Java flaws

Guest

http://msn-cnet.com.com/Java+flaws+open+door+to+hackers/2100-1002_3-5746913.html?part=msn-cnet&tag=feed_2501&subj=ns_5746913

It's time to update your old Java on Windows.
 
Steve Wechsler [MVP]

Java Web Start / Sun JRE Sandbox Security Bypass Vulnerability
http://secunia.com/advisories/15671/

" Description:
Two vulnerabilities have been reported in Java Web Start and Sun Java
Runtime Environment (JRE), which can be exploited by malicious people to
compromise a user's system.

1) An unspecified error may be exploited by a malicious, untrusted
application to execute arbitrary code.

The vulnerability affects Java Web Start included in J2SE releases 5.0
and 5.0 Update 1 for Windows, Solaris and Linux.

2) An unspecified error may be exploited by a malicious, untrusted
applet to execute arbitrary code.

The vulnerability affects J2SE releases 5.0 and 5.0 Update 1 for
Windows, Solaris and Linux, and J2SE 1.4.2_07 and prior 1.4.2 releases
for Windows, Solaris and Linux.

Solution:
Update to J2SE 5.0 Update 2 or 1.4.2_08 for Windows, Solaris, and Linux.
http://java.sun.com/j2se/1.5.0/download.jsp
http://java.sun.com/j2se/1.4.2/download.html "

Steve Wechsler (akaMowGreen)
MS-MVP 2004-2005
===============
*-343-* FDNY
Never Forgotten
===============
 
Bill Sanderson

And I haven't spotted these being offered by the autoupdate feature of Sun's
Java which I have turned on.

Been meaning to look into this all day--now's the time, I guess.
 
Bill Sanderson

OK - looks like I put that version up long ago. I do wish they were clearer
about their naming convention. Here's how it reads:

Version 1.5.0 (build 1.5.0_02-b09)

This should be the safe version of the 1.5 build, as I understand it.
 
Ron Chamberlin

Bill,
There is a newer build, "Update3", that is now out.

http://www.java.com/en/download/manual.jsp


A reminder to all: When you update the Java, go back into Add/Remove
Programs and yank out the old version(s), as vulnerabilities can still find
them and fire them off.

Ron Chamberlin
MS-MVP
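
Added example (not part of any post in this thread, and not Sun's or Secunia's code): a small checker that maps the version strings quoted above to the fixed releases named in the advisory, and lists old side-by-side installs that are still vulnerable. The function names and the `INSTALLED` sample list are assumptions made for illustration.

```python
import re

# Fixed releases named in the advisory quoted in this thread:
# J2SE 5.0 Update 2 (1.5.0_02) and 1.4.2_08.
FIXED_UPDATE = {(1, 5, 0): 2, (1, 4, 2): 8}

# Matches "1.5.0_02-b09", "1.4.2_07", bare "1.5.0", and installer names
# such as "jre-1_5_0_02-windows-i586-p-iftw.exe".
_VERSION = re.compile(r"(?<!\d)(\d)[._](\d)[._](\d)(?:_(\d{1,2}))?(?!\d)")


def parse_jre_version(text):
    """Return ((major, minor, micro), update), or None if nothing matches.

    An "About" banner names the family first and the full build second,
    so the most specific (highest) match wins.
    """
    found = [(tuple(int(p) for p in m[:3]), int(m[3] or 0))
             for m in _VERSION.findall(text)]
    return max(found) if found else None


def classify(text):
    """Compare a version string with the advisory's fixed releases."""
    parsed = parse_jre_version(text)
    if parsed is None:
        return "unparsed"
    family, update = parsed
    if family not in FIXED_UPDATE:
        return "not covered by advisory"
    return "fixed" if update >= FIXED_UPDATE[family] else "vulnerable"


def stale_installs(installed):
    """Versions still vulnerable even when a fixed JRE is installed beside them."""
    return [v for v in installed if classify(v) == "vulnerable"]


# Constructed sample: side-by-side installs as an updater might leave them.
INSTALLED = ["1.4.2_07", "1.5.0_01", "1.5.0_02-b09"]

if __name__ == "__main__":
    print(classify("Version 1.5.0 (build 1.5.0_02-b09)"))
    print(classify("jre-1_5_0_02-windows-i586-p-iftw.exe"))
    print(stale_installs(INSTALLED))
```

The `_NN` suffix in the build string is the update number, so `1.5.0_02` is "J2SE 5.0 Update 2".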
 
Bill Sanderson

Hmm - when I hit that link and choose the top manual choice, I am offered:
jre-1_5_0_02-windows-i586-p-iftw.exe which doesn't look like a "3" to me?

I believe you, but it hasn't been offered to me by autoupdate yet, and since
this machine has only about 70 megs free I don't want to test here at the
moment.

--
 
Donald Anadell

Hi Bill,

I would concur with you about their naming convention:)

Like you, I'm showing the following version and build in the "About" screen in the Java Console Applet.

Version 1.5.0 (build 1.5.0_02-b09)

If there is an update to this version and build it is not available thru the manual update feature
in the Java Control Applet in the Control Panel. Executing the "Update Now"
feature returns, "You already have the latest Java(TM) Platform on this system."


Don
 
Bill Sanderson

I'm growing to mistrust early versions of autoupdate systems.

I used to depend quite heavily on Shavlik's products to double-check
Microsoft's patches. This is far less of an issue than it used to be.

I don't trust Sun very much at all. They've acknowledged that leaving
previous vulnerable versions installed leaves the system vulnerable, but
they have a FAQ which explains that this is the default action of their
installer, and that they recommend leaving the earlier versions in place.

There is an update to Adobe Reader to 7.0.2. Every 7.0.1 machine I did
help, check for updates on, updated. The 7.0 machine that I checked said
"no updates available." I suppose they have a delta update for .1 to .2,
but not for .0 to .2 yet, maybe.

--
 
