
Forum Thread: OSI/PSI Discrepancy with Firefox for Java JRE

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
OSI

This thread has been marked as locked.
ceridgac1 OSI/PSI Discrepancy with Firefox for Java JRE
Member 20th Aug, 2010 08:07
Ranking: 0
Posts: 3
User Since: 20th Aug, 2010
System Score: N/A
Location: US
The Online Software Inspector & the Personal Software Inspector both report my computer's installed version of the Java Runtime Environment software (JRE) as fully patched and current. The installed version of the Java JRE is 6.0.200.2. However, Firefox (Web Browser) version 3.6.8 reports that the current version of the Java JRE is insecure and that it should be updated. It presents an "Update" button.

This has been reported as insecure by Firefox for one month, yet Secunia still displays it as the current patched version of the JRE. This is the first discrepancy I've noted with the OSI/PSI and Firefox. Which is the correct analysis, the Secunia OSI/PSI or Firefox?

taffy078

RE: OSI/PSI Discrepancy with Firefox for Java JRE
This reply has been minimised due to a negative Relevancy Score.
This user no longer exists RE: OSI/PSI Discrepancy with Firefox for Java JRE
Member 20th Aug, 2010 08:49
Hi,

The PSI is right in this matter. Java JRE Update 20 is the latest security update, whereas Update 21 is a maintenance release.

For more information, please see our advisory: http://secunia.com/advisories/39260/

As well as the Java SE 6 Update 20 release notes: http://www.oracle.com/technetwork/java/javase/6u21...

Particularly, at the very bottom of the Oracle release notes:
"Java SE 6 Update 21 does not contain any additional fixes for security vulnerabilities to its previous release, Java SE 6 Update 20. Users who have Java SE 6 Update 20 have the latest security fixes and do not need to upgrade to this release to be current on security fixes."

Hope this helps.
Was this reply relevant?
+0
-0
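The distinction drawn in the reply above, between a version that is missing security fixes and one that is merely behind the newest release, as an added example that is not part of the original thread and is not Secunia's or Mozilla's code. The release table is constructed from the statements in the thread; the function names and the mapping from the file version's third field to the update number are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Release:
    update: int            # Java SE 6 "Update N"
    security_fixes: bool   # True if this update added security fixes

# Constructed from the thread: Update 20 is the latest security update,
# Update 21 is a maintenance release with no additional security fixes.
RELEASES = (Release(20, True), Release(21, False))

def update_from_file_version(version: str) -> int:
    """Map a JRE 6 file version such as '6.0.200.2' to its update number.

    Assumption: the third field is the update number times ten
    (200 -> Update 20, 210 -> Update 21) and the fourth is the build.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {version!r}")
    major, minor, update_x10, _build = (int(p) for p in parts)
    if (major, minor) != (6, 0):
        raise ValueError(f"not a Java SE 6 version: {version!r}")
    return update_x10 // 10

def security_baseline(releases=RELEASES) -> int:
    """Newest update that added security fixes (updates assumed cumulative)."""
    return max((r.update for r in releases if r.security_fixes), default=0)

def latest_release(releases=RELEASES) -> int:
    return max(r.update for r in releases)

def assess(version: str, releases=RELEASES) -> dict:
    """Report the two questions separately so the disagreement is visible."""
    installed = update_from_file_version(version)
    return {
        "update": installed,
        "missing_security_fixes": installed < security_baseline(releases),
        "behind_latest_release": installed < latest_release(releases),
    }

if __name__ == "__main__":
    for v in ("6.0.200.2", "6.0.210.6"):   # versions quoted in the thread
        print(v, assess(v))
```

A check that alerts on `behind_latest_release` and one that alerts on `missing_security_fixes` will disagree for 6.0.200.2, which is the discrepancy the original poster saw.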
ceridgac1 RE: OSI/PSI Discrepancy with Firefox for Java JRE
Member 20th Aug, 2010 09:06
Score: 0
Posts: 3
User Since: 20th Aug 2010
System Score: N/A
Location: US
on 20th Aug, 2010 08:13, taffy078 wrote:
Hi ceridgac1.

My Java JRE was updated to v 6.0.210.6 earlier this week.

(A) So that we can help you, we need to know what file(s) Secunia has picked up as insecure. This is what you should do next:

Secunia has picked up no files as insecure -- the score is 100%.

1 Go to the main Secunia PSI window & click on ‘Advanced’ if it’s underlined in blue. (Don't be put off by the name "Advanced"! It's easy to follow/use.)

2 Click on “+” to highlight & expand it.

3 Click on “Technical Details” (in “Toolbox”)

4 This will give you the installation path of the insecure file. If you copy & paste it in your next reply here, someone here will be able to help.


(B) When you reply please also tell us what version of Secunia you are using. It's shown in the bottom-right of the main Secunia screen.

v1.5.0.2

(C) Finally, please post some info about your PC etc – e.g. see my signature below.

Thanks.

Was this reply relevant?
+0
-0
ceridgac1 RE: OSI/PSI Discrepancy with Firefox for Java JRE
Member 20th Aug, 2010 09:15
Score: 0
Posts: 3
User Since: 20th Aug 2010
System Score: N/A
Location: US
on 20th Aug, 2010 08:49, wrote:
Hi,

The PSI is right in this matter. Java JRE Update 20 is the latest security update, whereas Update 21 is a maintenance release.

For more information, please see our advisory: http://secunia.com/advisories/39260/

As well as the Java SE 6 Update 20 release notes: http://www.oracle.com/technetwork/java/javase/6u21...

Particularly, at the very bottom of the Oracle release notes:
"Java SE 6 Update 21 does not contain any additional fixes for security vulnerabilities to its previous release, Java SE 6 Update 20. Users who have Java SE 6 Update 20 have the latest security fixes and do not need to upgrade to this release to be current on security fixes."

Hope this helps.


Thank you, Emil. My suspicions are supported by your response. It is as I suspected, a maintenance release. Sometimes, the download Website for the Java JRE is lax on explanations for what is new with updates. I generally use the 64-bit version of the JRE with IE 8.0-64, but this Firefox recommended update showed using the 32-bit version of Firefox. I have not yet installed the Firefox 64-bit beta version.


Was this reply relevant?
+0
-0
Anthony Wells RE: OSI/PSI Discrepancy with Firefox for Java JRE
Expert Contributor 20th Aug, 2010 12:28
Score: 2437
Posts: 3,324
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 20th Aug, 2010 12:30
@ceridgac1,

If it is any consolation, I had exactly the same situation running Java U20 when Firefox 3.6.8 plug-in updates "suddenly" (as it were) requested U21 for Java several days ago, despite U21 being out very much longer.

As expected, the Java website offered me U21 and I took the opportunity to load it, simply to stop the Ff plug-in warning.

If you want full clarification you would need to ask Mozilla as to why the sudden "unnecessary" update warning.

Take care

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
Was this reply relevant?
+1
-0
