Vulnerability thru old versions of Java?

Posted by Gotde T Shirt on September 10, 2008, 9:01 am

A well-known 'feature' of the Sun Java update process is that it leaves
older versions still installed. Could an old version with a vulnerability
be exploited by the baddies, even when the fixed version has been
installed?

Posted by Malke on September 10, 2008, 9:39 am

Gotde T Shirt wrote:

> A well-known 'feature' of the Sun Java update process is that it leaves
> older versions still installed. Could an old version with a vulnerability
> be exploited by the baddies, even when the fixed version has been
> installed?

Yes. That's why you should remove the older versions and then install the
latest one.

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
FAQ - http://www.elephantboycomputers.com/#FAQ


Posted by Kayman on September 10, 2008, 10:22 am

On Wed, 10 Sep 2008 13:01:27 GMT, Gotde T Shirt wrote:

> A well-known 'feature' of the Sun Java update process is that it leaves
> older versions still installed. Could an old version with a vulnerability
> be exploited by the baddies, even when the fixed version has been
> installed?

Yes.
JavaRa at http://raproducts.org/
It's a neat little free utility that removes all remnants of Java.

Posted by David H. Lipman on September 10, 2008, 4:47 pm

| A well-known 'feature' of the Sun Java update process is that it leaves
| older versions still installed. Could an old version with a vulnerability
| be exploited by the baddies, even when the fixed version has been
| installed?

I actually posed this question to Information Assurance (IA) experts who use
Harris Stat and Digital eEye Retina on a regular basis. The subject matter was
why older, vulnerable versions of Sun Java are not removed if there are, say,
7 ~ 9 versions of Sun Java in C:\Program Files\Java and listed in the Control
Panel applet "Add/Remove Programs". The answer is this: when you install the
latest version of Sun Java it will find the other versions of Sun Java and
patch them to mitigate the vulnerability, and thus there is no requirement to
remove older versions of Sun Java to comply with IA requirements.

At this point I will SUGGEST removing old versions but it is not required to
mitigate vulnerabilities; just install the LATEST version to mitigate the
existing vulnerabilities.

You should also NOT manually delete remnant folders if you remove older
versions of Sun Java from the Control Panel applet "Add/Remove Programs".
Software such as Apple Quicktime will drop a Java Jar in the folder and set an
environmental variable pointing to said Java Jar in that folder. If you
manually remove the folder [ such as "C:\Program Files\Java\jre1.6.0_06" when
you have v6 update 7 installed ] you will delete the Java Jar and break Apple
Quicktime's use of said Java Jar.

For example...
You installed Apple Quicktime when you had JRE v6 update 5 installed. Apple
Quicktime will drop its Java Jar in "C:\Program Files\Java\jre1.6.0_05" and
set an environmental variable to the Java Jar in
"C:\Program Files\Java\jre1.6.0_05".

The only question I have now is when a program bundles an older version of Sun
Java with its application, such as Adobe Acrobat v9:
C:\Program Files\Adobe\Acrobat 9.0\Designer 8.2\jre

The question is, if you install say JRE v6 update 7, will it find the JRE in
C:\Program Files\Adobe\Acrobat 9.0\Designer 8.2\jre and patch it even though it
is not in C:\Program Files\Java?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Posted by Gotde T Shirt on September 10, 2008, 5:49 pm

On Wed, 10 Sep 2008 16:47:01 -0400, David H. Lipman wrote:

>
>| A well-known 'feature' of the Sun Java update process is that it leaves
>| older versions still installed. Could an old version with a vulnerability
>| be exploited by the baddies, even when the fixed version has been
>| installed?
>
> I actually posed this question to Information Assurance (IA) experts who use
> Harris Stat and Digital eEye Retina on a regular basis. The subject matter was
> why older, vulnerable versions of Sun Java are not removed if there are, say,
> 7 ~ 9 versions of Sun Java in C:\Program Files\Java and listed in the Control
> Panel applet "Add/Remove Programs". The answer is this: when you install the
> latest version of Sun Java it will find the other versions of Sun Java and
> patch them to mitigate the vulnerability, and thus there is no requirement to
> remove older versions of Sun Java to comply with IA requirements.
>
No offence intended to you personally, but that explanation is improbable
to say the least.

1) It wastes disk space and other resources willy-nilly for no good reason.

2) It is much more complex and therefore fragile than a simple replacement
strategy.

So why the hell would you adopt such a bizarre strategy? But the real
killer observation is:

3) It doesn't stack up with reality - the file sizes and modification dates
are unchanged for earlier JRE editions after a subsequent update has been
applied.

> At this point I will SUGGEST removing old versions but it is not required to
> mitigate vulnerabilities; just install the LATEST version to mitigate the
> existing vulnerabilities.
>
I'm not so sure.

> You should also NOT manually delete remnant folders if you remove older
> versions of Sun Java from the Control Panel applet "Add/Remove Programs".
> Software such as Apple Quicktime will drop a Java Jar in the folder and set an
> environmental variable pointing to said Java Jar in that folder. If you
> manually remove the folder [ such as "C:\Program Files\Java\jre1.6.0_06" when
> you have v6 update 7 installed ] you will delete the Java Jar and break Apple
> Quicktime's use of said Java Jar.
>
> For example...
> You installed Apple Quicktime when you had JRE v6 update 5 installed. Apple
> Quicktime will drop its Java Jar in "C:\Program Files\Java\jre1.6.0_05" and
> set an environmental variable to the Java Jar in
> "C:\Program Files\Java\jre1.6.0_05".
>
Agreed.

> The only question I have now is when a program bundles an older version of Sun
> Java with its application, such as Adobe Acrobat v9:
> C:\Program Files\Adobe\Acrobat 9.0\Designer 8.2\jre
>
> The question is, if you install say JRE v6 update 7, will it find the JRE in
> C:\Program Files\Adobe\Acrobat 9.0\Designer 8.2\jre and patch it even though it
> is not in C:\Program Files\Java?

...which sounds like DLL-hell reinvented.
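An added example, not code from the thread or any of its posters: a PowerShell inventory that lists every Java install it can find (including vendor-bundled copies), flags the ones older than the newest, records the last file write under each so the "unchanged modification dates" observation can be checked, and names any environment variable that still points at a copy before anyone deletes it. The search roots are assumptions; add your own vendor directories.

```powershell
# Added example (not from the thread): inventory every Java install on a Windows
# host, flag copies older than the newest, record whether their files were ever
# rewritten after install, and list environment variables that still point at
# them. Search roots are assumptions; add your own vendor directories.

$SearchRoots = @(
    "$env:ProgramFiles\Java",
    "${env:ProgramFiles(x86)}\Java",
    "$env:ProgramFiles\Adobe"      # vendor-bundled JREs such as Acrobat's Designer\jre
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }
if (-not $SearchRoots) { throw 'No Java search root exists on this host' }

# Every bin\java.exe is one install; its grandparent directory is the install home.
$Installs = Get-ChildItem -Path $SearchRoots -Recurse -Filter java.exe -ErrorAction SilentlyContinue |
    Where-Object { $_.Directory.Name -eq 'bin' } |
    ForEach-Object {
        $jreHome = $_.Directory.Parent.FullName
        $vi      = $_.VersionInfo
        $files   = Get-ChildItem -LiteralPath $jreHome -Recurse -File -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Home      = $jreHome
            Version   = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                                                  $vi.FileBuildPart, $vi.FilePrivatePart)
            # Newest write anywhere under the install: if a later installer really
            # patched this copy, this date would be at or after that install's date.
            LastWrite = ($files | Sort-Object LastWriteTime -Descending |
                         Select-Object -First 1).LastWriteTime
            SizeMB    = [math]::Round(($files | Measure-Object Length -Sum).Sum / 1MB, 1)
            # Environment variables (CLASSPATH, JAVA_HOME, PATH, ...) whose value names
            # this directory: deleting it by hand would break whatever set them.
            RefBy     = (Get-ChildItem Env: | Where-Object {
                             $_.Value.IndexOf($jreHome, [StringComparison]::OrdinalIgnoreCase) -ge 0
                         } | ForEach-Object Name) -join ','
        }
    }

$Newest = ($Installs | Sort-Object Version -Descending | Select-Object -First 1).Version

$Installs |
    Select-Object Home, Version, LastWrite, SizeMB, RefBy,
                  @{ n = 'Stale'; e = { $_.Version -lt $Newest } } |
    Sort-Object Version -Descending |
    Format-Table -AutoSize
```

A Stale row whose LastWrite predates the newest install is exactly the unchanged-dates observation in the reply above, and a non-empty RefBy column is the QuickTime-style dependency to resolve before removing that folder.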
