Forum Thread: Sun Java Insecure Browser Plugin

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Sun Microsystems
And, this specific program:
Oracle Java JRE 1.6.x / 6.x

This thread has been marked as locked.
TiMow Sun Java Insecure Browser Plugin
Dedicated Contributor 13th Apr, 2010 10:39
Ranking: 737
Posts: 728
User Since: 26th Jun, 2009
System Score: N/A
Location: CH
For those who may not yet be aware, as of yesterday (12 Apr '10), Sun Java JRE version 6 Update 19, Deployment Toolkit browser plugin, is reported as Insecure, no solution; for all browsers - SA39260 applies.

All 3 of my installed browsers are boxed in red under Secure Browsing tab - cat. 4 threat.

Until a vendor solution/patch is available, it is now even more important to maintain safe browsing practices, as outlined by Secunia (and others) in the Secure Browsing tab.

Safe surfing,

TiMow

--
Computing is not yet a perfect science - it still requires humans.

mogs RE: Sun Java Insecure Browser Plugin
Expert Contributor 13th Apr, 2010 11:40
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Thanks for drawing attention to the vulnerability TiMow. As you know, I use Chrome dev , so rarely consult the Secure Browsing tab to view IE8 in seemingly perpetual stagnation !

--
Was this reply relevant?
+1
-2
Anthony Wells RE: Sun Java Insecure Browser Plugin
Expert Contributor 13th Apr, 2010 12:13
Score: 2412
Posts: 3,309
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

The specific Java Plug-in can be disabled in Firefox via Tools->Add-ons->Plugins->

This is not mentioned as a "workaround" in the SA (only setting ActiveX killbits) but it may help - I do not know if it is "essential" like the other Java Plug-in ; no problem encountered so far .

Cannot find the same option in Chrome .

Take care
Anthony

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+7
-0
mogs RE: Sun Java Insecure Browser Plugin
Expert Contributor 13th Apr, 2010 12:54
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Last edited on 13th Apr, 2010 13:10
Hello Anthony.....hope you are well.
There does seem to exist such a facility within Chrome dev. Tho' I haven't familiarized myself with it before ( the option may have only become available this morning with the dev update ).
In another thread, indeed, I had noted my setting of:-
"Allow all sites to use plug-ins (recommended)".
Following your remarks, I've just looked at it again.....there is an Exceptions tab.
Clicking on that produces a panel where one needs to insert "Pattern"....whatever and wherever that is to be found ? Then one can Block or Allow. Any ideas ?

PS......Have just discovered that I can indeed disable individual plug-ins in Chrome, with the Java one in contention clearly shown.
Spanner/Options/Privacy/Content Settings/Plug-ins and underneath Exceptions:-
Disable Individual Plug-ins.
I'm just wondering to what extent this may affect things.

--
Was this reply relevant?
+1
-0
Anthony Wells RE: Sun Java Insecure Browser Plugin
Expert Contributor 13th Apr, 2010 13:27
Score: 2412
Posts: 3,309
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 13th Apr, 2010 13:32
Hello Mogs ,

Thank you for that .

Had been (just re-checked) to the same location as you , but in my current Chrome version 4.1.249.1045 I only have the all/none/exceptions for plug-ins and no individual choice .

It "should" do no harm to your computer to disable the particular plug-in , whether it is effective only Secunia or someone in the Dev channel will be able to tell you .

Is there a second Java plug-in like the two in Ff ??

Take care
Anthony

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+0
-0
mogs RE: Sun Java Insecure Browser Plugin
Expert Contributor 13th Apr, 2010 13:42
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Perhaps you ought to try a move to the Dev channel version Anthony ? A little bit of "excitement " now and again?
To answer your question :-
Yes, Java(TM) Platform SE 6 U19 Version 6.0.190.4 is the other shown.
Tho' disabling the first may be a workaround....I'll have to look into how it may affect performance. Haps I'm safe enough already with my browser practices ?

--
Was this reply relevant?
+0
-0
Anthony Wells RE: Sun Java Insecure Browser Plugin
Expert Contributor 13th Apr, 2010 13:53
Score: 2412
Posts: 3,309
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 13th Apr, 2010 16:46
Mogs ,

I have asked Secunia if the disabling in Ff is a "solution/workaround" in another thread - so far I have not asked about Chrome . My query has received two "thumbs down" - I mean , whatever I think of the voting system and anonymous judgement , my question is pertinent and saves me sending an Email to Secunia asking the same question ; and allows others (hopefully) to contribute to an important security situation .

You might want to wait to see what Secunia have to say on either thread .

Just checked and I'm 1 vs 2 :)

Other things to do .

Take care of yourself.
Anthony

EDIT: This Secunia blog entry (last paragraph) appears to specifically endorse restricting access to the Plug-in . This may be all that Secunia is able to say for now :-

http://secunia.com/blog/95

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+0
-0
mogs RE: Sun Java Insecure Browser Plugin
Expert Contributor 13th Apr, 2010 17:42
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Found this description of the plug-in on the Java site:-
Takes the guesswork out of determining what versions of the Java Platform end users have installed on their pc's. It greatly increases the ease of detection of user's Java Environment....as well as ease of Java Platform deployment.
Have read the blog and SA39260.
It does seem that Secunia are in favour of disabling the plug-in and also to "Set the killbit for affected ActiveX controls".....could someone please explain to me what that entails exactly ?
I'm gonna see if I can find any more on the subject within Chrome help.

--
Was this reply relevant?
+0
-0
Anthony Wells RE: Sun Java Insecure Browser Plugin
Expert Contributor 13th Apr, 2010 17:55
Score: 2412
Posts: 3,309
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 13th Apr, 2010 18:00
Mogs ,

ActiveX essentially applies to IE .

This M$ article may help a little :-

http://support.microsoft.com/kb/240797

I'm sticking to Ff and Chrome so will leave the bits for now .

Anthony

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+0
-0
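What "setting the killbit" entails, following the Microsoft article linked above: a DWORD named Compatibility Flags with bit 0x400 set under the control's CLSID, which stops Internet Explorer from instantiating that ActiveX control. This is an added example, not part of the thread or of Secunia's advisory; the CLSID is a placeholder to be replaced with the one the advisory lists, and the function names are hypothetical.

```powershell
# Added example: inspect and set an ActiveX kill bit as described in KB240797.
# ASSUMPTION: $PlaceholderClsid is NOT a real control. Substitute the CLSID
# that the advisory lists for the affected control.
$PlaceholderClsid = '{00000000-0000-0000-0000-000000000000}'
$ValueName        = 'Compatibility Flags'
$KillBit          = 0x400   # flag bit that blocks instantiation in Internet Explorer

# 32-bit IE on 64-bit Windows reads the Wow6432Node copy, so handle both views.
$CompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitState {
    # Reports, per registry view, whether the kill bit is set for one CLSID.
    param([Parameter(Mandatory = $true)][string]$Clsid)

    foreach ($root in $CompatRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $key   = "$root\$Clsid"
        $flags = $null
        if (Test-Path -LiteralPath $key) {
            $item = Get-ItemProperty -LiteralPath $key -Name $ValueName -ErrorAction SilentlyContinue
            if ($item) { $flags = $item.$ValueName }
        }
        [pscustomobject]@{
            Key        = $key
            Flags      = if ($null -eq $flags) { '(not set)' } else { '0x{0:X8}' -f $flags }
            KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        }
    }
}

function Set-KillBit {
    # Sets the kill bit in every registry view that exists. Needs an elevated prompt.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Clsid)

    foreach ($root in $CompatRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $key = "$root\$Clsid"
        if (-not $PSCmdlet.ShouldProcess($key, 'set kill bit 0x400')) { continue }

        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        $item    = Get-ItemProperty -LiteralPath $key -Name $ValueName -ErrorAction SilentlyContinue
        $current = if ($item) { $item.$ValueName } else { 0 }

        # OR the bit in so that any other compatibility flags already present are kept.
        New-ItemProperty -LiteralPath $key -Name $ValueName -PropertyType DWord `
            -Value ($current -bor $KillBit) -Force | Out-Null
    }
}

# Read-only check first; the write is left commented out and previewed with -WhatIf.
Get-KillBitState -Clsid $PlaceholderClsid | Format-Table -AutoSize
# Set-KillBit -Clsid $PlaceholderClsid -WhatIf
```

The kill bit only affects Internet Explorer and other hosts that honour it; Firefox and Chrome load the NPAPI plug-in and are handled through their own plug-in settings.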
mogs RE: Sun Java Insecure Browser Plugin
Expert Contributor 13th Apr, 2010 18:01
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Can't find anything pertaining to this particular problem in Chrome Help. I have an Enable/Disable toggle for each plug in, so I'm just gonna see how I get on without it for now. I hope I don't develop a limp !!
So when Secunia advise the setting of killbits it's extra measures for IE?

--
Was this reply relevant?
+0
-0
taffy078 RE: Sun Java Insecure Browser Plugin
Contributor 13th Apr, 2010 18:07
Score: 408
Posts: 1,307
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Anthony - thanks for Firefox "disable Java add-on" tip.
I found two in my Firefox (v.3.6.3): Java Console 6.0.19 and Java Quick Starter 1.0. I've disabled both - I assume that is the correct thing to do.

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Was this reply relevant?
+0
-0
TiMow RE: Sun Java Insecure Browser Plugin
Dedicated Contributor 13th Apr, 2010 18:12
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
Evening guys,

Work in progress - I'm looking from the other side:

Control panel>Java>Advanced tab - there's a few settings here that are browser related, but before I start tinkering, I was wondering if you had previous knowledge or any ideas in general, regarding these settings.

TiMow

--
Computing is not yet a perfect science - it still requires humans.
Was this reply relevant?
+0
-0
mogs RE: Sun Java Insecure Browser Plugin
Expert Contributor 13th Apr, 2010 18:12
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Thanks for the MS link Anthony.....had a browse, and first thoughts were " I'm not getting into all that !" Someone will have to guess what Java I've got, and I'll see if deployment is really that much slower.....in no time at all perhaps!

--
Was this reply relevant?
+0
-0
Anthony Wells RE: Sun Java Insecure Browser Plugin
Expert Contributor 13th Apr, 2010 18:21
Score: 2412
Posts: 3,309
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi taffy ,

The answer is no :((

You can re-enable them ; they are in Tools/Add-ons/Extensions .

Look in Tools/Add-ons/Plugins and look for the Java Deployment Toolkit plug-in and highlight and disable it ; you can leave the second Java plug-in enabled for now as I understand it is "essential" for Java to work and has not been incriminated , as far as I can understand .

Java is not essential to your computer and is not so widespread and "useful" as Javascript . Java is used by many "game" websites .

Ask if you are still unsure .

Anthony

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+1
-0
mogs RE: Sun Java Insecure Browser Plugin
Expert Contributor 13th Apr, 2010 18:28
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Haven't delved into the area much TiMow: ( to be honest, I don't very often answer to the term guy.....tho' I too have been "guilty" of the occasional slip ! Ha!): following a peek, I found myself wondering if I really needed the Temporary files referred to ? What do you think ?

--
Was this reply relevant?
+0
-0
TiMow RE: Sun Java Insecure Browser Plugin
Dedicated Contributor 13th Apr, 2010 18:52
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
Hi mogs

Some Americanisms have stuck, from my time across the pond, and it's also non gender specific in its colloquial usage - sorry if it didn't do it for you.

If you're referring to the temporary files under the General tab, I think they're fine to have.

M.J. once advised that the Java cache should, from time to time, be removed by clicking Delete Files and the storage amount (slider) should be reduced from default 1000MB, to about 150 - 250 MB.

It's under the Advanced tab, where the browser settings are, that I was looking at - but after a second look, I think these are too general to the specific issue, to mess around with, at the moment.

For now, I'll just leave the problem plugin disabled in Ff.

Have you seen the post from @pc.tech1, in the other official Secunia related thread?

Regards

TiMow

--
Computing is not yet a perfect science - it still requires humans.
Was this reply relevant?
+0
-0
mogs RE: Sun Java Insecure Browser Plugin
Expert Contributor 13th Apr, 2010 19:33
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Last edited on 13th Apr, 2010 19:39
It's probably that I grew up with very gender-specific terminology.....tho' my ears have probably gotten used to the more recent spoken changes....my eyes aren't any bluer, and first learned is what often has with me stayed. Having "said"that,
I too probably do use some favourable expressions. Don't mean to be the cause of any grammatical contention. I learned to write quite straight with my left hand. They've got lots of other names for it !!!
I'm sure I've set that slider in Java before ! 500mb again for however long it lasts !
Yes, did read the post about Java's comment: I hope I'm not easily duped ?

--
Was this reply relevant?
+0
-0
Anthony Wells RE: Sun Java Insecure Browser Plugin
Expert Contributor 13th Apr, 2010 20:19
Score: 2412
Posts: 3,309
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 13th Apr, 2010 20:22
Hello again Mogs ,

I was going to wait for Chrome 5 to go stable , but the Java plug-in issue plus the fact that latest Dev channel version has both the individual plug-in control and Flash (Beta version) embedded/enabled by default means that I am moving up now .

Such excitement :)) hope all my extensions work !!

Take care
Anthony

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+0
-0
taffy078 RE: Sun Java Insecure Browser Plugin
Contributor 13th Apr, 2010 20:30
Score: 408
Posts: 1,307
User Since: 26th Feb 2009
System Score: 100%
Location: UK
on 13th Apr, 2010 18:21, Anthony Wells wrote:
Hi taffy ,

The answer is no :((

You can re-enable them ; they are in Tools/Add-ons/Extensions .

Look in Tools/Add-ons/Plugins and look for the Java Deployment Toolkit plug-in and highlight and disable it ; you can leave the second Java plug-in enabled for now as I understand it is "essential" for Java to work and has not been incriminated , as far as I can understand .

Java is not essential to your computer and is not so widespread and "useful" as Javascript . Java is used by many "game" websites .

Ask if you are still unsure .

Anthony

Many thanks, Anthony. All done. I'm glad that I asked.
BTW I thought I'd take a peep at IE8's "Manage Add-Ons". Every time I tried to open it, it crashed! That'll teach me to be too inquisitive.

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Was this reply relevant?
+0
-0
Anthony Wells RE: Sun Java Insecure Browser Plugin
Expert Contributor 13th Apr, 2010 20:51
Score: 2412
Posts: 3,309
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 13th Apr, 2010 20:54
Glad you are sorted , taffy ,

Cannot help with IE8 I'm afraid .

Even tho' you have disabled the plug-in , PSI won't "see" that you have done so and Ff (and other browsers) will continue to show as "not secure for browsing" until Java produce a "security update" ; this is not expected for sometime , apparently :(

Take care
Anthony

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+1
-0
taffy078 RE: Sun Java Insecure Browser Plugin
Contributor 14th Apr, 2010 08:21
Score: 408
Posts: 1,307
User Since: 26th Feb 2009
System Score: 100%
Location: UK
cheers, Anthony.

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Was this reply relevant?
+0
-0
mogs RE: Sun Java Insecure Browser Plugin
Expert Contributor 14th Apr, 2010 19:16
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Hello today Anthony ! So far so good.....haven't anything noticeable to report for the Java plug-in disablement.
How you finding the Dev Chrome?
I used to think of myself as possibly minimalistic.....tho' so many extensions these days. I tried the sound effects the other day ( the wife was rich with complaints): as tapping on the keyboard made me sound like a professional "writer" !
Best wishes for now,

--
Was this reply relevant?
+0
-0
Anthony Wells RE: Sun Java Insecure Browser Plugin
Expert Contributor 14th Apr, 2010 20:12
Score: 2412
Posts: 3,309
User Since: 19th Dec 2007
System Score: N/A
Location: N/A


Hello Mogs ,

Chrome update to Dev 5.0.375.3 went perfectly ; everything transferred correctly (made a profile back up , but not needed).

Both Ff and Chrome now have their Java Deployment Toolkit plug-in disabled with no apparent unpleasant side effects (to date) . I notice that Chrome lists and likely borrows several of my Ff plug-ins !!

I thought one or the other had "killed" my Sandboxie , but that was the M$ update for XP patch KB979683 . A couple of hours of seriously wasted time , at least quickly remedied by tzuk , as a patched version of Sandboxie # 3.45.07 is already out :-

http://www.sandboxie.com/phpbb/viewtopic.php?t=773...

Adobe Reader update to v9.3.2.163 was also quick and easy :) (crosses fingers)

Have not yet become a musical writer , but it's high in my priorities :)

Thanks for your interest .

Take care
Anthony

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+0
-0
mogs RE: Sun Java Insecure Browser Plugin
Expert Contributor 14th Apr, 2010 21:29
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Who borrows or develops what? No, I don't think I'll get into that. Some are quicker heeding and some are more responsive......some don't need to read music: it's taken me years sometimes to get the pot out of my ears ?! When I was in my teens my father was playing Puccini......I could never afford the European Tour ! How pleasant is a word in Season ? Not too many butterflies over here ?!
The written word can sometimes enhance one's enjoyment ?
Take care,



--
Was this reply relevant?
+0
-0
Anthony Wells RE: Sun Java Insecure Browser Plugin
Expert Contributor 15th Apr, 2010 12:11
Score: 2412
Posts: 3,309
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

It would appear that simply disabling the plug-in is not a solution according to the original disclosure ;(( I have posted it on the SA thread as well :-

http://seclists.org/fulldisclosure/2010/Apr/119

Take care
Anthony

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+0
-0
ddmarshall RE: Sun Java Insecure Browser Plugin
Dedicated Contributor 15th Apr, 2010 12:33
Score: 1198
Posts: 953
User Since: 8th Nov 2008
System Score: 98%
Location: UK
I see 6.20 has just been released. Can someone interpret the release notes and tell us if it fixes this vulnerability?

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+0
-0
Anthony Wells RE: Sun Java Insecure Browser Plugin
Expert Contributor 15th Apr, 2010 12:47
Score: 2412
Posts: 3,309
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
@ddmarshall

The disclosure and the 6U20 both refer to JNLP files ; it would seem that developers need to now include a (new) codebase parameter regarding them when U20 is in place .

Whether that is sufficient will need Tavis Ormandy or Secunia to confirm , I guess .

It is definitely a "security" update .

Anthony

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+0
-0
pengwyn RE: Sun Java Insecure Browser Plugin
Member 16th Apr, 2010 05:57
Score: 5
Posts: 24
User Since: 6th Mar 2009
System Score: N/A
Location: Sacramento, N/A
Last edited on 16th Apr, 2010 06:03
Just wiped java RE off all my systems, then downloaded the new java JRE's x86 and 64bit, seems PSI still show as 6.0.190.4 (e.g. No changes were detected)

When indeed a physical review of java.exe shows version 6.0.200.2

Java(TM) Platform SE 6 U20

I'll assume it's just a PSI update glitch.

It matters since I already have several other problems with flash and apple quicktime (which the security update broke the import and edit of .mov files in sony vegas--I was forced to roll back to Quicktime v7.65 (1327.80)). But hell I am getting off topic here.. Sometimes it's a small world eh...

My solution so far is...
1. Cripple IE from running via Security Panel
2. Don't run opera, since JAVA and JAVASCRIPT are tied together on the same stupid switch! Oh dear Opera...
3. Install Quick Java 1.7.2 https://addons.mozilla.org/en-US/firefox/addon/123... Which gives me switches for all this broken nonsense--except the quicktime!

Not much of a solution.
In hindsight, yesterday I went through this with Java(TM) Platform SE 6 19 and then ran the exploit test on a win7 box, and it CAUGHT the guy's exploit. a.) It attempted to install that lower version of java (easily stopped) It couldn't execute calc.jar (happy) and it had a Security Bar Warning at the top of the page preventing the Java Install. So I showed that to my users and said, if you ever see stuff that looks like this, stop and call me. Sadly my XP workstations got OWNED by it.. thank god it was only a harmless proof of concept. Yeah, my XP fired up calc... (I hate to admit that)

Obviously NoScript isn't going to be a help here if you have JAVA/JavaScript turned on. ergo, I added Quick Java extensions on everything.

Hope this helps... I'll be watching and waiting...
Was this reply relevant?
+0
-0
Anthony Wells RE: Sun Java Insecure Browser Plugin
Expert Contributor 16th Apr, 2010 12:07
Score: 2412
Posts: 3,309
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 16th Apr, 2010 12:25
Hello ,

Well the SA now confirms Java 6 U 20 is the solution and Java (on my WP) is clear to surf in IE and Firefox (and by extrapolation , my Dev channel Chrome).

When I downloaded U 20 it left behind the old U 19 .dll file in the C:\program files\..\bin\new_plugin\.. folder and so the U 19 plug-in still shows in Ff Plugins (& my Chrome).

Java say that in general you can leave old versions if you so wish - I have emailed them for specific advice ; but as I am not good at holding my breath (tho' a good swimmer) I will delete the "npdeploytk.dll" version 6.0.190.4 file manually to err on the side of safety .

I'll update if Java support get back to me .

Take care
Anthony

PS: I also had U 19 version of the Ff "extension" Java Console left behind (that has also been deleted manually)

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+0
-0
pengwyn RE: Sun Java Insecure Browser Plugin
Member 16th Apr, 2010 17:15
Score: 5
Posts: 24
User Since: 6th Mar 2009
System Score: N/A
Location: Sacramento, N/A
"Java say that in general you can leave old versions if you so wish"

While that may be true, I would always uninstall the old version. I know hard drive space is no longer a problem these days, and it may in fact be easier for the less adept to upgrade in place, but if by any chance it leaves old files around, it won't be hard to write a path to maliciously exploit known locations of those file[s].

After an uninstall, I physically look to see the dir is gone. If it ain't gone, I delete it.

Obviously this is my opinion.


Was this reply relevant?
+0
-0
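The check described in the two posts above (an old Update 19 `npdeploytk.dll` left on disk after installing Update 20, and confirming by hand that old files are gone) can be done in one pass. This is an added example, not part of the thread or any vendor tool; the search roots, the function names and the 6.0.200.0 threshold (inferred from the 6.0.190.4 and 6.0.200.2 versions quoted in the thread) are assumptions.

```powershell
# Added example: list every npdeploytk.dll still on disk and flag copies that
# are older than the Update 20 build.
# ASSUMPTIONS: the search roots are the two Program Files folders (the thread
# elides the exact install path); the threshold is inferred from the versions
# quoted in the thread (U19 plug-in = 6.0.190.4, U20 java.exe = 6.0.200.2).
$PluginName   = 'npdeploytk.dll'
$FixedVersion = [version]'6.0.200.0'

function Get-NumericFileVersion {
    # Builds a comparable version from the numeric resource fields, because the
    # FileVersion string in a PE resource is free-form text.
    param([Parameter(Mandatory = $true)][string]$Path)

    $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    New-Object -TypeName System.Version -ArgumentList `
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

function Find-DeploymentToolkitPlugin {
    # Returns one object per copy of the plug-in DLL found under the given roots.
    param(
        [string[]]$Root    = @($env:ProgramFiles, ${env:ProgramFiles(x86)}),
        [version]$Minimum  = $FixedVersion
    )

    $Root |
        Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
        Select-Object -Unique |
        ForEach-Object {
            # Access-denied folders are skipped rather than aborting the scan.
            Get-ChildItem -LiteralPath $_ -Filter $PluginName -Recurse -File -ErrorAction SilentlyContinue
        } |
        ForEach-Object {
            $version = Get-NumericFileVersion -Path $_.FullName
            [pscustomobject]@{
                Stale     = $version -lt $Minimum
                Version   = $version
                LastWrite = $_.LastWriteTime
                Path      = $_.FullName
            }
        }
}

$found = @(Find-DeploymentToolkitPlugin)
if ($found.Count -eq 0) {
    "No $PluginName found under the search roots."
} else {
    $found | Sort-Object Version | Format-Table -AutoSize
    $stale = @($found | Where-Object { $_.Stale })
    if ($stale.Count -gt 0) {
        "$($stale.Count) copy/copies older than $FixedVersion remain; a browser can still load them."
    }
}
```

Pass extra folders with `-Root` if a browser keeps plug-ins elsewhere on your system; the script only reports and deletes nothing.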
Anthony Wells RE: Sun Java Insecure Browser Plugin
Expert Contributor 16th Apr, 2010 17:36
Score: 2412
Posts: 3,309
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 16th Apr, 2010 17:39
Hi pengwyn ,

I would agree with you certainly as best advice for an "average" non-developer user (like me :))

I mailed Java out of curiosity*** , as the date/time stamp for the three "bin" files are (were for U 19) the same with U 20 file showing just before U 19 and the M$ file ; so I did not want to be too dogmatic with my knowledge gap .

Anthony

PS : *** idle hands and the devil etc :(



--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+0
-0
TiMow RE: Sun Java Insecure Browser Plugin
Dedicated Contributor 16th Apr, 2010 18:50
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
Evening Anthony (and others),

I have another variant to throw in the mix.

As my last Java update (v.19) was a bit heavy on the file size (97+ MB, as opposed to 95.4ish), I followed M.J.'s suggestion of uninstalling from add/remove prior to updating to v.20.

Tried a link from Maurice from another thread, which gave the following download file:

jre-6u20-windows-i586-1ftw-rv.exe; 901kb - sun.com;

** Downloaded/installed, re-booted, re-scanned, checked in add/remove, which showed as following:

Java (TM) 6 update 20; file size - 90.61MB

Add on and plugin for Ff. showed v.20, as normal.

BUT there was nothing showing in PSI - No Java console for Ff., or the usual 2x entries for Sun Java in patched; and no listings for Java for any browser (I have 3) under secure browsing. ***

Uninstalled, then navigated, via Google, to Java download site which gave a different download file:

jxpinstall.exe; 900kb - java.com

Everything exactly as above from ** to ***, with the same net result.

By default, because PSI isn't reporting Java as patched, all my browser boxes are green and clean.

It leaves me a little perplexed, but the only logic I can draw is, because I uninstalled first, then there was nothing to update or patch, as it created anew - but I think that's a bit weak.

So that's where I'm at right now - updated to v.20; showing in programs list on add/remove, correct entries for Ff. add-ons/plugins, but nothing in PSI.

Very strange.

Regards

TiMow

--
Computing is not yet a perfect science - it still requires humans.
Was this reply relevant?
+0
-0
Anthony Wells RE: Sun Java Insecure Browser Plugin
Expert Contributor 16th Apr, 2010 19:25
Score: 2412
Posts: 3,309
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi TiMow ,

Java "download" gave me the installers jxpinstall.exe with Ff and chromeinstall.exe with Chrome ; they weigh in at 899ko (900ko on disc) and have "exactly" the same properties . I used (only) the former and all browsers and PSI were satisfied - the U 19 "problem" was as described above and was resolved by manual deletion of the files "left behind" .

"Add/Remove" shows Java(TM) 6 Update 20 sized as previously at 94.53 MB .

If your directory folders/files for 6 U 20 are "normal" then , after the "will she won't she" and leaden server links to Secunia of the past two days , you "probably" need to shut down and restart your computer and/or reload PSI interface and/or do a full rescan and/or wait until tomorrow and/or un-install Java and wait until a programme/software pops up and says it wants Java :))

Take care
Anthony

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+0
-0
TiMow RE: Sun Java Insecure Browser Plugin
Dedicated Contributor 16th Apr, 2010 19:44
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
Last edited on 16th Apr, 2010 19:45
Thanks for that

We both used the same download file (jxpinstall.exe; 900kb - java.com)

My irregularities may be due to the uninstall of v.19, which may have also cleared out some residual files - hence the lower file size in add/remove (90.61MB) - maybe (??). This file size was the same with both of the different downloads, I detailed above.

Too late for further messing about; will see what tomorrow brings - but have already done as you suggested re. rebooting and re-scanning, - maybe the valves need to cool down.

(Touch wood - haven't experienced problems with PSI, as reported by others; and my scans are done and dealt with in about 5 mins).

Have a good evening - I'm due a cold one.

TiMow

--
Computing is not yet a perfect science - it still requires humans.
Was this reply relevant?
+0
-0
al1939 RE: Sun Java Insecure Browser Plugin
Member 16th Apr, 2010 22:19
Score: 0
Posts: 2
User Since: 16th Apr 2010
System Score: N/A
Location: US
I am having the same problem and psi says it is insecure and there is no fix from the vendor yet. I use IE and Firefox. Both say the same thing. Disabling them is the only thing you can do for now.

--
AL
Was this reply relevant?
+0
-0
mogs RE: Sun Java Insecure Browser Plugin
Expert Contributor 17th Apr, 2010 00:24
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
I've got in to the habit of uninstalling Java each time at update, using Revo, before reinstalling. All looks well here tonight , as regards Java. Enabled plug-in in Chrome, and showing as patched, and secure in IE8. Version 6.0.200........... showing as 94.54MB in Revo and same in Install/Uninstall ! I haven't always been able to agree those figures.

--
Was this reply relevant?
+0
-0
TiMow RE: Sun Java Insecure Browser Plugin
Dedicated Contributor 17th Apr, 2010 11:10
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
I think I must have an anomaly with Java.

Again, uninstalled u.20, from add/remove; downloaded old version, u.18 (u.19 wasn't showing on Java archive site), this also showing file size of 97+MB (similar to my previous installation u.19).

Tray icon for Java informed that update was available (from u.18 to u.20), which I ran.

Everything now showing as it should:

- add/remove - Java (TM) 6 update 20; but file size of 90.61 MB

- add-on (Java console) and plugin versions for Ff. showing latest u.20

- all verified from Java control panel (u.20)

Rebooted re-scanned, but still not picked up by PSI in either patched or as a browser component under secure browsing.

If things don't sort out over w/e, will probably submit on Mon. for Emil.

Changed auto update check to weekly and will monitor forum for threads relating to future updates, and insecurities.

OS is XP SP3.

TiMow

--
Computing is not yet a perfect science - it still requires humans.
Was this reply relevant?
+0
-0
taffy078 RE: Sun Java Insecure Browser Plugin
Contributor 17th Apr, 2010 14:40
Score: 408
Posts: 1,307
User Since: 26th Feb 2009
System Score: 100%
Location: UK
I was surprised just now to see that Java was no longer showing as a problem. I've done nothing.
So I've just uninstalled v19, using the add/remove programs, and then installed v20.

I followed some advice here (Anthony?) about disabling something (as a temporary measure) when I had v19.
Should I now enable them? If so where can I find them? (Sorry, - I've looked at loads of threads but can't find the references to disabling them!)

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Was this reply relevant?
+0
-0
TiMow RE: Sun Java Insecure Browser Plugin
Dedicated Contributor 17th Apr, 2010 17:05
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
Last edited on 17th Apr, 2010 17:18
Hi Taffy

The references you're looking for are towards the top of this thread.

But if you've uninstalled u.19 and re-installed u.20, then this should have automatically re-enabled them.

In Firefox > tools > add-ons > java console is under extension icon (this is what you first mistakenly disabled) > java deployment toolkit (this was the problem) is under plugin icon.

All Javas now, by downloading u.20, should by default be enabled - by clicking each to highlight you should see the option box to disable (don't click it). If you see that, then all is fine.

You did exactly the same as I did - uninstall u.19 from add/remove and new install u.20 - and yet PSI doesn't list any of my Javas.

Are you showing Java console (extn. for Ff.) and Sun Java (2x entries) under patched, and is Sun Java (2x) showing as a browser component for each of your browsers under secure browsing?

Also, curious to know what file size Java (TM) 6 update 20 shows under add/remove - this is shown on r.h.s. - my new install shows 90.61 MB, whereas others state 94.53 MB.

No hurry, post back at your leisure, if able to.

Thanks and regards

TiMow

PS - for the wider community:
I even re-installed, using each of my 3 browsers - Ff., Chrome and IE (in that order) - IE caused my security to pick up a registry change, relating to ActiveX, which I allowed, but still PSI is not finding/showing/reporting Java, after the obligatory reboot and re-scan after each time.

--
Computing is not yet a perfect science - it still requires humans.
mogs RE: Sun Java Insecure Browser Plugin
Expert Contributor 17th Apr, 2010 22:24
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
I just found myself wondering (that if you haven't already done so); it might be worth running a CHKDSK at this time? Consistency/orphaned files so on and so forth? With the uninstalling/installing process there always seems to occur some registry errors... what I find is that Revo usually sorts them.
Just a couple of thoughts TiMow.....

--
taffy078 RE: Sun Java Insecure Browser Plugin
Contributor 18th Apr, 2010 08:27
Score: 408
Posts: 1,307
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Thanks TiMow. I was looking (for 'disable' issues) in the other thread on this!
To answer your questions:
1. All my Javas (u.20) are enabled. Thanks.
2. 'Patched' only shows Sun Java JRE 1.6.x/ 6.x.
3. 'Secure Browsing' shows this under both IE8 and Firefox.
4. File size in 'A/R' is 90.61 MB.

Hope this helps. Thanks again.

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
VagnPalle RE: Sun Java Insecure Browser Plugin
Member 18th Apr, 2010 16:51
Score: -2
Posts: 2
User Since: 5th Jul 2009
System Score: N/A
Location: N/A
on 13th Apr, 2010 10:39, TiMow wrote:
For those who may not yet be aware, as of yesterday (12 Apr '10), Sun Java JRE version 6 Update 19, Deployment Toolkit browser plugin, is reported as Insecure, no solution; for all browsers - SA39260 applies.

All 3 of my installed browsers are boxed in red under Secure Browsing tab - cat. 4 threat.

Until a vendor solution/patch is available, it is now even more important to maintain safe browsing practices, as outlined by Secunia (and others) in the Secure Browsing tab.

Safe surfing,

TiMow

Etain RE: Sun Java Insecure Browser Plugin
Member 18th Apr, 2010 17:30
Score: 0
Posts: 10
User Since: 3rd Apr 2009
System Score: N/A
Location: US
Greetings to all,

This thread has been helpful and informative, my thanks to all the participants. I'm having an odd problem with PSI regarding this issue.

Not knowing any of this was going on, yesterday I received a pop-up from FF stating the Java Deployment Toolkit plug-in was a security risk and I gave my permission to disable it.

I then ran a PSI scan that showed the Java JRE 1.6x / 6x (64 bit) was a level 4 risk and it also offered a download solution which I downloaded.

I'm in the habit of uninstalling older versions of Java first and after a restart of my system, I installed the new Java file that Secunia PSI linked me to as the solution: 6.0.190.4.

When I logged on this morning, Secunia is again telling me this Java is insecure AND it's still linking to Java 6 U 19 download as the solution. Just thought it might be important to mention this. I've found the Java U 20 and will uninstall what I have, restart, and download it. Hopefully, it will work for me.

This thread has been marked as locked.