Security Vulnerabilities in Sun JRE may Allow an Untrusted Applet to Elevate its Privileges

http://sunsolve.sun.com/search/docum...=1-26-102171-1

"Note: It is recommended that affected versions be removed from your system. For more
information, please see the installation notes on the respective java.sun.com download
pages."

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

David H. Lipman

"David H. Lipman" wrote:

> http://sunsolve.sun.com/search/docum...=1-26-102171-1
>
> "Note: It is recommended that affected versions be removed from
> your system.

Well, which version is NOT affected?

I see that all these cases, that version 1.3.x is not affected.
Should I revert to that version?

How secure is version 1.5.0_05-b05 ?

Virus Guy

From: "Virus Guy" <>

| "David H. Lipman" wrote:
|
>> http://sunsolve.sun.com/search/docum...=1-26-102171-1
>>
>> "Note: It is recommended that affected versions be removed from
>> your system.
|
| Well, which version is NOT affected?
|
| I see that all these cases, that version 1.3.x is not affected.
| Should I revert to that version?
|
| How secure is version 1.5.0_05-b05 ?

Update to and use JRE 5 update 6.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

David H. Lipman

Hi Virus Guy - I would strongly recommend against using ANY version prior to
1.5.0_05-b06. Contrary to the Sun Bulletin, a group of MVP's that have been
working on this issue for several months now have come to stongly suspect
that 1.3.x versions contain an exploit that is being utilized by
Winfixer/Vundo and have been recommending against the use of any earlier
version to include specifically the uninstalling of ALL prior versions. See
here: http://www.frsirt.com/english/advisories/2006/0467 and my Blog.


--
Regards, Jim Byrd, MS-MVP/DTS/AH-VSOP
My Blog, Defending Your Machine, here:
http://DefendingYourMachine.blogspot.com/



"Virus Guy" <> wrote in message news:
> "David H. Lipman" wrote:
>
>> http://sunsolve.sun.com/search/docum...=1-26-102171-1
>>
>> "Note: It is recommended that affected versions be removed from
>> your system.
>
> Well, which version is NOT affected?
>
> I see that all these cases, that version 1.3.x is not affected.
> Should I revert to that version?
>
> How secure is version 1.5.0_05-b05 ?

Jim Byrd

On Thu, 09 Feb 2006 01:37:05 GMT, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>From: "Virus Guy" <>
>
>| "David H. Lipman" wrote:
>|
>>> http://sunsolve.sun.com/search/docum...=1-26-102171-1
>>>
>>> "Note: It is recommended that affected versions be removed from
>>> your system.
>|
>| Well, which version is NOT affected?
>|
>| I see that all these cases, that version 1.3.x is not affected.
>| Should I revert to that version?
>|
>| How secure is version 1.5.0_05-b05 ?
>
>Update to and use JRE 5 update 6.

And remove all of the other versions from your system.

shawn

On Thu, 09 Feb 2006 05:45:01 -0500, shawn <>
wrote:

>On Thu, 09 Feb 2006 01:37:05 GMT, "David H. Lipman"
><DLipman~nospam~@Verizon.Net> wrote:
>
>>From: "Virus Guy" <>
>>
>>| "David H. Lipman" wrote:
>>|
>>>> http://sunsolve.sun.com/search/docum...=1-26-102171-1
>>>>
>>>> "Note: It is recommended that affected versions be removed from
>>>> your system.
>>|
>>| Well, which version is NOT affected?
>>|
>>| I see that all these cases, that version 1.3.x is not affected.
>>| Should I revert to that version?
>>|
>>| How secure is version 1.5.0_05-b05 ?
>>
>>Update to and use JRE 5 update 6.
>


Did that and removed all other version shown on Ad/remove programs.

However there is still a picture of "Java(TM) Control Panel" showing
on control panel. Its version seems to be 1.5.0 (build 1.5.0._06-b05
and its update info shows Dec 2005.

What is that and why does it not show any update info??

SK

Art wrote:

> I wonder why security conscious users have Java installed at all.
> I dropped it long ago and have never missed it. I know that some
> financial institutions require it

I'm running version 1.5.0_05-b05 and ever since I installed that
version (or perhaps a version or two before it) some page components
(presumably java graphics elements) have the annoying habbit of being
rendered/displayed in other windows that have the current focus (such
as word, excel, etc).

For example, on this page:

http:/www.forexdirectory.net/cad.html

The currency matrix above the chart is frequently drawn on-top of
portions of the screen where it shouldn't be (sometimes even on the
desktop). I don't know what that page would look like without Java...

Virus Guy

Hi Virus Guy - FWIW, that page renders correctly on my machine using IE6SP1
and 1.5.0_05-b06.

--
Regards, Jim Byrd, MS-MVP/DTS/AH-VSOP
My Blog, Defending Your Machine, here:
http://DefendingYourMachine.blogspot.com/



"Virus Guy" <> wrote in message news:
> Art wrote:
>
>> I wonder why security conscious users have Java installed at all.
>> I dropped it long ago and have never missed it. I know that some
>> financial institutions require it
>
> I'm running version 1.5.0_05-b05 and ever since I installed that
> version (or perhaps a version or two before it) some page components
> (presumably java graphics elements) have the annoying habbit of being
> rendered/displayed in other windows that have the current focus (such
> as word, excel, etc).
>
> For example, on this page:
>
> http:/www.forexdirectory.net/cad.html
>
> The currency matrix above the chart is frequently drawn on-top of
> portions of the screen where it shouldn't be (sometimes even on the
> desktop). I don't know what that page would look like without Java...

Jim Byrd

On that special day, Virus Guy, () said...

> http:/www.forexdirectory.net/cad.html
>
> The currency matrix above the chart is frequently drawn on-top of
> portions of the screen where it shouldn't be (sometimes even on the
> desktop). I don't know what that page would look like without Java...

rather empty. At least, if I refuse to let all these advertisment
cookies to be placed on my machine.


Gabriele Neukam




--
Ah, Information. A property, too valuable these days, to give it away,
just so, at no cost.

Gabriele Neukam

> However there is still a picture of "Java(TM) Control Panel" showing
> on control panel. Its version seems to be 1.5.0 (build 1.5.0._06-b05
> and its update info shows Dec 2005.

I had that. But on rebooting it was gone.

Stephen Howe

Stephen Howe