Secunia CSI7
Advisories
Research
Forums
Create Profile
Our Commitment
PSI
PSI API
CSI
OSI
xSI
Vulnerabilities
Programs
Open Discussions
My Threads
Create Thread
Statistics
About

Forum Thread: Secunia Advisory SA37255 - Program has old Java within it- what t...

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Sun Microsystems
And, this specific program:
Oracle Java JRE 1.6.x / 6.x

This thread has been marked as resolved.
thebigeast Secunia Advisory SA37255 - Program has old Java within it- what to do?
Member 7th Jun, 2010 01:27
Ranking: -1
Posts: 4
User Since: 3rd Sep, 2009
System Score: N/A
Location: US
The following program has this version of Java installed within it: 6.0.0.105. The program is:

C:\Program Files\Starry Night Pro 6 Astrophoto\jre\bin\java.exe

I wrote the publisher of the program and had this series of responses:

Me: Secunia PSI is listing the latest updated version of Starry Night Astrophoto suite as having a Java insecurity. The Java version within the program is listed as 6.0.0.105. Java is now at version 6.0.20. Do you plan on updating the Java version within the program?

Them: Astrophoto Suite is no longer being produced, so there won't be a disc with a newer version of Java on it. But if you have a newer Java installed on your computer the version on the disc won't matter.

Me: Thanks for your prompt reply. I do have the latest Java on my computer. However, the old Java still resides in your program. I have no idea how to update that. When I updated Java for the computer, it has no impact on your program. If I run your program, it will be using the old Java leaving me potentially vulnerable. Astrophoto Suite is built on Starry Night which you are still producing and I have the latest version. I assume Starry Night uses the old Java - or is Java only used in Astrophoto Suite?

Them: Apologies, let me clarify this -- Starry Night itself does not actually use Java. The only Java used is in the older installers, which Pro Astrophoto uses. Once it's installed it should no longer be an issue.

I also suspect that your security software is reporting a false positive -- all sorts of programs can result in alerts even if they're harmless.

This potential vulnerability is also showing up in Secunia PSI under browsers being unsecure even though the browsers are updated and PSI points to Astrophoto suite as being the culprit.

I could delete Java from within the program. Their support person seems to suggest Java was only in the installers and the main program does not need it to run.

I'd appreciate hearing any thoughts and suggestions on this matter. Thanks in advance for any and all replies!




Post "RE: Secunia Advisory SA37255 - Program has old Java within it- what to do?" has been selected as an answer.
michaelsalis RE: Secunia Advisory SA37255 - Program has old Java within it- what to do?
Member 7th Jun, 2010 09:00
Score: 57
Posts: 141
User Since: 18th Feb 2009
System Score: 98%
Location: UK
Last edited on 7th Jun, 2010 09:02
hi

Although I have no specific knowledge of the program, I uninstalled Java completely from my laptop some time ago and have not found a need for it.

In my experience, including programs needing Java to work, if you don't have it installed and a particular program needs it you will be advised to download and install the latest version.

I see no problem, unless you need Java for a particular program, in uninstalling it and seeing how you get on without it. The worst that can happen is that you may need to install it in the future.

--
Michael
Toshiba Satelite A660
Intel i7
Windows 7 Ultimate
IE9

Toshiba Equium Laptop
Intel Centrino Duo
Windows Vista Ultimate SP2
IE9
Was this reply relevant?
+2
-0
TiMow RE: Secunia Advisory SA37255 - Program has old Java within it- what to do?
Dedicated Contributor 7th Jun, 2010 09:16
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
If you check the following thread; it also refers to a (different) program with an old version of Java embedded.

http://secunia.com/community/forum/thread/show/436...

If you scroll down to the last post from @Maurice Joyce, the advice was to rename the Java.exe file with the suffix "_old", to remove it from the "equation".

This should have the same effect as deletion, but with less harsh impact, and remove the vulnerability (after a rescan).

TiMow

--
Computing is not yet a perfect science - it still requires humans.
Was this reply relevant?
+2
-0

This thread has been marked as locked.


 Products Solutions Customers Partner Resources Company
 
 Corporate
Vulnerability Intelligence Manager (VIM)
Corporate Software Inspector (CSI)
Consumer
Personal Software Inspector (PSI)
Online Software Inspector (OSI)
 Industry
Compliance
Technology
Integration
 Customers
Testimonials
 VARS
MSSP
Technology Partners
References
 Reports
Webinars
Events
 About us
Careers
Memberships
Newsroom


 
© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144
Terms & Conditions and Copyright - Privacy - Report Vulnerability