Forum Thread: Latest Java update (6.0.200.2) leaves vulnerabilities from previo...

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Sun Microsystems
And, this specific program:
Oracle Java JRE 1.6.x / 6.x

This thread has been marked as locked.
simbha Latest Java update (6.0.200.2) leaves vulnerabilities from previous version
Member 2nd Jul, 2010 02:57
Ranking: 0
Posts: 2
User Since: 2nd Jul, 2010
System Score: N/A
Location: US
Last edited on 2nd Jul, 2010 03:01

I updated to the latest Java 6 update 20 and Secunia PSI removed Java from the "Insecure" tab. However, I got hit by a drive-by because one of the plugins used by Firefox, Chrome, etc., in C:\Program Files\Java\jre6\bin\new_plugin\npdeploytk.dll didn't get updated and left behind a gaping security hole.

I think this has happened often enough to warrant a mention in the vulnerability note by CERT http://www.kb.cert.org/vuls/id/886582. See the "Note" in section III.

PSI scans java.exe to verify the version, but at least for this update it should also scan for the above DLL, or for all the Java deployment plugins, and make sure they are updated. Definitely worthwhile if it can be done for all future versions.

ddmarshall RE: Latest Java update (6.0.200.2) leaves vulnerabilities from previous version
Dedicated Contributor 2nd Jul, 2010 13:57
Score: 1212
Posts: 968
User Since: 8th Nov 2008
System Score: 98%
Location: UK
Oracle seem to think that Update 20 cures this problem, but in my case Firefox also detected it as an unsafe plugin and disabled it. I had to delete it manually.

http://www.java.com/en/download/help/firefox_addon...

--
This answer is provided “as-is.” You bear the risk of using it.
taffy078 RE: Latest Java update (6.0.200.2) leaves vulnerabilities from previous version
Contributor 2nd Jul, 2010 14:07
Score: 408
Posts: 1,352
User Since: 26th Feb 2009
System Score: 100%
Location: UK
I had similar problems with the previous update, but I didn't with this update because I followed Maurice Joyce's advice from a thread ten (?) days ago. See below.

I don't know if this will help you on this occasion. If it doesn't please get back so that one of the technical guys can help you.

Regards


***********************************************

JAVA PROBLEMS
=============
PART 1 - STANDARD MANUAL UPDATING OF JAVA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Can be used with Windows XP, Vista & Windows 7 - 32 & 64 Bit Systems.

If U have but do not use a 64 Bit Browser, there is no requirement for Java 64 to be installed. If already installed it can safely be removed via Control Panel>Add/Remove.

JAVA now uses an Uninstaller as part of the install process. This makes updating very easy using this method.

1. 32 Bit Systems.

A.Go to Start>Control Panel>click on the JAVA icon>select the Update tab>click the Update Now button.
OR
B. Click this link:
http://www.java.com/en/download/manual.jsp (select 32 Bit)


1A. 64 Bit Systems. Click on this link:
http://www.java.com/en/download/manual.jsp (select 64 Bit)

Both 32 & 64 Bit downloads are available. Download/install them one at a time.

Notes:

U can use the 32 Bit browser to install the 64 Bit version.

To test your JAVA 32 Bit is working correctly use this test link:
http://java.com/en/download/help/testvm.xml

As normal, reboot, carry out a full PSI scan & all should be in order.

Secunia monitors both JAVA 32 & 64 Bit versions.

OPTIONAL EXTRAS AFTER UPDATING WHICH ARE NOT COMPLETED BY THE AUTO UPDATE FEATURE
+++++++++++++++++++++++

1. Go to Control Panel>JAVA icon>Update Tab and take the tick out of the box marked "Check for updates auto ....." (This will prevent a Java updater notification from starting each time U switch on your PC - PSI is already doing this job for U)

2. If U prefer not to have the JAVA icon in the System Tray when in use, open the Advanced Tab>look for Miscellaneous>click the + sign & then remove the tick from clearly marked box.

3. U may also wish to speed up your browser by clearing out the JAVA cache & permanently lowering the quota allocation. If U are unsure how to do this post back for more information.

PART 2 - CLEARING OUT OLD JAVA DROSS (32 Bit)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If U have completed Part 1 & still have a problem, it is because the new JAVA uninstaller only removes the previous version. U could still have very old JAVA dross on your system. Try this:

1. Install or double check U have the latest JAVA version (Currently Version 6 Update 20) from here:

http://www.java.com/en/download/manual.jsp (select 32 Bit)

http://www.java.com/en/download/manual.jsp (select 64 Bit)


2. This tool will remove all the old dross except for the version U have just installed. Click here:

http://raproducts.org/

*This link takes U to the site - select the Windows Binary (zip) option.
*This will lead U to Sourceforge.net to download it.
*Save the download to desktop.
*Activate the desktop zip icon which exposes the JAVARA EXE file. Click it
*Select RUN when asked.
*Select your language.
*The tool will now appear on the desktop - select REMOVE OLDER VERSIONS
*Once complete select ADDITIONAL TASKS - tick all boxes & activate.
*Right click on the desktop JAVARA zip file & delete it.

3. To test your JAVA is working correctly use this test link: http://java.com/en/download/help/testvm.xml


--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
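A way to see what Part 2 of the guide above is about to clean up before running JavaRa, as an added example that is not part of the post and not a Secunia or JavaRa tool: a PowerShell script that lists every Java entry in the Windows Uninstall registry (the native view and the Wow6432Node 32-bit view on 64-bit Windows) and flags the ones older than the version you tell it is current. The Uninstall key paths are the standard ones; the DisplayName pattern, the default current version (6 Update 20 = 6.0.200) and the optional msiexec removal are assumptions.

```powershell
# Added example (not from the thread, not a Secunia or JavaRa tool):
# list every Java entry in the Windows Uninstall registry and flag the ones
# older than the release the guide calls current (6 Update 20 -> 6.0.200).
# Assumes PowerShell 3 or later and the standard Uninstall key layout.
param(
    [version]$Current = '6.0.200',   # assumption: adjust to the version you just installed
    [switch]$Remove                  # actually run msiexec /x on the old entries
)

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'   # 32-bit view on 64-bit Windows
)

$entries = foreach ($key in $uninstallKeys) {
    Get-ChildItem -Path $key -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object {
            # assumption: Sun/Oracle runtime entries start with "Java(TM)", "J2SE" or "Java 2";
            # the auto-updater helper is not a runtime and is left alone
            $_.DisplayName -match '^(Java\(TM\)|J2SE|Java 2)' -and $_.DisplayName -notmatch 'Auto Updater'
        } |
        ForEach-Object {
            $v = $null
            try { $v = [version]$_.DisplayVersion } catch { }
            # MSI product code, if the uninstall string carries one
            $code = if ($_.UninstallString -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { $null }
            [pscustomobject]@{
                Old         = (-not $v) -or ($v -lt $Current)
                View        = if ($_.PSPath -match 'Wow6432Node') { '32-bit' } else { 'native' }
                Name        = $_.DisplayName
                Version     = $_.DisplayVersion
                ProductCode = $code
            }
        }
}

$entries | Sort-Object Old -Descending | Format-Table -AutoSize

$old = @($entries | Where-Object { $_.Old -and $_.ProductCode })
foreach ($e in $old) {
    if ($Remove) {
        Write-Host "Removing $($e.Name)"
        Start-Process msiexec.exe -ArgumentList "/x $($e.ProductCode) /qn /norestart" -Wait
    } else {
        Write-Host "Would remove $($e.Name) (run with -Remove): msiexec /x $($e.ProductCode) /qn"
    }
}
```

Run it without -Remove first from an elevated prompt; an entry with no parseable DisplayVersion is reported as old on purpose, since a runtime you cannot date is one you cannot trust. Removing entries this way only runs each product's own uninstaller, so anything the installer never registered (the stale plug-in DLL from the opening post, for instance) still has to be found on disk.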
Anthony Wells RE: Latest Java update (6.0.200.2) leaves vulnerabilities from previous version
Expert Contributor 2nd Jul, 2010 16:03
Score: 2454
Posts: 3,345
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 2nd Jul, 2010 16:05
@simbha ,

Up until recently, the PSI used to detect Java in two locations, the current JRE6 bin location and in Windows system32. As some posters queried why there were/are more than one entry for some programmes, support cleaned up some entries, including Java.

The PSI does show the Java Console extension for Ff, but neither of the two 6 update 20 plug-ins for Ff or Chrome.

I disabled the DTK U 19 plug-in as a "workaround" at the time of the initial vulnerability warning and Ff "told/displayed to" me that it had not been removed at the time of U 20. Until the PSI can check and display all Ff extensions and plug-ins (in their thousands) and a whole raft of other .dll (and I don't think that is for tomorrow), then perhaps the only realistic way is for some quick thinking person to tell support (at the time) that the update has left an "insecurity" behind and ask them to add it to their rules.

Maybe you could get them to add the file to their rules now, just in case someone else might still be/get caught out.

Take care
Anthony



--


It always seems impossible until it's done.
Nelson Mandela
simbha RE: Latest Java update (6.0.200.2) leaves vulnerabilities from previous version
Member 2nd Jul, 2010 19:53
Score: 0
Posts: 2
User Since: 2nd Jul 2010
System Score: N/A
Location: US
Taffy,

Thanks for the information, but I already reinstalled the updated Java. Since I no longer trust the Java updater, I have decided to uninstall older versions of Java completely, delete the Java folder in Program Files and then install the new version from scratch.

Anthony,

I was hoping Secunia would start scanning Java plugins only, since Java seems to be exploit galore of the hour with tons of websites dedicated to teaching people how to craft pages with drive-by downloads. At the very least it should scan for the stale version (6.0.190.4) of the DTK plugin as a one time thing, since the latest Java updater seems to have messed up big time. A lot of people depend on Secunia PSI (I did) to patch the security issues and it will be welcome if the Secunia team can push out a rule to check for npdeploytk.dll and display a warning. I hope this would be an easy thing to do.

Thanks for your replies.
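The check simbha asks for in the post above and in the opening post, as an added example that is not part of the thread and not one of Secunia's PSI rules: a PowerShell script that compares the Java Deployment Toolkit plug-in DLLs, both those found under the JRE directory and those the browsers are actually registered to load, against the version that java.exe itself reports, and flags any that lag behind. The file from the opening post, npdeploytk.dll under bin\new_plugin, is the case it was written for; the default JRE path, the extra file names (deploytk.dll, npjp2.dll) and the HKLM\SOFTWARE\MozillaPlugins registration layout are assumptions.

```powershell
# Added example (not from the thread, not a Secunia PSI rule): flag Java
# deployment plug-in DLLs whose file version is older than the JRE's java.exe.
# Assumptions: default 32-bit JRE 6 path (use "Program Files (x86)" for a
# 32-bit JRE on 64-bit Windows); the DLL names below; browser plug-in
# registrations under HKLM\SOFTWARE\MozillaPlugins, each subkey with a 'Path' value.
param(
    [string]$JreHome = 'C:\Program Files\Java\jre6'
)

function Get-PeFileVersion([string]$Path) {
    # Returns the PE FileVersion as a [version], or $null if the file is absent
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    [version](Get-Item -LiteralPath $Path).VersionInfo.FileVersion
}

$jreVersion = Get-PeFileVersion (Join-Path $JreHome 'bin\java.exe')
if (-not $jreVersion) { throw "java.exe not found under $JreHome" }
Write-Host "java.exe reports $jreVersion"

# 1. Plug-in DLLs anywhere under the JRE tree (the stale file in the post
#    sat in bin\new_plugin, which the updater had left untouched)
$onDisk = Get-ChildItem -Path $JreHome -Recurse -Include 'npdeploytk.dll','deploytk.dll','npjp2.dll' -ErrorAction SilentlyContinue |
          Select-Object -ExpandProperty FullName

# 2. Plug-ins the browsers will load: Mozilla-style registration keys.
#    A Path that points at a missing file shows up as MISSING below.
$registered = Get-ChildItem -Path 'HKLM:\SOFTWARE\MozillaPlugins' -ErrorAction SilentlyContinue |
              ForEach-Object { (Get-ItemProperty -Path $_.PSPath).Path } |
              Where-Object { $_ }

$stale = @()
foreach ($dll in (@($onDisk) + @($registered) | Sort-Object -Unique)) {
    $v = Get-PeFileVersion $dll
    $status = if (-not $v)                  { 'MISSING' }
              elseif ($v -lt $jreVersion)   { 'STALE' }
              else                          { 'ok' }
    if ($status -ne 'ok') { $stale += $dll }
    '{0,-8} {1,-12} {2}' -f $status, $v, $dll
}

if ($stale.Count -gt 0) {
    Write-Warning ("{0} deployment plug-in file(s) older than java.exe or missing" -f $stale.Count)
    exit 1
}
```

The version comparison is deliberately against java.exe rather than a hard-coded number, so the same script keeps working after the next update; a non-zero exit code makes it usable as a post-update check from a logon script or a scheduled task. Any file it reports as STALE is one PSI's java.exe-only check would not have seen, which is exactly the gap described in the opening post.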
Anthony Wells RE: Latest Java update (6.0.200.2) leaves vulnerabilities from previous version
Expert Contributor 3rd Jul, 2010 21:29
Score: 2454
Posts: 3,345
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi simbha,

Secunia don't work on the PSI at weekends, so if they do not pick up on this thread at that time (Monday next), you might like to contact them about this Java U19 plug-in insecurity problem by email to support@secunia.com

Take care
Anthony

--


It always seems impossible until it's done.
Nelson Mandela
