
Forum Thread: Fix insecure versions?

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
OSI

This thread has been marked as resolved.
jpChris Fix insecure versions?
Member 23rd May, 2010 05:53
Ranking: 0
Posts: 7
User Since: 23rd May, 2010
System Score: N/A
Location: US
Last edited on 23rd May, 2010 05:54

Hi all,

I ran the OSI and it found 10 Apps Total: 4 Insecure Versions and 6 patched Versions. And, One Error Detected With The Scan.

Below the Results Section it has Update Instructions: Download.

Great! But there's no info on whether I should uninstall the programs first or install over the top of them.

The apps are:
1) Adobe Flash Player
2) Macromedia Flash Player
3) Sun Java JRE 1.5
4) Sun Java JRE 1.6

A little more info on what-do-I-do-now would be appreciated; as well as what the heck "One Error Detected With The Scan" means.


Post "RE: Fix insecure versions?" has been selected as an answer.
Maurice Joyce RE: Fix insecure versions?
Handling Contributor 23rd May, 2010 09:25
Score: 11710
Posts: 8,954
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Go to Control Panel>Add/remove and uninstall ALL entries U see for:

JAVA
JRE
JSE
Adobe Flash
Macromedia Flash

Now run OSI again - have all the vulnerabilities been removed?

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+1
-0
jpChris RE: Fix insecure versions?
Member 23rd May, 2010 19:32
Score: 0
Posts: 7
User Since: 23rd May 2010
System Score: N/A
Location: US
Last edited on 23rd May, 2010 19:52
Hi Maurice,

Did as you said and Java, JRE, Macromedia Flash would not uninstall: CCleaner and JV16 Power Tools couldn't do it either.

I DL'ed and ran M$ Install Cleanup and now the progs are not in Add\Remove anymore.

However, when I went to run the scan again, I got the error message, "Problems Loading Java Applet in your browser".

So, what now? When I did a Search, there were 93(!) listings for Java and who knows how many Javas there are in the registry. I searched for Java and hit the F3 key over 200 times(!) and I never made it out of HKCR\CLSID. Plus, there's still 4 folders for MacroMedia in "Application Data".

I repeat: What now???
Was this reply relevant?
+0
-0
TiMow RE: Fix insecure versions?
Dedicated Contributor 23rd May, 2010 19:54
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
Unfortunately, if you use OSI, it requires Java Applet, therefore Java needs to be installed.

I don't want to tread on Maurice's toes, here, but his advice to uninstall all the insecure may have been a precursor to re-installing the current secure versions (maybe not).

However, if you wish to continue using OSI to scan, you will need to install the latest Java, from:

http://www.java.com/en/

Have you considered downloading and using the more thorough PSI, though?

TiMow

--
Computing is not yet a perfect science - it still requires humans.
Was this reply relevant?
+1
-0
jpChris RE: Fix insecure versions?
Member 23rd May, 2010 21:44
Score: 0
Posts: 7
User Since: 23rd May 2010
System Score: N/A
Location: US
Hi TiMow,

Please, step on some toes! There's who-knows-how-many hundreds of Java listings on my computer!!! And I know that all this c**p isn't necessary.

Ideally I'd like to uninstall everything Java and start from scratch.

Also, what's "PSI"?
Was this reply relevant?
+0
-0
Maurice Joyce RE: Fix insecure versions?
Handling Contributor 23rd May, 2010 22:08
Score: 11710
Posts: 8,954
User Since: 4th Jan 2009
System Score: N/A
Location: UK
@jpChris

Sorry I have been away & it looks like we have had a hijack trying to second guess my thoughts!

PSI is a much better version to check your system. It does not require Java & U are correct in that many people do not have Java installed.

I would recommend the first course of action is to install PSI from here:

http://secunia.com/vulnerability_scanning/personal...

I am around for a couple of hours so let me know if U intend using it & I will post an easy to follow set up guide.

If not, I will post details on how to rid your PC of all Java.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+2
-0
jpChris RE: Fix insecure versions?
Member 23rd May, 2010 22:39
Score: 0
Posts: 7
User Since: 23rd May 2010
System Score: N/A
Location: US
Hi Maurice,

OK, here's where I'm really depending on you: As I probably have close to 1,000 Javas entries everywhere, would you recommend a complete annihilation of Java and a fresh\clean install of the latest?

Or, just stay where I am and install the latest Java? I do have a couple of games that rely on Java\Flash\Shockwave, though.

TIA



Was this reply relevant?
+0
-0
Maurice Joyce RE: Fix insecure versions?
Handling Contributor 23rd May, 2010 22:49
Score: 11710
Posts: 8,954
User Since: 4th Jan 2009
System Score: N/A
Location: UK
I would have a complete clearout. Try this by going straight to Part 2.

JAVA PROBLEMS
=============


PART 1

STANDARD UPDATING OF JAVA
~~~~~~~~~~~~~~~~~~~~~~~~~~
Can be used with Windows XP, Vista & Windows 7 - 32 & 64 Bit Systems.

If U have but do not use a 64 Bit Browser there is no requirement for Java 64 to be installed. If already installed it can safely be removed via Control Panel>Add/Remove.

JAVA now uses an Uninstaller as part of the install process. This makes updating very easy using this method.

1. 32 Bit Systems.

A. Go to Start>Control Panel>click on the JAVA icon>select the Update tab>click the Update Now button.
OR
B. Click this link:
http://www.java.com/en/download/manual.jsp (select 32 Bit)

1A. 64 Bit Systems. Click on this link:
http://www.java.com/en/download/manual.jsp (select 64 Bit)

Both 32 & 64 Bit downloads are available. Download/install them one at a time.

Notes:

U can use the 32 Bit browser to install the 64 Bit version.

To test your JAVA 32 Bit is working correctly use this test link:
http://java.com/en/download/help/testvm.xml

As normal, reboot, carry out a full PSI scan & all should be in order.

Secunia monitors both JAVA 32 & 64 Bit versions.

OPTIONAL EXTRAS AFTER UPDATING
++++++++++++++++++++++++++++++

1. Go to Control Panel>JAVA icon>Update Tab and take the tick out of box marked "Check for updates auto ....." (This will prevent a Java updater notification from starting each time U switch on your PC - PSI is already doing this job for U)

2. If U prefer not to have the JAVA icon in the System Tray when in use, open the Advanced Tab>look for Miscellaneous>click the + sign & then remove the tick from clearly marked box.

3. U may also wish to speed up your browser by clearing out the JAVA cache & permanently lowering the quota allocation. If U are unsure how to do this post back for more information.



++++++++++++++++++++++++++++++++++++++++++++++++++


PART 2

CLEARING OUT OLD JAVA DROSS (32 Bit)
~~~~~~~~~~~~~~~~~~~~~~~~~~~
If U have completed Part 1 & still have a problem it is because the new JAVA uninstaller only removes the previous version. U could still have very old JAVA dross on your system. Try this:

1. Install or double check U have the latest JAVA version (Currently Version 6 Update 20) from here:

http://www.java.com/en/download/manual.jsp (select 32 Bit)

http://www.java.com/en/download/manual.jsp (select 64 Bit)


2. This tool will remove all the old dross except for the version U have just installed. Click here:

http://raproducts.org/

*This link takes U to the site - select the Windows Binary (zip) option.
*This will lead U to Sourceforge.net to download it.
*Save the download to desktop.
*Activate the desktop zip icon which exposes the JAVARA EXE file. Click it.
*Select RUN when asked.
*Select your language.
*The tool will now appear on the desktop - select REMOVE OLDER VERSIONS
*Once complete select ADDITIONAL TASKS - tick all boxes & activate.
*Right click on the desktop JAVARA zip file & delete it.

3. To test your JAVA is working correctly use this test link: http://java.com/en/download/help/testvm.xml

Revision 4

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+1
-0
jpChris RE: Fix insecure versions?
Member 24th May, 2010 00:22
Score: 0
Posts: 7
User Since: 23rd May 2010
System Score: N/A
Location: US
Hi Maurice,

Sorry for the delay, but everyone wants a piece of my time.

Anyway, as I stated, I already ran JavaRA but there were still a bazillion entries. So, I DL'ed the latest Java, installed it and ran JavaRA again. This time I got an error saying, "could not find javara.def".

Then I ran JavaRA again and ticked everything in the Additional Tasks window. It did something and said all old c**p was cleaned out and then I was taken to the download JavaRA page again.

Closed out, rebooted again, ran JavaRA again and started over. This time I got a box saying, "Java 6.0.200.2". Then I went to the link you provided to check and it said I have the latest.

In Add\Remove Programs Java(tm) update 20.

So, As I don't have the wherewithal to fool around with this anymore, isn't there supposed to be a "Java Runtime" somewhere?






Was this reply relevant?
+0
-0
Maurice Joyce RE: Fix insecure versions?
Handling Contributor 24th May, 2010 00:28
Score: 11710
Posts: 8,954
User Since: 4th Jan 2009
System Score: N/A
Location: UK
U have got all U need.

In the Control Panel There should be a Java icon.

In Add/remove there should be an entry JAVA(TM) 6 update 20.

That is it - U have the latest & greatest JAVA. OSI should now work.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+1
-0
jpChris RE: Fix insecure versions?
Member 24th May, 2010 00:37
Score: 0
Posts: 7
User Since: 23rd May 2010
System Score: N/A
Location: US
OK, I've got the latest and (hopefully) all the old stuff has been cleared out.

I ran the OSI test again and the only thing that came up was the Adobe Flash Player 10.xx.

I removed the old version, rebooted, installed the latest, ran the OSI test again and got the same vulnerability with Flash Player.

Is it a PEBCAK (Problem Exists Between Chair And Keyboard) or am I missing something?

Thank you for your help, Maurice.
Was this reply relevant?
+0
-0
Maurice Joyce RE: Fix insecure versions?
Handling Contributor 24th May, 2010 00:45
Score: 11710
Posts: 8,954
User Since: 4th Jan 2009
System Score: N/A
Location: UK
POSSIBLE PROBLEMS - Solution 1 should fix it.

UPDATING ADOBE FLASH
====================
Works with Windows XP, Vista & Windows 7 - 32 & 64 Bit systems.

To successfully install Adobe Flash go here:
http://www.filehippo.com/download_flashplayer_ie/

& then here if U have any Gecko based browsers.

http://www.filehippo.com/download_flashplayer_fire...

The latest secure version is: 10.0.45.2
The latest Beta/RC version is: 10.1.53.55 RC5

1. Select the Flash version U require & download it.
2. The installer will appear on the desktop. Before agreeing to install close:
a. All Browsers.
b. PSI
c. Windows Messenger.

3. The new install will then remove all old files during the update process.
4. Complete a PSI rescan.

POSSIBLE PROBLEMS.
++++++++++++++++++

If U failed to complete 2. above U may well find PSI still shows a vulnerability on the rescan.

SOLUTION 1

1. Double check your browser(s), PSI & Messenger are closed.
2. Navigate to:
32 Bit Systems - C:\Windows\system32\Macromedia\Flash
64 Bit Systems - C:\Windows\sysWOW64\Macromedia\Flash

In these locations U may well find these entries:
FLASH10D.OCX - Right click & delete it.
FLASH10E.OCX - The latest version which should be retained.
If U are using the Beta/RC version U will see 10H & not 10E.

SOLUTION 2

1. Check the path to the vulnerability.

If PSI finds any elements of Flash in the C:\i386 folder or on any drive other than C that is an OEM reinstallation partition (normally D drive) or a drive U use solely to backup your work U can safely create an ignore rule. It may also be in the Recycle Bin.

OPTIONAL EXTRAS
+++++++++++++++

Security.
Adobe also have a very bad habit of changing your Flash settings each time they plug vulnerabilities. To change the security settings to your liking & regain control of your PC click here:

http://www.macromedia.com/support/documentation/en...

Click each tab U see & change the settings to your security requirements.

Bloat ware.
If you used the Adobe site, rather than FileHippo to update you will also find they try or have installed an unnecessary Download Manager.

It is bloat ware by a third party Company called NOS. If found I would uninstall it via Add/Remove.

If this post has solved your problem could you please select the ACCEPT option. This will lock the thread and stop you & I from receiving unnecessary update emails.

Revision 7.


--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+1
-0
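
An added example, not part of Maurice's posts or of any Secunia tool: a read-only PowerShell check of what the Java and Flash clean-up steps above leave behind. It lists the Add/Remove Programs entries for Java and Flash and the Flash ActiveX controls in the two folders from Solution 1, flagging any older than the 10.0.45.2 version quoted in the post; the function names and the uninstall registry paths are assumptions of this example.

```powershell
# Added example: read-only audit; it deletes nothing.
# Floor version is the "latest secure version" quoted in the post above.
$minFlash = [version]'10.0.45.2'

# Registry locations that back the Add/Remove Programs list (32- and 64-bit views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Flash ActiveX folders named in Solution 1; keep only those that exist.
$flashDirs = @(
    @("$env:windir\System32\Macromedia\Flash",
      "$env:windir\SysWOW64\Macromedia\Flash") | Where-Object { Test-Path $_ }
)

function Get-InstalledRuntime {
    # Hypothetical helper: every Java/Flash entry still registered as installed.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Java|J2SE|Flash Player' } |
        Sort-Object DisplayName |
        Select-Object DisplayName, DisplayVersion
}

function Get-FlashControl {
    # Hypothetical helper: each .ocx with its file version and an Outdated flag.
    param([string[]]$Path, [version]$Minimum)
    foreach ($dir in $Path) {
        Get-ChildItem -Path $dir -Filter '*.ocx' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $vi  = $_.VersionInfo
                $ver = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart,
                    $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
                [pscustomobject]@{
                    File     = $_.FullName
                    Version  = $ver
                    Outdated = $ver -lt $Minimum
                }
            }
    }
}

Get-InstalledRuntime | Format-Table -AutoSize
Get-FlashControl -Path $flashDirs -Minimum $minFlash | Format-Table -AutoSize
```

More than one Java row, or any control marked Outdated, is the leftover state a rescan keeps reporting as insecure.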
TiMow RE: Fix insecure versions?
Dedicated Contributor 24th May, 2010 09:05
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
@ Maurice Joyce

Hi Maurice

Just to clarify my intention wasn't to second guess you (I did use the proviso "may")- but your initial response seemed a little too blunt to be final; bearing in mind your normal patient, methodical approach to sorting out others' problems (notwithstanding your opinions regarding Adobe and Java).

I was just trying to point out that in order to run OSI, Java needs to be installed (it seemed a little strange to advise uninstalling it and then running OSI) - and if Java was deemed not necessary, then PSI should be considered.

This was all in view of believing that you would "return" to offer the correct assistance.

Regards

TiMow

--
Computing is not yet a perfect science - it still requires humans.
Was this reply relevant?
+0
-0
jpChris RE: Fix insecure versions?
Member 24th May, 2010 21:19
Score: 0
Posts: 7
User Since: 23rd May 2010
System Score: N/A
Location: US
Hi Maurice,

I wish I'd have known about DL'ing from filehippo first. I'm running SeaMonkey and every time I tried to install Flash I'd get a "Script error" at the end. Plus, my NPSWF32.DLL disappeared and I couldn't play a few games. I finally found a copy on another drive in the Macromedia folder, but it wasn't anywhere on my main drive! I did a copy\paste to the plug-ins folder and all is well now. Although, NPSWF32.DLL isn't in the Macromedia folder on the main drive. I'm wondering if it should\shouldn't be there? Oh, well.

Anyway, Thank You, Maurice, for all your help\support getting this mess straightened out. I'm now golden as far as Scans, Updates and Installs goes. As an aside, I asked a friend to search for Java and he found over 4,000 entries!

I'll click "Accept" and keep my fingers crossed.









Was this reply relevant?
+0
-0

This thread has been marked as locked.


© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144