Sun Java - Security Vulnerabilities and Updates

Discussion in 'Firefox, Thunderbird & SeaMonkey' started by Marklet, 2005/03/18.

Thread Status:
Not open for further replies.
  1. 2005/03/18
    Marklet

    While the Moz org won't release a full 1.8, they said they will continue as required security fixes for 1.7

    With the new group being formed for seamonkey, this could conceivably change in the future. It'll likely be better with a dedicated group.

    All browsers have vulnerabilities that will be discovered. Browsers other than IE just have much less insecurity:
    *not built into OS
    *smart ones not using ActiveX
    *for now, lower market share = lower target.
    The greatest insecurity is the User engaging in unsafe practices. Plus using Outlook or OE is more insecure in my view for most people than compared to even using IE (I only use IE for updates).

    The worst new threats affect all browsers. A kind of trojan called kernel rootkits. Only detectable with 1 free tool from Sysinternals called RootkitRevealer. Easy to install & run but then you need to learn how to read a long list of results that they tell you are harmless. If you find a kernel rootkit, 99% the only answer is a full reformat. Other vendors are trying to develop tools. Nothing else, not Trojan Hunter, & not HJT will detect these.

    Another recent major vulnerability many are unaware of is Java trojans that escape the once thought to be 100% secure Java 'sandbox'. It is important now to:
    *not use MS Java
    *manually check Sun Java regularly for updates
    *if on broadband, turn off the Java cache; you don't need it & it's where the vulnerability exists
    *if on dialup, clear Java cache regularly (in the plugin, not the browser) & try turning it off as it may not affect your surfing speed to a noticeable degree (depends on the sites you regularly visit).
     
  2. 2005/03/18
    Ramona

    Marklet,

    Thanks for the Java information! Will you also tell members how to turn off their Java Cache, as you suggested:
    Thanks!

    Ramona
     

  4. 2005/03/18
    Westside

    If you want to have Firefox with all the accoutrements, i.e. extensions, forget it.
    Reason is that no sooner does even a maintenance update come out than you will not have a good chunk of the extensions. And, new is not necessarily better, for the extensions.
     
  5. 2005/03/19
    Marklet

    You're welcome Ramona. I'll gladly explain (as best I can), but the steps may be different if a person doesn't have WIN XP (or even on XP I might have moved something in the past from a default location). Everyone else, please do feel free to contribute too.

    Desktop
    Start button
    Settings
    Control Panel
    Java Plug-in
    Cache tab
    Clear (do this before turning off; if you didn't then turn Cache back on, Clear).
    Uncheck Enable Caching
    Apply

    Now, while we're in the Plug-in:
    Browser tab / Check all boxes / Apply
    Update tab / Get Java Update

    The last step has (after the vulnerabilities discovered a few months ago) become especially important. How often you do this step is up to you. If you turn off the Java cache this won't be 'as' important UNLESS a new vulnerability is discovered, but be aware this has become a major target / challenge to hackers now. If you're on dialup and if turning off the java cache noticeably slows your fav sites, then click this update check daily/paranoid or weekly. If you turned off java cache, click this update weekly or monthly. Or you might find it easier to remember if you tie this action in your 'mind' to another event (eg whenever your MS Antispyware BETA or McAfee Antispyware etc or both has an update; not your AV unless you want daily frequency).

    I once saw a method for creating an autoupdate scheduled task for this, but it didn't work (didn't catch updates). Personally, I don't like autoupdates or scheduled tasks (just my choice & I agree using them IS better for most people).

    Hope I explained everything clearly. Anyone with a question please ask (there are no such things as stupid questions & everyone needs to learn). As I'm not historically a regular/frequent contributor here, - if a reply question is posed specifically to me: anybody should feel very comfortable replying themselves.

    Thanks!
     
    Last edited: 2005/03/19
  6. 2005/03/19
    James

    My wife and I have DSL but the very lowest version (i.e. 256 Kbs which translates to about 215 Kbs). I fear that turning the Java caching off will drag us down and make the point of having broadband sort of useless. Is it really that dangerous to just leave it? :confused:
     
  7. 2005/03/19
    Ramona

    Marklet,

    Thanks for the explanation. What Version of Java are you using? I have no Cache, or Browser tabs in Version 5.0? Neither is there an option to turn off Cache that I can see...

    Ramona
     
  8. 2005/03/19
    Marklet

    At 215kb it will not affect you in any noticeable way. I see you list your actual speed, so you know your DSL is functioning. It can't possibly hurt you to try turning it off? It's very easy to flick it back on.

    Even running Trojan Hunter (or TDS), you're in danger if the all too common java trojans are living in & acting from your java cache.

    The java cache was touted by Sun as a 100% secure sandbox where trojans could enter but do no harm. That's unfortunately now acknowledged (including by SUN) as no longer true.

    Still want to leave it on? Cool. Worst case is someday reinstalling the OS, but IF you leave it on:
    *store no private data on your PC; use external media & only when not web connected.
    *don't view financial accounts online
    *don't use your credit card online UNLESS it's one that intentionally has a very low limit or is a debit card that you keep a low balance on (this btw is good advice for everyone); you can request a separate low credit limit card for internet use (this may or not cost you any extra $ depending on your card issuer/bank).
     
  9. 2005/03/19
    Marklet

    Hi Ramona,

    You're very welcome.
    Java 2 Runtime Environment SE 1.4.1_07 VM b02 Java Plug-in.

    This is the most secure version currently. It is free. It works perfectly with Netscape 7.2 and IE 6. As I don't currently use Firefox, I don't know if Firefox 'needs' something different.

    If you don't currently have this version, I suggest downloading it from Sun & installing. Open using my previous instructions. Look at the Browser tab to see if Firefox is listed. If it is: check it to turn it on as your default for Firefox. If Firefox is not there: make it the default for the browsers that are there (at least you'll be using it then for those times when you need to use IE). If checking it for Firefox causes any problem, go back & uncheck it. If it works fine with Firefox, then for 'good housekeeping' remove your other Java.

    I don't use your version but I would 'guess' there would be a Cache switch someplace. If not my next guess is the Cache is on & I'd say that's not good. You're probably aware that there are BOTH disclosed & undisclosed Firefox security issues including after the last release. I don't say this as a criticism as it's true of all browsers. (Yes, I know that NS 7.2 that I'm using is not the most current Moz 1.7 release; no one's perfect :)
     
  10. 2005/03/19
    charlesvar

    I hope for our sakes that FF continues to be successful, MS really needs a competitor. W/O a kick in the behind, I doubt very much that IE7 would be deployed prior to Longhorn, whenever that's going to be.

    "but those that use it will have to stop being so convinced that they do not need protection against malware"
    I agree with that quote from Welshjim, some users of FF, and I stress some, are insufferable in this regard. I use FF on occasion, and there is nothing miraculous about it. The big advantage to FF is that out-of-the-box, it's inherently safer - at the moment. Wait till IE gets inherently safer (according to MS), the complaints, I can't do this, or this doesn't work anymore and so on. Users are just as complicit in the vulnerabilities as are the developers.

    Case in point: "I fear that turning the Java caching off will drag us down and make the point of having broadband sort of useless. Is it really that dangerous to just leave it?" That from James.

    James, have you tried it? It can be toggled :)

    Regards - Charles
     
  11. 2005/03/19
    Marklet

    Hi Charles,

    "but those that use it will have to stop being so convinced that they do not need protection against malware"
    Absolutely true! In fact they'd be safer with IE & all required malware protection because the browser is not the worst point of entry. #1 culprit is the User in general. #2 is the email client. #3 is email client + User. #4 is the browser.

    "Wait till IE gets inherently safer (according to MS), the complaints, I can't do this, or this doesn't work anymore and so on". It will get safer, yes. Within the foreseeable horizon including Longhorn, it will not get safer than any non IE based browser.

    "James, have you tried it? It can be toggled :)". Thank you Charles (I said that too). Does this then answer something for Ramona; are you confirming that you can use cacheless Java for Firefox too?
     
  12. 2005/03/19
    Ramona

    Version 5.0, or also called 1.5.0, also has the most current secure Release, 1.5.0_02, as does 1.4.2_07 in the 1.4 Series. I'm sure you meant 1.4.2, and not 1.4.1. I posted on the Sun plugin forum, to see if someone can tell me where the elusive setting can be found.

    Ramona
     
  13. 2005/03/19
    Marklet

    Ramona, you are throwing me for a loop? :)
    I correctly posted my Java version as shown in the About, the Advanced, & the Explorer file. I also just clicked the Update button which opens a Sun page in the browser & stated:
    "Congratulations!
    You already have the most up-to-date version of the Java(TM) platform.

    It is the latest, most secure, and fastest performing version of the Java platform available".

    So your post really confuses me?
     
  14. 2005/03/19
    Ramona

    Marklet,

    I don't know what to tell you, but regardless of what the page congratulated you about, you absolutely don't have the most current, secure versions if you are using 1.4.1... In fact Version 1.4.1 has reached J2SE End of Life (EOL), and is no longer available other than thru the Archives, for developer's use.

    Please read the security information on this Sun page:
    http://sunsolve.sun.com/search/document.do?assetkey=1-26-57708-1

    Ramona
     
  15. 2005/03/19
    Marklet

    Hi Ramona,

    "Please read the security information on this Sun page:
    http://sunsolve.sun.com/search/document.do?assetkey=1-26-57708-1"

    Read it. Confusing. Dated about 3 months ago. That seems like about the time I discovered this & upgraded.

    This whole thing doesn't make sense. I'm telling people to keep updating & now it seems I'm not updated. I can only guess it's another Sun problem. Geeesh! Either the last update was wrong or the update function has a problem. Do believe me Ramona, I check often & get the same Sun page telling me I'm up to date!

    Well, thank you kindly Ramona, I'm going to install the newest one now!
    http://java.sun.com/j2se/1.4.2/download.html
    Choose: J2SE v 1.4.2_07 JRE includes the JVM technology / Download Windows J2SE JRE
     
  16. 2005/03/19
    Bmoore1129

    Yesterday I opened my Java Plugin and on the update tab (I keep autoupdates turned off) I clicked update now. I have 1.4.2_07-b05. I gave permission in my Sygate firewall and almost instantly I had a steaming cup of java in my notification tray. I clicked download and it wanted to know if I wanted to install version 1.50 second update. I said no and figured it was a glitch. Today I decided to try it again. Same results. :confused: I thought they were two different things. The one I use is just a java "reader" and the other is the big deal for those who develop java stuff.

    I also have turned off my java cache and have noticed no difference so far. Just thought someone might like to know.....
     
  17. 2005/03/19
    Hugh Jarss

    Hi

    Java's not very good about knowing which version is up to date

    if you go to the "test my java" web page here with version 1.4.2_07 it will tell you that you are out of date and should download the most recent version...

    ...but if you go with version 1.4.2_06 it says "congratulations you have the most recent java" :(

    this matters because yesterday K-OTIK released details of a vulnerability with 1.4.2_06 which they rate "critical"

    a similar situation happened immediately after 1.4.2_06 was released, the web site caught up after a day or two

    ==

    checking "up-to-date-ness" tends to give different results, depending upon whether you do it at their web site or via the option on your own machine

    I'm not sure I trust either method!

    best wishes, HJ

    PS if upgrading Sun Java, uninstall the old version first ! and be prepared for a load of bad dates next time you scandisk...
     
    Last edited: 2005/03/19
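    Added example, not part of any post in this thread: a Python sketch that judges reported JRE version strings against a fixed baseline table instead of relying on the updater's "up to date" message discussed above. The table values (1.4.2_07, 1.5.0_02, 1.4.1 at End of Life) are taken from the posts as stated in March 2005 and are assumptions, as are all function names.

```python
import re

# Baselines as stated by posters in this thread (March 2005). This table is an
# assumption for the example, not data from Sun: family -> minimum update number.
THREAD_BASELINES = {(1, 4, 2): 7, (1, 5, 0): 2}
EOL_FAMILIES = {(1, 4, 1)}  # described in the thread as End of Life

# Sun-style version string: major.minor.micro[_update][-bBUILD], e.g. 1.4.2_07-b05
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?$")


def parse_jre_version(text):
    """Return (family, update, build); build is None when absent."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError("not a major.minor.micro[_update][-bNN] string: %r" % text)
    major, minor, micro, update, build = m.groups()
    family = (int(major), int(minor), int(micro))
    return family, int(update or 0), (int(build) if build else None)


def assess(text):
    """Classify one version string against the table above."""
    try:
        family, update, _build = parse_jre_version(text)
    except ValueError:
        return "unparseable"  # never treat an unreadable version as current
    if family in EOL_FAMILIES:
        return "eol"  # no update number makes an EOL family current
    if family not in THREAD_BASELINES:
        return "unknown-family"
    return "current" if update >= THREAD_BASELINES[family] else "outdated"


def audit(installed):
    """Map each reported version string to its verdict."""
    return {version: assess(version) for version in installed}


# Constructed sample input: version strings in the forms quoted in the thread.
SAMPLE = ["1.4.1_07", "1.4.2_06", "1.4.2_07-b05", "1.5.0_02-b09", "1.50_02-b09"]

if __name__ == "__main__":
    for version, verdict in audit(SAMPLE).items():
        print("%-14s %s" % (version, verdict))
```

    Comparing the family (1.4.1 versus 1.4.2) before the update number is what separates 1.4.1_07 from 1.4.2_07, which share the same "_07" suffix.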
  18. 2005/03/19
    Ramona

    Marklet,

    You're most welcome! I would use the offline installer, as there are some occasional problems with the auto updater. You might want to give the 5.0/1.5.0 a try, as it is definitely the latest and most secure.

    Ramona
     
  19. 2005/03/19
    Marklet

    Hi Ramona,

    It's even crazier than previously discussed. I also see another contributor in the thread referencing problems with the update status results.

    Now, let me amaze you with several things.

    Following your link, I download & install 1.4.2_07build5. I click the updater in that & it tells me that build 9 is available. I download/install. I click the update button again. Without further ado, it downloads & then asks me to install 1.50_02-b09. I install it. Now, I have a totally new GUI. I go to WIN Add/Remove & remove 1.4.1_07 and 1.4.2_07.

    I found the cache settings you didn't see in 1.50; open the GUI. General tab, Settings, View Applets, & you'll see the Java Applet Cache Viewer. Delete all entries (empty the cache). Uncheck Enable Caching. OK. OK. OK.

    Other people newly installing: also visit inside GUI the Java tab. There are 2 View buttons. Open each one to be sure 1.50 is set to be your default. Remove any old Java versions listed in those 2 sections & then do your housecleaning in WIN Add/Remove. (I also checked Windows Explorer, as you should: no remnants of the old java version subfolders were there; if you find any old version remnants, - delete them.)

    As a final step I housecleaned the old files & the installers out of my firewall.

    This 1.50 has an autoupdater with a scheduler and also a manual update button. Based on other posts & my history, well - use BOTH :)

    From what happened to me, I can only guess that without any announcement seen by me, SUN must want us all on the 1.50 product now. So why don't the fools withdraw the 1.4.2 download or at least add a note that it'll install & hitting the update therein will cycle you through 2 updates ending with 1.50 (& a less intuitive GUI)?

    Ramona, can you see your java cache controls now?
     
  20. 2005/03/19
    Marklet

    Thank you Hugh. Your post lets me feel a little less crazy. Geesh, I help others on this & didn't know myself that SUN can't be trusted in telling you you're up to date. You need Ramona!

    And I will run a scandisk later.
     
  21. 2005/03/19
    Hugh Jarss

    Marklet

    the version thing had me seriously confused last time I upgraded (again because of a security issue)

    ==

    expect quite a few files dated somewhen in 2069 - about 45 last time round if my memory serves... enough to make "mending" individually with scandisk tedious, but not quite enough to tell scandisk "mend everything you find"

    check your PC clock first! (probably didn't need to remind you of that :p )

    have to remind myself sometimes though ;)

    best wishes, HJ
     