
Forum Thread: Reporting unpatched danger but scan says no problems

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Oracle Corporation
And, this specific program:
Sun Java JRE 1.4.x / 4.x

This thread has been marked as locked.
balsam Reporting unpatched danger but scan says no problems
Member 6th Sep, 2010 03:05
Ranking: 0
Posts: 4
User Since: 25th Jun, 2009
System Score: N/A
Location: US
XP home. Secunia found SunJava JRE1.4.x needed patching. After it was patched and a scan was run the threat still showed as needing attention. Uninstalled and reinstalled Secunia but the new install still showed Sun Java JRE 1.4x was still a threat. I keep updating Sun Java which tells me I already have the latest version. But I reinstalled anyway (5 times now) trying to get rid of the warning from Secunia. We have run out of ideas. Can anyone help please?

TiMow RE: Reporting unpatched danger but scan says no problems
Dedicated Contributor 6th Sep, 2010 07:57
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
Last edited on 6th Sep, 2010 09:55
Hi balsam

As I'm sure you're aware, the latest stand alone version of Java is 1.6.x / 6.x (6.0.210.6).

It could be that this "old" version (1.4.x) is an embedded version included within a third party program.

If that is the case, then it doesn't get updated when the stand alone version does. Only when the "mother" program gets updated by the program vendor is there a possibility that the Java version becomes (more) current.

The key to solving this issue, is to find the installation path where PSI is finding the insecure Java.

[As of yet I haven't updated to the latest PSI (2.0 beta) and the following guidelines relate to my stable PSI installation (1.5.0.2) - there may be some differences in appearance/operation of which I'm not aware.]

- PSI in Advanced mode (top right PSI window)
- click [+] on l.h.s. of Java listing (Insecure or End of life tab)
- click Technical Details icon (from Toolbox)
- highlight the installation path, then copy (Ctrl + C)
- post this (Ctrl + V) back to the forum

We can go from there.

TiMow

PS - An afterthought: have you checked to see if this Java version is present in Add/Remove Programs (from Control Panel)? - unlikely, but possible. Should it be there, you can easily remove it.

--
Computing is not yet a perfect science - it still requires humans.
This user no longer exists RE: Reporting unpatched danger but scan says no problems
Member 6th Sep, 2010 10:45
Hi,

Since Sun Java JRE 1.4.x is End-Of-Life (EOL) the "Solution" provided by the Secunia PSI is a download for version 1.6.x. This means that the old version will not be uninstalled, even though you have applied the solution. To avoid the alert, you need to either remove or ignore the old version.

If, however, you feel there are still unsolved problems, I suggest you post the "Path" to the file here. To obtain the path, switch your PSI to advanced mode, go to the End-Of-Life tab, click "+" to expand, and copy-and-paste the field labeled "Installation Path".

hope this helps.
balsam RE: Reporting unpatched danger but scan says no problems
Member 7th Sep, 2010 01:25
Score: 0
Posts: 4
User Since: 25th Jun 2009
System Score: N/A
Location: US
Thanks for your so prompt assistance. Your directions were so easy to follow even for a near beginner. Here is the path:
C:\Program Files\Java\j2re1.4.2\bin\eula.dll
By-the-way, I did remove everything relating to Java using "Add/Remove" and even after removing all of Java, when I ran a scan PSI still found the old Java a threat on my computer. I understand now, thanks to all the great help I got, that the "end-of-life" Java is still on my computer somewhere and I need to get rid of it but as it's not in my "Add/Remove" I will need the assistance you kindly offered. Another by-the-way, I did successfully install the latest Java 1.6.x and it is safely on my "Add/Remove" list. Thanks so much, Balsam
TiMow RE: Reporting unpatched danger but scan says no problems
Dedicated Contributor 7th Sep, 2010 08:24
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
Last edited on 7th Sep, 2010 09:07
Hi balsam

Thanks for posting the file path. Although similar, it is not the same as the normal location, which is as follows:

C:\Program Files\Java\jre6\bin\java.exe

For ease of reference, yours is:

C:\Program Files\Java\j2re1.4.2\bin\eula.dll

The last part of the file path is preventing this from being updated with the normal stand alone Java.
It is unclear to me why this is present:

- the acronym "eula" will probably stand for "end user licence agreement", but for what? Having done Google search, out of the many possibilities for the origins of any "eula", it does specifically give a link relating to M$ XP Home:

http://www.microsoft.com/windowsxp/eula/home.mspx

This may be why it's there (maybe not).

- dll stands for "dynamic link libraries", which means many files can access/reference the same routine.

I think that you don't need this for normal operations, but rather than delete it (just in case), you can rename this file, so if something was found not to function correctly (unlikely), you can easily revert back.

If using PSI 1.5.0.2, follow same procedure as above - Advanced, [+], etc.
Then click "Open Folder"; - this will take you to the main Java file location in Windows Explorer.
On r.h.s. of window are many named icons - look for "eula.dll" (they're listed alphabetically). Once found, click to highlight, right click and choose Rename. Move cursor to end of line and add _old after .dll

This addition is not recognised in computer language and therefore this line won't be used, but if there appears to be any operational problems, you can easily undo your change (maybe keep a separate note of the file path for reference).

[If using PSI 2.0 beta, there is another way of going to "Open Folder", but that info. will need to come from another source]

Don't forget to re-boot and re-scan PSI.

TiMow

EDIT: Just checked my Java file elements - I also have "eula.dll", but for current Java u.21 (hover mouse over icon for details) - licence agreement for Java itself.
Be sure to make sure you check (follow) your file path for \j2re1.4.2\ (probably listed on l.h.s. of Windows Explorer window), and not the current \jre6\.

You may just want to consider deleting the entry for \j2re1.4.2\ (l.h.s.), if the above doesn't work. In the first instance it goes to recycle bin (where it can be re-instated if needed), but PSI may still pick it up from there (again check file path, if it does).

--
Computing is not yet a perfect science - it still requires humans.
Maurice Joyce RE: Reporting unpatched danger but scan says no problems
Handling Contributor 7th Sep, 2010 09:43
Score: 11581
Posts: 8,899
User Since: 4th Jan 2009
System Score: N/A
Location: UK
It's just an old End User Licence Agreement (EULA).

Go to Control Panel > Add/Remove.

Look for any JRE, JSE, JDK or JAVA(TM) entries and uninstall them EXCEPT for JAVA(TM) 6 Update 21.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Anthony Wells RE: Reporting unpatched danger but scan says no problems
Expert Contributor 7th Sep, 2010 14:37
Score: 2425
Posts: 3,315
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 7th Sep, 2010 14:39
TiMow ,

This is what a EULA is :-

http://en.wikipedia.org/wiki/Software_license_agre...

It's the thing you are asked to read at the beginning of a software installation and have to click saying you read it in order to proceed ; doesn't matter if you lie ;))

This thread looks at some aspects of this and includes Maurice Joyce's link to "Javacool's" software tool "EULAlyzer". Handy to have :))

http://secunia.com/community/forum/thread/show/520...

Take care

Anthony



--


It always seems impossible until it's done.
Nelson Mandela
TiMow RE: Reporting unpatched danger but scan says no problems
Dedicated Contributor 7th Sep, 2010 16:22
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
Hi Anthony

I was/am happy on the meaning of the acronym eula** - had also already checked out the Wiki definition when I did a Google search. It seemed a little coincidental that the third search result (at that time - I know the order changes), related specifically to M$ XP home eula - which is the OS the poster is running. I then wondered if there was a remnant of that, that required embedded Java that was causing the problem (unlikely, maybe); or whether it was just the licence agreement for that version of Java when it was current, that has been missed in subsequent updates (with hindsight, probably).
The M$ XP home eula is dated June 2004 which could coincide with when JRE 1.4 was current - the earliest I traced Java back (with filehippo) was 1.5.0.4 from Jul 2005.

The poster of this thread (@balsam) has already written that he has removed all Java from add/remove and only has latest there, so I think in this instance the post from M.J. won't help - he will still need to rename or delete the problem file.

Judging by the times of his posts, he's either a nightowl, or more than likely on the other side of the pond - have to look in the morning (CET), to see if further clarification/assistance is required.

** if it's a topic on which I'm not absolutely 100% au fait with then I do use a little bit of the conditional, suggestive and similar terminology in my replies; as opposed to categorically stating something, and then looking an ass if it's not 100% accurate (has that happened before?)

Regards

TiMow

--
Computing is not yet a perfect science - it still requires humans.
Maurice Joyce RE: Reporting unpatched danger but scan says no problems
Handling Contributor 7th Sep, 2010 17:25
Score: 11581
Posts: 8,899
User Since: 4th Jan 2009
System Score: N/A
Location: UK
What he said he has removed everything from JAVA. Version 1.4 would be registered as JRE in add/remove at that time.

There is no mention of the fact that he has/or knows that JRE/JSE/JDK are one of the same thing & is recorded in add/remove as such.

If the original uninstaller has not removed the EULA then all that is needed is to navigate to:
C:\Program Files\Java\j2re1.4.2\bin\eula.dll

right click & delete it.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
balsam RE: Reporting unpatched danger but scan says no problems
Member 7th Sep, 2010 21:19
Score: 0
Posts: 4
User Since: 25th Jun 2009
System Score: N/A
Location: US
Hi,
Thanks to all for the really great help that I am getting. You are teaching me so much and helping me to fix my problem at the same time. I am going to first try changing the ending of the "old" EOL (end-of-life) by adding "old". That sounds like the easiest for me to do. No time to do that now but am looking forward to putting your suggestions to use and I'll reply again then and let you know how it went. Hopefully, my first attempt will work. I'm not very experienced with computers but your instructions are easy for me to understand and follow. Thanks again, you people are the greatest! Balsam (in Seattle)
balsam RE: Reporting unpatched danger but scan says no problems
Member 9th Sep, 2010 00:58
Score: 0
Posts: 4
User Since: 25th Jun 2009
System Score: N/A
Location: US
Hi Again,
I am pleased to let you all know that all the assistance I received from you has paid off.
I went to Secunia (v1.5.0.2) advanced tab then to the EOL tab and found a link to the old Java 2re1.4.2 folder in Windows Explorer, clicked on it and removed it as Secunia advised.
Also, under the "end-of-life" tab, I found that WinDVD4.x v4.0.11.37 has also had its life ended and Secunia recommended that it be removed as it was not secure without current updates - which it will not be getting, being "dead" so to speak. After running another scan the report was clean and clear.
Secunia is a wonderful program which has served me well for years and I am looking forward to my security being kept up-to-date for many more years to come. Needless to say, their "community" has got to be the best with all of the great people so willing to share their knowledge and expertise.
Thanks again to all of you and best wishes to you.
Sincerely, balsam
TiMow RE: Reporting unpatched danger but scan says no problems
Dedicated Contributor 9th Sep, 2010 08:27
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
Hi balsam

Glad all is OK.
Hands on experience (for me) is the best way of learning, albeit the learning curve is sometimes exponential - the higher you get, the more slippy it becomes.

Regards

TiMow

--
Computing is not yet a perfect science - it still requires humans.

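The situation resolved in this thread, an end-of-life Java folder that is no longer listed in Add/Remove Programs but is still found by a file scan, can be checked with a script like the one below. It is an added example, not part of the original thread and not a Secunia tool; it assumes PowerShell 3.0 or later and that installers record an InstallLocation in the uninstall registry keys (an entry without one shows as not registered).

```powershell
# Added example: list every folder under "Program Files\Java" and show whether
# a matching Add/Remove Programs entry still exists for it.
# Assumption: the default root follows the paths quoted in the thread.
$JavaRoot = Join-Path $env:ProgramFiles 'Java'

# Registry keys that back the Add/Remove Programs list (32- and 64-bit views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Normalised install locations of all registered programs.
$registered = @(
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.InstallLocation } |
        ForEach-Object { $_.InstallLocation.TrimEnd('\').ToLowerInvariant() }
)

if (-not (Test-Path -LiteralPath $JavaRoot)) {
    Write-Output "No Java folder found at $JavaRoot"
    return
}

Get-ChildItem -LiteralPath $JavaRoot -Directory | ForEach-Object {
    $bin = Join-Path $_.FullName 'bin'

    # A single versioned binary (such as eula.dll in the thread) is enough for
    # a file-based scanner to flag the folder, so report the first one found.
    $sample = $null
    if (Test-Path -LiteralPath $bin) {
        $sample = Get-ChildItem -LiteralPath $bin -File |
            Where-Object { $_.Extension -in '.exe', '.dll' } |
            Sort-Object Name |
            Select-Object -First 1
    }

    [pscustomobject]@{
        Folder      = $_.FullName
        SampleFile  = if ($sample) { $sample.Name } else { $null }
        FileVersion = if ($sample) { $sample.VersionInfo.FileVersion } else { $null }
        InAddRemove = $registered -contains $_.FullName.TrimEnd('\').ToLowerInvariant()
    }
} | Format-Table -AutoSize
```

A folder reported with `InAddRemove` set to `False` is a leftover like the `j2re1.4.2` folder in this thread: no uninstaller is registered for it, so it has to be renamed or removed by hand.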