation is not the same with Java 8, which doesn't officially support Windows XP and cannot be installed on systems running the OS without manual intervention.

"We are looking at possible ways to address this issue but may decide not to -- if you are on Windows XP it's not clear that it's worth updating to Java 8 without also updating the OS," Stahl said.

Join the CSO newsletter!

Error: Please check your email address.

Tags patchesonline safetyMicrosoftsecuritypatch managementExploits / vulnerabilitiesOracle

More about MicrosoftOracle

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts