NICK ADSL UK

Sun plugs five Java holes

Sun Microsystems has fixed five security bugs in Java that expose computers running Linux, Solaris and Windows to hacker attack.

The flaws are "highly critical", according to an advisory from Secunia posted on Tuesday. Vulnerabilities which get that ranking - one notch below "extremely critical", the security monitoring company's most severe rating - typically open the door to a remote intruder and to full compromise of the system.

All the flaws affect the Java Runtime Environment, or JRE, in computers loaded with Linux, Microsoft Windows or Sun's own Solaris operating system. This is the software many computer owners have on their system to run Java applications. The bugs could allow an intruder to use a Java application to inappropriately read and write files, or to run code on a victim's computer, Sun said in three separate security advisories released late on Monday.

The vulnerabilities also affect specific versions of the Sun Java Software Development Kit (SDK) and Java Development Kit (JDK), according to those advisories.

The French Security Incident Response Team, or FrSIRT, rated the issues "critical" in an alert posted on Tuesday.

There have been no reported cases of the flaws being exploited by hackers, Sun said in a statement.

Three of the bugs lie in application programming interface parts of the Java Runtime Environment (JRE). Another vulnerability lies in the Java Management Extensions implementation in the software. The fifth flaw is in an unspecified part of the JRE.

Sun is urging people to install updated software to protect their systems. It has released updates to address the issues, including JDK and JRE 5.0 Update 4, which was actually delivered on 23 June. A newer version, Update 5, was issued in September but Sun would not say if additional security problems were fixed in that release. The software can be downloaded from the Sun Java website.
»software.silicon.com/sec ··· 2,00.htm

jbob

You know, I read this yesterday and was wondering whether these are new flaws that were patched. But then the article mentions that update 5 was released in Sept. Hell, that was 2 months ago.

Seems this news release is a bit dated now. I guess the idea is to get people to patch who are still using older versions! DUH!

Px to NICK ADSL UK

Thanks, I use JRE for a few apps and would prefer not to be infected.

fatdcuk to NICK ADSL UK

That's so kind of them.

Can we say thanks for the recent spate of *cough* "Vundo/Winfix/Virtumondo" infections in the same breath? :(

Edit Spelling correction

CalamityJane to NICK ADSL UK

Sun is urging people to install updated software to protect their systems. It has released updates to address the issues, including JDK and JRE 5.0 Update 4, which was actually delivered on 23 June. A newer version, Update 5, was issued in September but Sun would not say if additional security problems were fixed in that release. The software can be downloaded from the Sun Java website.
»software.silicon.com/sec ··· 2,00.htm
The problem is that the update does NOT remove older vulnerable versions of Sun Java that can be exploited.
See here:
»Potential Vulnerability with Sun Java auto update

Once again they have neglected to instruct folks to remove the older vulnerable versions. So please remember after updating to look in the Control Panel under Add/Remove programs and remove older versions! Leaving them on your system leaves you vulnerable!! Can I just say this often enough?

jbob to NICK ADSL UK

WTH!!! And to top this update off I see now they released update 6 today. Why didn't they mention that in this news release? Surely someone had to know it was coming out soon, very soon!

iam x to NICK ADSL UK

CJ, sorry for being a dork, but is it ok if I first get the automatic installation of version 5.0_6 and when it is installed then uninstall the previous 5.0_5 version?

thanks.

ZZZZZZZ

said by iam x:

CJ, sorry for being a dork, but is it ok if I first get the automatic installation of version 5.0_6 and when it is installed then uninstall the previous 5.0_5 version?

thanks.
--------------------------

No, uninstall all your old versions first from the add-remove in the control panel!

Reboot and then install the new update!

CalamityJane to iam x

said by iam x:

but is it ok if I first get the automatic installation of version 5.0_6 and when it is installed then uninstall the previous 5.0_5 version?

That's the way I do it. I don't think it matters as long as you remove the older versions at some point.

Fox245

I installed the latest version and after that killed the old version..everything works fine..so I guess it does not matter WHEN you delete the old one..but as CJ says : "don't forget to delete it"

Jake

hpb21 to NICK ADSL UK

I have these installed in add/remove programs:

J2SE Runtime Environment 5.0 Update 1

J2SE Runtime Environment 5.0 Update 5

J2SE Runtime Environment 5.0 Update 6

Should I delete any of these? Thanx.

NICK ADSL UK

J2SE Runtime Environment 5.0 Update 1

J2SE Runtime Environment 5.0 Update 5
Can be removed with no problem
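
Added example, not part of any post in this thread: a small Python check that takes the program names shown in Add/Remove Programs and lists the JRE entries left behind by newer updates, which is the manual cleanup discussed above. The sample list is constructed from the entries quoted in the thread; treating a name with no "Update N" suffix as the base release is an assumption. It only flags leftovers and does not say whether the newest installed update is itself patched.

```python
import re
from collections import defaultdict

# Naming as listed in the thread, e.g. "J2SE Runtime Environment 5.0 Update 6".
# Assumption: an entry with no "Update N" suffix is the base release (update 0).
JRE_NAME = re.compile(
    r"^J2SE Runtime Environment (?P<family>\d+(?:\.\d+)*)(?: Update (?P<update>\d+))?$"
)

# Constructed sample: the three entries quoted in the thread plus an unrelated program.
INSTALLED = [
    "J2SE Runtime Environment 5.0 Update 1",
    "J2SE Runtime Environment 5.0 Update 5",
    "J2SE Runtime Environment 5.0 Update 6",
    "Example Text Editor 2.1",
]


def stale_jre_entries(display_names):
    """Return JRE entries older than the newest update installed in the same
    release family, in the order they were listed."""
    parsed = []  # (family, update number, display name)
    newest = defaultdict(int)
    for raw in display_names:
        name = raw.strip()
        m = JRE_NAME.match(name)
        if not m:
            continue  # not a JRE entry in this naming scheme
        family, update = m.group("family"), int(m.group("update") or 0)
        parsed.append((family, update, name))
        # Compare numerically: as strings, "Update 10" would sort below "Update 6".
        newest[family] = max(newest[family], update)
    return [name for family, update, name in parsed if update < newest[family]]


if __name__ == "__main__":
    for entry in stale_jre_entries(INSTALLED):
        print("remove:", entry)
```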

hpb21 to NICK ADSL UK

Thanx Nick.

bobince to NICK ADSL UK

I give up. Three strikes*, Sun, you're out.

(* technically - many, many more strikes than that.)

The Sun VM has proved just as dangerous as the Microsoft VM was, and Sun's incredibly poor automatic update strategy not only means more and more disc space and bandwidth are lost, but also that the machines are still vulnerable even after updating.

Java is not something I can install on a friend's machine and just leave it: it requires constant hand-holding. And the benefits of client-side Java are getting vanishingly small. I won't be installing it on any desktop machine any longer, even if Sun ever get around to fixing their idiotic mistakes.