Guest Gotde T Shirt
Posted September 10, 2008

A well-known 'feature' of the Sun Java update process is that it leaves older versions still installed. Could an old version with a vulnerability be exploited by the baddies, even when the fixed version has been installed?
Guest Malke
Posted September 10, 2008

Gotde T Shirt wrote:

> A well-known 'feature' of the Sun Java update process is that it leaves
> older versions still installed. Could an old version with a vulnerability
> be exploited by the baddies, even when the fixed version has been
> installed?

Yes. That's why you should remove the older versions and then install the latest one.

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
FAQ - http://www.elephantboycomputers.com/#FAQ
Guest Kayman
Posted September 10, 2008

On Wed, 10 Sep 2008 13:01:27 GMT, Gotde T Shirt wrote:

> A well-known 'feature' of the Sun Java update process is that it leaves
> older versions still installed. Could an old version with a vulnerability
> be exploited by the baddies, even when the fixed version has been
> installed?

Yes.
JavaRa at http://raproducts.org/
It's a neat little free utility that removes all remnants of Java.
Guest Gotde T Shirt
Posted September 10, 2008

On Wed, 10 Sep 2008 21:22:04 +0700, Kayman wrote:

> On Wed, 10 Sep 2008 13:01:27 GMT, Gotde T Shirt wrote:
>
>> A well-known 'feature' of the Sun Java update process is that it leaves
>> older versions still installed. Could an old version with a vulnerability
>> be exploited by the baddies, even when the fixed version has been
>> installed?
>
> Yes.
> JavaRa at http://raproducts.org/
> It's a neat little free utility that removes all remnants of Java.

That is neat. It's a pain uninstalling several old JRE versions manually. Thanks for the pointer.

However, I'm horrified to hear about the old versions' vulnerability risk. The average user may well update their Java runtime when prompted, but very few think to uninstall the old version(s).

I'm particularly interested because I'd like to find a satisfactory explanation for the recent almost epidemic of customer systems infected with Rogue Antivirus malware, despite at first glance appearing to be reasonably up-to-date. Most of them have had old JRE installations, some as old as v1.4.x.

BTW The users are not click-happy teenagers, nor porn-crazed adults.
Guest David H. Lipman
Posted September 10, 2008

From: "Gotde T Shirt" <me@invalid.invalid>

| A well-known 'feature' of the Sun Java update process is that it leaves
| older versions still installed. Could an old version with a vulnerability
| be exploited by the baddies, even when the fixed version has been
| installed?

I actually posed this question to Information Assurance (IA) experts who use Harris Stat and Digital eEye Retina on a regular basis. The subject matter was why older, vulnerable, versions of Sun Java are not removed if there are say 7 ~ 9 versions of Sun Java in C:\Program Files\Java and listed in the Control Panel applet "Add/Remove Programs". The answer is this: when you install the latest version of Sun Java it will find the other versions of Sun Java and patch them to mitigate the vulnerability, and thus there is no requirement to remove older versions of Sun Java to comply with IA requirements.

At this point I will SUGGEST removing old versions but, it is not required to mitigate vulnerabilities, just install the LATEST version to mitigate the existing vulnerabilities.

You should also NOT manually delete remnant folders if you remove older versions of Sun Java from the Control Panel applet "Add/Remove Programs". Software such as Apple Quicktime will drop a Java Jar in the folder and set an environmental variable pointing to said Java Jar in that folder. If you manually remove the folder [ such as "C:\Program Files\Java\jre1.6.0_06" when you have v6 update 7 installed ] you will delete the Java Jar and break Apple Quicktime's use of said Java Jar.

For example...
You installed Apple Quicktime when you had JRE v6 update 5 installed. Apple Quicktime will drop its Java Jar in "C:\Program Files\Java\jre1.6.0_05" and set an environmental variable to the Java Jar in "C:\Program Files\Java\jre1.6.0_05".

The only question I have now is when a program bundles an older version of Sun Java with its application such as Adobe Acrobat v9.
C:\Program Files\Adobe\Acrobat 9.0\Designer 8.2\jre

The question is if you install say JRE v6 update 7 will it find JRE in C:\Program Files\Adobe\Acrobat 9.0\Designer 8.2\jre and patch it even though it is not in C:\Program Files\Java.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest Gotde T Shirt
Posted September 10, 2008

On Wed, 10 Sep 2008 16:47:01 -0400, David H. Lipman wrote:

> From: "Gotde T Shirt" <me@invalid.invalid>
>
>| A well-known 'feature' of the Sun Java update process is that it leaves
>| older versions still installed. Could an old version with a vulnerability
>| be exploited by the baddies, even when the fixed version has been
>| installed?
>
> I actually posed this question to Information Assurance (IA) experts who use Harris Stat
> and Digital eEye Retina on a regular basis. The subject matter was why older, vulnerable,
> versions of Sun Java are not removed if there are say 7 ~ 9 versions of Sun Java in
> C:\Program Files\Java and listed in the Control Panel applet "Add/Remove Programs". The
> answer is this: when you install the latest version of Sun Java it will find the other
> versions of Sun Java and patch them to mitigate the vulnerability and thus there is no
> requirement to remove older versions of Sun Java to comply with IA requirements.

No offence intended to you personally, but that explanation is improbable to say the least.

1) It wastes disk space and other resources willy-nilly for no good reason.

2) It is much more complex and therefore fragile than a simple replacement strategy.

So why the hell would you adopt such a bizarre strategy? But the real killer observation is:

3) It doesn't stack up with reality - the file sizes and modification dates are unchanged for earlier JRE editions after a subsequent update has been applied.

> At this point I will SUGGEST removing old versions but, it is not required to mitigate
> vulnerabilities, just install the LATEST version to mitigate the existing vulnerabilities.

I'm not so sure.

> You should also NOT manually delete remnant folders if you remove older versions of Sun
> Java from the Control Panel applet "Add/Remove Programs". Software such as Apple
> Quicktime will drop a Java Jar in the folder and set an environmental variable pointing to
> said Java Jar in that folder. If you manually remove the folder [ such as "C:\Program
> Files\Java\jre1.6.0_06" when you have v6 update 7 installed ] you will delete the Java
> Jar and break Apple Quicktime's use of said Java Jar.
>
> For example...
> You installed Apple Quicktime when you had JRE v6 update 5 installed. Apple Quicktime
> will drop its Java Jar in "C:\Program Files\Java\jre1.6.0_05" and set an environmental
> variable to the Java Jar in "C:\Program Files\Java\jre1.6.0_05".

Agreed.

> The only question I have now is when a program bundles an older version of Sun Java with
> its application such as Adobe Acrobat v9.
> C:\Program Files\Adobe\Acrobat 9.0\Designer 8.2\jre
>
> The question is if you install say JRE v6 update 7 will it find JRE in C:\Program
> Files\Adobe\Acrobat 9.0\Designer 8.2\jre and patch it even though it is not in
> C:\Program Files\Java

...which sounds like DLL-hell reinvented.
Guest FromTheRafters
Posted September 10, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:ulV1hZ4EJHA.4104@TK2MSFTNGP04.phx.gbl...

> From: "Gotde T Shirt" <me@invalid.invalid>
>
> | A well-known 'feature' of the Sun Java update process is that it leaves
> | older versions still installed. Could an old version with a vulnerability
> | be exploited by the baddies, even when the fixed version has been
> | installed?
>
> I actually posed this question to Information Assurance (IA) experts who
> use Harris Stat and Digital eEye Retina on a regular basis. The subject
> matter was why older, vulnerable, versions of Sun Java are not removed if
> there are say 7 ~ 9 versions of Sun Java in C:\Program Files\Java and
> listed in the Control Panel applet "Add/Remove Programs". The answer is
> this: when you install the latest version of Sun Java it will find the
> other versions of Sun Java and patch them to mitigate the vulnerability
> and thus there is no requirement to remove older versions of Sun Java to
> comply with IA requirements.
>
> At this point I will SUGGEST removing old versions but, it is not required
> to mitigate vulnerabilities, just install the LATEST version to mitigate
> the existing vulnerabilities.
>
> You should also NOT manually delete remnant folders if you remove older
> versions of Sun Java from the Control Panel applet "Add/Remove Programs".
> Software such as Apple Quicktime will drop a Java Jar in the folder and
> set an environmental variable pointing to said Java Jar in that folder. If
> you manually remove the folder [ such as "C:\Program Files\Java\jre1.6.0_06"
> when you have v6 update 7 installed ] you will delete the Java Jar and
> break Apple Quicktime's use of said Java Jar.
>
> For example...
> You installed Apple Quicktime when you had JRE v6 update 5 installed.
> Apple Quicktime will drop its Java Jar in "C:\Program Files\Java\jre1.6.0_05"
> and set an environmental variable to the Java Jar in
> "C:\Program Files\Java\jre1.6.0_05".
>
> The only question I have now is when a program bundles an older version of
> Sun Java with its application such as Adobe Acrobat v9.
> C:\Program Files\Adobe\Acrobat 9.0\Designer 8.2\jre
>
> The question is if you install say JRE v6 update 7 will it find JRE in
> C:\Program Files\Adobe\Acrobat 9.0\Designer 8.2\jre and patch it even
> though it is not in C:\Program Files\Java

Personally, I wouldn't expect the update process to look for all the places it might find them...but I would expect that the Adobe update process would keep up with JRE updates of its own accord since it saw fit to place it in its own directory.

Please post back if you can get a satisfactory answer, I'm sure most everyone will find it interesting.
Guest David H. Lipman
Posted September 11, 2008

From: "FromTheRafters" <erratic@ne.rr.com>

| Personally, I wouldn't expect the update process to look for
| all the places it might find them...but I would expect that the
| Adobe update process would keep up with JRE updates of
| its own accord since it saw fit to place it in its own directory.

| Please post back if you can get a satisfactory answer, I'm sure
| most everyone will find it interesting.

I agree. I don't believe that JRE meant for the OS will update JRE used in an applied application such as Adobe Acrobat v9 (actually part of the Adobe Designer used for Adobe PDF forms).

I posted a query on the private AdobeForums.Com but as of yet, no replies. I will continue to look into this particular aspect.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest David H. Lipman
Posted September 11, 2008

From: "Gotde T Shirt" <me@invalid.invalid>

Replies are inline...

| On Wed, 10 Sep 2008 16:47:01 -0400, David H. Lipman wrote:

>> From: "Gotde T Shirt" <me@invalid.invalid>

>>| A well-known 'feature' of the Sun Java update process is that it leaves
>>| older versions still installed. Could an old version with a vulnerability
>>| be exploited by the baddies, even when the fixed version has been
>>| installed?

>> I actually posed this question to Information Assurance (IA) experts who use Harris Stat
>> and Digital eEye Retina on a regular basis. The subject matter was why older, vulnerable,
>> versions of Sun Java are not removed if there are say 7 ~ 9 versions of Sun Java in
>> C:\Program Files\Java and listed in the Control Panel applet "Add/Remove Programs". The
>> answer is this: when you install the latest version of Sun Java it will find the other
>> versions of Sun Java and patch them to mitigate the vulnerability and thus there is no
>> requirement to remove older versions of Sun Java to comply with IA requirements.

| No offence intended to you personally, but that explanation is improbable
| to say the least.

None will be taken. However these are facts. In the "shop" where I work, where Information Security (INFOSEC) is MORE important than other computing aspects, I have to listen to what IA experts purport. In this case I have been told that Harris Stat and Digital eEye Retina do not flag older versions of Sun Java as being vulnerable to a known vulnerability (as indicated by a source such as Secunia) after the latest version of Sun JRE has been installed. If Harris Stat or Digital eEye Retina had flagged older versions as still being vulnerable then they would be REQUIRED to remove the older versions. I have seen numerous examples of Java Exploits and I understand the seriousness of its implications.

| 1) It wastes disk space and other resources willy-nilly for no good reason.

It sure does! I can't agree more. That's why I state you should remove them through the Control Panel applet "Add/Remove Programs".

| 2) It is much more complex and therefore fragile than a simple replacement
| strategy.

Not really.

| So why the hell would you adopt such a bizarre strategy? But the real killer
| observation is:

| 3) It doesn't stack up with reality - the file sizes and modification dates
| are unchanged for earlier JRE editions after a subsequent update has been
| applied.

I have yet to test this information that I have reported. But, the fact is Harris Stat and Digital eEye Retina will flag Sun Java vulnerabilities and will not do so after the latest version has been installed.

>> At this point I will SUGGEST removing old versions but, it is not required to mitigate
>> vulnerabilities, just install the LATEST version to mitigate the existing vulnerabilities.

| I'm not so sure.

Well, you do NOT have access to the information that I have access to nor the trained personnel I can consult with.

>> You should also NOT manually delete remnant folders if you remove older versions of Sun
>> Java from the Control Panel applet "Add/Remove Programs". Software such as Apple
>> Quicktime will drop a Java Jar in the folder and set an environmental variable pointing to
>> said Java Jar in that folder. If you manually remove the folder [ such as "C:\Program
>> Files\Java\jre1.6.0_06" when you have v6 update 7 installed ] you will delete the Java
>> Jar and break Apple Quicktime's use of said Java Jar.

>> For example...
>> You installed Apple Quicktime when you had JRE v6 update 5 installed. Apple Quicktime
>> will drop its Java Jar in "C:\Program Files\Java\jre1.6.0_05" and set an environmental
>> variable to the Java Jar in "C:\Program Files\Java\jre1.6.0_05".

| Agreed.

>> The only question I have now is when a program bundles an older version of Sun Java with
>> its application such as Adobe Acrobat v9.
>> C:\Program Files\Adobe\Acrobat 9.0\Designer 8.2\jre

>> The question is if you install say JRE v6 update 7 will it find JRE in C:\Program
>> Files\Adobe\Acrobat 9.0\Designer 8.2\jre and patch it even though it is not in
>> C:\Program Files\Java

| ...which sounds like DLL-hell reinvented.

Yes, I guess it is.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest kurt wismer
Posted September 12, 2008

David H. Lipman wrote:
[snip]

> I actually posed this question to Information Assurance (IA) experts who use Harris Stat
> and Digital eEye Retina on a regular basis. The subject matter was why older, vulnerable,
> versions of Sun Java are not removed if there are say 7 ~ 9 versions of Sun Java in
> C:\Program Files\Java and listed in the Control Panel applet "Add/Remove Programs". The
> answer is this: when you install the latest version of Sun Java it will find the other
> versions of Sun Java and patch them to mitigate the vulnerability and thus there is no
> requirement to remove older versions of Sun Java to comply with IA requirements.

the only way to patch the older versions is to replace the files for the older versions, which would seem to imply that every new version contains not only all the files for the new version but also new binaries for each patched file in all previous versions (it can't just replace the file in the old version with the file from the latest version due to compatibility across versions)... that in turn means that with each new version there's another version they have to develop patches for when they release the subsequent version... from a software development perspective that quickly becomes unmanageable... i can't see how they could make it work as stated... surely there's a limit to how far back this 'patch all old versions' thing goes...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
Guest David H. Lipman
Posted September 12, 2008

From: "FromTheRafters" <erratic@ne.rr.com>

| Personally, I wouldn't expect the update process to look for
| all the places it might find them...but I would expect that the
| Adobe update process would keep up with JRE updates of
| its own accord since it saw fit to place it in its own directory.

| Please post back if you can get a satisfactory answer, I'm sure
| most everyone will find it interesting.

Adobe Acrobat v9 is a NEW product and this is the version information of the packaged Java.

java version "1.5.0_11"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_11-b03)
Java HotSpot(TM) Client VM (build 1.5.0_11-b03, mixed mode)

I have an account with Adobe and posted this subject matter on the semi-private Adobe News Server (semi private because you need an Adobe account to post but the server is replicated to Usenet). I have gotten no answer so I called Adobe. The technician was surprised and a Case number was issued.

BTW: Anyone can verify this vulnerability concept by opening a Command Prompt and entering...

"C:\Program Files\Adobe\Acrobat 9.0\Designer 8.2\jre\bin\java.exe" -version

And then reading the Secunia bulletin.
http://secunia.com/advisories/31010/

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
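The check Dave describes (run each `java.exe -version` and compare against the current release) scales badly once a machine carries a Sun tree full of leftovers plus application-bundled copies like the Acrobat one. The script below is an added example, not code posted in this thread: it walks the directories the posters mention, parses the Sun-style `java version "1.5.0_11"` line, and lists every runtime older than the newest one found. The search roots and the assumption that every stale copy is worth reporting are this example's, not the thread's.

```python
"""Inventory Sun JRE installs and flag the ones older than the newest.

Added example; the directory list is an assumption for illustration.
"""
import re
import subprocess
from pathlib import Path

# Locations named in the thread: Sun's default tree and an application-bundled
# JRE. Assumption: extend this list for the hosts you actually manage.
SEARCH_ROOTS = [
    Path(r"C:\Program Files\Java"),
    Path(r"C:\Program Files\Adobe\Acrobat 9.0\Designer 8.2\jre"),
]

# Matches the first line of Sun's `java -version` output, e.g. 1.5.0_11 or 1.4.2
VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')


def parse_java_version(version_output):
    """Turn `java -version` text into a comparable (major, minor, micro, update).

    "1.5.0_11" -> (1, 5, 0, 11); a missing update number counts as 0.
    Returns None when the text is not Sun-style version output.
    """
    match = VERSION_RE.search(version_output)
    if not match:
        return None
    major, minor, micro, update = match.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def stale_installs(inventory):
    """Given {path: version_tuple_or_None}, return paths older than the newest.

    Each of these is a separate runtime the Sun updater left in place; the
    newest copy being current says nothing about them.
    """
    versions = [v for v in inventory.values() if v is not None]
    if not versions:
        return []
    newest = max(versions)
    return sorted(str(p) for p, v in inventory.items()
                  if v is not None and v < newest)


def query_java(java_exe):
    """Run `java.exe -version` (Sun's JRE prints it to stderr) and parse it."""
    proc = subprocess.run([str(java_exe), "-version"],
                          capture_output=True, text=True)
    return parse_java_version(proc.stderr + proc.stdout)


def scan(roots=SEARCH_ROOTS):
    """Map every java.exe found under the roots to its parsed version."""
    inventory = {}
    for root in roots:
        if root.is_dir():
            for exe in root.rglob("java.exe"):
                inventory[exe] = query_java(exe)
    return inventory


if __name__ == "__main__":
    found = scan()
    for path, version in sorted(found.items()):
        print(path, version)
    for path in stale_installs(found):
        print("STALE:", path)
```

Anything reported as STALE still needs the Add/Remove Programs uninstall (or the vendor's own update, for a bundled copy) rather than a folder deletion, for the QuickTime reason Dave gives above.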