Wednesday, August 23, 2006

Java Update

Those of us in the security community will be enjoying our "Java" just a bit more these days. It isn't that the vulnerability issue with prior versions of Java no longer exists. Rather, it is that Sun Java has finally acknowledged the problem.

For a bit of history, Microsoft MVP CalamityJane detailed at Broadband Reports that fellow Microsoft MVP Steve Wechsler wrote to Sun about this issue in February, 2005:
Fellow MS MVP Steve Wechsler (aka MowGreen) wrote to Sun Microsystems (makers of Sun Java) to express the concerns raised in the Security Community that autoupdaters of Sun Java do not uninstall previous (vulnerable) versions of the program. He asked for clarification that if a User utilizes the automatic update mechanism of the JRE the previous vulnerable version is left on the system, and that those previous vulnerable versions can still be called by malware. The folks at Sun Microsystems wrote back confirming this is true and they would be investigating updating the java.com pages and the auto update uninstallation issue.
I wonder how many thousands of computers have been needlessly infected merely because there was no warning to uninstall prior versions of this software for 18 months after Sun Microsystems acknowledged the problem. Coincidentally, after seeing that there was still a lot of confusion in both updating and knowing what Java components to remove, I provided instructions just the other day in Java.

Below is a partial copy of Sun Alert ID 102557. Please keep in mind that this is merely an acknowledgement of the problem. It is still necessary to follow the instructions to remove prior versions of Java to avoid the Winfixer/Vundo/Virtumundo infection.

Java Plug-in and Java Web Start May Allow Applets and Applications to Run With Unpatched JRE
1. Impact

The Java Plug-in and Java Web Start both allow applets and applications to specify the version of the Java Runtime Environment (JRE) to run with. However, the versions of Java Web Start and the Java Plug-in listed in Section 2 below may allow applets or applications to run with a specified version of the JRE that does not have the latest security fixes.
2. Contributing Factors

This issue can occur in the following releases (for Solaris, Linux and Windows platforms):

* Java Plug-in included with J2SE 5.0 Update 5 and earlier, 1.4.x, 1.3.1, and 1.3.0_02 and later
* Java Web Start included with J2SE 5.0 Update 5 and earlier, and 1.4.2
* Java Web Start 1.2, 1.0.2, 1.0.1, and 1.0

{snip}
Java Web Start:

* Java Web Start 5.0 Update 6 and later for Windows, Solaris, and Linux

Note: Prior to 5.0 Update 6, an application could specify the version of the JRE on which it would run. With 5.0 Update 6 and later installed, unsigned Java Web Start applications that specify a version other than the latest installed will trigger a warning, requiring explicit user permission before the application will run. Signed Java Web Start applications are not affected.

{snip}

Note: It is recommended that affected versions be removed from your system. For more information, see the installation notes on the respective java.sun.com download pages.
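The behaviour the alert describes, an application requesting a particular JRE while older and newer ones sit side by side, as an added Python example that is not from Sun or this blog. The installed version list, the JNLP file and the simplified version-id matching are constructed assumptions, not Java Web Start's real resolver:

```python
"""Check whether a JNLP file would pull in an outdated JRE that is still installed."""
import xml.etree.ElementTree as ET

# Constructed sample: JRE versions an auto-updater might leave side by side.
INSTALLED_JRES = ["1.4.2_08", "1.5.0_05", "1.5.0_06"]

# Constructed sample JNLP that pins the application to the 1.4.2 JRE.
SAMPLE_JNLP = """<jnlp spec="1.0+" codebase="http://example.invalid/app" href="app.jnlp">
  <information><title>Demo</title><vendor>Demo</vendor></information>
  <resources>
    <j2se version="1.4.2"/>
    <jar href="app.jar"/>
  </resources>
  <application-desc main-class="demo.Main"/>
</jnlp>"""

def parse_version(v):
    """'1.5.0_06' -> (1, 5, 0, 6); the update suffix becomes one more component."""
    return tuple(int(p) for p in v.replace("_", ".").split("."))

def version_matches(version_id, installed):
    """Simplified JNLP version-id matching (an assumption, not Web Start's resolver):
    '1.4+' means 1.4 or later, '1.4*' and a bare '1.4.2' are prefix matches."""
    if version_id.endswith("+"):
        return parse_version(installed) >= parse_version(version_id[:-1])
    wanted = parse_version(version_id.rstrip("*"))
    return parse_version(installed)[:len(wanted)] == wanted

def select_jre(jnlp_text, installed=INSTALLED_JRES):
    """Pick the JRE a <j2se version="..."> request would resolve to and flag a downgrade."""
    newest = max(installed, key=parse_version)
    root = ET.fromstring(jnlp_text)
    for j2se in root.iter("j2se"):
        # A version attribute is a space-separated list, tried in order.
        for version_id in j2se.get("version", "").split():
            candidates = [v for v in installed if version_matches(version_id, v)]
            if candidates:
                chosen = max(candidates, key=parse_version)
                return {"requested": version_id, "chosen": chosen, "newest": newest,
                        "downgrade": parse_version(chosen) < parse_version(newest)}
    return None  # no installed JRE satisfies the request

if __name__ == "__main__":
    result = select_jre(SAMPLE_JNLP)
    print(result)
    if result and result["downgrade"]:
        print("WARNING: would run with %s although %s is installed" % (result["chosen"], result["newest"]))
```

A "downgrade" result is exactly the case the alert's 5.0 Update 6 warning covers, and the reason the leftover JRE should be uninstalled rather than merely superseded.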
