Forum Thread:

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.


taffy078 RE: JAVA Security Update
Contributor 16th Feb, 2012 08:58
Score: 408
Posts: 1,464
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Thank you, Maurice, for this. Frightening!

(1) Why hasn't PSI picked this up as 'vulnerable'?
(2) Is Java something that is included in the Auto-update?
(3) Mr Krebs says
"Each time Oracle ships a security update, I urge readers who have this program installed to reevaluate whether they need it at all. Failing to keep Java updated leaves you dangerously vulnerable to attacks.

For those who need Java for the occasional site or service, disconnecting it from the browser plugins and temporarily reconnecting when needed is one way to minimize issues with this powerful program. Leaving the Java plugin installed in a secondary browser that is only used for sites or services that require Java is another alternative."

(3a) How can we check which programs require Java? From previous threads here, the only one that I can immediately think of is Firefox.
(3b) and how do we disconnect it from the browser plug-ins?

Hoping this makes sense.

PS On a lighter note, when Java was installing, I noted that amongst other things it's used on Kindle and car parking meters. I hope my new Kindle is not at risk!

--
taffy078, West Yorkshire, UK

HP Envy Win10 PC and Compaq Presario screwed up by forced upgrade to Win10 from Win7
Was this reply relevant?
+0
-0
Leendert Kip RE: JAVA Security Update
Member 16th Feb, 2012 09:19
Score: 89
Posts: 552
User Since: 22nd Jan 2009
System Score: 100%
Location: NL
Last edited on 16th Feb, 2012 09:20
[quote=p44047]thank you Maurice for this. Frightening! (1) Why hasn't PSI picked this up as 'vulnerable'?[/quote]

Java was auto-updated to the new version yesterday afternoon. I hadn't seen it marked as vulnerable before the auto-update took place.


--
PC: PWA Computers
Intel Core I3 2100 3.1Ghz
Kingston DDR3 ValueRam 4GB 1333
Kingston SSD SV300S 240GB
Windows 7 Home Premium 64bits SP1
Secunia PSI 3.0.0.11005
Internet Explorer 11
Mozilla Firefox 48.0.1NL

Laptop: MSI GT780DX
Intel Core I5-2450
DDR3 RAM 6GB
Windows 7 Home Premium 64bits SP1
Secunia PSI 3.0.0.11005
Internet Explorer 11
Mozilla Firefox 48.0NL
Was this reply relevant?
+0
-0
Maurice Joyce RE: JAVA Security Update
Handling Contributor 16th Feb, 2012 10:35
Score: 12085
Posts: 9,366
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 16th Feb, 2012 10:38
@taffy078

Your post makes total sense to me.

1. Unless the PSI experts actually research & find a verifiable vulnerability they must rely on proper disclosure from elsewhere. From the statement made by @Leendert Kip clearly this disclosure has not taken place.
My test machine is now showing as vulnerable under SA 48009 dated 15/2/2012 which implies that this vulnerability report was disclosed "after the horse had bolted".

2. As U know I do not use any programme auto updaters. I cannot test the PSI auto feature because I only have JAVA running on a test PC that uses PSI version 1.5.0.2 but as far as I am aware:
a. PSI caters for auto updating of JAVA.
b. JAVA have their own auto updater. It runs under Jusched (JAVA update scheduler) - JAVA settings are controlled via the Windows Control Panel.
EDIT: I have made this a bit clearer for U.

3. If U do not have JAVA installed a message will appear if U try to use a programme dependent on it. OSI uses JAVA. For a demonstration of the type of warning messages click this link:

http://secunia.com/vulnerability_scanning/online/

now click OK on the message that appears. Now try to use the scanner.

4. To manage JAVA in IE8 go to tools>manage addons>JAVA & disable it. No idea on other third party browsers because I do not use them.

Surprised to hear about Kindle. I manage my Kindle & have the Windows version installed. Works like a dream without JAVA.

Hope this helps.

On a lighter note to U my understanding is that Adobe & Oracle will merge on the 1st April 2012. Early indications are that the rebranded collective name will be NightmareWare!

Now that PSI are monitoring JAVA I consider my Thread to be historical dross & I will delete it once @taffy078 has had time to read my reply.




--
Maurice

Microsoft Surface 4 Intel i7 64Bit
Windows 10 Pro version 1607
16 GB RAM
IE & Edge Only
Was this reply relevant?
+3
-0
ddmarshall RE: JAVA Security Update
Dedicated Contributor 16th Feb, 2012 11:05
Score: 1250
Posts: 992
User Since: 8th Nov 2008
System Score: 98%
Location: UK
I can confirm that Firefox does not need Java. I think that many people install Java because they confuse Javascript with Java.

Kindle doesn't need Java on the PC. It uses it internally. I wonder if anyone's tried to take over a Kindle. Android also uses a variant of Java. That's why Oracle are suing Google.

I stopped installing Java a while ago. I can do without anything that says it needs it; BT Speedtest site, for example.

--
Was this reply relevant?
+0
-0
taffy078 RE: JAVA Security Update
Contributor 16th Feb, 2012 16:23
Score: 408
Posts: 1,464
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Last edited on 16th Feb, 2012 16:26
Thanks again, Maurice.

I'll get cracking to disable/uninstall Java. Glad to hear about Kindle!

edit: Perhaps the big bang merged company should be called Krakatoa.

--
taffy078, West Yorkshire, UK

HP Envy Win10 PC and Compaq Presario screwed up by forced upgrade to Win10 from Win7
Was this reply relevant?
+0
-0
wr RE: JAVA Security Update
Contributor 16th Feb, 2012 17:11
Score: 308
Posts: 739
User Since: 30th Mar 2008
System Score: 100%
Location: US
Hi all

I agree with ddmarshall - JAVA(tm) is not needed for Firefox to properly function & that JAVA(tm) is confused with Javascript. I uninstalled JAVA(tm) over 4 years ago - also got rid of Quicktime (oem installation), RealPlayer & NIS 360, which I had to 'dig' carefully through the Registry to rid the machine of even after using the uninstaller from Norton.
Having said that, my machine seems to properly function & I don't think I've missed anything while surfing the net or reading emails. If I have, it probably wasn't noteworthy.

Regards, wr


--
HP Pavilion Slimline s3020n
Windows Vista Home Premium SP2 32 bit
AMD 64 Athlon X2
Firefox 31.4.0 ESR
The weakest link of a computer system is always sitting in front of the monitor.
Was this reply relevant?
+1
-0