Forum Thread: PSI keeps telling to patch Java

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Sun Microsystems
And, this specific program:
Oracle Java JRE 1.6.x / 6.x

This thread has been marked as locked.
Chanel PSI keeps telling to patch Java
Member 2nd Nov, 2010 12:16
Ranking: 2
Posts: 3
User Since: 2nd Nov, 2010
System Score: N/A
Location: BE
Hello,

Every couple of weeks PSI indicates that I have to download several patches for Java. One of them is update 22. Sometimes I do all the downloads, repeat the scan and everything is ok again but it keeps returning.

Every time I download the new Java program on the Sun Java site (for Windows Vista) and this for 32 bits and for 64 bits versions, because on the site it's indicated that I should download both versions because I use both 32 bits browsers and 64 bits. After the downloads Java confirms that Java was installed successfully. When I ask to check my Java version on the Java site itself it also states that I have the correct version.
After the download I see a pop-up window from PSI in the corner right below that indicates that program changes are detected and that Java is patched.
When I repeat the scan after that, it keeps indicating that there still should be done one patch. 3 of the asked patches were ok, but one keeps being asked for.

I can't find out which patch I have to add and where to find it. When I click on that item it indicates also that update 22 is already on my system??

Why does the scan tell me otherwise? Does this have something to do with my Bitdefender Internet Security 2010 settings?

Chanel RE: PSI keeps telling to patch Java
Member 2nd Nov, 2010 12:32
Score: 2
Posts: 3
User Since: 2nd Nov 2010
System Score: N/A
Location: BE
I was too quick to post a question.

I finally found out what was wrong. I didn't need to download patches, I had to remove two old versions of Java (update 20 and update 1) on my PC.
After a restart PSI didn't indicate anymore to patch Java.

Is a bit confusing though that PSI asks to download things when you should in fact remove older programs to fix the problem.
Was this reply relevant?
+0
-0
TiMow RE: PSI keeps telling to patch Java
Dedicated Contributor 2nd Nov, 2010 12:56
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
Last edited on 2nd Nov, 2010 12:57
This is a common misconception by many.

What PSI actually does, is to alert the user that it has found a vulnerability in a program/application/file.

When there is a known vendor patch available it will give the link to the vendor site (Download Solution).

But what is a failing in some vendor patches, is that, not all evidence of the previous version (and insecurity) is always removed with the update.
Alternatively some previous software installations, for whatever reasons, aren't always in default location - so subsequent updates haven't affected them.

So, despite having applied the latest patch/update, PSI will continue to alert you to a vulnerability, until it is removed.

Multiple application of the latest update doesn't change anything, in these instances. The insecurity must be found and dealt with.

Regarding your specific instance with Java, my answer on the following thread (3rd reply) may help to explain further - even though you have now solved your own problem.

http://secunia.com/community/forum/thread/show/613...

TiMow

--
Computing is not yet a perfect science - it still requires humans.
Was this reply relevant?
+4
-0
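
The situation described in the reply above (older Java versions left behind after an update, in both 32-bit and 64-bit form or outside the default location) can be checked with an inventory like the following. This is an added example, not part of the thread and not Secunia's code; the function name `Get-JavaInventory`, the `-SearchRoots` parameter and the `DisplayName` pattern are assumptions made for illustration.

```powershell
# Added example (not from the thread): list every Java runtime still present.
function Get-JavaInventory {
    param(
        # Hypothetical parameter: add other drives/folders to catch non-default installs.
        [string[]]$SearchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)})
    )

    # 1) What Windows lists as installed (native and 32-bit-on-64-bit uninstall hives).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $registered = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        # Assumption: Java entries are named like "Java(TM) 6 Update 22".
        Where-Object { $_.DisplayName -match '^Java(\(TM\))?\s' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation,
            @{ n = 'Hive'; e = { if ($_.PSPath -match 'WOW6432Node') { '32-bit' } else { 'native' } } }

    # 2) What is actually on disk: a file scan also sees copies the uninstall list omits.
    $roots = @($SearchRoots | Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique)
    $files = @()
    if ($roots.Count -gt 0) {
        $files = Get-ChildItem -Path $roots -Filter java.exe -Recurse -File -ErrorAction SilentlyContinue |
            Select-Object FullName,
                @{ n = 'Version'; e = { ($_.VersionInfo.FileVersion -replace ',\s*', '.') -as [version] } }
    }

    # 3) Flag every copy older than the newest one found.
    #    A file whose version string cannot be parsed is also flagged, so it gets reviewed.
    $newest = ($files | Where-Object Version | Sort-Object Version -Descending |
        Select-Object -First 1).Version
    $onDisk = $files | Select-Object FullName, Version,
        @{ n = 'Stale'; e = { $_.Version -lt $newest } }

    [pscustomobject]@{ Registered = @($registered); OnDisk = @($onDisk); Newest = $newest }
}

$inv = Get-JavaInventory
$inv.Registered | Format-Table -AutoSize
$inv.OnDisk | Sort-Object Version | Format-Table -AutoSize
```

Any row with `Stale` set to `True` is an older runtime that a newer installer did not remove; uninstall it through its own entry in the Windows program list rather than deleting the files.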
Chanel RE: PSI keeps telling to patch Java
Member 2nd Nov, 2010 16:19
Score: 2
Posts: 3
User Since: 2nd Nov 2010
System Score: N/A
Location: BE
Thank you for your reply. The thread you added is indeed exactly the same problem.
Now I know for the future that Secunia asks to look for any kind of problem with a program (such as removing older versions) and not only indicates that you have to download patches.
And the second thing I learned is that Java only removes the last update you did earlier but not all the other possible updates you still have on your PC.

Was this reply relevant?
+2
-0
TiMow RE: PSI keeps telling to patch Java
Dedicated Contributor 2nd Nov, 2010 17:31
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
Last edited on 2nd Nov, 2010 17:40
I'm pleased you've had a eureka moment.
You're exactly right - PSI is a vulnerability checker and not an update checker - there are other programs for that.
Some program updates become available, but if they're not security fixes, for an existing vulnerability, then PSI doesn't alert the user.
There are still many users that don't realise and appreciate this.

In making a user aware to a vulnerability, PSI only points that user in the direction of the download site to rectify the problem.
But, as you've found out, it's not always so straightforward - unfortunately it's not Harry Potter's magic wand.

Knowing how the program works, and how to use the program is the key.

Just a last note - not to the detriment of PSI (I hope) - but when it alerts me to a security update, I, personally prefer to update from within said program (Help>Check for Updates- when available), than use PSI Download Solution.
I've found that this method can limit possible complications, that can sometimes occur.

TiMow

P.S. Once you're up to date with Java - in theory - what you've experienced should never be a problem again -- if only .....!

P.P.S. (sorry, another edit e-mail) - Java, too, can be updated from Control Panel>Java icon>Update tab>Update Now.

--
Computing is not yet a perfect science - it still requires humans.
Was this reply relevant?
+3
-0
