Java Run-Time vulnerabilities


jdh
June 9th, 2007, 08:49 AM
Sun JRE Vulnerabilities

http://isc.sans.org/diary.html?storyid=2928&rss

You can update JRE from the Java control in the Windows Control Panel.

Do not attempt to install or update to any version of JRE 6 in Windows 98 or ME!

There is a patched version of JRE 5 for Windows 98.

DH

P.S. Sun recommends uninstalling old versions of JRE before installing new. e.g. if you have 1.5 (5) and want to update to 1.6 (6), then uninstall 1.5 first.

Installing 1.6 (6) will NOT remove 1.5 (5). Leaving an unpatched old version therefore can leave one exposed to currently known and exploited vulnerabilities. i.e. according to the intended design of Java, a Java applet (e.g. an exploit) is permitted to request an earlier (vulnerable) version of the JRE.

ndebord
June 9th, 2007, 03:18 PM
I never can figure out what to download from Sun.

For W98se, can you give me a link to the download?

Tks Much,

jdh
June 10th, 2007, 12:37 AM
I never can figure out what to download from Sun.

For W98se, can you give me a link to the download?

Tks Much,

http://java.com/en/download/windows98me_manual.jsp?locale=en&host=java.com

The file is :

jre-1_5_0_12-windows-i586-p-s.exe

I think it's actually more like 16 or 17 Mb instead of 13 something.

This is for the offline install. I prefer the offline install because I have an unreliable dial-up connection AND with the full download, I can re-install again if I have to, without re-downloading AGAIN.

I know what you mean about the Sun Java site being confusing.

The first attempt I made at updating was for JRE 6 update 1 (the latest) because the stupid download page I landed on said just "windows" and I could not find any "system requirements".

Then AFTER the whole stupid download was done and I installed it, it said Win 98 NOT supported but it worked and seemed to claim (I think?) that it was really JRE 6 update 1, BUT when I checked for updates it turned out to be 6.0 not updated. So I tried to update but it FAILED (even though 6.0 unupdated worked in running java applets, but with vulnerability) because a DLL was missing. So then I had to uninstall JRE 6 and download JRE 5.

So I ended up with the following snafu:

1. download 6 and install it (worked but was not up to date)
2. uninstall 5 (and remnants of 4)
3. failed to get update 1 of JRE 6
4. uninstall JRE 6
5. download JRE 5
6. install JRE 5

Phew!

Bottom line, might as well do an hour of research on system compatibility before download, would probably still save time over what my snafu turned out to be.

I don't use Java much. Mainly for radar loops to track thunderstorms passing overhead in FLA.

They claim JRE 5 is faster than JRE 4 but with the NWS NOAA GOV the old JRE 4 seemed faster. It said something about there being a possibility of a security update for JRE 4 [?]. I only have 192Mb. Maybe JRE 5 runs faster if you have 512Mb?

I have all plug-ins ask for confirmation before running, by the NoScript extension of Firefox, regardless of whether the site is whitelisted in NoScript or not; since I use plugins so rarely, it's not much of a bother to click the NoScript icon to let them play. If I was using plugins such as Java and Flash all the time I'd probably skip the confirmation on whitelisted sites. Just because McAfee rates a site with SiteAdvisor with a green (safe) button as of their last scan does not mean some hacker hasn't infected the site with vulnerability-containing media files in the meanwhile.

I guess some of those video sites use a lot of Flash. The Web version of Yahoo Messenger is also based on Flash and they have Chinese, Vietnamese, and Portuguese language versions of it. The Web version of Yahoo Messenger used to be Java based. I don't know the reason for the change of "platforms". Maybe something to do with the fact that it also supports MSN Instant Messaging?

DH

ndebord
June 10th, 2007, 11:25 AM
http://java.com/en/download/windows98me_manual.jsp?locale=en&host=java.com

The file is :

jre-1_5_0_12-windows-i586-p-s.exe

16 or 17 Mb instead of 13 something.


DH

David,

Really quite strange too on my W98se laptop. I downloaded this file:

jre-1_5_0_12-windows-i586-p-s.exe

16 plus megs. And it refuses to run. No error message. Not stalled requiring a CAD. Just will NOT run. I followed the instructions on the SUN site to remove the previous update... Perhaps that is the issue.

Bottom Line. I run K-Meleon with Java disabled and can't remember the last time I needed to enable it (toggle switch), but I don't like to have a major app like this refuse to install.

<confused>

jdh
June 10th, 2007, 02:18 PM
David,

Really quite strange too on my W98se laptop. I downloaded this file:

jre-1_5_0_12-windows-i586-p-s.exe

16 plus megs. And it refuses to run. No error message. Not stalled requiring a CAD. Just will NOT run. I followed the instructions on the SUN site to remove the previous update... Perhaps that is the issue.

Bottom Line. I run K-Meleon with Java disabled and can't remember the last time I needed to enable it (toggle switch), but I don't like to have a major app like this refuse to install.

<confused>

I'm stumped too.

I don't think removing the old version, regardless of whether it was 1.3, 1.4, or 1.5 would hurt anything.

Just taking a wild guess, I'd say if the file is not corrupt (which we don't know either way) then it could be a problem with a missing or wrong DLL somewhere or something screwed up in the registry (which I wouldn't dare to try to fix myself personally).

You could refresh your desktop or other folder where the installer is located and check to make sure the coffee cup icon appears on the EXE file.

You could also right click the file and click "properties" and make sure that Windows 98 can read and display the EXE's "properties".

Of course passing these two "tests" does not guarantee that the file is not corrupted, which is the only other explanation I can think of.

Versions 1.3 (3), 1.5 (4), and 1.6 (6) install in separate subfolders of the "Program Files" folder. Newer versions do not overwrite the old. One of the reasons for uninstalling the old is just this, in fact. In particular, Java applets are permitted to request the browser/OS to run them under a specific Run-Time Environment VERSION (which may be old and unpatched, thus allowing exploitation of old unpatched vulnerabilities in previous versions).

The "good" reason for keeping old versions of JRE is that one might have a Java applet or application that only runs under an old version.

If Firefox extensions would run under K-Meleon, you could try installing Firefox NoScript and setting NoScript to require confirmation before running ANY plug-ins (e.g. Java) even on trusted (whitelisted) sites. Instructions for doing this (under Firefox) are on the NoScript.net web site.

Here is a description of the JRE vulnerabilities:
http://isc.sans.org/diary.html?storyid=2928

Of course it is possible to uninstall all versions of JRE on your PC by using the "Add Remove" program control in the Control Panel of Windows. Doing so would make it impossible to run any Java applets/applications either inside or outside of your browser. (I don't know whether there would still be an old version of Microsoft, as opposed to Sun, Java Runtime left on your PC , then, or not.)

DH

ndebord
June 10th, 2007, 08:51 PM
Of course it is possible to uninstall all versions of JRE on your PC by using the "Add Remove" program control in the Control Panel of Windows...

DH

David,

Well, I really have no clue now at all. Something is wrong and probably on my laptop. What it is is a mystery. I downloaded the original 5.0 version (along with build 11) and it too would not install. I ran regclean to see if there was a setting somewhere and couldn't find anything as PC MAG's uninstall seems to have properly removed everything. I then went to Windows application data sub-folder and deleted everything under "Sun" and still it won't load. I did rename the file to a shortfile name and tried that and executable files do load from other programs, so I can't see how that could make a difference. Also I redownloaded the file this time using FF 2.0.4 (before I had used KM 1.0.2) and to no avail.

I give up.

(P.S. There are no old versions sitting around in C:\Program Files.)

As I have FF 2.0.4, I can install NoScript and follow its instructions. The implication being that that would force Java to run? <not sure what you are asking here>

Perhaps there is an incompatible DLL file somewhere in my system, but if that is the case, then SUN has merely confirmed my suspicions that its Java App is not a well-behaved app.

<SIGH>

Judy G. Russell
June 10th, 2007, 09:45 PM
I give up.

I didn't see a new version that would run on 98...

jdh
June 11th, 2007, 12:48 AM
As I have FF 2.0.4, I can install NoScript and follow its instructions. The implication being that that would force Java to run? <not sure what you are asking here>


NoScript does have the ability to STOP Java (and all other plug-ins) from running, even if they are properly installed.

The Firefox plugin called FlashBlock can stop Flash plugins from running but not other plugins.

NoScript can now ALSO prevent cross site scripting (XSS) attacks. Unfortunately some web sites write pages that do cross site scripting that is benign but looks nasty, so that NoScript blocks it and the user (me) has to manually allow the potentially dangerous XSS to go through to have the intended result of the legitimate web page appear on screen.

The main feature, of course, of NoScript is blocking JavaScript whenever it appears on a domain not whitelisted (approved) by the user (you or me). So for example, I have whitelisted my bank and yahoo.com (for Yahoo mail).

The latest versions of NoScript also have an option the user can configure to block plugins on non-whitelisted (non trusted) domains. In addition to that, there is also a special (sort of like a hack) configuration of NoScript that lets you block all plugins, even on trusted domains, unless you confirm the running of them each time any such plug in tries to play / run.

So if one so desired one could block all Java running in Firefox. That is, if somehow Java Runtime Environment ever did get installed successfully it could not run in Firefox, without your explicit approval. Of course, if you really wanted to run a Java application (not browser applet) that you had somehow downloaded (not the JRE itself) it could still run OUTSIDE of the Firefox browser regardless of how NoScript was configured. IIRC this OUTSIDE the browser running of Java applications is done by running JRE.EXE with proper command line arguments (as we used to do in MS-DOS programs, e.g. Wordperfect, etc.).

Since you apparently have zero Java engines on your PC you don't have to worry about Java running either inside any browser or outside any browser.

However, if you are interested NoScript could give you additional protection from bad guys, namely:

1. attacks by JavaScript on untrusted domains

2. vulnerabilities in unpatched plugins other than Java (e.g. Flash, Quicktime, RealAudio, etc.)

however this (2.) only protects against involuntary (automatic) running / playing of plug-in media. If you personally click on the media, it WILL play anyway.

Most Flash media that I see is annoying ads, so I have full "shields up" and block all plug ins (unless explicitly personally one at a time confirmed by me).

For somebody who likes to watch a lot of news videos and other videos, blocking Flash might cramp their style and they might want to keep it fully turned on all the time.

3. XSS attacks

Of course, if bad guys manage to hack a trusted (whitelisted by you) site, then you could still become a victim of a drive-by download (JavaScript or plugin). I have my NoScript set to always require clicking on media for media player plugins to run (here a Java applet could be considered a type of media even though it's actually code and not data), so even on a hacked site I could only voluntarily be hit by an unpatched plugin hole. Of course I would be hit INVOLUNTARILY by any exploit written in JavaScript since I had previously given permission by whitelisting the site.

With NoScript, assuming one only enables JavaScript and plug-ins on trusted (whitelisted) sites, then I believe that affords a significant degree of additional protection against zero-day (unrecognized, unknown, new, no virus signature, etc.) attacks via the Firefox browser, above and beyond firewall, antivirus, and antispyware. Of course Firefox and security apps still have to be kept up to date.

Basically you need to be a system engineer to really protect yourself to a high degree. (But NoScript certainly does not require that high level of expertise to use effectively. But I would not advise NoScript for a naive computer newbie. Just pray for them. And subscribe to a decent security suite and keep it up to date.) I suspect that cell phones will soon if not already become that way too. Maybe the bad guys can figure out how to put cell phone rootkits into video clips so they can infect phones by the millions in a single day?

DH

jdh
June 11th, 2007, 01:00 AM
I didn't see a new version that would run on 98...

For anybody else who might read this thread, JRE 5 does run on Win 98. Updates 10 and earlier of JRE 5 are susceptible to the vulnerability.

Apparently Nick might have had update 11 downloaded at some point in the past? Update 12 of JRE 5 is the latest and at least update 12 of JRE 5 is supposed to be patched.

JRE 6 is the most up to date version of Java Runtime Environment but NEEDS to be updated to update 1 to be patched against this vulnerability. UNFORTUNATELY JRE 6 WILL download and install and RUN on Win 98 but anybody who does so will certainly regret it.

Bottom line is that it's worth spending time to search the blinking site to find the real system requirements even if they make 'em hard to find, esp. if you don't have the latest OS (or latest browser, etc.). It may not be too long before this becomes true for Windows XP. Maybe a good reason to switch to LINUX or FreeBSD ?

DH
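
The version rules stated in this thread (JRE 5 needs update 12, with update 10 and earlier vulnerable and update 11 uncertain; JRE 6 needs update 1; older versions are left in place side by side and an applet can ask for a specific one) can be turned into a small audit. The following Python script is an added example, not code from the thread or from Sun: it parses the `1.5.0_12` style version string (also as it appears in the installer file name `jre-1_5_0_12-windows-i586-p-s.exe`), classifies each installed version against the thread's patch levels, and reports the machine as exposed if any installed version is below them, since the newest install does not remove the older ones. The list of installed versions is passed in by hand; the threshold table and the treatment of update 11 as not yet patched are assumptions taken from the thread, and families it does not mention (JRE 4) are reported as unknown.

```python
"""Audit a list of installed Sun JRE versions for the side-by-side exposure
described in the thread (added example; constructed inputs, not real data)."""
import re

# Minimum patched update per JRE family, as stated in the thread: JRE 5
# needs update 12 (updates 10 and earlier are vulnerable; the thread is
# unsure about 11, so anything below 12 is treated conservatively as
# vulnerable) and JRE 6 needs update 1. Families not listed (e.g. JRE 4)
# get an "unknown" verdict rather than a guess. Assumed from the thread.
MIN_PATCHED_UPDATE = {5: 12, 6: 1}

# Matches "1.5.0_12", "1.6.0" and the underscore form used in installer
# file names such as "jre-1_5_0_12-windows-i586-p-s.exe".
_VERSION_RE = re.compile(r"1[._](\d+)[._](\d+)(?:_(\d+))?")


def parse_version(text):
    """Return (family, update) from a version string or installer file name.

    The family is the second component (the "5" in 1.5.0_12); the update is
    the number after the underscore, defaulting to 0 when it is absent
    (a bare "1.6.0" is the unpatched JRE 6 from the thread's snafu).
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no JRE version found in %r" % text)
    family = int(m.group(1))
    update = int(m.group(3)) if m.group(3) else 0
    return family, update


def classify(version):
    """Classify one installed version as 'patched', 'vulnerable' or 'unknown'."""
    family, update = parse_version(version)
    needed = MIN_PATCHED_UPDATE.get(family)
    if needed is None:
        return "unknown"
    return "patched" if update >= needed else "vulnerable"


def audit(installed):
    """Return (exposed, verdicts) for a list of installed version strings.

    Because each installer leaves earlier versions in place and an applet may
    request a specific (older) runtime, the machine counts as exposed when any
    installed version is vulnerable, no matter how current the newest one is.
    """
    verdicts = {v: classify(v) for v in installed}
    exposed = any(status == "vulnerable" for status in verdicts.values())
    return exposed, verdicts


if __name__ == "__main__":
    # Constructed samples: the thread's snafu (JRE 6 update 0 installed next
    # to a patched JRE 5 update 12) and the JRE 5 installer file name alone.
    for versions in (["1.6.0", "1.5.0_12"],
                     ["jre-1_5_0_12-windows-i586-p-s.exe"]):
        exposed, verdicts = audit(versions)
        print("exposed" if exposed else "clean", verdicts)
```

Running it on the snafu list reports the machine as exposed even though JRE 5 update 12 is present, which is the point the thread makes about uninstalling old versions: the patched install next to the unpatched one does not protect you.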

Judy G. Russell
June 11th, 2007, 07:54 AM
It may not be too long before this becomes true for Windows XP.

There is a very large currently installed base of XP, many of whom don't intend to "upgrade" to Vista any time soon. So I suspect that finding things for XP will be just dandy for quite some time. But 98? That's ancient in computer terms.

Lindsey
June 11th, 2007, 10:16 PM
There is a very large currently installed base of XP, many of whom don't intend to "upgrade" to Vista any time soon. So I suspect that finding things for XP will be just dandy for quite some time. But 98? That's ancient in computer terms.

Yeah; this is exactly what it means when a vendor says that a particular version of the software is "no longer supported." Doesn't mean it stops working, it just means that any future upgrades will not include that version, and that they don't guarantee that it will work with new devices, new applications, or application upgrades.

--Lindsey

ndebord
June 12th, 2007, 01:37 AM
For anybody else who might read this thread, JRE 5 does run on Win 98. Updates 10 and earlier of JRE 5 are susceptible to the vulnerability.

Apparently Nick might have had update 11 downloaded at some point in the past? Update 12 of JRE 5 is the latest and at least update 12 of JRE 5 is supposed to be patched.

DH

David,

I've given up for now. Using K-Meleon with its privacy toolbar, I commonly surf with Java and Javascript disabled except for often visited sites that require it (Yahoo Email comes to mind) and with FireFox I use PrefBar which provides an almost identical capability.

It is not good to not have the option of running Java, but I'll live with it for now on this very ancient laptop. Sooooon, I will have to update and perhaps I will dual boot with W98se and XP. We'll see.

Judy G. Russell
June 12th, 2007, 04:25 PM
Sooooon, I will have to update and perhaps I will dual boot with W98se and XP.

Why in the world would you want to do that? I can see dual booting OS-X or Unix, but W98???

Judy G. Russell
June 12th, 2007, 04:27 PM
Yeah; this is exactly what it means when a vendor says that a particular version of the software is "no longer supported." Doesn't mean it stops working, it just means that any future upgrades will not include that version, and that they don't guarantee that it will work with new devices, new applications, or application upgrades.

What annoys me is that with Quicken (a program I've used for almost as long as I've used computers), it often does mean it stops working with my bank! I appreciate the security upgrades, but...!

jdh
June 12th, 2007, 06:07 PM
Why in the world would you want to do that? I can see dual booting OS-X or Unix, but W98???

I used to have Win 95, OS/2 Warp 3, and NT 4 server on my old PC. I took out OS/2 and still have 95 and NT left. I sure as heck don't want to reinstall all the software that's on it (unless a disk crash forces me to). However, since I don't do a lot of multitasking and so don't need to have all apps available all the time, I'm thinking of uninstalling Firefox 1.5 on it under Win 95 and reinstalling Firefox 1.5 or 2.0 under Win NT 4 SP 6a, since I suspect that memory management and disk swapping under Win 95 is crap and Firefox would probably run better under Win NT 4 and still keep RAM at 64Mb.

Sincerely,

Anecdotes from the Trailing Edge

Lindsey
June 12th, 2007, 11:07 PM
What annoys me is that with Quicken (a program I've used for almost as long as I've used computers), it often does mean it stops working with my bank! I appreciate the security upgrades, but...!
I don't do online banking, so . . .

--Lindsey

Judy G. Russell
June 13th, 2007, 08:50 AM
I used to have Win 95, OS/2 Warp 3, and NT 4 server on my old PC. I took out OS/2 and still have 95 and NT left. I sure as heck don't want to reinstall all the software that's on it (unless a disk crash forces me to).

But Nick is talking about having to upgrade, presumably to a new machine. Why would you (or he) install 95 (or 98) on a new machine?

Judy G. Russell
June 13th, 2007, 08:51 AM
I don't do online banking, so . . .

It took me awhile to trust it enough, but I now find it so incredibly convenient...