MSN Toolbar included with Sun Java Security 'updates'


Guest MowGreen [MVP]
Posted

Beware of the opt-out behavior of Sun's java automatic updater. In the

US, at least, the MSN toolbar comes PREchecked [opt-out] and will

install along with purported java 'security' updates. Said 'security'

updates are presented as the latest version of Sun's java runtime.

 

Including crappy toolbars with security updates as an opt-out is a

REALLY dumb, shortsighted decision.

Shame on MS for doing so.

 

As to Sun's java, who needs it ?

If a site requires java, then avoid it like the plague.

Especially any site that does financial transactions.

 

 

MowGreen [MVP 2003-2009]

===============

-343- FDNY

Never Forgotten

===============

Guest Leonard Grey
Posted

I don't like pre-checked opt-in boxes any more than you, but I wonder

why you happen to pick on Java, when this practice is widespread among

software providers, and why particularly Java-employing websites,

especially financial websites.

 

Sounds like you have a bone to pick with an unnamed Java-employing

financial website, and because of that I should avoid software that has

served me well for years?

---

Leonard Grey

Errare humanum est

 

MowGreen [MVP] wrote:

> Beware of the opt-out behavior of Sun's java automatic updater. In the

> US, at least, the MSN toolbar comes PREchecked [opt-out] and will

> install along with purported java 'security' updates. Said 'security'

> updates are presented as the latest version of Sun's java runtime.

>

> Including crappy toolbars with security updates as an opt-out is a

> REALLY dumb, shortsighted decision.

> Shame on MS for doing so.

>

> As to Sun's java, who needs it ?

> If a site requires java, then avoid it like the plague.

> Especially any site that does financial transactions.

>

> MowGreen [MVP 2003-2009]

> ===============

> -343- FDNY

> Never Forgotten

> ===============

Guest Terry R.
Posted

The date and time was 12/9/2008 1:36 PM, and on a whim, MowGreen [MVP]

pounded out on the keyboard:

> Beware of the opt-out behavior of Sun's java automatic updater. In the

> US, at least, the MSN toolbar comes PREchecked [opt-out] and will

> install along with purported java 'security' updates. Said 'security'

> updates are presented as the latest version of Sun's java runtime.

>

> Including crappy toolbars with security updates as an opt-out is a

> REALLY dumb, shortsighted decision.

> Shame on MS for doing so.

>

> As to Sun's java, who needs it ?

> If a site requires java, then avoid it like the plague.

> Especially any site that does financial transactions.

>

> MowGreen [MVP 2003-2009]

> ===============

> -343- FDNY

> Never Forgotten

> ===============

 

Hi Mow,

 

Is that MS's fault? When I downloaded Java 6.11 the day it was

released, I had the Yahoo toolbar option. When I downloaded it again

the day after (on another network), the Open Office option was

presented. It appears Sun is bundling these toolbars only on some

install files. On both of my downloads, I downloaded the offline (full)

version.

 

 

--

Terry R.

 

Reply Note

Anti-spam measures are included in my email address.

Delete NOSPAM from the email address after clicking Reply.

Guest Tom [Pepper] Willett
Posted

Ah, Steve:

 

Many hardware firewalls, such as Cisco, require Java to log into them.

 

Tom

: As to Sun's java, who needs it ?

: If a site requires java, then avoid it like the plague.

: Especially any site that does financial transactions.

:

:

: MowGreen [MVP 2003-2009]

: ===============

: -343- FDNY

: Never Forgotten

: ===============

:

:

:

:

:

Guest Eddie Hyde
Posted

On Tue, 09 Dec 2008 13:36:40 -0800, "MowGreen [MVP]"

<mowgreen@nowandzen.com> wrote:

>If a site requires java, then avoid it like the plague.

> Especially any site that does financial transactions.

 

That would eliminate a LOT of websites.

 

Given that, I'd say your advice is relatively worthless here.

Guest Eddie Hyde
Posted

On Tue, 9 Dec 2008 16:48:48 -0600, "Tom [Pepper] Willett"

<tom@youreadaisyifyoudo.com> wrote:

>Ah, Steve:

>

>Many hardware firewalls, such as Cisco, require Java to log into them.

>

>Tom

 

Just tell him in plain English that he's fulla crap on this.

Guest David H. Lipman
Posted

From: "Terry R." <F1Com@NOSPAMpobox.com>

 

| The date and time was 12/9/2008 1:36 PM, and on a whim, MowGreen [MVP]

| pounded out on the keyboard:

>> Beware of the opt-out behavior of Sun's java automatic updater. In the

>> US, at least, the MSN toolbar comes PREchecked [opt-out] and will

>> install along with purported java 'security' updates. Said 'security'

>> updates are presented as the latest version of Sun's java runtime.

>> Including crappy toolbars with security updates as an opt-out is a

>> REALLY dumb, shortsighted decision.

>> Shame on MS for doing so.

>> As to Sun's java, who needs it ?

>> If a site requires java, then avoid it like the plague.

>> Especially any site that does financial transactions.

 

>> MowGreen [MVP 2003-2009]

>> ===============

>> -343- FDNY

>> Never Forgotten

>> ===============

 

 

 

 

 

 

| Hi Mow,

 

| Is that MS's fault? When I downloaded Java 6.11 the day it was

| released, I had the Yahoo toolbar option. When I downloaded it again

| the day after (on another network), the Open Office option was

| presented. It appears Sun is bundling these toolbars only on some

| install files. On both of my downloads, I downloaded the offline (full)

| version.

 

 

 

A better place to download is...

http://java.sun.com/javase/downloads/index.jsp

 

Then you won't download the version with the Yahoo Toolbar.

 

jre-6u11-windows-i586-p-s.exe --> contains the toolbar

 

jre-6u11-windows-i586-p.exe --> does not contain the toolbar

 

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest David H. Lipman
Posted

From: "MowGreen [MVP]" <mowgreen@nowandzen.com>

 

| Beware of the opt-out behavior of Sun's java automatic updater. In the

| US, at least, the MSN toolbar comes PREchecked [opt-out] and will

| install along with purported java 'security' updates. Said 'security'

| updates are presented as the latest version of Sun's java runtime.

 

| Including crappy toolbars with security updates as an opt-out is a

| REALLY dumb, shortsighted decision.

| Shame on MS for doing so.

 

| As to Sun's java, who needs it ?

| If a site requires java, then avoid it like the plague.

| Especially any site that does financial transactions.

 

 

| MowGreen [MVP 2003-2009]

| ===============

| -343- FDNY

| Never Forgotten

| ===============

 

 

There are some organizations, like ours, that REQUIRE Sun Java !

 

Who needs it -- We do.

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest Terry R.
Posted

The date and time was 12/9/2008 5:13 PM, and on a whim, David H. Lipman

pounded out on the keyboard:

> From: "Terry R." <F1Com@NOSPAMpobox.com>

>

> | The date and time was 12/9/2008 1:36 PM, and on a whim, MowGreen [MVP]

> | pounded out on the keyboard:

>>> Beware of the opt-out behavior of Sun's java automatic updater. In the

>>> US, at least, the MSN toolbar comes PREchecked [opt-out] and will

>>> install along with purported java 'security' updates. Said 'security'

>>> updates are presented as the latest version of Sun's java runtime.

>>> Including crappy toolbars with security updates as an opt-out is a

>>> REALLY dumb, shortsighted decision.

>>> Shame on MS for doing so.

>>> As to Sun's java, who needs it ?

>>> If a site requires java, then avoid it like the plague.

>>> Especially any site that does financial transactions.

>

>>> MowGreen [MVP 2003-2009]

>>> ===============

>>> -343- FDNY

>>> Never Forgotten

>>> ===============

>

> | Hi Mow,

>

> | Is that MS's fault? When I downloaded Java 6.11 the day it was

> | released, I had the Yahoo toolbar option. When I downloaded it again

> | the day after (on another network), the Open Office option was

> | presented. It appears Sun is bundling these toolbars only on some

> | install files. On both of my downloads, I downloaded the offline (full)

> | version.

>

> A better place to download is...

> http://java.sun.com/javase/downloads/index.jsp

>

> Then you won't download the version with the Yahoo Toolbar.

>

> jre-6u11-windows-i586-p-s.exe --> contains the toolbar

>

> jre-6u11-windows-i586-p.exe --> does not contain the toolbar

 

I only download from the Java site, and the Yahoo toolbar was included

the first day it was released.

 

--

Terry R.

 

Reply Note

Anti-spam measures are included in my email address.

Delete NOSPAM from the email address after clicking Reply.

Guest David H. Lipman
Posted

From: "Terry R." <F1Com@NOSPAMpobox.com>

>> A better place to download is...

>> http://java.sun.com/javase/downloads/index.jsp

>> Then you won't download the version with the Yahoo Toolbar.

>> jre-6u11-windows-i586-p-s.exe --> contains the toolbar

>> jre-6u11-windows-i586-p.exe --> does not contain the toolbar

 

 

 

| I only download from the Java site, and the Yahoo toolbar was included

| the first day it was released.

 

I noted at least two download sites. The URL cited will provide the offline installation

file "jre-6u11-windows-i586-p.exe" which doesn't bundle the toolbar(s) while the other

site offers "jre-6u11-windows-i586-p-s.exe" which does bundle the toolbar.

 

This isn't new and I have seen that for many versions.

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest Terry R.
Posted

The date and time was 12/10/2008 3:33 AM, and on a whim, David H. Lipman

pounded out on the keyboard:

> From: "Terry R." <F1Com@NOSPAMpobox.com>

>>> A better place to download is...

>>> http://java.sun.com/javase/downloads/index.jsp

>>> Then you won't download the version with the Yahoo Toolbar.

>>> jre-6u11-windows-i586-p-s.exe --> contains the toolbar

>>> jre-6u11-windows-i586-p.exe --> does not contain the toolbar

>

> | I only download from the Java site, and the Yahoo toolbar was included

> | the first day it was released.

>

> I noted at least two download sites. The URL cited will provide the offline installation

> file "jre-6u11-windows-i586-p.exe" which doesn't bundle the toolbar(s) while the other

> site offers "jre-6u11-windows-i586-p-s.exe" which does bundle the toolbar.

>

> This isn't new and I have seen that for many versions.

 

As I said, I also downloaded the offline install, both days, both from

the Java site. They were different.

 

Just the messenger.

 

--

Terry R.

 

Reply Note

Anti-spam measures are included in my email address.

Delete NOSPAM from the email address after clicking Reply.

Guest Vadim Rapp
Posted

> Including crappy toolbars with security updates as an opt-out is a REALLY

> dumb, shortsighted decision.

> Shame on MS for doing so.

 

It's amazing though how many people apparently don't see any problem with

this. In the "service" economy increasingly based on brainwashing and

deception rather than competence and functionality, advertising is sacred

cow and is welcome in any clothes, isn't it.

Guest Vadim Rapp
Posted

> Is that MS's fault?

 

yes, it is - second after Sun. Any advertiser does have control on the

places where their ads appear. If Microsoft ads suddenly showed up on

low-quality sites, Microsoft most likely would take steps to protect their

image.

 

Though, if those were MSN ads, maybe they would not.

Guest Anteaus
Posted

A lot of people confuse Sun Java and Javascript.

 

The two are unrelated, other than in their sharing a C-like syntax. They are

sufficiently different that Javascript code will generally not run in Java,

or vice versa.

 

Having cleared that one up...

 

Javascript is generally a function of the browser itself. It requires no

plugin. It is not accessible outside of the webpage environment.

 

Java is a 'runtime environment' which becomes part of the operating system,

not unlike the .NET environment. Hence it is not strictly speaking a browser

plugin, but an OS extension. A browser-plugin DLL allows this OS extension to

be accessed from within webpages. Hopefully, with 'sandboxing' to prevent

other off-limits parts of the computer being accessed by the webpage code.

 

Most websites don't actually require either. Some sites that use dynamic

menus (mine included) require Javascript.

 

BUT, many websites use CSS to control layout, and on these the layout will

go to pieces if Javascript is turned off.

 

They still don't need Sun Java, though. ;-)

 

The proportion of websites which use Sun Java is minuscule. At a very rough

guess, one in ten thousand. I don't as a rule install Sun Java - it isn't on

this machine- and I cannot even recall when I last encountered a site which

complained about its absence.

 

Yet, Java represents a considerable security risk for two reasons:

 

Until recently, Sun Java updates failed to remove old, vulnerable versions.

Since a Java program can specify which version to use, this meant that even

fully-patched computers were STILL VULNERABLE to Java-coded malware.

 

Several exploits using buffer-overflows in other software, e.g. Flash,

Quicktime, rely on Java to actually execute the malware. Thus even if Java

isn't at fault per se, its presence still reduces your computer's security.

 

As for Cisco routers, yes, they use a Java-based GUI known as IOS. Only

thing is, this GUI interface is so unbelievably slow and unstable that no-one

worthy of the title of Cisco engineer uses it, preferring to write a text

config-file and upload it to the router manually. I reckon that Cisco would

drastically expand their userbase if they got rid of this hopeless software

and used a conventional HTTP config-page, as does almost every other router

manufacturer on the planet.

 

The other time you need Java, of course, is for scripting in Open Office.

 

"Eddie Hyde" wrote:

> >If a site requires java, then avoid it like the plague.

>

> That would eliminate a LOT of websites.

Guest MowGreen [MVP]
Posted

No bone to pick with any financial site that is intelligent enough to

understand the risk involved when using java. My financial sites do NOT

use java. None of my systems have any java runtimes installed.

 

For some history on why I refuse to allow java on my systems ...

in February 05 I contacted Sun and inquired as to the security risk of

leaving older, vulnerable versions on a system when a 'new' runtime was

pushed out. They admitted that it was a security risk and did NOTHING

about it until just recently. Do the math. How many systems were exposed

to a vulnerability that Sun KNEW existed for over 3 years ?

 

Every one of their Security bulletins has this at the end of them,

neatly hidden from Users who visit java.com that were totally unaware of

WHY the older, vulnerable versions should be uninstalled:

 

http://sunsolve.sun.com/search/document.do...y=1-26-244987-1

> Note: When installing a new version of the product from a source other than a Solaris patch, it is

> recommended that the old affected versions be removed from your system. To remove old affected

> versions on the Windows platform, please see:

>

> http://java.com/en/download/help/uninstall_java.xml

 

I've seen 6 or more JSE's installed on clients' systems. Heck, on one

client's system there were 10 RUNTIMES installed. At 115 MB each, that's

a HUGE amount of disk space being wasted, isn't it ?

 

I'm not the only one that has been ranting about Sun and their updating

mechanism:

 

Ghosts of Java Haunt Users

http://blog.washingtonpost.com/securityfix...s_again_po.html

 

Check out that article, please. Brian Krebs has been on this for as long

as I have.

 

If another vendor ignored their own SECURITY suggestions, refused to fix

their auto updating mechanism, then I'd be flaming them, too ... trust me.

 

Now, as to Microsoft's decision to include the MSN toolbar with newer

versions of Sun's java runtime ... MS has made a tremendous improvement

as to security in their software and OS'. It appears that they are

willing to go backwards in regards to security when they include the MSN

toolbar as an OPT-OUT when a newer JRE is pushed out that, in reality,

is a SECURITY update that addresses known vulnerabilities in the

previous runtimes. I'd venture an educated guess that 99% of newer

runtimes came out to address Critical vulns.

 

This will affect Users who are under the impression that anything MS

offers 'should be installed'. I've seen this first hand on clients'

systems when they installed what was purported to be a security update

from a 3rd party vendor that included unnecessary crap ... like Adobe

trying to sneak the Google toolbar along with Shockwave security

updates. The clients were more than annoyed and became reticent to

install subsequent updates for Flash and Shockwave. Guess what happened

to them eventually ?

 

All it will take is for Users to get peeved about the installation of an

unnecessary toolbar, or, for something to go wrong during installation

of a JSE that causes serious issues.

Then Users will become reticent when their systems are offered Security

updates from Automatic or Windows Update.

There's enough FUD concerning updating already; does MS really need to

stoke the 'tin foil' crowd ?

 

So, in effect, MS is stating that ad revenue trumps security.

Sorry, that irks me to no end. I've made my feelings known to them but

.... I have a strong suspicion that Marketing trumps Security these days.

So, I'm not keeping my thoughts to myself any longer and want others to

know WHY including toolbars and other crap along with SECURITY updates

is a shortsighted and counterproductive practice.

 

Cabiche, Leonard ?

 

 

MowGreen [MVP 2003-2009]

===============

-343- FDNY

Never Forgotten

===============

 

 

Leonard Grey wrote:

> I don't like pre-checked opt-in boxes any more than you, but I wonder

> why you happen to pick on Java, when this practice is widespread among

> software providers, and why particularly Java-employing websites,

> especially financial websites.

>

> Sounds like you have a bone to pick with an unnamed Java-employing

> financial website, and because of that I should avoid software that has

> served me well for years?

> ---

> Leonard Grey

> Errare humanum est

>

> MowGreen [MVP] wrote:

>> Beware of the opt-out behavior of Sun's java automatic updater. In

>> the US, at least, the MSN toolbar comes PREchecked [opt-out] and will

>> install along with purported java 'security' updates. Said 'security'

>> updates are presented as the latest version of Sun's java runtime.

>>

>> Including crappy toolbars with security updates as an opt-out is a

>> REALLY dumb, shortsighted decision.

>> Shame on MS for doing so.

>>

>> As to Sun's java, who needs it ?

>> If a site requires java, then avoid it like the plague.

>> Especially any site that does financial transactions.

>>

>> MowGreen [MVP 2003-2009]

>> ===============

>> -343- FDNY

>> Never Forgotten

>> ===============

Guest MowGreen [MVP]
Posted

> There are some organizations, like ours, that REQUIRE Sun Java !

>

> Who needs it -- We do.

 

Et tu, David <w>

 

ORGANIZATIONS know how to deal with securing Sun's JSE, their networks,

workstations, and servers.

Does the Average User know that, too ? Hardly.

Sorry, Sun is NOT needed by most Average Users.

 

 

BTW, now that Sun's auto updating mechanism removes older,

vulnerable versions, are you using the Static configuration method to

retain them ?

http://java.sun.com/javase/6/docs/technote...re_install.html

 

 

MowGreen [MVP 2003-2009]

===============

-343- FDNY

Never Forgotten

===============

Guest MowGreen [MVP]
Posted

Perhaps MS will allow Sun to use their updating pipeline to push out

JSEs issued to address vulns in the previous JSE. Then they'll be

offering purported security updates via AU|MU|WU that include the MSN

toolbar and the blame can be laid on Sun.

Think of the revenue from that ... and then think about how the Justice

Dept. would react. <eg>

 

MowGreen [MVP 2003-2009]

===============

-343- FDNY

Never Forgotten

===============

 

 

Vadim Rapp wrote:

>>Is that MS's fault?

>

> yes, it is - second after Sun. Any advertiser does have control on the

> places where their ads appear. If Microsoft ads suddenly showed up on

> low-quality sites, Microsoft most likely would take steps to protect their

> image.

>

> Though, if those were MSN ads, maybe they would not.

Guest David H. Lipman
Posted

From: "MowGreen [MVP]" <mowgreen@nowandzen.com>

 

 

>> There are some organizations, like ours, that REQUIRE Sun Java !

>> Who needs it -- We do.

 

 

| Et tu, David <w>

 

| ORGANIZATIONS know how to deal with securing Sun's JSE, their networks,

| workstations, and servers.

| Does the Average User know that, too ? Hardly.

| Sorry, Sun is NOT needed by most Average Users.

 

 

| BTW, now that Sun's auto updating mechanism removes older,

| vulnerable versions, are you using the Static configuration method to

| retain them ?

| http://java.sun.com/javase/6/docs/technote...re_install.html

 

 

| MowGreen [MVP 2003-2009]

| ===============

| -343- FDNY

| Never Forgotten

| ===============

 

Our situation is complex and we are not using any static configuration method. From

periodic and required training to web systems to JInitiator, Sun Java is required. I too

have seen as many as eight versions of Sun Java on our platforms. I manually remove them

all and install the latest version. I limit the cache to 50MB (1GB is the default, are

they joking ?) and I will disable the Quick Start service. We can't have additional open

ports lowering the IA level of our systems.

 

All toolbars are forbidden. Yahoo, Google, MSN, etc. If the JavaUpdateScheduler is now

downloading bundled toolbars that is a big problem!

 

On another note...

Did you know that Adobe Acrobat Pro v9 bundles JRE v5 update 11 ?

"C:\Program Files\Adobe\Acrobat 9.0\Designer 8.2\jre\bin\java.exe"

 

Why can't they just rely on SUN JRE installed on the OS ?

Why do they bundle a KNOWN vulnerable version ?

 

I have opened a case number with Adobe on this issue. They NEVER responded.

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
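Dave's post above describes doing this by hand: strip the six or eight leftover runtimes, reinstall the latest, and hunt down the private JRE that Acrobat ships in its own directory, which Mow's earlier post also argues is the step Sun's bulletins buried. The following PowerShell script is an added example, not code from this thread or from Sun, Adobe or Microsoft: it inventories the JREs the installer registered under the JavaSoft registry key, scans Program Files for bundled java.exe binaries that the updater never sees, and flags everything that is not the one version you intend to keep. The registry paths and the '1.6.0_11' sample version are assumptions made for illustration.

```powershell
# Added example (not from the thread): inventory Java runtimes on a Windows host.
# Assumptions: the installer registers each JRE under HKLM\SOFTWARE\JavaSoft,
# and privately bundled JREs live under Program Files and ship a java.exe.

function Get-RegisteredJre {
    # Each installed JRE registers a version subkey (e.g. 1.6.0_11) with a JavaHome value.
    # Both the native and the Wow6432Node views are checked; family keys such as "1.6"
    # are skipped because they only alias the newest install of that family.
    $keys = @(
        'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
        'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        Get-ChildItem -Path $key |
            Where-Object { $_.PSChildName -match '^\d+\.\d+\.\d+' } |
            ForEach-Object {
                $javaHome = (Get-ItemProperty -Path $_.PSPath).JavaHome
                [pscustomobject]@{ Source = 'Registry'; Version = $_.PSChildName; Path = $javaHome }
            }
    }
}

function Get-BundledJava {
    # Private JREs (the Acrobat case in the thread) never register with the updater,
    # so find every java.exe under Program Files that is not inside a registered JavaHome
    # and ask the binary itself for its version banner.
    $registered = @(Get-RegisteredJre | ForEach-Object { $_.Path } | Where-Object { $_ })
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    Get-ChildItem -Path $roots -Filter java.exe -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            $full = $_.FullName
            -not ($registered | Where-Object { $full -like "$_\*" })
        } |
        ForEach-Object {
            # "java -version" prints to stderr; 2>&1 merges it so the first line can be captured.
            $banner = & $_.FullName -version 2>&1 | Select-Object -First 1
            $version = if ("$banner" -match '"([^"]+)"') { $Matches[1] } else { 'unknown' }
            [pscustomobject]@{ Source = 'Bundled'; Version = $version; Path = $_.FullName }
        }
}

function Find-StaleJava {
    # Anything that is not the single version you intend to keep is a candidate for removal
    # or, for a bundled copy, for a ticket with the vendor that shipped it.
    param([Parameter(Mandatory)][string]$Keep)   # e.g. '1.6.0_11' (placeholder value)
    @(Get-RegisteredJre) + @(Get-BundledJava) | Where-Object { $_.Version -ne $Keep }
}

# Usage: full inventory first, then only the runtimes that should not be there.
@(Get-RegisteredJre) + @(Get-BundledJava) | Format-Table -AutoSize
Find-StaleJava -Keep '1.6.0_11' | Format-Table -AutoSize
```

Run it from an elevated prompt so the registry views and all of Program Files are readable. The file scan is the part that matters for the Acrobat case: a JRE that only exists as a java.exe inside another product's folder is invisible to Sun's updater and to Add/Remove Programs, so the registry alone will always report the host as clean.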

Guest David H. Lipman
Posted

From: "MowGreen [MVP]" <mowgreen@nowandzen.com>

 

| Perhaps MS will allow Sun to use their updating pipeline to push out

| JSEs issued to address vulns in the previous JSE. Then they'll be

| offering purported security updates via AU|MU|WU that include the MSN

| toolbar and the blame can be laid on Sun.

| Think of the revenue from that ... and then think about how the Justice

| Dept. would react. <eg>

 

| MowGreen [MVP 2003-2009]

| ===============

| -343- FDNY

| Never Forgotten

| ===============

 

 

Think about how SUN had an agreement with Microsoft for SUN Java to be provided to

Microsoft and Microsoft violated the terms of the agreement and SUN sued Microsoft and MS

lost !

 

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest FromTheRafters
Posted

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message

news:u6cqYTyWJHA.1188@TK2MSFTNGP05.phx.gbl...

> From: "MowGreen [MVP]" <mowgreen@nowandzen.com>

>

>>> There are some organizations, like ours, that REQUIRE Sun Java !

>>> Who needs it -- We do.

>

> | Et tu, David <w>

>

> | ORGANIZATIONS know how to deal with securing Sun's JSE, their networks,

> | workstations, and servers.

> | Does the Average User know that, too ? Hardly.

> | Sorry, Sun is NOT needed by most Average Users.

>

> | BTW, now that Sun's auto updating mechanism removes older,

> | vulnerable versions, are you using the Static configuration method to

> | retain them ?

> |

> http://java.sun.com/javase/6/docs/technote...re_install.html

>

> | MowGreen [MVP 2003-2009]

> | ===============

> | -343- FDNY

> | Never Forgotten

> | ===============

>

> Our situation is complex and we are not using any static configuration method. From

> periodic and required training to web systems to JInitiator, Sun Java is required. I too

> have seen as many as eight versions of Sun Java on our platforms. I manually remove them

> all and install the latest version. I limit the cache to 50MB (1GB is the default, are

> they joking ?) and I will disable the Quick Start service. We can't have additional open

> ports lowering the IA level of our systems.

>

> All toolbars are forbidden. Yahoo, Google, MSN, etc. If the JavaUpdateScheduler is now

> downloading bundled toolbars that is a big problem!

>

> On another note...

> Did you know that Adobe Acrobat Pro v9 bundles JRE v5 update 11 ?

> "C:\Program Files\Adobe\Acrobat 9.0\Designer 8.2\jre\bin\java.exe"

>

> Why can't they just rely on SUN JRE installed on the OS ?

> Why do they bundle a KNOWN vulnerable version ?

>

> I have opened a case number with Adobe on this issue. They NEVER responded.

 

Thanks for mentioning this again, I was wondering if there was any

response. A vulnerable program in a known location is a very bad

thing securitywise.

Guest Terry R.
Posted

The date and time was 12/10/2008 4:10 PM, and on a whim, David H. Lipman

pounded out on the keyboard:

> From: "MowGreen [MVP]" <mowgreen@nowandzen.com>

>

>>> There are some organizations, like ours, that REQUIRE Sun Java !

>>> Who needs it -- We do.

>

> | Et tu, David <w>

>

> | ORGANIZATIONS know how to deal with securing Sun's JSE, their networks,

> | workstations, and servers.

> | Does the Average User know that, too ? Hardly.

> | Sorry, Sun is NOT needed by most Average Users.

>

> | BTW, now that Sun's auto updating mechanism removes older,

> | vulnerable versions, are you using the Static configuration method to

> | retain them ?

> | http://java.sun.com/javase/6/docs/technote...re_install.html

>

> | MowGreen [MVP 2003-2009]

> | ===============

> | -343- FDNY

> | Never Forgotten

> | ===============

>

> Our situation is complex and we are not using any static configuration method. From

> periodic and required training to web systems to JInitiator, Sun Java is required. I too

> have seen as many as eight versions of Sun Java on our platforms. I manually remove them

> all and install the latest version. I limit the cache to 50MB (1GB is the default, are

> they joking ?) and I will disable the Quick Start service. We can't have additional open

> ports lowering the IA level of our systems.

>

> All toolbars are forbidden. Yahoo, Google, MSN, etc. If the JavaUpdateScheduler is now

> downloading bundled toolbars that is a big problem!

>

> On another note...

> Did you know that Adobe Acrobat Pro v9 bundles JRE v5 update 11 ?

> "C:\Program Files\Adobe\Acrobat 9.0\Designer 8.2\jre\bin\java.exe"

>

> Why can't they just rely on SUN JRE installed on the OS ?

> Why do they bundle a KNOWN vulnerable version ?

>

> I have opened a case number with Adobe on this issue. They NEVER responded.

 

Blackberry Professional for Exchange was installed on a server at a

network I admin. Java 5.11 was also installed. I updated to 6.11 and

the software wouldn't work! Why are they using versions so old?

 

--

Terry R.

 

Reply Note

Anti-spam measures are included in my email address.

Delete NOSPAM from the email address after clicking Reply.

Guest David H. Lipman
Posted

From: "FromTheRafters" <erratic@nomail.afraid.org>

 

 

| Thanks for mentioning this again, I was wondering if there was any

| response. A vulnerable program in a known location is a very bad

| thing securitywise.

 

I brought it up on the semi-private Adobeforums and they were more interested in the URLs

in my signature calling them spam and my quoting those I responded to.

 

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest David H. Lipman
Posted

From: "Terry R." <F1Com@NOSPAMpobox.com>

 

 

| Blackberry Professional for Exchange was installed on a server at a

| network I admin. Java 5.11 was also installed. I updated to 6.11 and

| the software wouldn't work! Why are they using versions so old?

 

| --

| Terry R.

 

The idiots of these companies need to work off a centralized version of SUN Java and NOT

the concept of installing old versions modified to their needs.

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest Leonard Grey
Posted

In the first place, I believe the word is /capisce/ but I'll defer to

the Italians in the group.

 

However you describe it, you have a bone to pick. No big deal...everyone

has a bone to pick. But I don't post (or cross-post) to a public

newsgroup to tell people to stop using any and all Zone Alarm products

just because I disagree with the way Zone Alarm conducts its business.

 

And even if I were so inclined, I would do it in a newsgroup for Zone Alarm.

---

Leonard Grey

Errare humanum est

 

MowGreen [MVP] wrote:<span style="color:blue">

> No bone to pick with any financial site that is intelligent enough to

> understand the risk involved when using java. My financial sites do NOT

> use java. None of my systems have any java runtimes installed.

>

> For some history on why I refuse to allow java on my systems ...

> in February 05 I contacted Sun and inquired as to the security risk of

> leaving older, vulnerable versions on a system when a 'new' runtime was

> pushed out. They admitted that it was a security risk and did NOTHING

> about it until just recently. Do the math. How many systems were exposed

> to a vulnerability that Sun KNEW existed for over 3 years ?

>

> Every one of their Security bulletins has this at the end of them,

> neatly hidden from Users who visit java.com that were totally unaware of

> WHY the older, vulnerable versions should be uninstalled:

>

> http://sunsolve.sun.com/search/document.do...y=1-26-244987-1

> <span style="color:green">

>> Note: When installing a new version of the product from a source other

>> than a Solaris patch, it is recommended that the old affected versions

>> be removed from your system. To remove old affected versions on the

>> Windows platform, please see:

>>

>> http://java.com/en/download/help/uninstall_java.xml</span>

>

> I've seen 6 or more JSE's installed on clients' systems. Heck, on one

> client's system there were 10 RUNTIMES installed. At 115 MB each, that's

> a HUGE amount of disk space being wasted, isn't it ?

>

> I'm not the only one that has been ranting about Sun and their updating

> mechanism:

>

> Ghosts of Java Haunt Users

> http://blog.washingtonpost.com/securityfix...s_again_po.html

>

>

> Check out that article, please. Brian Krebs has been on this for as long

> as I have.

>

> If another vendor ignored their own SECURITY suggestions, refused to fix

> their auto updating mechanism, then I'd be flaming them, too ... trust me.

>

> Now, as to Microsoft's decision to include the MSN toolbar with newer

> versions of Sun's java runtime ... MS has made a tremendous improvement

> as to security in their software and OS'. It appears that they are

> willing to go backwards in regards to security when they include the MSN

> toolbar as an OPT-OUT when a newer JRE is pushed out that, in reality,

> is a SECURITY update that addresses known vulnerabilities in the

> previous runtimes. I'd venture an educated guess that 99% of newer

> runtimes came out to address Critical vulns.

>

> This will affect Users who are under the impression that anything MS

> offers 'should be installed'. I've seen this first hand on clients'

> systems when they installed what was purported to be a security update

> from a 3rd party vendor that included unnecessary crap ... like Adobe

> trying to sneak the Google toolbar along with Shockwave security

> updates. The clients were more than annoyed and became reticent to

> install subsequent updates for Flash and Shockwave. Guess what happened

> to them eventually ?

>

> All it will take is for Users to get peeved about the installation of an

> unnecessary toolbar, or, for something to go wrong during installation

> of a JSE that causes serious issues.

> Then Users will become reticent when their systems are offered Security

> updates from Automatic or Windows Update.

> There's enough FUD concerning updating already; does MS really need to

> stoke the 'tin foil' crowd ?

>

> So, in effect, MS is stating that ad revenue trumps security.

> Sorry, that irks me to no end. I've made my feelings known to them but

> ... I have a strong suspicion that Marketing trumps Security these days.

> So, I'm not keeping my thoughts to myself any longer and want others to

> know WHY including toolbars and other crap along with SECURITY updates

> is a shortsighted and counterproductive practice.

>

> Cabiche, Leonard ?

>

>

> MowGreen [MVP 2003-2009]

> ===============

> 343- FDNY

> Never Forgotten

> ================

>

>

> Leonard Grey wrote:

> <span style="color:green">

>> I don't like pre-checked opt-in boxes any more than you, but I wonder

>> why you happen to pick on Java, when this practice is widespread among

>> software providers, and why particularly Java-employing websites,

>> especially financial websites.

>>

>> Sounds like you have a bone to pick with an unnamed Java-employing

>> financial website, and because of that I should avoid software that

>> has served me well for years?

>> ---

>> Leonard Grey

>> Errare humanum est

>>

>> MowGreen [MVP] wrote:

>><span style="color:darkred">

>>> Beware of the opt-out behavior of Sun's java automatic updater. In

>>> the US, at least, the MSN toolbar comes PREchecked [opt-out] and will

>>> install along with purported java 'security' updates. Said 'security'

>>> updates are presented as the latest version of Sun's java runtime.

>>>

>>> Including crappy toolbars with security updates as an opt-out is a

>>> REALLY dumb, shortsighted decision.

>>> Shame on MS for doing so.

>>>

>>> As to Sun's java, who needs it ?

>>> If a site requires java, then avoid it like the plague.

>>> Especially any site that does financial transactions.

>>>

>>>

>>> MowGreen [MVP 2003-2009]

>>> ===============

>>> -343- FDNY

>>> Never Forgotten

>>> ===============

>>>

>>>

>>>

>>>

>>></span></span></span>
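The quoted complaint above is that old, vulnerable Java runtimes stay registered on a machine after each update. As an added example (not code from anyone in this thread), here is a PowerShell inventory that lists every Java runtime still present in Add/Remove Programs and flags all but the newest as leftovers; it assumes an elevated prompt on Windows, the standard Uninstall registry locations, and that Java installers name themselves with a "Java", "J2SE", "JRE" or "JDK" prefix (an assumption).

```powershell
# Added example, not from the thread: inventory Java runtimes registered in
# Add/Remove Programs so that leftover old versions can be found and removed.
# Assumes an elevated PowerShell prompt on Windows; the DisplayName prefix
# pattern is an assumption about how Java installers register themselves.
function Get-InstalledJava {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^(Java|J2SE|JRE|JDK)\b' -and $_.DisplayVersion } |
        ForEach-Object {
            # Normalise DisplayVersion (e.g. "6.0.110", "1.5.0.11") so it sorts numerically
            $v = $null
            [void][version]::TryParse(($_.DisplayVersion -replace '[^\d.]', ''), [ref]$v)
            [pscustomobject]@{
                Name      = $_.DisplayName
                Version   = $v
                Publisher = $_.Publisher
                Uninstall = $_.UninstallString
            }
        }
}

$java = @(Get-InstalledJava | Sort-Object Version)
if ($java.Count -eq 0) {
    Write-Output 'No Java runtimes registered in Add/Remove Programs.'
} else {
    $java | Format-Table -AutoSize
    if ($java.Count -gt 1) {
        # Everything except the newest registered build is a leftover; the vendor
        # note quoted in the thread says old affected versions should be removed.
        $stale = $java[0..($java.Count - 2)]
        Write-Warning ("{0} older Java runtime(s) still installed:" -f $stale.Count)
        $stale | ForEach-Object {
            Write-Warning ("  {0} ({1}) -> {2}" -f $_.Name, $_.Version, $_.Uninstall)
        }
    }
}
```

The Uninstall column holds the command Windows itself would run from Add/Remove Programs, so the flagged entries can be removed with the vendor's normal uninstaller rather than by deleting directories.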

Guest David H. Lipman
Posted

From: "Leonard Grey" <l.grey@invalid.invalid>

 

| In the first place, I believe the word is /capisce/ but I'll defer to

| the Italians in the group.

 

| However you describe it, you have a bone to pick. No big deal...everyone

| has a bone to pick. But I don't post (or cross-post) to a public

| newsgroup to tell people to stop using any and all Zone Alarm products

| just because I disagree with the way Zone Alarm conducts its business.

 

| And even if I were so inclined, I would do it in a newsgroup for Zone Alarm.

| ---

| Leonard Grey

| Errare humanum est

 

Except for the suspicions of a backdoor in ZoneAlarm inserted by (censored), it is

intended to protect a PC.

 

On the other hand, SUN Java is responsible for MANY people being infected with malware

due to their overwhelming number and consistency of vulnerabilities.

 

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
