Forum Thread: Adobe Creative Suite CS5: vulnerability in Java JRE version insta...

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Adobe Systems
And, this specific program:
Adobe Photoshop CS5 12.x

This thread has been marked as locked.
Shepherd_france Adobe Creative Suite CS5: vulnerability in Java JRE version installed
Member 27th May, 2010 12:20
Ranking: 0
Posts: 6
User Since: 27th May, 2010
System Score: N/A
Location: FR
Last edited on 27th May, 2010 12:29

Hi,

After Photoshop CS5 installation via Creative Suite 5 Design Premium DVD, I had the bad surprise to see the following Secunia PSI alerts (French to English translation):

Sun Java JRE 1.6.x / 6.x (needs to be uninstalled)
Sun Java JRE 1.6.x / 6.x software (needs to be uninstalled) is vulnerable and could threaten your computer security!
Secunia highly recommends updating this software by installing the vendor patch.
Version of JRE detected: 6.0.180.7 (Secunia advisory: SA37255)

This alert appears twice for following paths:
C:\Users\All Users\Adobe\CS5\jre\bin\java.exe
C:\ProgramData\Adobe\CS5\jre\bin\java.exe

I launched Adobe Updater: no patch available (products are up-to-date). I called Adobe technical support who was not informed about this problem and told me that each software had vulnerabilities anyway. What an answer!

Java v6.0.20 (last version available) was already installed on my system before Adobe Creative Suite Design Premium CS5 installation.
Though Firefox plugins window displays Java Deployment Toolkit v6.0.200.2 and Java Platform SE6 U 20 v6.0.200.2, vulnerabilities are also reported in Secunia PSI Browsers tab.

To ensure these vulnerable java executables cannot be run, I renamed java.exe with java.exe_old in C:\ProgramData\Adobe\CS5\jre\bin\java.exe (curiously operation automatically renamed java.exe in C:\Users\All Users\Adobe\CS5\jre\bin\java.exe).
However I do not consider this workaround as an acceptable solution and I don't even know yet if my Adobe applications are not going to crash sooner or later.

I don't know how to patch this vulnerability since JRE is there part of Adobe application folders. For Java updater within Control Panel (v6.0.20 regular installation) and Adobe folder (running jucheck.exe): version installed is up-to-date.
I don't know either if there is a better workaround than my current one (that does not create problems running Adobe programs).

Please Secunia, help would be more than welcome.
Thank you :-).

PS: obviously I'm not the only one to meet this problem. See lkupersmith comments on Adobe forum
http://forums.adobe.com/message/2843539#2843539
For information I never met this issue with Adobe Creative Suite Standard CS3.

PS: I didn't find Adobe Creative Suite 5 in Programs list by Vendors. Did I miss it? Otherwise can Secunia add it to the list?
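
Added example, not part of the original post and not Secunia or Adobe code: a small triage of scanner findings like the two alerts above. On Windows Vista and later, `C:\Users\All Users` is a link to `C:\ProgramData`, so both reported paths are one file; the script merges such aliases, then flags copies that sit outside the directory the regular Java updater maintains. The function names, the `Program Files\Java` managed root and the directory tree built in `demo()` are assumptions constructed for illustration.

```python
import os
import tempfile

# File version of the up-to-date JRE named in the thread (Java 6 Update 20).
# Versions must be in the scanner's file-version format, e.g. "6.0.180.7".
PATCHED = "6.0.200.2"


def parse_version(text):
    """'6.0.180.7' -> (6, 0, 180, 7); padded so tuples compare field by field."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def _inside(path, root):
    """True when path is root itself or lies below it."""
    return path == root or path.startswith(root.rstrip(os.sep) + os.sep)


def triage(findings, managed_roots, patched=PATCHED):
    """Merge findings that point at the same file and classify each install.

    findings      -- iterable of (reported_path, detected_version)
    managed_roots -- directories the regular Java installer/updater maintains
    """
    managed = [os.path.realpath(r) for r in managed_roots]
    installs = {}
    for path, version in findings:
        real = os.path.realpath(path)  # follows symlinks and Windows junctions
        entry = installs.setdefault(real, {"aliases": [], "version": version})
        entry["aliases"].append(path)

    report = []
    for real, entry in sorted(installs.items()):
        report.append({
            "real_path": real,
            "aliases": entry["aliases"],
            "version": entry["version"],
            "outdated": parse_version(entry["version"]) < parse_version(patched),
            # A copy outside the managed roots ships with another product:
            # the system Java updater will not replace it.
            "bundled": not any(_inside(real, m) for m in managed),
        })
    return report


def demo():
    """Constructed tree mirroring the layout in the post (empty placeholder files)."""
    top = tempfile.mkdtemp()
    bundled = os.path.join(top, "ProgramData", "Adobe", "CS5", "jre", "bin")
    system = os.path.join(top, "Program Files", "Java", "jre6", "bin")
    for directory in (bundled, system):
        os.makedirs(directory)
        open(os.path.join(directory, "java.exe"), "wb").close()
    os.makedirs(os.path.join(top, "Users"))
    # Stand-in for the Windows link C:\Users\All Users -> C:\ProgramData
    os.symlink(os.path.join(top, "ProgramData"),
               os.path.join(top, "Users", "All Users"),
               target_is_directory=True)
    alias = os.path.join(top, "Users", "All Users",
                         "Adobe", "CS5", "jre", "bin", "java.exe")
    findings = [
        (alias, "6.0.180.7"),
        (os.path.join(bundled, "java.exe"), "6.0.180.7"),
        (os.path.join(system, "java.exe"), "6.0.200.2"),
    ]
    return triage(findings, [os.path.join(top, "Program Files", "Java")])


if __name__ == "__main__":
    for item in demo():
        print(item["version"], "outdated" if item["outdated"] else "current",
              "bundled" if item["bundled"] else "managed", item["aliases"])
```

An entry that is both `outdated` and `bundled` is the case discussed in this thread: only the vendor that shipped the copy can update it.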

taffy078 RE: Adobe Creative Suite CS5: vulnerability in Java JRE version installed
Contributor 27th May, 2010 16:13
Score: 408
Posts: 1,335
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Last edited on 27th May, 2010 16:15
Hi. OK to call you Shepherd? Welcome to Secunia. Adobe often causes your type of problems and one of the technical guys will soon be along to help you resolve it.

But what an answer from Adobe!

In the meantime, if you want to suggest to Secunia that they add a program, please go to the paragraph at the bottom of the page (vulnerability, end-of-life etc) where you'll see this:

Help us improve our service to you:
Program missing? Suggest it here!

Follow the instructions there and post details of the .exe file .

Regards

EDIT: correcting typos




--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
taffy078 RE: Adobe Creative Suite CS5: vulnerability in Java JRE version installed
Contributor 27th May, 2010 16:25
Score: 408
Posts: 1,335
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Last edited on 27th May, 2010 16:26
Hi. May I call you Shepherd?

Regarding Java, here is a post by Maurice Joyce who is a regular problem solver here, especially Java & Adobe.

It's long but it's easy to follow - honestly!

You can try those steps but do come back and let us know how you got on. Any problems still there can be resolved.

In the meantime, if you want to suggest to Secunia that they add a program, please go to the paragraph at the bottom of the Page (vulnerability, end-of-life etc) where you'll see this:

Help us improve our service to you:
Program missing? Suggest it here!

Follow the instructions there and post details of the .exe file .

PS I posted the first part of this earlier but it's not showing. (EDIT: it is! I must have had two Secunia screens open.)

*************************************************************
"PART 1

STANDARD UPDATING OF JAVA
~~~~~~~~~~~~~~~~~~~~~~~~~~
Can be used with Windows XP,Vista & Windows 7 - 32 & 64 Bit Systems.

If U have but do not use a 64 Bit Browser there is no requirement for Java 64 to be installed. If already installed it can safely be removed via Control Panel>Add/Remove.

JAVA now use an Uninstaller as part of the install process. This makes updating very easy using this method.

1. 32 Bit Systems.

A. Go to Start>Control Panel>click on the JAVA icon>select the Update tab>click the Update Now button.
OR
B. Click this link:
http://www.java.com/en/download/manual.jsp (select 32 Bit)


1A. 64 Bit Systems. Click on this link:
http://www.java.com/en/download/manual.jsp (select 64 Bit)

Both 32 & 64 Bit downloads are available. Download/install them one at a time.

Notes:

U can use the 32 Bit browser to install the 64 Bit version.

To test your JAVA 32 Bit is working correctly use this test link:
http://java.com/en/download/help/testvm.xml

As normal, reboot, carry out a full PSI scan & all should be in order.

Secunia monitors both JAVA 32 & 64 Bit versions.

OPTIONAL EXTRAS AFTER UPDATING
+++++++++++++++++++++++++++++++

1. Go to Control Panel>JAVA icon>Update Tab and take the tick out of box marked "Check for updates auto ....." (This will prevent a Java updater notification from starting each time U switch on your PC - PSI is already doing this job for U)

2. If U prefer not to have the JAVA icon in the System Tray when in use, open the Advanced Tab>look for Miscellaneous>click the + sign & then remove the tick from clearly marked box.

3. U may also wish to speed up your browser by clearing out the JAVA cache & permanently lowering the quota allocation. If U are unsure how to do this post back for more information.



++++++++++++++++++++++++++++++++++++++++++++++++++


PART 2

CLEARING OUT OLD JAVA DROSS (32 Bit)
~~~~~~~~~~~~~~~~~~~~~~~~~~~
If U have completed Part 1 & still have a problem it is because the new JAVA uninstaller only removes the previous version. U could still have very old JAVA dross on your system. Try this:

1. Install or double check U have the latest JAVA version (Currently Version 6 Update 20) from here:

http://www.java.com/en/download/manual.jsp (select 32 Bit)

http://www.java.com/en/download/manual.jsp (select 64 Bit)


2. This tool will remove all the old dross except for the version U have just installed. Click here:

http://raproducts.org/

*This link takes U to the site - select the Windows Binary (zip) option.
*This will lead U to Sourceforge.net to download it.
*Save the download to desktop.
*Activate the desktop zip icon which exposes the JAVARA EXE file. Click it
*Select RUN when asked.
*Select your language.
*The tool will now appear on the desktop - select REMOVE OLDER VERSIONS
*Once complete select ADDITIONAL TASKS - tick all boxes & activate.
*Right click on the desktop JAVARA zip file & delete it.

3. To test your JAVA is working correctly use this test link: http://java.com/en/download/help/testvm.xml

Hope this helps.


--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Anthony Wells RE: Adobe Creative Suite CS5: vulnerability in Java JRE version installed
Expert Contributor 27th May, 2010 17:01
Score: 2437
Posts: 3,323
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 27th May, 2010 17:11
@Shepherd_france ,

I have had a similar response some time ago , when Open Office was locked into an earlier/out of date/insecure version of JRE ; that came from a very helpful big chief in Sun , who looked after both products !!

Here is what Java currently state :-

http://www.java.com/en/download/faq/remove_olderve...

By adding "_old" you should keep the bad guys away and presumably you'll get a prompt if it doesn't run when you need it .

In the past (cannot find the exact thread - somewhere under a CS number) , when embedded Flash was not updated there was success in copying/loading an up to date copy of the .dll file .*** How this process can/could be adapted to Java I do not know - neither whether the old version u18 is necessary to CS5 .

In my case the old version reloaded until an OOo update took care of the problem .

Lots of questions and not enough answers .

Maybe someone else has light to shed .

Let us (other users) know how you get on .

Anthony

***EDIT : here's one :-

http://secunia.com/community/forum/thread/show/156...

--


It always seems impossible until its done.
Nelson Mandela
Shepherd_france RE: Adobe Creative Suite CS5: vulnerability in Java JRE version installed
Member 28th May, 2010 05:20
Score: 0
Posts: 6
User Since: 27th May 2010
System Score: N/A
Location: FR
Last edited on 28th May, 2010 05:25
Hi,

Thanks for trying to help me :-).

If I posted on Secunia this is because I already tried a lot of things without success.
I know how to manage regular Java installation/uninstallation. By the way I always remove version installed before installing last one available.

With Java "made in" Adobe, problem is different since JRE folder is embedded in Adobe ones. In addition, this version is maybe customized by or for Adobe.
If I compare JRE folders content from Adobe with JRE6 folders from Sun Java, I don't have exactly the same file names and the same number of items.

In the Control Panel "Programs and functionalities" I only see the regular Sun Java installation (6.0.20). Of course, old version installed by Adobe doesn't appear there. Same comment for the list of programs in "Windows Installer Cleanup".

I even gave a try to this: after having saved Adobe JRE original folder, I run Java installer changing destination folder to Adobe one. Wizard warns Java is already installed on the system. I didn't go further to force reinstallation because:
- could cause Java update/uninstallation troubles due to multiple installations thru different paths;
- could also trigger CS5 update problems if Adobe releases a patch someday.
This is why I preferred renaming java.exe (if an Adobe patch shows up, coming back to original file name is quite easy before launching update).

I hoped Secunia could help relaying this vulnerability (after checking it of course). Before I post here I first used the Report vulnerability feature on Advisories page.
If serious websites and many users talk about this unacceptable vulnerability, I guess Adobe will have to patch it at least for preserving its brand image.

Anthony Wells RE: Adobe Creative Suite CS5: vulnerability in Java JRE version installed
Expert Contributor 28th May, 2010 11:13
Score: 2437
Posts: 3,323
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 28th May, 2010 11:17
@Shepherd_france ,

There is a Community Forum problem/bug in the use of the sub-forum "Vulnerabilities" which taffy was quick to point out to you (after a bunch of problems last weekend) ; that is the place for only the technical aspects of the vulnerability and nothing else .

Your problem is whether the embedded version in CS5 is "insecure" and makes your system vulnerable : if so how insecure and under what conditions ?? This is a specific "program" situation and of no direct interest to the people who look after Advisories , unless it has a direct impact :ie : a new type of exploit of the existing Advisory .

Again , u18 is patched and your problem of applying the patch is a "program" problem not a "vulnerability" one in Secunia Forum terms/rules/interests .

I think you have done all you can , especially being prudent wherein the embedded files are not the same as your u20 JRE installation .

It was pointed out to me regarding OOo that the insecurity would only occur if I used "bad practices" ; ie/eg : opening an "Email link" of dubious origin in OOo .

So the question is :"what is the exposure of u18 ??"

Hope that is clearer re the Forum .

Let us know any "update(s)" :)))

Anthony

--


It always seems impossible until its done.
Nelson Mandela
Shepherd_france RE: Adobe Creative Suite CS5: vulnerability in Java JRE version installed
Member 28th May, 2010 12:30
Score: 0
Posts: 6
User Since: 27th May 2010
System Score: N/A
Location: FR
Last edited on 28th May, 2010 12:33
on 28th May, 2010 11:13, Anthony Wells wrote:
@Shepherd_france ,

There is a Community Forum problem/bug in the use of the sub-forum "Vulnerabilities" which taffy was quick to point out to you (after a bunch of problems last weekend) ; that is the place for only the technical aspects of the vulnerability and nothing else .

I think you misunderstood my previous post that didn't refer to the section Vulnerabilities I wrongly chose but to Vulnerability report (http://secunia.com/advisories/report_vulnerability...).

on 28th May, 2010 11:13, Anthony Wells wrote:
Your problem is whether the embedded version in CS5 is "insecure" and makes your system vulnerable : if so how insecure and under what conditions ?? This is a specific "program" situation and of no direct interest to the people who look after Advisories , unless it has a direct impact :ie : a new type of exploit of the existing Advisory .

I don't know how unsecure it is and under what conditions. The problem is most of users don't have the competences to find that out.
So if I understand well your reasoning users must wait a possible exploit before vulnerability in CS5 deserves Advisories interest?

on 28th May, 2010 11:13, Anthony Wells wrote:
Again , u18 is patched and your problem of applying the patch is a "program" problem not a "vulnerability" one in Secunia Forum terms/rules/interests .

Sure problem is due to internal use of external Java licence but so what? If this vulnerability cannot be patched thru regular Sun installer/updater, Adobe becomes responsible of the problem. Then vulnerability should be assigned to Adobe CS5, not to Sun who did its job patching known vulnerabilities in U18 and U19.

on 28th May, 2010 11:13, Anthony Wells wrote:
I think you have done all you can , especially being prudent wherein the embedded files are not the same as your u20 JRE installation .

It was pointed out to me regarding OOo that the insecurity would only occur if I used "bad practices" ; ie/eg : opening an "Email link" of dubious origin in OOo .

What is OOo?
When you work all day long with your computer it's easy to get caught by tricky emails or website pages. I worked several years for ESET, so I know about "bad practises". Unfortunately in our daily behaviour, productivity often leads to "bad practises".

Regards,
Anthony Wells RE: Adobe Creative Suite CS5: vulnerability in Java JRE version installed
Expert Contributor 28th May, 2010 17:14
Score: 2437
Posts: 3,323
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 28th May, 2010 17:17
@Shepherd_france ,

We are tending to wander off here a bit ; but to answer what I know , purely down to my personal experience - a Secunia Official may have other comments/corrections :-

1)The link is for researchers to expose/add to/etc. new/old vulnerabilities . Java u18 is fully exposed in the relevant SA and it is "known" to be embedded in CS5 ; so nothing new to report either with the link or in the problematic "vulnerabilities" sub-forum .

2a)Same applies to your next point . PSI has told you the problem and where it is (u18 in CS5) whether it exposes you to a security risk depends on .... :eg: location , as in , no exposure in a true "backup folder". The multiple possibilities of exposure are down to you to find out about on your own idiosyncratic system - not a Secunia/PSI job

2b)A "new" JRE exploit would apply to u20 which is the patch for u18 and Secunia would produce an Advisory for it ; same for a different exploit being discovered for CS5 or another embedded program .

3)The vulnerability is in Oracle's Sun Java JRE u18 and is so assigned there . You finding it in Adobe is your and Adobe's problem to fix , not Secunia's - they advise , you act . Their system works to their logic rather than yours , you are tending to use your interpretation of facts and language to prove/argue a point ; everybody is on a steep learning curve here on the Forum and that's why we are here.

4)OOo is the reduced term for the Open Office (organisation's) program as developed with Sun and to which I referred earlier . Nothing is 100% but prevention is infinitely less painful than cure . Good practice takes time , effort , etc. , any "excuses"/rushing - like a dubious website link - is a "reason" for the bad guys and just what they are looking to exploit .

Hope that is clearer (than mud):)

Take care
Anthony

--


It always seems impossible until its done.
Nelson Mandela
Shepherd_france RE: Adobe Creative Suite CS5: vulnerability in Java JRE version installed
Member 29th May, 2010 01:58
Score: 0
Posts: 6
User Since: 27th May 2010
System Score: N/A
Location: FR
@Anthony

Yes we are tending to wander off a bit.

With such logic Adobe can continue not patching as long as vulnerability is on Sun's back (which is not the case, it's not Sun responsibility if Adobe installs an old version already patched twice since u18). BTW I understand Adobe DVD items are not up-to-date but I don't understand they haven't released online patch yet.

PSI does its job I fully agree (but not all users have PSI installed).
For Secunia website, it's IMHO not the case.
If users launch a research on Secunia Advisories to check if some unpatched vulnerabilities affect Adobe Creative Suite CS5, they don't find anything about any CS5 product and think everything is fine... whereas it's not the case.

Am I the only user to search for such information on SA before installing software? Why since I have PSI to warn me? Because it's useless to install an application I don't need urgently for having to uninstall it if PSI warns about unpatched/unsolved vulnerabilities.

Regards from France :-),
Anthony Wells RE: Adobe Creative Suite CS5: vulnerability in Java JRE version installed
Expert Contributor 29th May, 2010 11:28
Score: 2437
Posts: 3,323
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 29th May, 2010 11:33
@Shepherd ,

Secunia's business is the SA's and their commercial programme CSI . They generously offer PSI/OSI which tells/gives you an abbreviated version for free ; they are trying to get to as many people as possible and thereby reduce the overall weight of web insecurity.

CS5 is not specifically vulnerable , its embedded u18 is . Secunia are specific (on record) in saying that the "repair" of an embedded program is down to the installer ; in this case Adobe . Noting every programme with an insecure embedded Java or Flash programme is not essential to them and would "cost" and clutter their present system (as I understand it) .That is their logic and it works for their business ; if you don't have CSI /PSI/OSI they can't help/advise you further than their SA . Being clever , I could add that you should know in detail what you have downloaded onto your system ; back to "excuses" and "reasons" and why the bad guys are having a field day .

You are wise to look at SA's first ; but there is the "bear trap" of the "vulnerabilities" sub-forum ; there is the latest "furious" debate here if you have time to spare/waste :-

http://secunia.com/community/forum/thread/show/434...

I live in France as well ; on the Med :)))))) in the largest vineyard in the world (the Languedoc) !!

Take care
Anthony

--


It always seems impossible until its done.
Nelson Mandela
Shepherd_france RE: Adobe Creative Suite CS5: vulnerability in Java JRE version installed
Member 29th May, 2010 12:51
Score: 0
Posts: 6
User Since: 27th May 2010
System Score: N/A
Location: FR
Last edited on 29th May, 2010 18:04
on 29th May, 2010 11:28, Anthony Wells wrote:
@Shepherd ,

Secunia's business is the SA's and their commercial programme CSI . They generously offer PSI/OSI which tells/gives you an abbreviated version for free ; they are trying to get to as many people as possible and thereby reduce the overall weight of web insecurity.

I agree with that, it's not my point.

on 29th May, 2010 11:28, Anthony Wells wrote:
CS5 is not specifically vulnerable , its embedded u18 is .

Could we stop this game? Yes this is u18 that is vulnerable but as it is embedded in CS5 the only way to get rid of this vulnerability today is to uninstall CS5!
Good deal for users who paid 2750 € for full version or at minimum 896 € for CS5 upgrade. Creative Suite is for professionals (not only but mainly) and they don't enjoy seeing a vendor playing with their computing security.

on 29th May, 2010 11:28, Anthony Wells wrote:
Being clever , I could add that you should know in detail what you have downloaded onto your system ; back to "excuses" and "reasons" and why the bad guys are having a field day .

Nonsense! Especially for end users.
Have you tried to install CS5? Even thru customized installation, because of dependencies between programs, user cannot control what is installed. Have you ever had a look at the system after Adobe Creative Suite CS5 installation? It is invaded even when user unchecks all the modules he didn't want to install (some are installed all the same probably due to dependencies mentioned).
And once again, we are talking of Adobe, a big famous company providing professional software, not of the installation of small product downloaded from nowhere! So clever you are if you always know about everything installed on your computer.

Bon week-end :-).

PS: a detail just came back to my mind. In the Adobe system requirements list for Windows:
- Java™ Runtime Environment 1.5 (32 bit) or 1.6
Let's suppose JRE is part of system requirements, not that it is installed by Adobe itself.

Anthony Wells RE: Adobe Creative Suite CS5: vulnerability in Java JRE version installed
Expert Contributor 31st May, 2010 19:34
Score: 2437
Posts: 3,323
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 31st May, 2010 19:35
@Shepherd_france ,

The second time you quote me is out of context and it refers to Secunia/PSI point of view - see Secunia Official Morten Hansen's second post here :-

http://secunia.com/community/forum/thread/show/434...

If you have a continuing problem with this , I suggest you take it up in an email to support@secunia.com .

My "nonsense" is purely your PERSONAL OPINION and I stick by what I said - chacun a ses défauts - "knowing" is not the same as "controlling" for amateur or professional alike .

The rest is down to you and Adobe ; I won't be clever again and say caveat emptor , however often I so do .

Anthony




--


It always seems impossible until its done.
Nelson Mandela
jmorlan RE: Adobe Creative Suite CS5: vulnerability in Java JRE version installed
Member 31st May, 2010 20:17
Score: 4
Posts: 12
User Since: 26th Nov 2008
System Score: N/A
Location: US
I have exactly the same issue. Is there a setting to point CS5 to the default JRE installation so we can just rip the insecure version out?

I agree this is an Adobe issue, not a Secunia issue. Adobe needs to respond.
Anthony Wells RE: Adobe Creative Suite CS5: vulnerability in Java JRE version installed
Expert Contributor 31st May, 2010 21:07
Score: 2437
Posts: 3,323
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

What is the use/exposure of the embedded u18 as against that of the free standing u20 ??

--


It always seems impossible until its done.
Nelson Mandela
