AutoPatcher Forum

Sun Java 6 Update 7 (JRE) Stand-alone module

Download locations

X86 - Download module here / Download jre-6u7-windows-i586-p.exe here
X64 - Download module here / Download jre-6u7-windows-x64.exe here

Instructions

• Download the latest update to the AutoPatcher Extras Addon Pack *Updated July, 9th
  
• Download the module and place it under \modules\AddOns\
  
• Follow the link to jre-6u6-windows-i586-p.exe -or- Download jre-6u6-windows-x64.exe
  
• Under Platform, choose either Windows or Windows X64 -Will be added soon
  
• Agree to the license and click continue
  
• Download the Offline installation and save it to:
  • X86 - modules\AddOns\SunJava_x86_files\jre-6u7-windows-i586-p.exe
    
  • X64 - modules\AddOns\SunJava_x64_files\jre-6u7-windows-x64.exe

If I recall correctly, somone recently offered hosting service to AP, if you take him up on it, you could host Sun's JRE's there and have apup download them directly.

Cyrus, on Apr 19 2008, 11:46 PM, said:

There are copyright issues involved with this, though.

M2Ys4U, on Apr 19 2008, 10:35 PM, said:

Not allowed to have APUP download direct from Java.com / sun.com?

This seems to be a valid link:
Sun Java 6u6

I can probably dig up an FTP link if that is needed.

--Scott.

Addendum: See my post below:

Quote

Edited by KilleenWizard, 26 April 2008 - 10:54 PM.

I meant the copyright issues would be a problem if we were hosting it ourselves. If that link is stable, seems good.

Let's give it a day or two in order to see if it sticks. All my past tests showed all the gunk around:
BundledLineItemUUID=5bhIBe.mdzIAAAEZi5JIcmpF&OrderID=GJhIBe.mEL4AAAEZfpJIcmpF&ProductID=fU5IBe.nalwAAAEZyWklHgvk&FileName=/jre-6u6-windows-i586-p.exe

Would always differ and you had to be reissued a link.

Erik Ramey, on Apr 20 2008, 02:20 PM, said:

I thought I had an FTP link at work, but I don't. I've always been able to get an executable from Java.com, unlike Flash, for which I had to agree to a license in order to get a link to an executable (I see that you're using the same link for Flash in APUP).

I notice that the Java link is still working today, even after tossing my cookies.

Maybe a change to APUP to support a fallback (or manual) link?

Speaking of changes, I'd also like to see the startup speed greatly increased (that looong delay in APUP and AP), and merge APUP with AP.

*****

Ok, I just grabbed WGET (which I'd been intending to do for a while, had been looking to see if MS had something that would do the same), and WGET works just fine:

C:\>wget "http://javadl.sun.com/webapps/download/AutoDL?BundleId=18713"
--19:28:57--  http://javadl.sun.com:80/webapps/download/AutoDL?BundleId=18713
		   => `AutoDL@BundleId=18713'
Connecting to javadl.sun.com:80... connected!
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://sdlc-esd.sun.com/ESD39/JSCDL/jdk/6u5b/jre-6u5-windows-i586-p-s.exe?AuthParam=1208737885_427b49ac909879e4c56eaf60ceda64a6&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD39/JSCDL/jdk/6u5b/jre-6u5-windows-i586-p-s.exe&File=jre-6u5-windows-i586-p-s.exe [following]
--19:28:57--  http://sdlc-esd.sun.com:80/ESD39/JSCDL/jdk/6u5b/jre-6u5-windows-i586-p-s.exe?AuthParam=1208737885_427b49ac909879e4c56eaf60ceda64a6&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD39/JSCDL/jdk/6u5b/jre-6u5-windows-i586-p-s.exe&File=jre-6u5-windows-i586-p-s.exe
		   => `jre-6u5-windows-i586-p-s.exe&File=jre-6u5-windows-i586-p-s.exe'
Connecting to sdlc-esd.sun.com:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 15,918,488 [application/x-sdlc]

	0K -> .......... .......... .......... .......... .......... [  0%]
...
15500K -> .......... .......... .......... .......... .....	  [100%]

19:29:16 (818.18 KB/s) - `jre-6u5-windows-i586-p-s.exe&File=jre-6u5-windows-i586-p-s.exe' saved [15918488/15918488]

All you have to do is fix the filename, removing the "&" and everything following. Will this work with APUP, or can it be adapted?

--Scott.

On a related topic, thought it might be worth adding that to the best of my knowledge, installing the latest Java runtime does not protect you from Java exploits.

This is because (I am told) Java programs have a mechanism for setting a preference as to which runtime to use if several are available, and the new runtime's installer doesn't remove the old ones, which remain present as attack-vectors. (I'm not a Java coder so I'm relying on expert opinion here, but it makes sense) So, all the malware author has to do is to specify a preference for a runtime-version which is known to be exploitable.

This is a very good reason to NOT install Java unless it's needed (which it usually isn't) and therefore a good reason not to use Windows Update, which installs Java on computers regardless of need. If you DO need Java, then it's important to remove old, exploitable runtimes, not just update them.

If you were already aware of this, sorry for pointing-out the obvious.

The same problem may or may not apply to Flash, where version nine installs into a new location in the Windows folder-tree, whereas older versions were in the (Mozilla) browser's plugins folder. Likewise the old versions aren't removed. I'm not sure if there is any way that an animation could specify "Use Version x if available" but the possibility exists. It would also lead to an exploitable situation if the latest NPSWF32.DLL were removed, since then a fallback to the exploitable DLL in the browser's plugins-folder would take place.

Became concerned about these issues after a couple of computers using Firefox got hit by malware (which I think we agree by rights should very rarely happen) and this led me to investigate what attack-vectors were likely. One had a whole string of Java runtimes, and I think the answer lay there.

Nice project, BTW. Keep up the good work.

Anteaus, on Apr 26 2008, 12:33 PM, said:

Yes, specific applications are designed to use specific versions of Java; the app may not work properly on other versions. Nevertheless, I think AP should remove old versions of Java by default. I have a batch file which removes older versions of Java before installing a new version. Unfortunately, I need to list each version infividually; I don't know of a way to simply remove all versions (well, there might be a way; I'd have to check, just haven't been able to justify the time yet). If an AP developer is interested, I can submit it to be adapted for AP.

Installing a new version does little good without removing the old versions, when malware authors are presumably aware of how to use the versoin(s) that they want to use.

I've seen a couple of PC apps which simply have their own private version of Java, which seems to be the safe way to go for non-web apps.

What does WindowsUpdate have to do with Java? As far as I know, it runs entirely on ActiveX.

Anteaus, on Apr 26 2008, 12:33 PM, said:

http://www.secunia.org always reports the IE version of Flash as installed in %WINDIR%\system32\macromed\flash, and it always reports the old versions when the new ones are installed, so I think AP should remove old Flash by default also. I have a batch file that uninstalls old Flash also; I can submit it for use with AP also, if an AP developer is interested.

--Scott.

KilleenWizard, on Apr 20 2008, 12:25 AM, said:

Ok, I just tried this link again, and got this error message:

Quote

So, I guess this link is not an option, unfortunately.

--Scott.

http://javadl.sun.co...?BundleId=18713 seems to work for me through firefox in xp.
Don't know if it's just my ISP caching but it only sends me to update 5 though.

BrainDedd, on May 8 2008, 02:45 PM, said:

Works with IE in Vista.

What's wrong with update 5? It's the current one, last I checked.

How did you get the link? They seem to be making it hard to find such reusable links. It's no good if can't get a new link for a new version.

--Scott.

> What's wrong with update 5? It's the current one, last I checked.
it was replaced some time ago. take a look in this link:
https://cds.sun.com/is-bin/INTERSHOP.enfini...S-CDS_Developer

by the way: this link is the exact same that erik has posted above. you only need select system and check "i agree". those so called "direct links" doesn't work for too long with Sun. believe me, we already tried that...

[]s

Cristiano, on May 14 2008, 11:26 AM, said:

According to java.com, 6u5 is current. I'd expect 6u6 to be "we're not yet certain enough of it to make it the default version".

http://javadl.sun.co...?BundleId=18713 still works, and there's no personalization stuff, so it should always be valid until they yank it.

Upon re-reading older posts, I discovered that *I* was the source of that particular link. Unfortunately, I have no idea where I got that link from.

Ahh, just found out: go to the manual downloads page, and then copy the shortcut that you want.

So, you can have AP automatically download the current widely-available version, or you could provide a link to manually download the bleeding-edge version. Personally, I'd prefer the widely-available version, unless there's a known flaw with it that the bleeding-edge version doesn't have.

If it's possible to have the add-on detect which (or both) executables are present and provide the appropriate option(s), that would seamlessly let you have either or both. As far as I'm concerned, this is what it should do, if possible.

--Scott.

> I'd expect 6u6 to be "we're not yet certain enough of it to make it the default version"
no. that only means that they don't update his own page, despide internal site infos about the new version

> I have no idea where I got that link from
by your last link, i believe that i know. yes, that last link has an link that lead to another one. in fact, that link is just an redirect that works, but so far i know, it doesn't work with apup. so, you find the redirected link and post it also valid. that in fact, is. but when that link reaches an limit, it isn't anymore

> or you could provide a link to manually download the bleeding-edge version
that we did, if you check internal infos at sun.com:
http://java.sun.com/...loads/index.jsp

take a look at "Java Runtime Environment (JRE) 6 Update 6"

[]s

Cristiano, on May 16 2008, 08:05 AM, said:

You seem to be missing my point. My point is that I think AP should automatically download the version that CAN be atomatically downloaded (6u5 looks-permanent link), while people who want 6u6 can download it manually.

--Scott.

sorry, but i believe that you didn't read my previews post, but here i go again, trying to be more clear: APUP currently can't deal with redirected links that the one that you posted. it crashes at once. so, we can't add any automatic download to java. if so, the people still will need download java manually and so, makes no difference if you point an outdated version or not. besides, java6u5 is completely outdated. soon you will see why: from times to times, someone that updates sun download links go in vacations or has some sort of issue that forget to update their own links. but that guy will remember that when the beta test for the new version of sunjava becomes the final version. so, you will see the link at java.com skip one version or stay with an outdated version for a few days then replace that outdated version by the new one

by other hand, those that wish an outdated version of something always can manually download his outdated version, open the .apm file with notepad, take a look at file name to run and detections and replace that up-to-date version that we provide with his own obsolete version and everything will be fine to all. but just remember: in sunjava, you need edit that noicon.apf file too

[]s

Cristiano, on May 16 2008, 09:47 PM, said:

As I mentioned earlier, WGET.EXE handles it just fine. If AP could be modified to be able to run external programs in order to get updates, it could call both WGET.EXE and IEXPLORE.EXE; the first to utomatically get the widely-available version and the second to load up the manual link for the user.

I really don't believe that they're able to keep the developer page up-to-date but not the public page. Furthermore, if a security flaw is discovered, I'm sure that the public page would definitely get updated; failing to do so would REALLY open the floodgates. I really doubt that the version on the public page would have a flaw but not the version on the developer page; I'd expect both to get updated. Thus, from my viewpoint, there's no advantage, aside from one being easier to retrieve automatically.

The only updates that *I* am concerned with are the ones for security flaws or other critical issues. A version that you consider "completely outdated" is perfectly fine with me if it doesn't have any known critical issues. And, chances are very high that a security update would come out well before some program actually wanted to use a new feature that the "completely outdated" version didn't have.

--Scott.

> WGET.EXE handles it just fine
we don't aim wget. we aim apup

> I really don't believe that they're able to keep the developer page up-to-date but not the public page
take a look at:
http://www.sun.com/
check "downloads, java SE"
it looks like an developer page to you? besides, do you have read this:

Quote

the current version of Sun Java is 6u10, but it's beta. but almost all sun downloads links have an "developer" tag at the end. it doesn't that kind of software to developers only. also now i suppose that you have readed that Java 6U6 is aimed to end-users, you still think that just because an link have an "developer" at the end it is intented to develop something?

besides, MS does the exact same thing and nobody complains about. take a look at MSIE page, do you saw an "hey there! we did an new version of our browser!" but in fact they did. MSIE 7 released a couple of months ago isn't the same that you get now and you don't see any notice about.

> if a security flaw is discovered, I'm sure that the public page would definitely get updated
if a security flaw is discovered, update java doesn't help a bit. i suppose that you are reading the posts about people saying that "java installer should remove the previews version first". do you know why this? i will tell you: any APP java based can set to run any of the previews versions of sun java. so, suppose that someone had discovered an security issue regarding sun java 5u10. you have now sun java 6U5, but you had once that version. you are safe? no. anyone can do an malicious software invoking that sun java 5u10 and hack you. by other hand, also developer, someone can very well develop something that will works better in an up-to-date version, like sun java 6u6 is. besides, if you uninstall the previews versions first, you will be safe even from the security issues regarding Java 6u5. by the way: long, long time ago, MS did an huge mistake and did his own version of java. until now, there's some banks that still works fine only with MS Java, that have issues with Sun java. do you think that we should add that obsolete version?

> I'm sure that the public page would definitely get updated
so, ask sun why they called java6u6 of final. say to them that you know more than them and if isn't at main page, it's beta, despide sun call it of final

once, long time ago, an guy named Spok said something like "The needs of many (like have everything up-to-date, without have an beta version) outweigh the needs of the few or one" (have an obsolete version and complains about new versions that like a child does to keep that).

Cristiano, on May 17 2008, 09:51 AM, said:

You seem to be trolling, so I probably won't bother replying to you after this.

Any halfway competent programmer can shell out to another program to do special tasks instead of whining about how hard it is to navigate double redirections, reinvent wheels, and so forth. I regularly write applications that shell out to other programs.

Cristiano, on May 17 2008, 09:51 AM, said:

When someone needs Java, I tell them to go to java.com. Click a button or two and it automatically starts the install of the most current version. Definitely intended for the public. I wouldn't dare tell a normal user to go to any of the other pages; they are not public-friendly. They are intended for people who have half an idea of what they're looking for.

Cristiano, on May 17 2008, 09:51 AM, said:

Microsoft does this; they make certain things available on TechNet and so forth for a while, and after it seems stable, they put it on Windows Update. Just because something is out of beta doesn't mean that no proboms will be found when exposed to a wider audience. Prudent vendors will take their time, if speed is not of the essence.

Cristiano, on May 17 2008, 09:51 AM, said:

You're confusing the proverbial apples and oranges again. Microsoft releases security patches and other critical updates with proactive announcements. For other things, it's usually just the techies who are interested. Most regular users wouldn't bother with non-critical uprades unless there was a noticeable (to them) improvement in functionality.

Cristiano, on May 17 2008, 09:51 AM, said:

Again, that is irrelevant. Installing 6u6 instead of 6u5 would have no effect on this. Also, if you'll bother to take a closer look at those messages, you'll notice that I'm one of the people responding to the subject. I'm well aware that the old versions need to come out.

The point of AP, and the reason that I use it, it to save me from downloading all of the stuff mnaually, and installing it all manually, and ideally, uninstalling old versions, like Java (and sometimes Shockwave and Adobe Reader) manually. You seem to be arguing in favor of retuning to manual procedures.

This is what I'm arguing that you should make a reasonable efort to do:

1. Have an option to uninstall old versions (some people need to keep the old versions for specific applications, so can't make it automatic). This page has code to do this: http://forum.java.su...threadID=692662.

2. Use WGET as an accessory to get the latest no-problems-found-YET Java for which you can get a stable link. No, it's usually not the latest version available from Sun, but most end users will never see a difference between the two.

I'd like for AP to be able to remove old versions automatically, since I'm likely to forget to do it manually. I'd also like for it to download Java automatically; the link that appears to be permanent will do fine for this, since, as I explain above, most end users will never notice a difference.

I know that it may offend your sensibilities to some extent, calling a third-party program to do something when everything else is built-in (BTW, source code appears to be available for WGET), and not getting the absolute latest version of java, but it's the results that really matter. Calling WGET gives end-results consistent with everything else, and using the java.com version of java MIGHT actually be safer becase a lot more people have used it.

--Scott.