Forum Thread: Java Update

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as locked.
Nikilet Java Update
Member 9th Apr, 2010 07:57
Ranking: 7
Posts: 282
User Since: 15th Jul, 2008
System Score: N/A
Location: N/A
Secunia PSI tells me I have two Java items that are insecure.

They both appear to be exactly the same: Sun Java JRE 1.6.x / 6.x

When I expand and click on Download Solution under each of these, the description of the download is exactly the same for both items:
jre-6u19-windows-i586-s.exe.
So, why do I have to install two updates that appear to be exactly the same?

Also, I presently have Java(TM)6 Update 17 and this update is 6.0.170.4. I assume since we are still on build 17 I don't have to uninstall what I have to run these updates, do I?

Thanks for any help.


This user no longer exists RE: Java Update
Member 9th Apr, 2010 08:41
Hi,

It is very likely that the PSI is detecting several installed instances. Some programs - including Sun Java - don't always remove older versions of themselves when updates are installed, and the PSI is picking up the old and current version. To find out where the old and new runtimes are located, you can click the "+" button to expand the entry, and read the field called "Installation Path". Please post your Installation path here. The solution you can download will most likely only patch the newest version installed.

Hope this helps.
TiMow RE: Java Update
Dedicated Contributor 9th Apr, 2010 08:46
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
Last edited on 9th Apr, 2010 08:53
Hi Nikilet

I'm not techie enough to tell you why there are 2 Java's showing in PSI, but their file paths/locations are different and both are required. But you will only find one entry for Java under your program list in add/remove (control panel).

The latest update is 6.0.190.4 and you do need to upgrade to this by clicking on download solution on PSI.

You only need to do this once however, as both entries are dealt with together (as will be Java console, extn for Ff., if you use Firefox).

All previous Java builds show as insecure, but you don't need to uninstall the old ones as the new update overwrites (except Java console for Ff.).

TiMow

EDIT: My post crossed with E.P. from Secunia, but as there has been a recent Java update, and your scenario is very similar to my own was (and others who posted here with similar questions), I would try the update first (all due respect to Emil).

--
Computing is not yet a perfect science - it still requires humans.
Nikilet RE: Java Update
Member 9th Apr, 2010 08:57
Score: 7
Posts: 282
User Since: 15th Jul 2008
System Score: N/A
Location: N/A
Thank you for taking time to try and help me. I only had one version of Java installed. The next answer I received was right on and it seems to be taken care of now.
Nikilet RE: Java Update
Member 9th Apr, 2010 09:01
Score: 7
Posts: 282
User Since: 15th Jul 2008
System Score: N/A
Location: N/A
TiMow: Thanks for your help. You were right on the mark. I only had one version installed and I didn't have to install both of the files offered. After I ran the first one both entries disappeared from the insecure programs tab.

E.Peterson answered also but was working on the premise that I had two versions installed and psi was picking up both, which was not correct.

Again, thanks!
Maurice Joyce RE: Java Update
Handling Contributor 9th Apr, 2010 09:08
Score: 11309
Posts: 8,726
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 9th Apr, 2010 09:09
@Nikilet,
Long time no see.

I see U are fixed up - info withdrawn.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Nikilet RE: Java Update
Member 9th Apr, 2010 09:15
Score: 7
Posts: 282
User Since: 15th Jul 2008
System Score: N/A
Location: N/A
Maurice -- I've been here a couple of times but you were never a responder. I thought maybe you weren't doing this anymore. I really missed you!
Maurice Joyce RE: Java Update
Handling Contributor 9th Apr, 2010 12:33
Score: 11309
Posts: 8,726
User Since: 4th Jan 2009
System Score: N/A
Location: UK
@Nikilet,
I have taken a second look at the details & just want to make sure U are OK.

The reason U could see two downloads offered is explained here:

http://secunia.com/community/forum/thread/show/394...

Nothing technical about it. In essence, Secunia were pointing U to the wrong download site from their toolbox until Emil corrected it.

To be absolutely sure U do have the correct Java version installed go to add/remove & double check the entry.

If my memory is correct U have XP or Vista running on a 32 Bit system. If that is the case U should see one entry:

JAVA(TM) 6 Update 19 with a file size of 94.5 MB.

If U have got JSE installed instead of JRE it will show differently.

If it does look odd it is no big deal. Just uninstall all the Java entries in Add/remove then install the 32 Bit version from here:

http://www.filehippo.com/download_jre_32/



--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Anthony Wells RE: Java Update
Expert Contributor 9th Apr, 2010 16:20
Score: 2384
Posts: 3,280
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 9th Apr, 2010 16:23
At the risk of adding confusion , on my XP SP3 , PSI shows two installation entries for Sun Java JRE 1.6x/6.x . One entry points to files in C:\Program Files\Java\.. and the other to C:\WINDOWS\System32\java.exe

This is normal .

My current up to date version is 6.0.190.4 and shows the two entries in the PSI "patched" tab ; as and when Java becomes vulnerable , both installations show in the "insecure" tab and each solution offered by Secunia/PSI leads (me) to the same "updater" . I only need to run this once and both installations are updated ; the previous versions are usually un-installed for me at the same time .

I have only one entry for Java (TM) 6 Update 19 in "Add & Remove" in my Control Panel sized at 94.53 MB .

As I run Firefox , then PSI also displays Java Console 6.x (extension for Firefox)

Take care
Anthony

--


It always seems impossible until it's done.
Nelson Mandela
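Added example, not part of any forum post and not Secunia's or Sun's code: a PowerShell inventory of the two java.exe locations named in this thread, shown next to the Add/Remove Programs entries, so that one installed product with two binaries can be told apart from a stale older runtime left behind. The `jre*` wildcard and the Program Files (x86) path are assumptions for systems other than the posters'.

```powershell
# Locations quoted in the thread, generalised with a jre* wildcard (assumption).
$candidates = @(
    "$env:SystemRoot\System32\java.exe",
    "$env:ProgramFiles\Java\jre*\bin\java.exe"
)
if (${env:ProgramFiles(x86)}) {
    # 64-bit Windows: 32-bit runtimes live here (assumption, not from the thread).
    $candidates += "${env:ProgramFiles(x86)}\Java\jre*\bin\java.exe"
}

# Read the version resource of every java.exe that exists.
$binaries = foreach ($pattern in $candidates) {
    Get-Item -Path $pattern -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Path        = $_.FullName
            FileVersion = $_.VersionInfo.FileVersion
            Description = $_.VersionInfo.FileDescription
        }
    }
}

# Add/Remove Programs is populated from the Uninstall registry keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Java*' } |
    ForEach-Object {
        [pscustomobject]@{
            DisplayName    = $_.DisplayName
            DisplayVersion = $_.DisplayVersion
            # EstimatedSize is stored in KB; it is absent for some installers.
            SizeMB         = if ($_.EstimatedSize) {
                                 [math]::Round($_.EstimatedSize / 1024, 2)
                             } else { $null }
        }
    }

"java.exe copies found on disk:"
$binaries | Format-Table -AutoSize

"Java entries in Add/Remove Programs:"
$installed | Format-Table -AutoSize

# Two binaries with one version is the normal case described in the thread.
# More than one distinct version means an older runtime was not removed.
if ($binaries) {
    $versions = @($binaries | Group-Object -Property FileVersion)
    if ($versions.Count -gt 1) {
        Write-Warning ("Mixed java.exe versions present: " +
            (($versions | ForEach-Object { $_.Name }) -join ', '))
    } else {
        "All java.exe copies report version $($versions[0].Name)."
    }
}
```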
Maurice Joyce RE: Java Update
Handling Contributor 9th Apr, 2010 17:30
Score: 11309
Posts: 8,726
User Since: 4th Jan 2009
System Score: N/A
Location: UK
That is correct - my post only points to add/remove not PSI or anywhere else.

Over the Easter weekend Secunia's download pointed to the JSE & not JRE hence confusion with some not least @Nikilet until Emil sorted it out on Tuesday.

All I am trying to establish is that he has in fact downloaded & installed JRE & not JSE.





--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
TiMow RE: Java Update
Dedicated Contributor 9th Apr, 2010 18:25
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
Last edited on 9th Apr, 2010 18:46
Evening all,

This is from Nikilet's original post, at the top.

In the absence of them reappearing 'til now, I hope this may help to clarify.

on 9th Apr, 2010 07:57, Nikilet wrote:
Secunia PSI tells me I have two Java items that are insecure.

They both appear to be exactly the same: Sun Java JRE 1.6.x / 6.x

When I expand and click on Download Solution under each of these, the description of the download is exactly the same for both items:
jre-6u19-windows-i586-s.exe.
So, why do I have to install two updates that appear to be exactly the same?

Also, I presently have Java(TM)6 Update 17 and this update is 6.0.170.4. I assume since we are still on build 17 I don't have to uninstall what I have to run these updates, do I?

Thanks for any help.



I think the post to which you (M.J.) were referring, was the exception and not the rule, as the majority of us had a trouble free update to JRE (I believe).

TiMow

EDIT: If it's not broken, don't mend it.
Just out of curiosity, I've just checked the Java (TM) 6. file size in add/remove, and mine shows 97.23MB. I would have guessed the small additional may be related to Java console for Ff. - but Anthony runs Ff. too, and his file size is 94.5MB.

--
Computing is not yet a perfect science - it still requires humans.
Maurice Joyce RE: Java Update
Handling Contributor 9th Apr, 2010 19:16
Score: 11309
Posts: 8,726
User Since: 4th Jan 2009
System Score: N/A
Location: UK
That is because U may well have installed JSE.

No one is suggesting there has been trouble installing Java. The frequent posts on the Forum were the same as that of @Nikilet.

Secunia posted the wrong download link in the toolbox hence if U used that U are liable to have JSE installed.

On reading my post on Tuesday Emil acknowledged the problem & pointed the download link to JRE.

JSE will still work but it has additions on it that could be described as dross to a normal home user.

I am also in no doubt the error messages 1606 & 1723 that I dealt with over the weekend were linked to the same Secunia download site error.

If U are unsure whether it is broken double check.




--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Anthony Wells RE: Java Update
Expert Contributor 9th Apr, 2010 20:24
Score: 2384
Posts: 3,280
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
I updated going to the Java site direct using my Firefox browser . The "Online" installer I downloaded is referred to as "jxpinstall-rv.exe Java(TM) Platform SE binary Sun Microsystems Inc." version 6.0.190.4 and is sized as 900 ko . It appears to be the standard one on offer and it installed JRE 6 and the Firefox extension satisfactorily - uninstalling and replacing U 18 correctly .

FileHippo currently offers the standard JRE 32 bit update as " jre-6u19-windows-i586-s.exe" , the same as that mentioned by @Nikilet , and has a file size of 15.76 MB ; this is also suggested by Maurice Joyce in his last but two post ,

This seems to mirror the problem referred to in the thread quoted above (locked on a reply offering the FileHippo link) :-

http://secunia.com/community/forum/thread/show/394...

The relevant disk spaces are pointed up here :-

http://www.java.com/en/download/faq/java_size.xml

I am not sure , but I get the impression that Java(TM) SE covers both JDK and JRE :-

http://java.sun.com/javase/6/webnotes/install/wind...

Perhaps Secunia can advise whether the original file they pointed to - equivalent to the one currently on offer from FileHippo - was only a problem/complication for some people .

If @Nikilet's original query concerning "two installations" of JRE showing as insecure has been answered and the new installation is satisfactory , then it only remains for the curious to ask and the gifted to explain why the two different installers are still extant .

As you may guess , I have absolutely no idea :)

Take care
Anthony

--


It always seems impossible until it's done.
Nelson Mandela
Maurice Joyce RE: Java Update
Handling Contributor 9th Apr, 2010 21:26
Score: 11309
Posts: 8,726
User Since: 4th Jan 2009
System Score: N/A
Location: UK
@Anthony,
I think all that really happened is some like @Nikilet were concerned when the link produced by Secunia gave two downloads & they were unsure what to do (not helped by a couple who gave actual error codes when attempting to update).

The ones I dealt with used the direct Java link in lieu & some went to FileHippo & succeeded with JRE.

I am unsure when the Secunia download link was inserted but I did not notice it as pointing "the wrong way" until Easter Monday when I was investigating an error code. The slight mishap was corrected on Tuesday by Emil.

I suspect many were outside the "time scale window" to have been affected hence little Forum activity asking for help.

I have dealt with @Nikilet at length in the past & am only really concerned that he has got the correct version.

As far as I am concerned the rest is history.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Nikilet RE: Java Update
Member 9th Apr, 2010 23:34
Score: 7
Posts: 282
User Since: 15th Jul 2008
System Score: N/A
Location: N/A
Last edited on 9th Apr, 2010 23:44
Add/Remove shows Java(TM) 6 Update 19 so all is well. Thanks, tho, for watching out for me.

However, it does not show file size that I could see.

I am a she, not a he. ;.)
Maurice Joyce RE: Java Update
Handling Contributor 9th Apr, 2010 23:52
Score: 11309
Posts: 8,726
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Whoops - sorry!

Looks like U are OK - that is the main event.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
TiMow RE: Java Update
Dedicated Contributor 10th Apr, 2010 10:58
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
Last edited on 10th Apr, 2010 11:31
Morning all,

Just got up to speed with the latest replies from yesterday evening - this is opening up a bit of a can of worms.

I updated Java on Weds. before Easter, using the Secunia download solution link - everything was as normal as per previous updates.

Under patched tab I have the following:

Sun Java JRE 1.6.x / 6.x 6.0.190.4 C:\WINDOWS\system32\java.exe

Sun Java JRE 1.6.x / 6.x 6.0.190.4 C:\Program Files\Java\jre6\bin\java.exe

So, I was confident everything was as it should be - but now my confidence has taken a small dent.

It was the discrepancy in file sizes (@ Nikilet - found on r.h.s. in add/remove), and @ Maurice Joyce's penultimate reply, which made me investigate further.

In both the above file locations for Java, under properties, the description is as follows:

Java(TM) Platform SE binary

Now for me, if Java and SE are written on the same line, this implies JSE, so Maurice's suspicions could be founded - but I think for people like me, who updated early, using the PSI download link, before the bug was identified and subsequently fixed; - and not those who updated after Easter.

If I do in fact have Java JSE installed and not JRE, despite the fact that PSI (patched tab) is showing JRE, I wonder how many others may be affected too?

The first clue is to check file size in add/remove (as detailed above in previous posts).

For me, to be sure, I will probably uninstall Java, then re-install from the correct site.

TiMow

EDIT: I've just re-read Anthony's last post and he refers to the following for his installation download: "jxpinstall-rv.exe Java(TM) Platform SE binary Sun Microsystems Inc." - I missed this the first time. This also refers to Java(TM) Platform SE binary - so now I don't know what to think. Obviously the file size discrepancy is still an issue.

--
Computing is not yet a perfect science - it still requires humans.
Anthony Wells RE: Java Update
Expert Contributor 10th Apr, 2010 13:03
Score: 2384
Posts: 3,280
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 10th Apr, 2010 13:29
Hello TiMow ,

If you look here :-

http://java.sun.com/javase/downloads/index.jsp

You will see that Java now reference the term Java SE to cover JRE and JDK download/installation options .

There used to be a "JSE" format which contained the extras Maurice Joyce referred to , but it seems to have been missing as an option for a while now - I cannot find it , but its equivalent may be elsewhere .

So seeing/having the Java(TM) Platform SE binary notation with JRE would seem to be normal .

The only question I have is that PSI , as in Emil , changed the file solution offered from that still offered by FileHippo to another file , which may or may not be the same as , but is probably similar to the one I used (using Firefox) . So quite a lot of people may be (unknowingly) affected . @Nikilet actually mentions the same file as the one PSI "changed" and that still in FileHippo !!

The difference may be a link to the JRE direct , so to speak , and the other to the JRE which is part of the development network . It may account for the file size showing in "Add/Remove" it might not .

It seems unlikely to be of any significance if you are happily installed for now ; so you could either live with it or do a clean uninstall/reinstall .

"If it ain't broke , don't fix it" or as another member of the Forum signs "if it ain't broke , tweak it some more" - take your pick .

I guess only Secunia or Java will be able to easily clarify .

Take care
Anthony

PS ; perhaps a new (second) thread on the specific subject could be opened , the previous one is locked . @Nikilet seems to be happy enough as for now , so maybe she could close this thread , if she so wishes :)

--


It always seems impossible until it's done.
Nelson Mandela
Maurice Joyce RE: Java Update
Handling Contributor 10th Apr, 2010 13:39
Score: 11309
Posts: 8,726
User Since: 4th Jan 2009
System Score: N/A
Location: UK
@Timow,
I think we are all looking at this too deeply. My only concern was @Nikilet who I have dealt with at length in the past.

In your case I would not be overly concerned at what version U have.

It is working & secure. It will not be long before Java updates again. Just uninstall your current version (whether JSE or JRE) and then go to the Oracle Java site & put a new version on.

File size does give a clue in some instances. It is not an exact science &, for example, Vista may be different to XP & Windows 7 which are about 94+MB.

The lack of Forum activity since Monday merely proves it is not something to lose sleep over. It was a slight blip & has long since passed.

The Java Console is also frequently mentioned but is a bit of a red herring.

The Java Console is controlled via:

Start>Control Panel>Java>Advanced>Default Java For Browsers and therefore is updated as & when. U just adjust the settings depending on what U want. Whether it shows in the Firefox Browser is an individual choice.

If U are using the Gizmo (Add On) from the Mozilla Add Ons download page that could be a different story. Version 6.0.02 for example is no longer supported by Java.

I am signing off - all history & not worth spending any more time on.

Hope this helps.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
TiMow RE: Java Update
Dedicated Contributor 10th Apr, 2010 14:01
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
Hi Anthony,

Thanks for coming back on this. I agree, this thread has probably run its course (don't forget the National 5:15 our time), but as a postscript, I've come up with the following assumptions (rightly or wrongly) - you're probably already aware of them.

From support info for Java, on add/remove, the readme has the following heading:

Java(TM) Platform, Standard Edition
Runtime Environment
Version 6

So my assumptions are Java(TM) Platform, SE (for Standard Edition), and
JRE - Java Runtime Environment (I've seen this many times, but hadn't seen the obvious).

So I think I'm going to stop chasing my tail.

Maurice's update has just come in - "The lack of Forum activity since Monday......" probably means that we're a bit guilty of over analysing and looking for shadows in the dark, that aren't there anyway.

Quote from M.J.:

"In your case I would not be overly concerned at what version U have.

It is working & secure. It will not be long before Java updates again. Just uninstall your current version (whether JSE or JRE) and then go to the Oracle Java site & put a new version on."

Unquote.

This is where I'd got to.

Quote from A.W.:

"If it ain't broke , don't fix it" or as another member of the Forum signs "if it ain't broke , tweak it some more" - take your pick ."

Unquote.

And this is the big dilemma.

Regards to both, and thanks

TiMow

--
Computing is not yet a perfect science - it still requires humans.
mbphvice RE: Java Update
Member 11th Apr, 2010 01:58
Score: -2
Posts: 2
User Since: 4th Mar 2008
System Score: 100%
Location: US
it can also be that you need both active x controls:
for IE.

And plugin for Firefox. http://support.mozilla.com/en-US/kb/Using+the+Java...