
Forum Thread: insecure but still waiting for "scheduled update"

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Oracle Corporation
And, this specific program:
Oracle Java JRE 1.7.x / 7.x

This thread has been marked as locked.
taffy078 insecure but still waiting for "scheduled update"
Contributor 9th May, 2012 18:22
Ranking: 408
Posts: 1,322
User Since: 26th Feb, 2009
System Score: 100%
Location: UK
Hi.

After having installed 19 Microsoft updates on my XP desktop, I checked my Win7 laptop. There were only a couple so I installed them.

Then PSI scanned and reported that both of my Oracle Java programs were vulnerable - it showed I had v 7.0.10.8 and v.7.0.20.13 (64 bit).

Both were showing as "update scheduled". But that was at 7 am UK time. It's now 5.15 pm and they haven't been updated.

Is there a problem that has stopped the automatic update process or do I simply not understand how the automatic updates are run?




--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003

mogs RE: insecure but still waiting for "scheduled update"
Expert Contributor 9th May, 2012 21:34
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Hello taffy !

As follows is a copy/note I kept of a reply to a similar question :-
The Auto-updates are scheduled as soon as the PSI becomes aware that you are missing a patch (ie. when you run scan).

However, to prevent the PSI from disturbing your workflow, it will perform a check before installing: such as whether or not the program is running, or a certain file is locked. This should prevent auto-updates from interfering with normal program usage.

Hope this helps.
Kind regards,
Emil R. Petersen


Could it be that you've had the program in use ?

--
tingwing RE: insecure but still waiting for "scheduled update"
Member 10th May, 2012 03:38
Score: 0
Posts: 1
User Since: 10th May 2012
System Score: N/A
Location: CN
thank you...
taffy078 RE: insecure but still waiting for "scheduled update"
Contributor 10th May, 2012 09:05
Score: 408
Posts: 1,322
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Hi Mogs. How are you? Bored now that the snow has gone?!! ;o)

I've just powered up my laptop - still no updates.

I know from many earlier occasions here that the older JRE stuff should still be there because older programs might still use them; they will have had any earlier vulnerabilities corrected.

I also recall some weeks ago that a JRE update appeared in a FileHippo Update check; it may have been these. But they were shown as 'for use by developers', weren't security risks and so didn't get picked up by PSI.

My problem is that I've no idea what program(s) use(s) this JRE. The only program that was running yesterday and also now is PSI. Does PSI use this JRE? If not, how can I check which of my programs use it, please?

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Maurice Joyce RE: insecure but still waiting for "scheduled update"
Handling Contributor 10th May, 2012 10:27
Score: 11630
Posts: 8,917
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 10th May, 2012 10:28
U should not be storing old versions of JAVA on a PC.

See this & note the Oracle advice in red ink.
http://java.com/en/download/faq/remove_olderversio...

Why have U got JAVA installed? It is not required by Windows.

If a programme ever requires it a warning will appear on the screen notifying U to install it.

Secunia OSI uses JAVA as does Open Office.

As an example, I have not had JAVA installed for years. At no time have I ever been requested to install JAVA to use or see something except the odd test with OSI.

Entirely a personal choice but my advice would be to purge JAVA from a PC & see what happens.

Many good Security minded vendors are supporting this excellent advice:

http://krebsonsecurity.com/2010/10/java-a-gift-to-...

Hope this helps & excuse spelling edit.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
taffy078 RE: insecure but still waiting for "scheduled update"
Contributor 11th May, 2012 09:58
Score: 408
Posts: 1,322
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Last edited on 11th May, 2012 09:59
Thank you, Maurice.

My Java problems also happened last October & November:

http://secunia.com/community/forum/thread/show/116...

http://secunia.com/community/forum/thread/show/117...

(This thread opened a can of worms, especially re the FileHippo Update Checker. It was recommending updating to v7 which at that time was effectively a beta version although not flagged as such. And it was on their forum and others that I saw that keeping older versions of JRE was sometimes necessary.)

However, I will follow your advice. I will remove Java using Revo and see what other programs subsequently demand that I need it!

Fingers crossed yet again.

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
mogs RE: insecure but still waiting for "scheduled update"
Expert Contributor 11th May, 2012 10:10
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@taffy

Morning !
I didn't answer as soon as able, as Maurice had given you a full reply.
I too have managed without Java for some considerable time...and haven't missed it. By far the most "dangerous" prog. to be using.
Just in the last few days put another post on CClips concerning....you may have read post 48 this month ? :-
So many recent exploits have used Java as their attack vector, you might conclude Java should be shown the exit

Have done a few miles since the snows.....close shaves most mornings as well !!

--
Maurice Joyce RE: insecure but still waiting for "scheduled update"
Handling Contributor 11th May, 2012 10:25
Score: 11630
Posts: 8,917
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 11th May, 2012 10:26
As a test on what happens try pressing the OSI scan button. Just click Cancel to the information box but do not download JAVA. That will give U a clue as to what happens when a programme "calls on" JAVA to work in the future.

Did U use Revo Pro traced method? If not some JAVA elements may remain.

Right click start>Open Windows Explorer>C>Program Files>Common Files & look for Sun

then look in Program Files>Sun

Do the same in Program Files(x86)

Right click & delete any Sun or Java entries.

Although U should not see any entries DO NOT get confused & delete anything named JAVASCRIPT.

U are now perfectly safe so the above actions are a minor clean up operation that can be ignored.


--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
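The checks discussed in this thread (which Java versions are installed, whether a Java process is running and could hold up a pending update, and whether Sun or Java folders remain after an uninstall) can be done read-only from PowerShell. This is an added example, not part of any poster's reply and not Secunia's or Oracle's code; the function names are hypothetical, and it assumes Java's uninstall entries have a display name beginning with "Java" and that its processes are named java, javaw or javaws.

```powershell
# Added example: read-only audit. Nothing is deleted or changed.

function Get-InstalledJava {
    # Uninstall entries for 64-bit and 32-bit programs.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        # Assumption: Java entries are named "Java ..." or "Java(TM) ...".
        Where-Object { $_.DisplayName -match '^Java(\(TM\))? ' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function Get-RunningJava {
    # A running Java process is one reason an updater may hold back a patch.
    Get-Process -Name java, javaw, javaws -ErrorAction SilentlyContinue |
        Select-Object Id, ProcessName, Path
}

function Find-JavaLeftover {
    param(
        # Default roots mirror the folders named in the post above.
        [string[]]$Roots = @(
            $env:ProgramFiles,
            ${env:ProgramFiles(x86)},
            $env:CommonProgramFiles,
            ${env:CommonProgramFiles(x86)}
        )
    )
    $Roots |
        Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
        Select-Object -Unique |
        ForEach-Object {
            Get-ChildItem -LiteralPath $_ -ErrorAction SilentlyContinue
        } |
        # Folders named exactly "Sun" or "Java"; "JavaScript" never matches.
        Where-Object { $_.PSIsContainer -and $_.Name -match '^(Sun|Java)$' } |
        Select-Object -ExpandProperty FullName
}

'Installed Java entries:'
Get-InstalledJava | Format-Table -AutoSize
'Running Java processes:'
Get-RunningJava | Format-Table -AutoSize
'Leftover Sun/Java folders:'
Find-JavaLeftover
```

More than one row under "Installed Java entries" means several versions are installed side by side, as in the first post.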
