
Forum Thread: Auto Update Java

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Sun Microsystems
And, this specific program:
Oracle Java JRE 1.6.x / 6.x

This thread has been marked as locked.
12321 Auto Update Java
Member 2nd Sep, 2010 17:28
Ranking: 0
Posts: 5
User Since: 2nd Sep, 2010
System Score: N/A
Location: DE
What is with Java programs?
When I enable auto update for java does PSI 2.0 beta update the java dic in the specific program folder?

e.g. %ProgramFiles%\Xmind\Xmind_Windows\jre\bin\java.exe

I mean, if Secunia is gonna do it, then some programs are not gonna run anymore...

Maurice Joyce RE: Auto Update Java
Handling Contributor 2nd Sep, 2010 17:38
Score: 11312
Posts: 8,728
User Since: 4th Jan 2009
System Score: N/A
Location: UK
The default location for Java is:

C:\Program Files\Java\jre6\bin\java.exe (on a 32 Bit system)

It looks like Xmind have embedded Java in their programme. It is up to the vendor of Xmind to issue the patch.

Java direct install ( and I suspect PSI update) will only update to the default location.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+4
-0
12321 RE: Auto Update Java
Member 2nd Sep, 2010 18:10
Score: 0
Posts: 5
User Since: 2nd Sep 2010
System Score: N/A
Location: DE
Last edited on 2nd Sep, 2010 18:13
on 2nd Sep, 2010 17:38, Maurice Joyce wrote:
[...] and I suspect PSI update) will only update to the default location.


thanks for your reply.
yeah I suspect that too.

But will PSI 2.0 beta each time it detects that the java in "any folder" (where ever) try to install the up-to-date Java in the default location?
Was this reply relevant?
+0
-0
Maurice Joyce RE: Auto Update Java
Handling Contributor 2nd Sep, 2010 18:32
Score: 11312
Posts: 8,728
User Since: 4th Jan 2009
System Score: N/A
Location: UK
I suspect the answer is no but what U describe could happen.

Ideally the auto feature should update your main default JAVA & notify U that there is another embedded vulnerable version & point U to the vendor to fix it.

Best we wait for Secunia to comment. Sorry I cannot help further.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+1
-0
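One way to do the inventory Maurice describes (check the default Java root, then surface any embedded copy that is behind), written as an added example that is not PSI's code or anything posted in the thread. The default roots, the baseline update number and the Xmind path used in the stub are assumptions; on a real host `report(find_java_binaries(r"C:\Program Files"))` runs `java -version` on every copy it finds.

```python
import ntpath
import os
import re
import subprocess
from typing import Iterable, Optional

# Roots the Sun/Oracle installer maintains; anything else is treated as an
# embedded copy that only the bundling vendor can update. Assumed values.
DEFAULT_ROOTS = (r"C:\Program Files\Java", r"C:\Program Files (x86)\Java")

# Newest JRE 6 update the operator considers current. Constructed placeholder;
# take the real value from the vendor's release notes.
BASELINE = (1, 6, 0, 21)

VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')

def parse_version(banner: str) -> Optional[tuple]:
    """Turn the first line of `java -version` output into a comparable tuple."""
    m = VERSION_RE.search(banner)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def is_default_location(path: str) -> bool:
    """True when the binary lives under a vendor-maintained root (Windows paths)."""
    norm = ntpath.normcase(ntpath.normpath(path))
    return any(norm.startswith(ntpath.normcase(ntpath.normpath(r)) + "\\")
               for r in DEFAULT_ROOTS)

def probe_version(java_exe: str) -> str:
    """Run `java -version`; the banner is printed on stderr, so return that."""
    out = subprocess.run([java_exe, "-version"], capture_output=True,
                         text=True, timeout=30)
    return out.stderr or out.stdout

def find_java_binaries(root: str) -> Iterable[str]:
    """Yield every java.exe (or java) below root, default or embedded."""
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower() in ("java.exe", "java"):
                yield os.path.join(dirpath, f)

def report(paths, probe=probe_version, baseline=BASELINE):
    """Return (path, version, status) rows; embedded copies below baseline
    are the ones the default-location updater will never touch."""
    rows = []
    for p in paths:
        ver = parse_version(probe(p))
        if ver is None:
            status = "unknown"
        elif ver >= baseline:
            status = "current"
        else:
            status = "outdated-default" if is_default_location(p) else "outdated-embedded"
        rows.append((p, ver, status))
    return rows
```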
This user no longer exists RE: Auto Update Java
Member 3rd Sep, 2010 12:41
Hi,

Since this is a bundled install, and there are no actions the end-user can take to remedy it, I have updated our rules so this instance of Java should not be shown if you run a rescan.

Updating the embedded Java Runtime is the responsibility of the vendor, in this case Xmind Ltd.

hope this helps.
Was this reply relevant?
+0
-0
Anthony Wells RE: Auto Update Java
Expert Contributor 3rd Sep, 2010 16:59
Score: 2384
Posts: 3,280
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 3rd Sep, 2010 18:27
Hi Emil ,

This takes us back to what does the user need to know and the "lack of " secure browsing tab and info in 2.0 Beta and as raised by myself and @RTdev near the beginning of this thread :-

http://secunia.com/community/forum/thread/show/532...

Surely this is a "classic" case of a zombie file and the user needs as much help and data to see/asses the risk associated with a vulnerability in an embedded file . Sure the assessment is/can be difficult/complicated/not for the beginner ; but , in my book , that does not mean ignoring the situation and removing the "heads up" advice or the logic would be to go back to having the "simple" mode of PSI or scrap it and only provide the OSI - I am only exaggerating the logic - in a classic platonic argument :)

EDIT : I notice you have done the same in this thread despite the fact there is a "known" sort of workaround of copying the up to date .dll and is posted/stated by @smurphdude which counters your statement that the end user cannot "patch" ; even if it might not be easy for Keith (the OP) to apply , why remove the programme file from all scans ?? Not everybody limits themselves to IE , some may use Ff or Chrome or another Gecko based browser where the plug-in might be needed :-

http://secunia.com/community/forum/thread/show/534...

The same applies here , where ddmarshall provides the "workaround - and suffers some bizarre marking (here and elsewhere :(() for his trouble :-

http://secunia.com/community/forum/thread/show/535...

Take care

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
Was this reply relevant?
+1
-0
This user no longer exists RE: Auto Update Java
Member 6th Sep, 2010 12:38
Hi Anthony,

I see your point, and understand how this could be a concern. However, I disagree that this can be considered a classic Zombie File. Our current definition of Zombie Files is those which are left over from old installations, etc.

In this situation, the problem is that Adobe has bundled an Insecure version of their own software in another program. This is not the same as having the Insecure software installed, as an exploitation vector for the problem has to be proved before we can report on the issue.

Since there is neither a reported vulnerability, or an official workaround, there is little we can do. Secunia only helps users connect with vendor-provided solutions and patches.

In this case, the Insecure installation is not separate from the main program, and should therefore not be shown separately. If, however, a vulnerability is reported in the main application (possibly in relation to the insecure bundled flash), we would definitively report on that.

Hope this helps.
Was this reply relevant?
+0
-0
Anthony Wells RE: Auto Update Java
Expert Contributor 6th Sep, 2010 14:18
Score: 2384
Posts: 3,280
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 6th Sep, 2010 14:21
Hi Emil ,

Thanks for your time in replying :)

I believe that part of the problem is coming from terminology and a certain -at the moment - lack of clarity or change of emphasis .

If , by definition , only left behind after update files are "zombies" that's fine by me , so we are left with embedded files which has always been known to be the responsibility of the vendor of the main programme , equally fine .

You say :

"Since there is neither a reported vulnerability, or an official workaround, there is little we can do. Secunia only helps users connect with vendor-provided solutions and patches. "

The Secunia PSI is a "vulnerability" checker .

Indeed , in this case and in the two instances of Flash in the threads I linked to above , the vulnerability is known - no vendor solution , but known .

In this case of Java , one might be stuck ; but the data could/has been displayed .

In the case of Flash you are talking a Gecko based browser plug-in having a known vulnerability ; again no vendor solution , but a well known (for some 18 months or longer , if memory serves me , and posted to the Forum) workaround which the end user can apply her/himself . This was possible to see with "secure browsing" data and notwithstanding its absence , the vulnerability and fix are still there even if you have removed them from the scan - and despite the fact that there are actions the end user can take . The PSI is still a vulnerability checker , so why not attempt to display all it has to offer , especially where the likes of Flash are in questionable locations .

As has been stated elsewhere , ignorance is not blissful.

Anyway , unless the "secure browsing" data returns my points will be irrelevant and to my mind I would prefer to go back to version 1.5.0.2 and forgo the cosmetic bits - I personally don't need "auto-updates" , disk selection or faster scans ; I do like to be up to date with the latest attacks by the bad guys .

Thanks again , Emil.

Take care

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
Was this reply relevant?
+0
-0
