
Forum Thread: Updating Sun Java 1.6x to 1.6.0.290.3 does not stick.

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
CSI

This thread has been marked as locked.
cguinasso Updating Sun Java 1.6x to 1.6.0.290.3 does not stick.
Member 1st Feb, 2012 04:37
Ranking: 0
Posts: 2
User Since: 1st Feb, 2012
System Score: N/A
Location: US
Last edited on 1st Feb, 2012 04:37

Please help. I am trying to update Sun Java 1.6x to 1.6.0.290.3. The package appears to deploy and install correctly. However, once on the client machines, Windows Update continues to indicate that Java 1.6 needs to be updated.

No amount of "install now" or reboots appears to fix this.

Apologies if this has been posted numerous times, but my search did not have any positive hits for what I was looking for.

Thank you.

cguinasso RE: Updating Sun Java 1.6x to 1.6.0.290.3 does not stick.
Member 1st Feb, 2012 04:49
Score: 0
Posts: 2
User Since: 1st Feb 2012
System Score: N/A
Location: US
I think I found a clue: http://secunia.com/community/forum/thread/show/119...
taffy078 RE: Updating Sun Java 1.6x to 1.6.0.290.3 does not stick.
Contributor 1st Feb, 2012 09:38
Score: 408
Posts: 1,314
User Since: 26th Feb 2009
System Score: 100%
Location: UK
and this as well?

http://secunia.com/community/forum/thread/show/120...

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
jlbalvanz RE: Updating Sun Java 1.6x to 1.6.0.290.3 does not stick.
Member 7th Feb, 2012 15:48
Score: 3
Posts: 12
User Since: 19th May 2011
System Score: N/A
Location: US
Part of the difficulty may be the way that Java is installed. Java can install in two different ways: "patch-in-place" and static. Patch-in-place works the way you'd normally expect programs to install; Java is installed in "C:\Program Files[ (x86)]\Java\jre6" and when a new version is installed it replaces the old version.
However, there are applications that require an older version of Java to function. Because of that, it's also possible to install Java as static; an application requiring the older version can access a static version directly even though a newer version is the default. Static installs go in directories like "C:\Program Files[ (x86)]\Java\jre1.6.0_24", and when a newer version of Java is installed it does not remove the static versions.
Malicious software can also request the older, vulnerable version of Java as well, and so having the older version installed is still a security risk. The CSI agent scans the entire drive and reports the static versions as vulnerable. The problem is, just installing the newest version of Java won't remove the static versions.
The problem we were running into was that we had updates from the 1.5 version of Java that CSI had recommended still on our SUS server that were installing an older version of Java 1.6 (like Java 6 Update 23, aka 1.6.0.230.x). When you install Java and a newer version of Java is already installed on the system, that older version is automatically installed static. On the next scan, CSIA reported the old version of 1.6, which SUS then tried to fix, but it couldn't because of the static install. I finally had to write an SCCM task sequence to remove the older versions and install 6 Update 30, and I'm still in the process of cleaning that mess up.
I think Secunia CSI 5.0 (which we haven't updated to yet) classifies these as zombie files (the files that are out there on the drive but can never get executed, so can be ignored) but they're not really zombies because malware can request the older Java versions when it executes. Check the Installations list in the CSI console for Sun Java JRE 1.6.x / 6.x and see where java.exe is showing up.

--
Jeff Balvanz -- Iowa State University Information Technology Services
Ames, IA, USA
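
The patch-in-place versus static distinction described in the reply above can be checked on a client before and after deployment. The following is an added example, not part of the thread or of Secunia's tooling: a report-only PowerShell inventory that assumes JREs sit under the default `Java` folder in Program Files, as in the paths quoted in the reply, and that classifies each folder by its name.

```powershell
# Added example (not from the thread): list JRE folders and tell patch-in-place
# installs apart from static ones. Report only; nothing is removed.
# Assumption: JREs live under "<Program Files>\Java", as in the paths quoted above.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Java' } |
    Where-Object { Test-Path -LiteralPath $_ } |
    Select-Object -Unique

$installs = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Directory | ForEach-Object {
        $exe = Join-Path $_.FullName 'bin\java.exe'
        if (-not (Test-Path -LiteralPath $exe)) { return }   # skip folders without a JRE

        # "jre6" = patch-in-place; "jre1.6.0_24" (version in the name) = static.
        $type = switch -Regex ($_.Name) {
            '^jre\d+$'                   { 'patch-in-place'; break }
            '^jre\d+\.\d+\.\d+(_\d+)?$'  { 'static'; break }
            default                      { 'other' }
        }

        # Build the version from the numeric parts of java.exe's file version
        # so the values compare correctly.
        $vi = (Get-Item -LiteralPath $exe).VersionInfo
        $version = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart,
            $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

        [pscustomobject]@{
            Type    = $type
            Version = $version
            Path    = $_.FullName
        }
    }
}

# "Outdated" means older than the newest JRE found on this machine,
# not older than the vendor's current release.
$newest = ($installs | Sort-Object Version -Descending |
    Select-Object -First 1).Version

$installs | Sort-Object Version |
    Select-Object Type, Version, Path,
        @{ Name = 'Outdated'; Expression = { $_.Version -lt $newest } } |
    Format-Table -AutoSize
```

Any row with Type `static` and Outdated `True` is a leftover install that a newer Java package will not have replaced, which matches the repeated "needs update" findings described in the thread.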
