
Forum Thread: Java JRE/JVM in CS5 no longer identified as insecure

This thread has been marked as resolved.
wally's dad Java JRE/JVM in CS5 no longer identified as insecure
Member 9th Sep, 2010 17:36
Ranking: 0
Posts: 10
User Since: 22nd Jun, 2010
System Score: N/A
Location: N/A
Many threads have been written about Java JRE/JVM insecure alerts after installing various Adobe CS5 programs/suites.

These do not appear in Add or Remove Programs/Programs and Features (Win7) and are not handled by Sun's updater when updating Java's default location at C:\Program Files\Java\jre6\bin

After trying various strategies, I followed the advice at: http://secunia.com/community/forum/thread/show/436... to rename the java.exe files, and this has worked for months. I merely change the name back to the default each time the Adobe Updater notifies me of available updates for various Design Premium programs. However, this week after updating Adobe CS5, I forgot to rename to "java.exe_OLD" in each of the 4 locations where these problematic files appear, but PSI does not alert me to these anymore. The files in question appear at these locations:

C:\Users\All Users\Adobe\CS5\jre\bin\java.exe (ver. 6.0.180.7)
C:\ProgramData\Adobe\CS5\jre\bin\java.exe (ver. 6.0.180.7)
D:\Program Files\Adobe\Adobe Dreamweaver CS5\JVM\bin\java.exe (ver. 6.0.160.1)
D:\Program Files\Adobe\Adobe Flash Catalyst CS5\jre\bin\java.exe (ver. 6.0.160.1)

Another older java file that PSI never caught is located at:
D:\Program Files\Adobe\Acrobat 9.0\Designer 8.2\jre\bin\java.exe (5.0.110.3)

I rebooted and ran PSI's scan twice, but I still get a 100% secure 'bill of health'.

SO MY QUESTION IS: Does anybody know why PSI is not now identifying these insecure files as such anymore?

Windows 7 Pro 32 bit
PSI ver 1.5.0.2

Post "RE: Java JRE/JVM in CS5 no longer identified as insecure" has been selected as an answer.
Anthony Wells RE: Java JRE/JVM in CS5 no longer identified as insecure
Expert Contributor 9th Sep, 2010 18:51
Score: 2418
Posts: 3,311
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hello wally's dad,

This thread may shed some light, nothing specific, bear in mind:

http://secunia.com/community/forum/thread/show/535...

Not sure if Secunia will be handling the PSI over the weekend - normally they don't - so you may need to wait until Monday for them to respond. Due to the busy nature of the Forum, with the new 2.0 Beta version of the PSI occupying people, you may need to try to catch their attention next week.

Take care

Anthony

--


It always seems impossible until its done.
Nelson Mandela
wally's dad RE: Java JRE/JVM in CS5 no longer identified as insecure
Member 13th Sep, 2010 07:28
Score: 0
Posts: 10
User Since: 22nd Jun 2010
System Score: N/A
Location: N/A
Thanks for your reply. But just how do you catch their attention?
mogs RE: Java JRE/JVM in CS5 no longer identified as insecure
Expert Contributor 13th Sep, 2010 07:37
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
It's very likely Emil will pick up on it this morning....your thread is in a fairly prominent position....top of the page.....he seems to scroll thro' them first thing.
Regards.

This user no longer exists RE: Java JRE/JVM in CS5 no longer identified as insecure
Member 13th Sep, 2010 13:06
Hi,

The non-detection of these embedded versions of Flash and Java is quite
intentional. The PSI is a "security patch checker", and its primary
function is to deliver security updates to end users.

Since no patches have been released to fix the issues of the embedded
versions of Flash/Java/etc, there is little purpose in alerting users to
these instances.

If or when a Secunia Advisory is issued for any of these products with
new patch information (whether related to the insecure embedded plug-ins
or not) the PSI will alert you about this.

Hope this helps.
wally's dad RE: Java JRE/JVM in CS5 no longer identified as insecure
Member 13th Sep, 2010 16:02
Score: 0
Posts: 10
User Since: 22nd Jun 2010
System Score: N/A
Location: N/A
Thank you for the explanation. I submitted this thread because I was wondering why PSI identified these as Insecure for the past few months but suddenly stopped alerting me to them. Did the files somehow change, in the course of my re-naming them or has the PSI engine been adjusted to ignore them now? In view of your explanation, I was wondering about these versions of Java that are embedded in other products and not in the default location for JRE/JVM files, do they still present a security threat?
This user no longer exists RE: Java JRE/JVM in CS5 no longer identified as insecure
Member 13th Sep, 2010 16:05
Hi,

The files stopped being shown because users made us aware of the issue. Once they did, we corrected our rules to compensate.

If you have knowledge about other embedded, unfixable versions bundled with various software, please let us know (by posting the "Installation Path" to the offending file), and we can correct the misdetection.
wally's dad RE: Java JRE/JVM in CS5 no longer identified as insecure
Member 13th Sep, 2010 16:09
Score: 0
Posts: 10
User Since: 22nd Jun 2010
System Score: N/A
Location: N/A
Thank you Emil, for your quick and clear reply. Love your product. Keep up the good work!

This thread has been marked as locked.
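
Added example, not part of the original thread and not Secunia's code: the replies explain that PSI deliberately stops reporting embedded Java copies that have no vendor patch, so a separate inventory is needed to keep track of them. The PowerShell script below (3.0 or later) lists every java.exe on the scanned drives, including copies renamed to java.exe_OLD as the first post describes; the function name, the scan roots and the default-location value are assumptions based on the paths quoted in the thread.

```powershell
# Added example: inventory java.exe copies that a patch checker may no longer report.
# Get-BundledJava, $Roots and $ManagedRoot are hypothetical names chosen for this example.
function Get-BundledJava {
    param(
        # Drives to scan (assumption: the C: and D: drives mentioned in the thread).
        [string[]]$Roots = @('C:\', 'D:\'),
        # Default JRE location named in the thread; Sun's updater maintains this tree.
        [string]$ManagedRoot = 'C:\Program Files\Java'
    )

    # Normalise so that 'C:\Program Files\JavaFoo' is not treated as managed.
    $managedPrefix = $ManagedRoot.TrimEnd('\') + '\'

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # 'java.exe*' also matches renamed copies such as java.exe_OLD.
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter 'java.exe*' -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '^java\.exe(_.*)?$' } |
            ForEach-Object {
                [pscustomobject]@{
                    Path        = $_.FullName
                    # Version resource of the binary, e.g. the 6.0.x values quoted in the thread.
                    FileVersion = $_.VersionInfo.FileVersion
                    # True only for copies under the default, updater-maintained location.
                    Managed     = $_.FullName.StartsWith($managedPrefix, [StringComparison]::OrdinalIgnoreCase)
                    # True when the file was renamed to stop it being launched or detected.
                    Renamed     = ($_.Name -ne 'java.exe')
                    LastWrite   = $_.LastWriteTime
                }
            }
    }
}

# Embedded (unmanaged) copies first, then the default installation.
Get-BundledJava |
    Sort-Object Managed, Path |
    Format-Table Path, FileVersion, Managed, Renamed, LastWrite -AutoSize
```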

