Security Vulnerabilities in Sun JRE may Allow an Untrusted Applet to Elevate its Privileges

Discussion in 'Computer Security' started by David H. Lipman, Feb 8, 2006.

  1. David H. Lipman, Feb 8, 2006
    #1

  2. David H. Lipman

    Virus Guy Guest

    Re: Security Vulnerabilities in Sun JRE may Allow an Untrusted Applet to Elevate its Privileges

    "David H. Lipman" wrote:

    > http://sunsolve.sun.com/search/document.do?assetkey=1-26-102171-1
    >
    > "Note: It is recommended that affected versions be removed from
    > your system.


    Well, which version is NOT affected?

    I see that in all these cases, version 1.3.x is not affected.
    Should I revert to that version?

    How secure is version 1.5.0_05-b05 ?
     
    Virus Guy, Feb 9, 2006
    #2

  3. Re: Security Vulnerabilities in Sun JRE may Allow an Untrusted Applet to Elevate its Privileges

    From: "Virus Guy" <>

    | "David H. Lipman" wrote:
    |
    >> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102171-1
    >>
    >> "Note: It is recommended that affected versions be removed from
    >> your system.

    |
    | Well, which version is NOT affected?
    |
    | I see that all these cases, that version 1.3.x is not affected.
    | Should I revert to that version?
    |
    | How secure is version 1.5.0_05-b05 ?

    Update to and use JRE 5 update 6.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, Feb 9, 2006
    #3
  4. David H. Lipman

    Jim Byrd Guest

    Re: Security Vulnerabilities in Sun JRE may Allow an Untrusted Applet to Elevate its Privileges

    Hi Virus Guy - I would strongly recommend against using ANY version prior to
    1.5.0_05-b06. Contrary to the Sun Bulletin, a group of MVP's that have been
    working on this issue for several months now have come to strongly suspect
    that 1.3.x versions contain an exploit that is being utilized by
    Winfixer/Vundo and have been recommending against the use of any earlier
    version to include specifically the uninstalling of ALL prior versions. See
    here: http://www.frsirt.com/english/advisories/2006/0467 and my Blog.


    --
    Regards, Jim Byrd, MS-MVP/DTS/AH-VSOP
    My Blog, Defending Your Machine, here:
    http://DefendingYourMachine.blogspot.com/



    "Virus Guy" <> wrote in message news:
    > "David H. Lipman" wrote:
    >
    >> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102171-1
    >>
    >> "Note: It is recommended that affected versions be removed from
    >> your system.

    >
    > Well, which version is NOT affected?
    >
    > I see that all these cases, that version 1.3.x is not affected.
    > Should I revert to that version?
    >
    > How secure is version 1.5.0_05-b05 ?
     
    Jim Byrd, Feb 9, 2006
    #4
  5. David H. Lipman

    shawn Guest

    Re: Security Vulnerabilities in Sun JRE may Allow an Untrusted Applet to Elevate its Privileges

    On Thu, 09 Feb 2006 01:37:05 GMT, "David H. Lipman"
    <DLipman~nospam~@Verizon.Net> wrote:

    >From: "Virus Guy" <>
    >
    >| "David H. Lipman" wrote:
    >|
    >>> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102171-1
    >>>
    >>> "Note: It is recommended that affected versions be removed from
    >>> your system.

    >|
    >| Well, which version is NOT affected?
    >|
    >| I see that all these cases, that version 1.3.x is not affected.
    >| Should I revert to that version?
    >|
    >| How secure is version 1.5.0_05-b05 ?
    >
    >Update to and use JRE 5 update 6.


    And remove all of the other versions from your system.
     
    shawn, Feb 9, 2006
    #5
  6. David H. Lipman

    SK Guest

    Re: Security Vulnerabilities in Sun JRE may Allow an Untrusted Applet to Elevate its Privileges

    On Thu, 09 Feb 2006 05:45:01 -0500, shawn <>
    wrote:

    >On Thu, 09 Feb 2006 01:37:05 GMT, "David H. Lipman"
    ><DLipman~nospam~@Verizon.Net> wrote:
    >
    >>From: "Virus Guy" <>
    >>
    >>| "David H. Lipman" wrote:
    >>|
    >>>> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102171-1
    >>>>
    >>>> "Note: It is recommended that affected versions be removed from
    >>>> your system.

    >>|
    >>| Well, which version is NOT affected?
    >>|
    >>| I see that all these cases, that version 1.3.x is not affected.
    >>| Should I revert to that version?
    >>|
    >>| How secure is version 1.5.0_05-b05 ?
    >>
    >>Update to and use JRE 5 update 6.

    >



    Did that and removed all other versions shown in Add/Remove Programs.

    However there is still a picture of "Java(TM) Control Panel" showing
    on control panel. Its version seems to be 1.5.0 (build 1.5.0._06-b05
    and its update info shows Dec 2005.

    What is that and why does it not show any update info??
     
    SK, Feb 9, 2006
    #6
  7. David H. Lipman

    Virus Guy Guest

    Re: Security Vulnerabilities in Sun JRE may Allow an Untrusted Applet to Elevate its Privileges

    Art wrote:

    > I wonder why security conscious users have Java installed at all.
    > I dropped it long ago and have never missed it. I know that some
    > financial institutions require it


    I'm running version 1.5.0_05-b05 and ever since I installed that
    version (or perhaps a version or two before it) some page components
    (presumably java graphics elements) have the annoying habit of being
    rendered/displayed in other windows that have the current focus (such
    as word, excel, etc).

    For example, on this page:

    http:/www.forexdirectory.net/cad.html

    The currency matrix above the chart is frequently drawn on-top of
    portions of the screen where it shouldn't be (sometimes even on the
    desktop). I don't know what that page would look like without Java...
     
    Virus Guy, Feb 9, 2006
    #7
  8. David H. Lipman

    Jim Byrd Guest

    Re: Security Vulnerabilities in Sun JRE may Allow an Untrusted Applet to Elevate its Privileges

    Hi Virus Guy - FWIW, that page renders correctly on my machine using IE6SP1
    and 1.5.0_05-b06.

    --
    Regards, Jim Byrd, MS-MVP/DTS/AH-VSOP
    My Blog, Defending Your Machine, here:
    http://DefendingYourMachine.blogspot.com/



    "Virus Guy" <> wrote in message news:
    > Art wrote:
    >
    >> I wonder why security conscious users have Java installed at all.
    >> I dropped it long ago and have never missed it. I know that some
    >> financial institutions require it

    >
    > I'm running version 1.5.0_05-b05 and ever since I installed that
    > version (or perhaps a version or two before it) some page components
    > (presumably java graphics elements) have the annoying habit of being
    > rendered/displayed in other windows that have the current focus (such
    > as word, excel, etc).
    >
    > For example, on this page:
    >
    > http:/www.forexdirectory.net/cad.html
    >
    > The currency matrix above the chart is frequently drawn on-top of
    > portions of the screen where it shouldn't be (sometimes even on the
    > desktop). I don't know what that page would look like without Java...
     
    Jim Byrd, Feb 9, 2006
    #8
  9. Re: Security Vulnerabilities in Sun JRE may Allow an Untrusted Applet to Elevate its Privileges

    On that special day, Virus Guy, () said...

    > http:/www.forexdirectory.net/cad.html
    >
    > The currency matrix above the chart is frequently drawn on-top of
    > portions of the screen where it shouldn't be (sometimes even on the
    > desktop). I don't know what that page would look like without Java...


    rather empty. At least, if I refuse to let all these advertisement
    cookies to be placed on my machine.


    Gabriele Neukam




    --
    Ah, Information. A property, too valuable these days, to give it away,
    just so, at no cost.
     
    Gabriele Neukam, Feb 9, 2006
    #9
  10. David H. Lipman

    Stephen Howe Guest

    Re: Security Vulnerabilities in Sun JRE may Allow an Untrusted Applet to Elevate its Privileges

    > However there is still a picture of "Java(TM) Control Panel" showing
    > on control panel. Its version seems to be 1.5.0 (build 1.5.0._06-b05
    > and its update info shows Dec 2005.


    I had that. But on rebooting it was gone.

    Stephen Howe
     
    Stephen Howe, Feb 10, 2006
    #10
  11. David H. Lipman

    Stephen Howe Guest

    > "Note: It is recommended that affected versions be removed from your
    > system. For more
    > information, please see the installation notes on the respective
    > java.sun.com download
    > pages."


    How many wretched versions of Java are there?

    I see

    J2EE 1.4 SDK
    JDK 5.0 Update 6 with NetBeans 5.0
    JDK 5.0 Update 6 with NetBeans 4.1
    JDK 5.0 Update 6
    JRE 5.0 Update 6

    very confusing. I think it is the last that I want.

    Yet I already have
    jre-1_5_0_06-windows-i586-p.exe
    downloaded which claims
    J2SE Runtime Environment 5.0 Update 6 inside

    I think I have just uninstalled the latest.

    Yet elsewhere on the Internet I see "b09" suffix (I assume build 9).

    Stephen Howe
     
    Stephen Howe, Feb 10, 2006
    #11
  12. From: "Stephen Howe" <sjhoweATdialDOTpipexDOTcom>

    >> "Note: It is recommended that affected versions be removed from your
    >> system. For more
    >> information, please see the installation notes on the respective
    >> java.sun.com download
    >> pages."

    |
    | How many wretched versions of Java are there?
    |
    | I see
    |
    | J2EE 1.4 SDK
    | JDK 5.0 Update 6 with NetBeans 5.0
    | JDK 5.0 Update 6 with NetBeans 4.1
    | JDK 5.0 Update 6
    | JRE 5.0 Update 6
    |
    | very confusing. I think it is the last that I want.
    |
    | Yet I already have
    | jre-1_5_0_06-windows-i586-p.exe
    | downloaded which claims
    | J2SE Runtime Environment 5.0 Update 6 inside
    |
    | I think I have just uninstalled the latest.
    |
    | Yet elsewhere on the Internet I see "b09" suffix (I assume build 9).
    |
    | Stephen Howe
    |

    From what I see the current version is JRE 5 Update 6.

    http://www.java.com/en/download/manual.jsp

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, Feb 10, 2006
    #12
  13. David H. Lipman

    Mr. Uh Clem Guest

    Re: Security Vulnerabilities in Sun JRE may Allow an Untrusted Applet to Elevate its Privileges

    shawn wrote:
    > On Thu, 09 Feb 2006 01:37:05 GMT, "David H. Lipman"
    > <DLipman~nospam~@Verizon.Net> wrote:


    ....
    >>
    >> Update to and use JRE 5 update 6.

    >
    > And remove all of the other versions from your system.
    >


    I'm aware of some software packages written in Java which
    come packaged with a JRE (not sure which release, but I'm
    sure it is older) to run on Windows. The JRE is only used
    with that application and the application is a dedicated
    client, used with only a specific server app on dedicated
    hosts the customers own. The reason for including a
    dedicated JRE is that successive JRE releases were breaking
    things.

    Q: Is this exploitable, given it is not being used for
    general web browsing??

    --
    Clem
    "If you push something hard enough, it will fall over."
    - Fudd's first law of opposition
     
    Mr. Uh Clem, Feb 11, 2006
    #13
  14. Re: Security Vulnerabilities in Sun JRE may Allow an Untrusted Applet to Elevate its Privileges

    From: "Mr. Uh Clem" <>

    | shawn wrote:
    >> On Thu, 09 Feb 2006 01:37:05 GMT, "David H. Lipman"
    >> <DLipman~nospam~@Verizon.Net> wrote:

    |
    | ...
    >>>
    >>> Update to and use JRE 5 update 6.

    >>
    >> And remove all of the other versions from your system.
    >>

    | I'm aware of some software packages written in Java which
    | come packaged with a JRE (not sure which release, but I'm
    | sure it is older) to run on Windows. The JRE is only used
    | with that application and the application is a dedicated
    | client, used with only a specific server app on dedicated
    | hosts the customers own. The reason for including a
    | dedicated JRE is that successive JRE releases were breaking
    | things.
    |
    | Q: Is this exploitable, given it is not being used for
    | general web browsing??
    |

    That's a good question. I too have used specific Java apps that come with Java embedded
    within the application.

    I think it would be best to contact the vendor of that software application and point to the
    Sun Java bulletin.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, Feb 11, 2006
    #14