MowGreen [MVP]
Issues related to damaged ActiveX software controls or the failure to
install them may be directly attributable to a Cool Web Search
infestation : http://www.spywareinfo.com/~merijn/cwschronicles.html
Back in April of 2004 this issue was much more prevalent than it is
today. But, due to Sun's incompetent java autoupdating mechanism which
leaves older, vulnerable versions on a system, Users' systems are once
again being left vulnerable to this malware.
Make sure that you uninstall ALL older, vulnerable versions from
Add/Remove Programs in the Control Panel.
SOURCE:
Vulnerabilities in the Java Runtime Environment May Allow an Untrusted
Applet to Elevate Its Privileges
http://sunsolve.sun.com/search/docu...y" "availability, security" category:security
or
http://snipurl.com/koiq
At the very bottom of the page :
Note: It is recommended that affected versions be removed from your system.
For more information, please see the installation notes on the respective java.sun.com
download pages.
Unfortunately, when an unsuspecting User goes to the page referred to,
this is what they'll see :
Download Java Software for Your Computer
http://java.com/en/download/index.jsp
Clicking on that brings you to a page where there is no " installation
notes " mentioned. There is an Installation Instructions link :
http://java.com/en/download/help/index_installing.xml
OK. Still no mention of uninstalling older, vulnerable versions. Let's
check this page out. No, none of the articles is relevant. The only
thing that caught my eye was ... they install the GOOGLE TOOLBAR BY
DEFAULT. That's right. The box to install the toolbar is already checked
and without User intervention, it will be installed. Fine. That's for
installing Sun's package initially ... but WAIT. Subsequent SECURITY
UPDATES done via the java autoupdating mechanism ALSO INSTALL THE GOOGLE
TOOLBAR BY DEFAULT. Nice. Just like spyware tries to stealth install on
the unsuspecting User.
It's one thing to install it along with the initial installation of
their java runtime. It's quite another to attempt to stealth install it
during a SECURITY UPDATE.
If Microsoft attempted to install the MSN Toolbar by DEFAULT, or even
with the box for the installation unchecked by Default, how long would
it be before the Justice Department came calling ?
Back to the phantom information that Sun claimed existed on
" installation notes ". Let's click the
Test your Java Runtime Environment link :
http://java.com/en/download/help/testvm.xml
My system is two versions BEHIND the current one. Surely their Java Test
Page will detect this :
" Congratulations. The latest version is installed.
Your Java configuration is :
Vendor: Sun Microsystems Inc.
Version: 1.5.0_04 "
Well, the latest version that Sun has out is : 1.5.0_06
So, their information is WRONG AGAIN. But at least it was there.
Let's click the General Questions link :
http://java.com/en/download/faq/index_general.xml
THERE'S OUR ANSWER !!! :
Can I remove older versions of the JRE after installing a newer version? New
Finally. Let's click that :
http://java.com/en/download/faq/5000070400.xml
OH NO !!! :
Can I remove older versions of the JRE after installing a newer version?
The latest version of the Java Runtime Environment (JRE) contains updates to
previous versions. There might be some applications or applets written and tested
against a specific version of the JRE.
****** It is recommended that you keep older versions of the JRE on your system.******
If you are running low on disk space, you can uninstall older versions of the JRE.
That's not what they said in the Security Alert !!! All right Sun, what
is it ? Can't you get your information straight ? What is the Average
User supposed to do ?
They've been aware of this situation since February of this year.
They have acknowledged to me that leaving older, vulnerable versions
behind leaves the system at risk.
You are correct that the previous vulnerable versions can still be called
by malware. We forwarded your e-mail along to the Java group and they let
us know that they are currently investigating your suggestions of updating
the java.com pages and the auto update uninstallation issue and appreciate
the feedback. We will follow-up with any further updates.
Best regards,
Sun Security Coordination Team
OK, it's December ... DO SOMETHING SUN !!! Fix the automatic update
mechanism so that it UNINSTALLS older, vulnerable versions and doesn't
leave the Average User of your product at risk to another epidemic of
Cool Web Search variants.
And ... UNCHECK the Google Toolbar for SECURITY UPDATES by Default or
better yet, drop it altogether for SECURITY UPDATES.
MowGreen [MVP 2003-2006]
===============
*-343-* FDNY
Never Forgotten
===============
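Added example, not part of the original post: a version audit that flags every installed JRE older than the latest release, which is the check the post found the Java test page failing to make for 1.5.0_04 against 1.5.0_06. The inventory list is constructed, and the function names are illustrative; on a real machine the strings would come from whatever inventory source is in use.

```python
import re

# Matches the version form the post quotes, e.g. "1.5.0_04"; the "_NN"
# update suffix is optional ("1.5.0" is treated as update 0).
_JRE_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_jre_version(text):
    """Return (major, minor, micro, update) as ints, or None if unparseable."""
    match = _JRE_VERSION.match(text.strip())
    if match is None:
        return None
    return tuple(int(part or 0) for part in match.groups())


def audit_jre_inventory(installed, latest):
    """Split installed version strings into current, stale and unparsed.

    Anything older than `latest` is stale, including earlier update
    levels of the same family left behind by an in-place update.
    """
    latest_key = parse_jre_version(latest)
    if latest_key is None:
        raise ValueError("latest version is not parseable: %r" % latest)
    report = {"current": [], "stale": [], "unparsed": []}
    for version in installed:
        key = parse_jre_version(version)
        if key is None:
            report["unparsed"].append(version)   # needs manual review
        elif key < latest_key:
            report["stale"].append(version)      # candidate for removal
        else:
            report["current"].append(version)
    report["stale"].sort(key=parse_jre_version)  # oldest first
    return report


# Constructed inventory: what a machine might hold after several updates.
SAMPLE_INSTALLED = ["1.5.0_04", "1.4.2_08", "1.5.0_06", "1.5.0", "unknown-build"]

if __name__ == "__main__":
    result = audit_jre_inventory(SAMPLE_INSTALLED, latest="1.5.0_06")
    for state in ("current", "stale", "unparsed"):
        print(state, result[state])
```

Comparing parsed tuples rather than raw strings keeps the ordering correct across families and update levels, and entries that do not parse are reported separately instead of being silently treated as current.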