
Sun Java - Security Vulnerabilities and Updates

Discussion in 'Firefox, Thunderbird & SeaMonkey' started by Marklet, 2005/03/18.

Thread Status:
Not open for further replies.
  1. 2005/03/23
    Marklet

    Marklet Inactive Thread Starter

    Joined:
    2004/10/27
    Messages:
    91
    Likes Received:
    0
    Hi mikewanca,

    "If it were that easy to protect against Java vulnerabilities, why is the Java cache enabled by default?" It doesn't necessarily (or at all) answer your question to ask you a question, but here goes: Why is there an option to disable (as opposed to size limit only) this Cache? The answer I realize might not be related.
     
  2. 2005/03/23
    mikewanca

    mikewanca Banned

    Joined:
    2003/11/30
    Messages:
    55
    Likes Received:
    0
    The only reason I limit the cache size is to keep the old stuff at a minimum. I do the same with Firefox and Mozilla disk Cache (FF is at 3000kb and Mozilla at 10MB). Guess it's just a habit, really, trying to preserve disk space.

    To answer your second question, the option to disable the cache might be there for various reasons... Just a guess but, possibly some sites update their applets frequently, and you want to always use the latest version?

    But what about this?
    ....don't you think that ONE of the security advisories and alerts put out by Secunia or IDefense or .k-otik would have mentioned disabling the Java cache as a temporary workaround by now?
     
    Last edited: 2005/03/23

  4. 2005/03/23
    mikewanca

    mikewanca Banned

    Joined:
    2003/11/30
    Messages:
    55
    Likes Received:
    0
    I did some more research and found:
    For JRE 1.5.0
    http://java.sun.com/j2se/1.5.0/docs/guide/deployment/deployment-guide/jcp.html
    (enable/disable caching in JRE 1.5 Control Panel is listed under the General > Temporary Internet Files subpanel and NOT under Security)

    For JRE 1.4.2:
    http://java.sun.com/j2se/1.4.2/docs/guide/plugin/developer_guide/control_panel.html#cache
    links to:
    http://java.sun.com/j2se/1.4.2/docs/guide/plugin/developer_guide/applet_caching.html
    which says:
    and
     
  5. 2005/03/24
    Hugh Jarss

    Hugh Jarss Inactive

    Joined:
    2002/07/22
    Messages:
    908
    Likes Received:
    6
    sorry - I goofed with that reference

    been reading it all through again and again and - there's nothing concrete there. A few other interesting bits maybe - but nothing that points the finger at the cache though. I'd started thinking "cross-browser" and with the cache in common... was trying to read something into it which just wasn't there - end of story.

    best wishes, HJ
     
  6. 2005/03/24
    mikewanca

    mikewanca Banned

    Joined:
    2003/11/30
    Messages:
    55
    Likes Received:
    0
    Here's an interesting discussion of the vitalsecurity.org "firefox-spyware-infects-ie" article, with a concrete suggestion
    ..... and a screenshot .....
    showing how to use the Java Control Panel's Advanced tab to UNcheck two options under Security to prevent users from granting permission to run signed and untrusted content.

    http://www.dslreports.com/forum/remark,12873822~mode=flat
    Forums » Up and Running » Security » Firefox Spyware infects IE?

    I'll have to consider installing JRE 1.5 since I don't see any comparable settings in JRE 1.4.2_07
     
    Last edited: 2005/03/24
  7. 2005/03/24
    Ramona

    Ramona Geek Member Alumni

    Joined:
    2001/12/31
    Messages:
    7,481
    Likes Received:
    2
    Mike,

    Thanks for the link, which is indeed a very interesting read. I've read a few other articles on the nonsense that Firefox Spyware infects IE, but this has more user information than most.

    Ramona
     
  8. 2005/03/24
    mikewanca

    mikewanca Banned

    Joined:
    2003/11/30
    Messages:
    55
    Likes Received:
    0
    You're welcome, Ramona.

    Thanks to Hugh too ;)
     
  9. 2005/03/24
    Marklet

    Marklet Inactive Thread Starter

    Joined:
    2004/10/27
    Messages:
    91
    Likes Received:
    0
    Good point, but I'll offer my reply to your question to the best of my 'memory'.

    When the trojan outbreak through SUN Java occurred & hit me, besides specifically recalling that the cache was responsible, I recall the following: the day this was all over news sites the Cache was part of the explanation/story & there was mention that disabling it prevented the vulnerability. However, correct, it wasn't suggested as a temporary workaround because there was a solution available to simply update Java.

    There is no proof of Cache vulnerability in current versions. IMHO & expressed by others, turning off the Cache in the current version is a secure preventative measure in the case or likelihood that hackers continue to target this for malicious entry.

    If you & Hugh are now determining that the cross browser vulnerability that Hugh mentioned is not related to the Java Cache being enabled, then what in your opinion caused it?

    I do belatedly 'admit' that I had earlier located the link Hugh found, but reading it was unclear to me so I didn't then feel it would be helpful.

    Yes, I realize I have not provided you the proof, & it does very much puzzle me that I can't locate the references as there were so many (99-100% similar / repetitive) within a period of 1-2 days when it occurred.

    I may have initially posted a link in a different forum (without a very effective internal search) but I will try to find it next time I'm there.
     
  10. 2005/03/24
    mikewanca

    mikewanca Banned

    Joined:
    2003/11/30
    Messages:
    55
    Likes Received:
    0
    You'll need to provide more detail on what trojan hit you and how you cleaned your system. If I were you, I'd post a question in the Security forum here. Those people have more experience with this sort of thing.
     
    Last edited: 2005/03/24
  11. 2005/03/24
    Marklet

    Marklet Inactive Thread Starter

    Joined:
    2004/10/27
    Messages:
    91
    Likes Received:
    0
    I don't recall the trojan names that were in the cache as I felt no need to remember them after researching & cleaning. Nor do I recall the cleaning steps or whether it was CA VET or Trojan Hunter etc as I 'personally' had no need to remember that. In the recess of unintentional memory I vaguely believe the trojan name definitely included the word Java & there were 3 the same with 1 suffix letter different, & 1 different (all at the same time).

    I don't feel a need to post it in another Forum as I'm not currently infected + I have confidence in keeping the Java Cache disabled & it causes me zero noticeable surfing speed issues. Further, my descriptions to you will not tell someone else which trojans were involved.
     