a lot of J2SE Runtime Enviroment version??

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I just updated my J2SE Runtime Enviroment to version 1.5.0_06-b05. Is it ok
to uninstall the older version?

I have the following older version J2SE Runtime Enviroment installed:
1.4.1_02
1.4.2_07
1.5.0_04
1.5.0_06
 
balem said:
I just updated my J2SE Runtime Enviroment to version 1.5.0_06-b05. Is it ok
to uninstall the older version?
Click to expand...

You want J2SE Runtime Environment 5.0 Update 6.
Here: http://java.com/en/download/index.jsp
I have the following older version J2SE Runtime Enviroment installed:
1.4.1_02
1.4.2_07
1.5.0_04
1.5.0_06
Click to expand...
Delete the above older builds from Add/Remove Programs as they pose an exploit
threat.

Randy

--
siljaline

MS - MVP Windows (IE/OE) & Security, AH-VSOP
_________________________________________
Security Tools Updates
http://aumha.net/viewforum.php?f=31

Reply to group, as return address
is invalid that we may all benefit.
 
Hi Balem and Randy

This URL is also good to verify Java version.

http://www.java.com/en/download/installed.jsp

Question to Randy:

If a user looks around in different security forums a lot of
"experts" recommend to uninstall all Java versions before latest.

I have not seen any comments from Sun or Microsoft about this
issue.

What is right or wrong with this ?
We have seen some outbreaks with trojans probably using
Java "black holes" but no one can show any evidence about this.

So it´s strange that Sun don´t comment this ???

regards
plun
 
Randy, after seeing your response, I checked my Java console in Control
Panel. I verified I had auto-update selected. I verified my version as
Version 1.5.0 (build 1.5.0_06-b05), note this is the same as the OP. After
briefly wondering why my updater wasn't working, I went ahead and hit the
Update Now button. It told me I already had the latest. Can you explain what
I'm missing? Thanks.
Larry
 
Also, I went to the website plun suggested, and got this response.........

JAVA SOFTWARE for Your Computer
VERIFY YOUR JAVA SOFTWARE INSTALLATION

We detected your Java environment as follows;
Description Your Environment

Java Runtime Vendor: Sun Microsystems Inc.
Java Runtime Version 1.5.0_06


CONGRATULATIONS, you have the Latest version of Java!

I'm confused about your recommendation. Please explain. Thanks.
Larry
 
Hi Larry

Java is a mess and for you this is OK ;)

Randy wrote
"You want J2SE Runtime Environment 5.0 Update 6."

"Java Runtime Version 1.5.0_06" , it´s the same
as Randy recommend. J"2"SE is confusing.

regards
plun
 
plun said:
This URL is also good to verify Java version.

http://www.java.com/en/download/installed.jsp
Click to expand...

URL is great, use it all the time.
Question to Randy:

If a user looks around in different security forums a lot of
"experts" recommend to uninstall all Java versions before latest.
Click to expand...

You may do this before or after the latest update, I'm not sure if it makes
a difference which you perform first.
I have not seen any comments from Sun or Microsoft about this
issue.
Click to expand...

Sun Java is not a Microsoft product, as you know - therefore you won't
be seeing any articles that I know of.

Sun's latest statement on the issue:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102171-1

Randy

--
siljaline

MS - MVP Windows (IE/OE) & Security, AH-VSOP
_________________________________________
Security Tools Updates
http://aumha.net/viewforum.php?f=31

Reply to group, as return address
is invalid that we may all benefit.
 
Your default version is current, so that's good.

Now you need to go to add or remove programs, and see how many older
versions you still have in place, and remove them.

--
 
Hi Randy and Bill

Thanks for that URL !

About MS and comments I believe that it is
an important advisory also for MS to publish with
a reference to Sun.

The challenge is that Java uninstalls are so "damned" boring.

;)

regards
plun
 
plun said:
The challenge is that Java uninstalls are so "damned" boring.
Click to expand...
Tell me about it--I do them on a couple of dozen pc's regularly.

At least a full-blown Java install isn't boring. I blew Java completely
away at some point in the recent past, and really hadn't noticed that it was
gone until I was testing Sun's instructions for checking the current default
version in place and found that the command didn't exist on my system.

So--I went to Java.com and said Do It.

It was not until there was a brief flash of installshield dialog about the
Google Toolbar that I realized that I hadn't seen any checkbox to unchoose
that option on the install.

Fortunately it was easily found in add or remove programs, and I was able to
remove it even before the install had completed.

So at least there's a little thrill possible during the install operation!
 
Hi Bill

I don´t know any other way ;) and it is boring ;)

It must be possible to have a script that just disables
every earlier versions and then delete all belonging files.

What I also don´t understand is how earlier versions can be vulnerable
?

Just "dead" files and registry settings........... ????

regards
plun
 
Agreed--the uninstalling process is boring.

I don't know of any proof that if there is a vulnerability, it is being
exploited.

The evidence for the files constituting a vulnerability is in an email to
Steve Wechsler from a Sun employee. And (but only by inference) the
statement that they make at the end of every vulnerability advisory notice
that removing the vulnerable version is recommended (but only in the
advisory, and even there they don't tell you how to do it.)
--
 
Hi

Maybe Randy K can ask around about why earlier versions must
be uninstalled ?

regards
plun
 
plun said:
Hi

Maybe Randy K can ask around about why earlier versions must
be uninstalled ?
Click to expand...

Good thing I read all the threads that I subscribe to Plun!

My best information is that any Java prior to J2SE Runtime Environment 5.0
Update 6.0 should be uninstalled **after** successful download and installation
of the above update.

As Bill - Jim, etc - may have already stated, the prior builds are subject to
"Vundo"
"WinFixer" parasite infection - extremely tedious and difficult to remove.

This Sun document is the most current that I know of but am told that it is
incomplete.
<http://sunsolve.sun.com/search/document.do?assetkey=1-26-102171-1>

Randy

--
siljaline

MS - MVP Windows (IE/OE) & Security, AH-VSOP
_________________________________________
Security Tools Updates
http://aumha.net/viewforum.php?f=31

Reply to group, as return address
is invalid that we may all benefit.
 
Here's the email:
It starts with Steve's message quoted.
Steve's had no further contact from Sun.
----------------------------------------------------------------------------------

2/24/2005 4:01 AM

Hello Steve,

] Reading this Sun Alert ID: 57708
] http://sunsolve.sun.com/search/document.do?assetkey=1-26-57708-1

] It states :
]
] >Note: It is recommended that affected versions be removed from your
system.
] >For more information, please see the installation notes on the respective
] >java.sun.com download pages.

] Neither page that I went to from the link on java.sun.com download page
] state that previous vulnerable versions should be uninstalled :
]
] http://java.com/en/download/help/5000010200.xml
] http://java.com/en/download/help/5000010300.xml
]
] If a User utilizes the automatic update mechanism of the JRE the
] previous vulnerable version is left on the system.
] As I understand it, those previous vulnerable versions can still be
] called by malware. If this is not the case, please set me straight.


You are correct that the previous vulnerable versions can still be
called by malware. We forwarded your e-mail along to the Java group and
they let us know that they are currently investigating your suggestions
of updating the java.com pages and the auto update uninstallation issue
and appreciate the feedback. We will follow-up with any further updates.


Best regards,
Sun Security Coordination Team
(e-mail address removed)
 
Randy said:
As Bill - Jim, etc - may have already stated, the prior builds are subject to
"Vundo" "WinFixer" parasite infection - extremely tedious and difficult to
remove.
Click to expand...

Hi Randy

Well, as you probably knows I am a fan of Castlecops wiki and
I cannot say it´s difficult to remove.... ;)
(And some other MVP and ASAP pages)

So about earlier versions again, are all versions loaded in memory in a
Windows box or is it older applets causing this "Sandbox API bypass" ?

http://www.kb.cert.org/vuls/id/974188

I cannot understand how it works if a user has latest version installed
and also other older versions.

If it is dangerous Sun must include a uninstall function when a upgrade
is performed. IMHO.

regards
plun
 
plun said:
Hi Randy

Well, as you probably knows I am a fan of Castlecops wiki and
I cannot say it´s difficult to remove.... ;)
(And some other MVP and ASAP pages)

So about earlier versions again, are all versions loaded in memory in a Windows
box or is it older applets causing this "Sandbox API bypass" ?

http://www.kb.cert.org/vuls/id/974188

I cannot understand how it works if a user has latest version installed and also
other older versions.

If it is dangerous Sun must include a uninstall function when a upgrade
is performed. IMHO.
Click to expand...

Plun,
To be honest, I am not "behind the ball" with the Sun Java exploits.
MVP - Mow Green, is an active member and buddy of mine at AumHa Forums.
We invite you to join to discuss this.
http://aumha.net/profile.php?mode=register
Once you've received your confirmation email, perhaps we shall see you there?

Regards,

Randy

--
siljaline

MS - MVP Windows (IE/OE) & Security, AH-VSOP
_________________________________________
Security Tools Updates
http://aumha.net/viewforum.php?f=31

Reply to group, as return address
is invalid that we may all benefit.
 
Back
Top