Old Sun Java JRE updates



AplusWebMaster
2006-11-30, 13:39
FYI...

Java Runtime Environment (JRE) 5.0 Update 10 released
- http://java.sun.com/javase/downloads/index.jsp

100+ bug fixes
- http://java.sun.com/j2se/1.5.0/ReleaseNotes.html#150_10
(Several [not all] interesting bug fixes)
BugId    Category     Subcategory  Description
6374321  java         classes_awt  Textfield loses focus after alt key hit in IE browser
6424631  java_plugin  iexplorer    Signed applet hangs browser if a remote policy server is being used
6386537  java_plugin  iexplorer    Deadlock occurs between Java Plug-in and Windows in 1.3.1_06
6437047  java_plugin  iexplorer    Java Plugin controls are considered "Not Verified" in IE's "Managed Add-ons" list
6466876  java_plugin  iexplorer    Applet frame is not repainted correctly
6460113  java_plugin  iexplorer    REGRESSION: Access Violation running on 5.0u9 b01 plugin
6417341  java_plugin  misc         IE Window becomes Zombie when closed prior to the modal dialog
6406801  java_plugin  misc         Vista: Click "Go to Java.com" button of Java system tray, two IE windows pop up

:rolleyes:

siljaline
2006-12-01, 09:16
Thanks, Jack - appreciated.

Silj

djpailo
2006-12-02, 22:54
I hate Sun Java, but I am forced to use it because MS Java is discontinued and buggy. Why does Sun Java take so long to update, load, etc.? It's just so annoying.

Thanks for the new update news.

siljaline
2006-12-03, 00:04
I hate Sun Java, but I am forced to use it because MS Java is discontinued and buggy. Why does Sun Java take so long to update, load, etc.? It's just so annoying.

Thanks for the new update news.
Windows version? The update is rather large, yes, that's a given, and yes, it will take a while to download and install; you have to learn to live with it.

Silj

djpailo
2006-12-06, 21:39
Windows version? The update is rather large, yes, that's a given, and yes, it will take a while to download and install; you have to learn to live with it.

Silj

How come no one else is allowed to build their own version of Java and release it for free?

AplusWebMaster
2006-12-06, 23:24
How come no one else is allowed to build their own version of Java and release it for free?
Patents...


:lip:

siljaline
2006-12-07, 01:30
Patents...

:lip:

That certainly would be the reason!!

Regards,
Silj

AplusWebMaster
2006-12-11, 19:59
FYI...

Java Runtime Environment (JRE) 6 (build 1.6.0-b105)
The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
- http://java.sun.com/javase/downloads/index.jsp

> Known Bugs and Issues
Java SE 6 Release Notes
- http://java.sun.com/javase/6/webnotes/index.html#windows
Windows Notes

.

AplusWebMaster
2006-12-20, 16:42
FYI...

- http://secunia.com/advisories/23445/
Release Date: 2006-12-20
Critical: Highly critical
Impact: Privilege escalation, System access
Where: From remote
Solution Status: Vendor Patch...
...The following releases are affected:
* JDK and JRE 5.0 Update 7 and prior
* SDK and JRE 1.4.2_12 and prior
* SDK and JRE 1.3.1_18 and prior
* JDK and JRE 5.0 Update 6 and prior
* SDK and JRE 1.4.2_12 and prior
* SDK and JRE 1.3.1_18 and prior ...
Solution: Update to fixed versions:
JDK and JRE 5.0: Update to JDK and JRE 5.0 Update 8 or later.
http://java.sun.com/javase/downloads/index_jdk5.jsp
SDK and JRE 1.4.x: Update to SDK and JRE 1.4.2_13 or later.
http://java.sun.com/j2se/1.4.2/download.html
SDK and JRE 1.3.x: Update to SDK and JRE 1.3.1_19 or later.
http://java.sun.com/j2se/1.3/download.html ...
Original Advisory: Sun:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102731-1 ..."

Also: http://isc.sans.org/diary.php?storyid=1960
Last Updated: 2006-12-20 03:30:43 UTC
"...Sun has a weird habit of *not* removing older versions from your machine, so you might want to do that manually..."

:lip: :fear:

AplusWebMaster
2007-01-02, 14:40
FYI...

- http://isc.sans.org/diary.php?storyid=1994
Last Updated: 2007-01-02 04:13:00 UTC
"...Java 6 was released after nearly 2 years of work in December. Many of the updates to Java involve improved security functionality and memory leak updates. A full list of updates is available*... it has been observed that the Java update installer does not clean up older revisions of the product. Any update / change control procedures need to take this into account and remove older versions once you are satisfied that it is safe to move forward..."

"The Java Platform has added support for the following Security functionality in version 6..."
* http://java.sun.com/javase/6/docs/technotes/guides/security/enhancements.html

.

AplusWebMaster
2007-01-04, 04:47
FYI...

Incompatibilities between the Java Platform, Standard Edition 6 and J2SE 5.0
- http://java.sun.com/javase/6/webnotes/compatibility.html#incompatibilities
Jan 03, 2007


:spider: :lip:

AplusWebMaster
2007-01-17, 15:15
FYI...

- http://secunia.com/advisories/23757/
Release Date: 2007-01-17
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch...
...The vulnerability is reported in the following versions:
* JDK and JRE 5.0 Update 9 and prior.
* SDK and JRE 1.4.2_12 and prior.
* SDK and JRE 1.3.1_18 and prior.
Solution: > Updated to fixed versions.
JDK and JRE 5.0:
Update to JDK and JRE 5.0 Update 10 or later.
- http://java.sun.com/javase/downloads/index_jdk5.jsp
SDK and JRE 1.4.x:
Update to SDK and JRE 1.4.2_13 or later.
- http://java.sun.com/j2se/1.4.2/download.html
SDK and JRE 1.3.x:
Update to SDK and JRE 1.3.1_19 or later.
- http://java.sun.com/j2se/1.3/download.html ...
Original Advisory:
Sun Microsystems: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102760-1 ..."
"...Relief/Workaround: There is no workaround...
Resolution: This issue is addressed in the following releases (for Windows, Solaris, and Linux):
* JDK and JRE 5.0 Update 10 or later
* SDK and JRE 1.4.2_13 or later
* SDK and JRE 1.3.1_19 or later ..."

:fear:

AplusWebMaster
2007-01-18, 14:36
FYI...

- http://www.vnunet.com/vnunet/news/2172403/java-exploits-brewing
12 Jan 2007 ~ "Attackers have released exploit code targeting two previously patched flaws in Sun Microsystems' Java Runtime Environment (JRE) and Java Software Development Kit (SDK). The flaws could allow an attacker to remotely execute code on a Windows, Linux or Solaris system. Sun issued patches for both vulnerabilities in December. The JRE component allows JavaScript code to be executed on most operating systems, including Windows, Mac OS, Linux and Unix... Java is inherently a more secure system, because JRE uses so-called sandboxing that allows it to operate as a virtual machine to block access to other parts of the system... As developers create JavaScript applications that require more capabilities, they begin to call up .dll files from the system. As soon as the programs reach outside the virtual machine for system files, the security protection of the sandbox is negated..."

:fear:

AplusWebMaster
2007-01-18, 16:37
More...

- http://www.f-secure.com/weblog/archives/archive-012007.html#00001083
January 18, 2007 ~ "...When running a Java applet from a web page using a vulnerable version of Java Runtime, an applet exploiting the vulnerability may escape Java's sandbox. This means that the Java applet would have exactly the same access to the file system and process execution as any native application. Java vulnerabilities have been actively used by malicious web pages in the past, so it is quite possible that this new vulnerability will also be used. So do make sure that your Java runtime is up to date, instructions are available at Sun Advisory #102760*.
Note: Sun provides links to J2SE 5.0 Update 10 in their advisory. As we posted earlier, version 6.0 is also available**..."

* http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-102760-1

** http://java.sun.com/javase/downloads/index.jsp

:fear:

AplusWebMaster
2007-01-23, 04:23
FYI...

- http://www.us-cert.gov/cas/techalerts/TA07-022A.html
January 22, 2007
"...Systems Affected: Sun Java Runtime Environment versions
* JDK and JRE 5.0 Update 9 and earlier
* SDK and JRE 1.4.2_12 and earlier
* SDK and JRE 1.3.1_18 and earlier
Overview: The Sun Java Runtime Environment contains multiple vulnerabilities that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Solution: Apply an update from Sun
These issues are addressed in the following versions of the Sun Java Runtime environment:
* JDK and JRE 5.0 Update 10 or later
* SDK and JRE 1.4.2_13 or later
* SDK and JRE 1.3.1_19 or later
If you install the latest version of Java, older versions of Java may remain installed on your computer. If these versions of Java are not needed, you may wish to remove them..."

.
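The advice that keeps recurring in this thread (find out which JREs are installed, update each family to the fixed release, and remove the older installs the Sun installer leaves behind) can be made a mechanical check. The Python below is an added example written for this page; it is not code from the thread, from Sun or from US-CERT. The fixed-version thresholds are the ones TA07-022A lists above, while the installed-version inventory and the `java -version` output are constructed samples. Version strings such as 1.5.0_10 are parsed into a family (1.5.0) and an update number; anything below the fixed update for its family is flagged as vulnerable, and anything that is not the newest update installed in its family is listed as a stale leftover to uninstall.

```python
"""Audit installed Sun JRE versions against an advisory's fixed releases.

Added example for this page (not Sun's or US-CERT's code). Thresholds are
taken from US-CERT TA07-022A; the inventory and command output below are
constructed samples, not captured from a real host.
"""
import re
from typing import Dict, List, Optional, Tuple

Family = Tuple[int, int, int]

# "1.5.0_10", "1.4.2_13", "1.6.0", "1.6.0_02-b06": the family is the first
# three numbers, the update is the part after "_" (0 when absent), and a
# trailing build tag such as "-b06" is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-[\w.]+)?$")
_JAVA_VERSION_LINE = re.compile(r'java version "([^"]+)"')

# Minimum fixed release per family, as listed in TA07-022A (January 2007).
FIXED_TA07_022A: Dict[Family, int] = {
    (1, 5, 0): 10,  # JDK and JRE 5.0 Update 10 or later
    (1, 4, 2): 13,  # SDK and JRE 1.4.2_13 or later
    (1, 3, 1): 19,  # SDK and JRE 1.3.1_19 or later
}

# Constructed sample: what several rounds of "update without uninstall" leave.
SAMPLE_INVENTORY: List[str] = ["1.4.2_12", "1.5.0_09", "1.5.0_10", "1.6.0", "1.3.1_18"]

# Constructed sample of `java -version` output in the 5.0-era format.
SAMPLE_JAVA_VERSION_OUTPUT = (
    'java version "1.5.0_10"\n'
    "Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_10-b03)\n"
    "Java HotSpot(TM) Client VM (build 1.5.0_10-b03, mixed mode, sharing)\n"
)


def parse_version(s: str) -> Tuple[Family, int]:
    """Split a Java version string into (family, update); ValueError if malformed."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {s!r}")
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro)), int(update or 0)


def version_from_java_output(output: str) -> Optional[str]:
    """Pull the quoted version out of `java -version` output, or None."""
    m = _JAVA_VERSION_LINE.search(output)
    return m.group(1) if m else None


def classify(version: str, fixed: Dict[Family, int]) -> str:
    """Return 'vulnerable', 'fixed', or 'unlisted' (family not in the advisory)."""
    family, update = parse_version(version)
    if family not in fixed:
        return "unlisted"
    return "fixed" if update >= fixed[family] else "vulnerable"


def audit(installed: List[str], fixed: Dict[Family, int]) -> Dict[str, List[str]]:
    """Classify each installed version and list removal candidates.

    'stale' holds every version that is not the newest update installed in
    its family (the leftovers the installer does not remove); 'remove' is
    the union of stale and vulnerable, in inventory order.
    """
    keys = ("vulnerable", "fixed", "unlisted", "stale", "remove")
    report: Dict[str, List[str]] = {k: [] for k in keys}
    newest: Dict[Family, int] = {}
    for v in installed:
        family, update = parse_version(v)
        newest[family] = max(newest.get(family, -1), update)
    for v in installed:
        family, update = parse_version(v)
        status = classify(v, fixed)
        report[status].append(v)
        stale = update < newest[family]
        if stale:
            report["stale"].append(v)
        if stale or status == "vulnerable":
            report["remove"].append(v)
    return report


if __name__ == "__main__":
    print("default java:", version_from_java_output(SAMPLE_JAVA_VERSION_OUTPUT))
    for key, versions in audit(SAMPLE_INVENTORY, FIXED_TA07_022A).items():
        print(f"{key:>10}: {', '.join(versions) or '-'}")
```

Feed the inventory from the installed-programs list (or from `java -version` under each JAVA_HOME) rather than from the default `java` alone, since the default only tells you which one the PATH finds. Note that 1.6.0 comes back as "unlisted": the January 2007 advisories do not cover Java SE 6, so it has to be checked against its own release notes, and "unlisted" must not be read as "safe".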

AplusWebMaster
2007-01-30, 15:39
FYI...

Java Runtime Environment (JRE) 5.0 Update 11
The J2SE Runtime Environment (JRE) allows end-users to run Java applications.
- http://java.sun.com/javase/downloads/index_jdk5.jsp

Changes in 1.5.0_11
- http://java.sun.com/j2se/1.5.0/ReleaseNotes.html#150_11
50+ bug fixes (from v1.5.0_10)

:spider:

AplusWebMaster
2007-02-13, 13:51
FYI...

...Java update (1.5.0u11)...
- http://isc.sans.org/diary.html?storyid=2226
Last Updated: 2007-02-12 22:35:17 UTC
"...It is worth noting that this update contains time zone data that incorporates Daylight Saving changes for 2007... Remember to remove the old update revisions if you don't need them any more (after you've thoroughly tested all your applications, of course)..."

:spider:

AplusWebMaster
2007-04-11, 02:43
FYI...

Java Runtime Environment (JRE) 6u1 released
- http://java.sun.com/javase/downloads/index.jsp

Release Notes - Changes in 1.6.0_01
- http://java.sun.com/javase/6/webnotes/ReleaseNotes.html#160_01
90+ bug fixes


.

AplusWebMaster
2007-05-01, 18:01
FYI...

Java Platform Privilege Escalation Vuln - updates available
- http://secunia.com/advisories/25069/
Release Date: 2007-05-01
Critical: Moderately critical
Impact: Security Bypass
Where: From remote
Solution Status: Vendor Patch
Software:
Sun Java Enterprise System 5.x
Sun Java JDK 1.5.x
Sun Java JRE 1.4.x
Sun Java JRE 1.5.x / 5.x
Sun Java SDK 1.4.x
...The vulnerability is reported in Java Web Start in JDK -and- JRE 5.0 Update 10 and Java Web Start in SDK and JRE 1.4.2_13 - and earlier- for Windows, Solaris and Linux...
>>> Solution: Update to Java Web Start in JDK and JRE 5.0 Update 11 or later, or Java Web Start in SDK and JRE 1.4.2_14 or later...
-- J2SE 5.0 --
http://java.sun.com/j2se/1.5.0/download.jsp
--- J2SE 1.4.2 --
http://java.sun.com/j2se/1.4.2/download.html
Note that vulnerable versions should be removed from the system...
Original Advisory:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102881-1 ..."

.

AplusWebMaster
2007-05-31, 14:34
FYI...

Java Runtime Environment (JRE) 5.0 Update 12
- http://java.sun.com/javase/downloads/index_jdk5.jsp

Release Notes
- http://java.sun.com/j2se/1.5.0/ReleaseNotes.html#150_12
70+ fixes


:spider:

AplusWebMaster
2007-06-06, 17:28
FYI...

Security Vulns in the JRE Image Parsing Code may Allow an Untrusted Applet to Elevate Privileges
- http://www.sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-102934-1
Update Date: Thu May 31 00:00:00 MDT 2007
Relief/Workaround: There is no workaround. Please see Resolution section below.
Resolution: The first issue is addressed in the following releases (for Windows, Solaris, and Linux):
* JDK and JRE 6 Update 1 or later
* JDK and JRE 5.0 Update 11 or later...
Java SE 6 Update 1 is available for download at the following links:
* http://java.sun.com/javase/downloads/index.jsp
J2SE 5.0 is available for download at the following link:
* http://java.sun.com/j2se/1.5.0/download.jsp ...
Note: When installing a new version of the product from a source other than a Solaris patch, it is recommended that the old affected versions be removed from your system..."

> http://www.us-cert.gov/current/#sun_microsystems_releases_security_advisory
June 6, 2007

> http://www.kb.cert.org/vuls/id/138545
Last Updated: 06/06/2007

- http://java.sun.com/javase/6/
"Java SE 6 is the current major release of the Java SE platform... Sun provides some older product and technology releases as a courtesy..."

:fear:

AplusWebMaster
2007-06-08, 17:29
FYI...

- http://java.sun.com/javase/6/
"Java SE 6 is the current major release of the Java SE platform... Sun provides some older product and technology releases as a courtesy..."

.

djpailo
2007-06-09, 16:51
Thanks for the notice. I read on Neowin that Microsoft were making a Flash program to rival Adobe's Flash Player. Will they ever resume with their Java programme, or are there still legal issues?

AplusWebMaster
2007-06-29, 15:24
FYI...

- http://secunia.com/advisories/25823/
Release Date: 2007-06-29
Critical: Highly critical
Impact: Security Bypass, Manipulation of data
Where: From remote
Solution Status: Vendor Patch
Software:
Java Web Start 1.x
Sun Java JDK 1.5.x
Sun Java JRE 1.4.x
Sun Java JRE 1.5.x / 5.x
Sun Java SDK 1.4.x
...The vulnerability affects Java Web Start in JDK and JRE 5.0 Update 11 and earlier and Java Web Start in SDK and JRE 1.4.2_13 and earlier for the Windows platform...
Solution: Apply updates.
Java Web Start in JDK and JRE 5.0 Update 12 or later
http://java.sun.com/j2se/1.5.0/download.jsp
Java Web Start in SDK and JRE 1.4.2_14 or later
http://java.sun.com/j2se/1.4.2/download.html ...
Original Advisory:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102957-1 ..."

Also see: http://secunia.com/advisories/25769/
( http://sunsolve.sun.com/search/document.do?assetkey=1-26-102958-1 )

:fear:

AplusWebMaster
2007-07-05, 20:50
FYI...

SunJava JRE v1.6.0_02 released
Download Java Runtime Environment (JRE) 6u2:
- http://java.sun.com/javase/downloads/index.jsp

Release notes:
- http://java.sun.com/javase/6/webnotes/ReleaseNotes.html#160_02
180+ bug fixes (!)

-----------------------------

- http://java.sun.com/javase/6/
"Java SE 6 is the current major release of the Java SE platform... Sun provides some older product and technology releases as a courtesy..."

.

AplusWebMaster
2007-07-10, 22:16
FYI...

- http://secunia.com/advisories/25981/
Release Date: 2007-07-10
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Java Web Start 1.x, Sun Java JRE 1.5.x / 5.x, Sun Java JRE 1.6.x / 6.x ...
The vulnerability is reported in the following versions:
* Java Runtime Environment 6 Update 1 and earlier
* Java Runtime Environment 5 Update 11, and earlier ...
Solution: Apply updates.
JRE 5 Update 12:
http://java.sun.com/javase/downloads/index_jdk5.jsp
JRE 6 Update 2:
http://java.sun.com/javase/downloads/index.jsp ..."

Note: http://java.sun.com/javase/6/
"Java SE 6 is the current major release of the Java SE platform... Sun provides some older product and technology releases as a courtesy..."

:fear:

AplusWebMaster
2007-07-11, 12:42
FYI...

Sun Java vuln - updates available
> http://secunia.com/advisories/26015/
Release Date: 2007-07-11
Critical: Moderately critical
...The vulnerability affects the following versions for Solaris, Linux, and Windows:
* JDK and JRE 6 Update 1 and earlier
* JDK and JRE 5.0 Updates 7, 8, 9, 10, and 11
* SDK and JRE 1.4.2_11, _12, _13, and _14 ...
Solution: Update to the latest versions:
JDK and JRE 6 Update 2 or later: http://java.sun.com/javase/downloads/index.jsp
JDK and JRE 5.0 Update 12 and later: http://java.sun.com/j2se/1.5.0/download.jsp
SDK and JRE 1.4.2_15 and later: http://java.sun.com/j2se/1.4.2/download.html ...
Original Advisory:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102997-1 ...

- http://secunia.com/advisories/26031/
Release Date: 2007-07-11
Critical: Moderately critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Sun Java JDK 1.6.x, Sun Java JRE 1.6.x / 6.x ...
Solution: Apply patches.
Update to JDK and JRE 6 Update 2 or later.
http://java.sun.com/javase/downloads/index.jsp ...

----------------------
Note: http://java.sun.com/javase/6/
"Java SE 6 is the current major release of the Java SE platform... Sun provides some older product and technology releases as a courtesy..."

.

AplusWebMaster
2007-07-13, 22:07
FYI...

- http://isc.sans.org/diary.html?storyid=3140
Last Updated: 2007-07-13 16:44:38 UTC - "...anyone using the Java Runtime Environment or Java Development Kit is at risk.
http://www.auscert.org.au/render.html
This flaw may have an impact on PDAs and mobile phones as well as PCs. Because Java is browser independent it has potential to impact many, many devices. It is recommended that you patch all Java devices as soon as possible."

- http://news.zdnet.com/2100-1009_22-6196493.html
July 13, 2007 - "...problem is compounded by the fact that organizations are unlikely to take on the daunting process of patching -all- of their Java Runtime vulnerabilities..."

:oops:

AplusWebMaster
2007-10-02, 22:46
FYI...

- http://java.sun.com/javase/downloads/index.jsp

Bug Fixes: -10-
- http://java.sun.com/javase/6/webnotes/ReleaseNotes.html#160_03

----------------------
Note: http://java.sun.com/javase/6/
"Java SE 6 is the current major release of the Java SE platform... Sun provides some older product and technology releases as a courtesy..."

.

AplusWebMaster
2007-10-04, 13:03
FYI...

Sun Java JRE multiple Vulns - updates available
- http://secunia.com/advisories/27009/
Release Date: 2007-10-04
Critical: Highly critical
Impact: Security Bypass, Manipulation of data, Exposure of system information, Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch
Software: Sun Java JDK 1.5.x, Sun Java JDK 1.6.x, Sun Java JRE 1.3.x, Sun Java JRE 1.4.x, Sun Java JRE 1.5.x / 5.x, Sun Java JRE 1.6.x / 6.x, Sun Java SDK 1.3.x, Sun Java SDK 1.4.x
...The vulnerabilities are reported in the following versions:
* JDK and JRE 6 Update 2 and earlier
* JDK and JRE 5.0 Update 12 and earlier
* SDK and JRE 1.4.2_15 and earlier
* SDK and JRE 1.3.1_20 and earlier
Solution: Update to the fixed versions.
JDK and JRE 6 Update 3:
http://java.sun.com/javase/downloads/index.jsp
JDK and JRE 5.0 Update 13:
http://java.sun.com/javase/downloads/index_jdk5.jsp
SDK and JRE 1.4.2_16:
http://java.sun.com/j2se/1.4.2/download.html
SDK and JRE 1.3.1 for Solaris 8:
http://java.sun.com/j2se/1.3/download.html ...

.

AplusWebMaster
2008-01-12, 02:29
FYI...

SunJava JRE v1.6.0_04 released
- http://java.sun.com/javase/downloads/index.jsp
"Java SE Runtime Environment (JRE) allows end-users to run Java applications."

Release Notes:
- http://java.sun.com/javase/6/webnotes/ReleaseNotes.html#160_04
> 370+ Bug fixes !!!

:lip::spider:

AplusWebMaster
2008-01-15, 16:56
FYI..

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0012
Last revised: 1/10/2008
Vulnerable software and versions
Configuration 1: Sun, JRE, 5.0 Update 13, and previous

Java Runtime Environment (JRE) 5.0 Update 14
> http://java.sun.com/javase/downloads/index_jdk5.jsp

-or- Update to JRE 6 update 4:
> http://java.sun.com/javase/downloads/index.jsp

Note: http://java.sun.com/javase/6/
"Java SE 6 is the current major release of the Java SE platform... Sun provides some older product and technology releases as a courtesy..."
=================================

- http://secunia.com/advisories/28746/
Release Date: 2008-02-01
Critical: Less critical
Impact: Security Bypass
Where: From remote
Solution Status: Vendor Patch
Software: Sun Java JDK 1.6.x, Sun Java JRE 1.6.x / 6.x
...Successful exploitation requires that malicious XML data is processed within a trusted applet or Java Web Start application. The security issue is reported in Sun JDK and JRE 6 Update 3 and earlier. Sun JDK and JRE 5.0, and SDK and JRE 1.4.x and 1.3.x are reportedly not affected...
Solution: Update to JDK or JRE 6 Update 4 or later.
http://java.sun.com/javase/downloads/index.jsp
JDK 6 Update 4 for Solaris is also available in the following patches:
Java SE 6 update 4 (as delivered in patch 125136-05 or later)
Java SE 6 update 4 (as delivered in patch 125137-05 or later (64bit))
Java SE 6 x86 update 4 (as delivered in patch 125138-05 or later)
Java SE 6 x86 update 4 (as delivered in patch 125139-05 or later (64bit))
Provided and/or discovered by:
The vendor credits Chris Evans and Johannes Henkel, Google Security Team.
Original Advisory:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-231246-1

AplusWebMaster
2008-03-04, 22:39
FYI...

Sun Java JRE6 Update 5 released
> http://java.sun.com/javase/downloads/index.jsp
March 04, 2008

Release Notes:
> http://java.sun.com/javase/6/webnotes/ReleaseNotes.html#160_05
-7- fixes

Note: http://java.sun.com/javase/6/
"Java SE 6 is the current major release of the Java SE platform... Sun provides some older product and technology releases as a courtesy..."

:fear:

AplusWebMaster
2008-03-06, 18:22
FYI...

Sun Java JDK/JRE multiple Vulns - update available
- http://secunia.com/advisories/29239/
Last Update: 2008-03-06
Critical: Highly critical
Impact: Security Bypass, Manipulation of data, DoS, System access
Where: From remote
Solution Status: Vendor Patch...

- http://sunsolve.sun.com/search/document.do?assetkey=1-66-233327-1
"Buffer Overflow Vulnerability in Java Web Start May Allow an Untrusted Application to Elevate its Privileges...
This issue can occur in the following releases (for Windows, Solaris, and Linux):
* JDK and JRE 6 Update 4 and earlier
* JDK and JRE 5.0 Update 14 and earlier
* SDK and JRE 1.4.2_16 and earlier ...
Resolution
This issue is addressed in the following releases (for Windows, Solaris, and Linux):
* JDK and JRE 6 Update 5 or later
* JDK and JRE 5.0 Update 15 or later
* SDK and JRE 1.4.2_17 or later ..."

:fear:

AplusWebMaster
2008-04-16, 16:00
FYI...

Sun Java Runtime Environment (JRE) 6 Update 6
- http://java.sun.com/javase/downloads/index.jsp
April 16, 2008

Release notes:
- http://java.sun.com/javase/6/webnotes/ReleaseNotes.html#160_06
13 [lucky] Bug fixes (several interesting...)
- HttpClient and HttpsClient should not try to reverse lookup IP address of a proxy server
- REGRESSION: setting -Djava.security.debug=failure result in NPE in ACC
- Java control panel is not showing up in the Windows Vista control panel on a AMD 64 machine
- 6.0 JRE applet running on Vista limits heap to 64 MB
- Java 6 JavaWebstart increases footprint by factor 2 ...

Verify/test (-not- a Sun site):
- http://javatester.org/version.html ...
Note: Don't forget to uninstall the old version(s). Their installs don't do it...

- http://java.sun.com/javase/6/
"Java SE 6 is the current major release of the Java SE platform... Sun provides some older product and technology releases as a courtesy..."

.

AplusWebMaster
2008-04-18, 19:47
FYI... (No Secunia advisory, yet)

- http://sunsolve.sun.com/search/document.do?assetkey=1-66-231246-1
Jan 30, 2008 - "... Vulnerability in the Java Runtime Environment XML Parsing Code May Allow URL Resources to be Accessed..."
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-231261-1
Feb 05, 2008 - "... Two Vulnerabilities in the Java Runtime Environment May Independently Allow an Untrusted Application or Applet to Elevate Privileges..."
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-233322-1
Mar 04, 2008 - "... Vulnerability in the Java Runtime Environment With the Processing of XSLT Transformations..."
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-233324-1
Mar 04, 2008 - "... Security Vulnerability in the Java Plug-in May Allow an Untrusted Applet to Elevate Privileges..."
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-233325-1
Mar 04, 2008 - "... Vulnerabilities in the Java Runtime Environment image Parsing Library..."
(...and probably others.)

"...Resolution: (These issues are) addressed in the following releases (for all supported platforms):
JDK and JRE 6 Update x or later..."

Choose "later" - JDK and JRE 6 Update 6 (current)
...available for download at the following link:
- http://java.sun.com/javase/downloads/index.jsp

:fear:

AplusWebMaster
2008-04-21, 23:55
FYI...

- http://blog.washingtonpost.com/securityfix/2008/04/java_update_released.html
April 21, 2008 - "...Note to Sun: When you ship an update that includes security fixes, alert your user base and update your Web site. Who is that user base? Just about anyone who owns a Windows computer. Sun estimates that Java is installed on more than 600 million computers worldwide..."

:whistle:

AplusWebMaster
2008-07-09, 14:35
FYI...

Java SE Runtime Environment 6u7 First Customer Ship
- http://java.sun.com/javase/downloads/index.jsp
July 9, 2008

Changes in 1.6.0_07:
- http://java.sun.com/javase/6/webnotes/ReleaseNotes.html#160_07
13 Bug fixes

Verify/test (-not- a Sun site):
- http://javatester.org/version.html ...
Note: Don't forget to uninstall the old version(s). Their installs don't do it...

- http://sunsolve.sun.com/search/document.do?assetkey=1-26-238905-1
"...Note: When installing a new version of the product from a source other than a Solaris patch, it is recommended that the old affected versions be removed from your system. To remove old affected versions on the Windows platform, please see: http://java.com/en/download/help/uninstall_java.xml ..."

- http://java.sun.com/javase/6/
"Java SE 6 is the current major release of the Java SE platform... Sun provides some older product and technology releases as a courtesy..."

Sun Java JDK/JRE multiple vulns
- http://secunia.com/advisories/31010/
Release Date: 2008-07-09
Critical: Highly critical
Impact: Security Bypass, Exposure of system information, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Java Web Start 1.x, Java Web Start 5.x, Java Web Start 6.x, Sun Java JDK 1.5.x, Sun Java JDK 1.6.x, Sun Java JRE 1.3.x, Sun Java JRE 1.4.x, Sun Java JRE 1.5.x / 5.x, Sun Java JRE 1.6.x / 6.x, Sun Java SDK 1.3.x, Sun Java SDK 1.4.x ...
Solution: Update to the fixed version.
JDK and JRE 6 Update 7:
http://java.sun.com/javase/downloads/index.jsp
JDK and JRE 5.0 Update 16:
http://java.sun.com/javase/downloads/index_jdk5.jsp
SDK and JRE 1.4.2_18:
http://java.sun.com/j2se/1.4.2/download.html
SDK and JRE 1.3.1_23 (for customers with Solaris 8 and Vintage Support Offering support contracts):
http://java.sun.com/j2se/1.3/download.html ...

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3112
Last revised: 7/10/2008
CVSS v2 Base score: 9.3 (High)

:fear:

AplusWebMaster
2008-10-16, 21:02
FYI...

Sun Java JRE v1.6.0_10 released
- http://java.sun.com/javase/downloads/index.jsp
Oct. 16, 2008

Release Notes
- http://java.sun.com/javase/6/webnotes/6u10.html
(MANY bug fixes listed...)

Verify/test (-not- a Sun site):
- http://javatester.org/version.html ...
Note: Don't forget to uninstall the old version(s). Their installs don't do it...
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-238905-1
"...Note: When installing a new version of the product from a source other than a Solaris patch, it is recommended that the old affected versions be removed from your system. To remove old affected versions on the Windows platform, please see: http://java.com/en/download/help/uninstall_java.xml ..."

- http://java.sun.com/javase/6/
"Java SE 6 is the current major release of the Java SE platform... Sun provides some older product and technology releases as a courtesy..."

AplusWebMaster
2008-12-03, 00:19
FYI...

Sun Java JRE v1.6.0_11 released
- http://java.sun.com/javase/downloads/index.jsp
Dec. 02, 2008

Release Notes
- http://java.sun.com/javase/6/webnotes/6u11.html
-18- bug fixes...
"This release contains fixes for one or more security vulnerabilities. For more information, please see Sun Alerts 244986, 244987, 244988, 244989, 244990, 244991, 244992, 245246, 246266, 246286, 246346, 246366, and 246387..."

- http://java.sun.com/javase/6/
"Java SE 6 is the current major release of the Java SE platform... Sun provides some older product and technology releases as a courtesy..."

Verify/test (-not- a Sun site):
- http://javatester.org/version.html ...

.

AplusWebMaster
2008-12-04, 19:20
Additional detail:

Sun Java JDK/JRE multiple vulns - updates available
- http://secunia.com/advisories/32991/
Release Date: 2008-12-04
Critical: Highly critical
Impact: Security Bypass, Exposure of system information, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch...
Solution: Update to a fixed version.
JDK and JRE 6 Update 11: http://java.sun.com/javase/downloads/index.jsp
JDK and JRE 5.0 Update 17: http://java.sun.com/javase/downloads/index_jdk5.jsp
SDK and JRE 1.4.2_19: http://java.sun.com/j2se/1.4.2/download.html
SDK and JRE 1.3.1_24 (for customers with Solaris 8 and Vintage Support Offering support contracts): http://java.sun.com/j2se/1.3/download.html ...

- http://www.us-cert.gov/cas/techalerts/TA08-340A.html

- http://java.sun.com/javase/6/
"Java SE 6 is the current major release of the Java SE platform... Sun provides some older product and technology releases as a courtesy..."

:fear:

AplusWebMaster
2008-12-19, 20:37
FYI...

- http://java.com/en/download/help/new_plugin.xml
"This article applies to:
* Platform(s): Windows 2000 (SP4+), Windows XP (SP1 SP2), Vista
* Browser(s): Internet Explorer 6.x, Internet Explorer 7.x, Netscape 7, Mozilla 1.4+, Firefox
* JRE version(s): 6.0 ...
...old Java Plug-in and next-generation Java Plug-in
The new Java Plug-in is enabled by default. However if there are issues running applets with the new Java Plug-in, the user can switch to the old Java plug-in without any manual manipulation of the windows registry and moving files..."

(More detail available at the URL above.)

:fear:

AplusWebMaster
2009-02-02, 20:44
FYI...

SunJava SE Runtime Environment JRE 6 Update 12
- http://java.sun.com/javase/downloads/index.jsp
Feb. 2, 2009

Release Notes
- http://java.sun.com/javase/6/webnotes/6u12.html
"This feature release does -not- contain any new fixes for security vulnerabilities to its previous release, Java SE 6 Update 11. Users who have Java SE 6 Update 11 have the latest security fixes and do not need to upgrade to this release to be current on security fixes..."
Bug Fixes: 140

:scratch:

AplusWebMaster
2009-03-24, 22:23
FYI...

SunJava SE Runtime Environment JRE 6 Update 13 released
- http://java.sun.com/javase/downloads/index.jsp
March 24, 2009

Release Notes
- http://java.sun.com/javase/6/webnotes/6u13.html
"...Bug Fixes
This release contains fixes for one or more security vulnerabilities. For more information, please see Sun Alerts 254569, 254570, 254571, 254608, 254609, 254610, and 254611..."
(Links to Alerts shown at the URL above - Total: -7-)

- http://java.sun.com/javase/6/
"Java SE 6 is the current major release of the Java SE platform... Sun provides some older product and technology releases as a courtesy..."

// Security Updates for Java SE
- http://blogs.sun.com/security/category/news
23 Mar 2009 - "On March 24, 2009, Sun will release the following security updates:
• JDK and JRE 6 Update 13: http://java.sun.com/javase/downloads/index.jsp
• JDK and JRE 5.0 Update 18: http://java.sun.com/javase/downloads/index_jdk5.jsp
• SDK and JRE 1.4.2_20: http://java.sun.com/j2se/1.4.2/download.html
• SDK and JRE 1.3.1_25 (for customers with Solaris 8 and Vintage Support Offering support contracts): http://java.sun.com/j2se/1.3/download.html ...

- http://secunia.com/advisories/34451/
Release Date: 2009-03-26
Critical: Highly critical
Impact: Security Bypass, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Sun Java JDK 1.5.x, Sun Java JDK 1.6.x, Sun Java JRE 1.3.x, Sun Java JRE 1.4.x, Sun Java JRE 1.5.x / 5.x, Sun Java JRE 1.6.x / 6.x, Sun Java SDK 1.3.x, Sun Java SDK 1.4.x...
Solution: Update to a fixed version...

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1093
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1094
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1095
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1096
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1097
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1098
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1099
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1100
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1101
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1102
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1103
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1104
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1105
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1106
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1107

:fear:

AplusWebMaster
2009-05-21, 00:03
FYI...

JRE 5.0 Update 19 released
- http://java.sun.com/javase/downloads/index_jdk5.jsp
May 20, 2009 - "... already announced its End of Service Life (EOSL) ... October 30th, 2009. Public releases of the J2SE 5.0 platform will be stopped at that time..."

Changes to 1.5.0_19
- http://java.sun.com/j2se/1.5.0/ReleaseNotes.html#150_19
"...As of this update, support has been added for the following system configurations:
• Internet Explorer 8
• Windows Server 2008 ..."
(Bug Fixes: 50+)

- http://java.sun.com/javase/6/
"Java SE 6 is the current major release of the Java SE platform... Sun provides some older product and technology releases as a courtesy..."

- https://jdk6.dev.java.net/6uNea.html
Java SE 6 Update 14 - FCS - Q2, 2009

AplusWebMaster
2009-05-29, 21:05
FYI...

Sun Java - JRE 6 Update 14 released
- http://java.sun.com/javase/downloads/index.jsp
5/29/2009 - "This release is Windows 7 support-ready and includes support for Internet Explorer 8, Windows Server 2008 SP2, and Windows Vista SP2..."

Changes in 1.6.0_14 (6u14)
- http://java.sun.com/javase/6/webnotes/6u14.html
"...Bug Fixes:
This feature release does not contain any new fixes for security vulnerabilities to its previous release, Java SE 6 Update 13. Users who have Java SE 6 Update 13 have the latest security fixes and do not need to upgrade to this release to be current on security fixes..."
(... but there are 350+ bug fixes listed.)

- http://java.sun.com/javase/6/
"Java SE 6 is the current major release of the Java SE platform... Sun provides some older product and technology releases as a courtesy..."
___

Auto-updater with Java6u13 does not see Update 14
- http://www.theinquirer.net/inquirer/opinion/1184565/java-auto-updater-fails-releases
5 June 2009

:fear:

tashi
2009-08-05, 23:58
JRE 6 Update 15

http://java.sun.com/javase/downloads/index.jsp


This release is Windows 7 support-ready and includes support for Internet Explorer 8, Windows Server 2008 SP2, and Windows Vista SP2. New features include the G1 garbage collector, plus performance and security enhancements.
Release notes: http://java.sun.com/javase/6/webnotes/6u15.html

Sans Diary.


Several readers wrote in about the java update.
Their concerns included the fact that there is always a pre-checked piggyback application when you download java from SUN.
I was offered Microsoft's bling tool bar for IE. Others were offered Carbonite Online Backup.
The fact that updates usually modify your current configuration, so if you have your check for updates set to daily you may find it has been modified to once a month after the update.
You may find the java tray icon is enabled even if you have disabled it in the past.
So after you update check your configuration and if you don't want the pre-checked software uncheck the check box.
http://isc.sans.org/diary.html?storyid=6916
___

- http://secunia.com/advisories/36159/2/
Last Update: 2009-08-07
Critical: Highly critical
Impact: Security Bypass, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Sun Java JDK 1.5.x, Sun Java JDK 1.6.x, Sun Java JRE 1.4.x, Sun Java JRE 1.5.x / 5.x, Sun Java JRE 1.6.x / 6.x, Sun Java SDK 1.4.x ...
Solution: Update to a fixed version.
JDK and JRE 6 Update 15:
http://java.sun.com/javase/downloads/index.jsp
JDK and JRE 5.0 Update 20:
http://java.sun.com/javase/downloads/index_jdk5.jsp
Java SE for Business SDK and JRE 1.4.2_22:
http://www.sun.com/software/javaseforbusiness/getit_download.jsp ...

CVE reference:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2625
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2670
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2671
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2672
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2673
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2674
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2675
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2676

AplusWebMaster
2009-08-12, 15:14
FYI...

Sun Java JRE 6 Update -16- released
- http://java.sun.com/javase/downloads/index.jsp
08.11.2009

- http://java.sun.com/javase/6/webnotes/6u16.html
"Bug Fixes (1)
This feature release does not contain any new fixes for security vulnerabilities to its previous release, Java SE 6 Update 15. Users who have Java SE 6 Update 15 have the latest security fixes and do not need to upgrade to this release to be current on security fixes.
BugId
6862295 hotspot / jvmti / JDWP threadid changes during debugging session (leading to ignored breakpoints) ..."


AplusWebMaster
2009-10-14, 21:15
FYI...

Sun Java design problem in the updated Secunia OSI applet
- http://secunia.com/vulnerability_scanning/online/security_notice/
"... Technical Description
A previous version of the Secunia OSI is affected by a security related design problem in Sun Java, which allows malicious people to manipulate the signed JAR file and allows compromising a system that trusts the certificate used to sign the old version.
Technical Solution
Run the Secunia OSI**. It will automatically configure Sun Java to prevent the old OSI applet from running (by enabling the certificate revocation checks described below). Alternatively, you may remove the trust relationship to the old Secunia certificate and / or manually enable the following Sun Java security settings:
"Check publisher certificate for revocation"
"Enable online certificate validation"
Technical Background
The problem in Sun Java, which affects the Secunia OSI and other signed applets, will be presented at a security conference on 16/10/2008. To secure Secunia OSI users, Secunia has published this update and taken the below described measures to protect the Secunia OSI users until a proper and permanent fix is implemented in Sun Java. Secunia has worked around the design problem in Sun Java in the updated OSI applet, revoked the old certificate, and signed the updated applet with a new certificate. Sun Java does not offer any means to "kill" old applets like e.g. the kill-bit for ActiveX controls. Thus, it has been necessary to revoke the certificate used to sign the old applet. However, certificate revocation is disabled by default in Sun Java. It is therefore necessary to either manually remove the trust relation to the old certificate or run the Secunia OSI, which enables checking of Certificate Revocation Lists (CRL) in Sun Java. Sun has informed Secunia that they are working on a "kill list mechanism". You can read more about these insecure default CRL settings in Sun Java on the CERT/CC blog*."
* http://www.cert.org/blogs/vuls/2008/06/signed_java_security_worse_tha.html

** http://secunia.com/vulnerability_scanning/online/?task=start

:fear:
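Added example (not from the post above, Secunia or Sun): a PowerShell check for the two Java Control Panel settings Secunia tells users to enable. It assumes that the Java 6 per-user deployment.properties keys deployment.security.validation.crl and deployment.security.validation.ocsp back the "Check publisher certificate for revocation" and "Enable online certificate validation" checkboxes, and it assumes the default per-user file locations for Vista/7 and XP profiles; verify both against the deployment configuration documentation for your JRE before relying on it.

```powershell
# Added example: audit (and with -Fix, enforce) Java 6 certificate-revocation settings
# in the per-user deployment.properties. Key names and file locations are assumptions
# taken from the Java SE 6 deployment configuration documentation; verify for your JRE.
param([switch]$Fix)

# Candidate per-user locations: Vista/7-style profile first, then XP-style.
$candidates = @(
    (Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'),
    (Join-Path $env:USERPROFILE 'Application Data\Sun\Java\Deployment\deployment.properties')
)

# The two settings Secunia asks users to enable; both are off when unset.
$required = @{
    'deployment.security.validation.crl'  = 'true'   # "Check publisher certificate for revocation"
    'deployment.security.validation.ocsp' = 'true'   # "Enable online certificate validation"
}

function Read-Props([string]$Path) {
    # Minimal .properties reader: key=value lines, '#' or '!' comments, no continuations.
    $h = @{}
    foreach ($line in Get-Content -Path $Path) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('#') -or $t.StartsWith('!')) { continue }
        $i = $t.IndexOf('=')
        if ($i -lt 1) { continue }
        $h[$t.Substring(0, $i).Trim()] = $t.Substring($i + 1).Trim()
    }
    return $h
}

$file = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $file) {
    Write-Warning 'No deployment.properties found: Java is running on built-in defaults (revocation checks OFF).'
    $missing = @($required.Keys)
} else {
    $props   = Read-Props $file
    $missing = @($required.Keys | Where-Object { $props[$_] -ne $required[$_] })
    foreach ($k in $required.Keys) {
        $state = if ($props.ContainsKey($k)) { $props[$k] } else { '(unset, behaves as false)' }
        Write-Output ('{0,-40} {1}' -f $k, $state)
    }
}

if ($missing.Count -eq 0) {
    Write-Output 'OK: CRL and OCSP revocation checking are enabled.'
} elseif ($Fix) {
    if (-not $file) {
        $file = $candidates[0]
        New-Item -ItemType Directory -Force -Path (Split-Path $file) | Out-Null
    }
    # Drop any stale line for the enforced keys, then append the required values.
    $kept = @()
    if (Test-Path $file) {
        $kept = @(Get-Content -Path $file | Where-Object {
            $k = ($_ -split '=', 2)[0].Trim()
            -not $required.ContainsKey($k)
        })
    }
    $kept + @($required.Keys | ForEach-Object { "$_=$($required[$_])" }) | Set-Content -Path $file
    Write-Output "Updated $file; restart the browser so the Java plug-in re-reads it."
} else {
    Write-Warning ('Revocation checking is disabled for: ' + ($missing -join ', ') + '. Re-run with -Fix to enable it.')
}
```

Run it as the user whose profile you are auditing, since the file is per-user. The check only confirms that revocation checking is switched on; whether a revoked signing certificate is actually rejected still depends on the client being able to reach the CRL distribution point or OCSP responder at applet load time, which is why Secunia also recommends removing the trust relationship to the old certificate.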

AplusWebMaster
2009-11-03, 23:58
FYI...

Sun Java JRE v1.6.0_17 released
- http://java.sun.com/javase/downloads/index.jsp
11.03.2009

- http://java.sun.com/javase/6/webnotes/6u17.html
Bug Fixes ( 33 )
"... This release contains fixes for one or more security vulnerabilities..."

- http://secunia.com/advisories/37231/2/
Release Date: 2009-11-04
Critical: Highly critical
Impact: Security Bypass, DoS, System access
Where: From remote
Solution Status: Vendor Patch...
Solution: Update to a fixed version.
Original Advisory: Sun:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269868-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269869-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269870-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-270474-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-270475-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-270476-1

- http://secunia.com/advisories/37231/3/
CVE reference: CVE-2009-3728, CVE-2009-3729, CVE-2009-3864, CVE-2009-3865, CVE-2009-3866, CVE-2009-3867, CVE-2009-3868, CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873, CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2009-3877, CVE-2009-3879, CVE-2009-3880, CVE-2009-3881, CVE-2009-3882, CVE-2009-3883, CVE-2009-3884, CVE-2009-3886, CVE-2009-3885

:fear:

AplusWebMaster
2009-12-04, 21:46
FYI...

Java proof-of-concept attack released
- http://www.theregister.co.uk/2009/12/04/mac_windows_java_attack/
4 December 2009 - "... A security researcher has released a proof-of-concept attack that exploits critical vulnerabilities that Apple patched on Thursday. The vulns stem from bugs in the Java runtime environment that allow attackers to remotely execute malicious code. Sun Microsystems patched the flaws early last month*... The code will also exploit unpatched Windows machines..."
* Sun Java v1.6.0_17: http://java.sun.com/javase/downloads/index.jsp

Quick check to see what you have installed:
- http://javatester.org/version.html

:mad::fear::mad:

AplusWebMaster
2010-01-05, 23:27
FYI...

Java ...exploit in use in web drive-by attacks
- http://isc.sans.org/diary.html?storyid=7879
Last Updated: 2010-01-05 17:54:55 UTC - "... java applet exploiting CVE-2008-5353 ( http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5353 / ...JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier... ) as part of a web drive-by attack. While PoC has been around for a long time for this, this is the first time I've heard of it being used in the wild for a general attack... As we get more details on what it does, we'll update this entry with it."
* https://www.virustotal.com/analisis/d4f5bcc9acecb2f53a78313fc073563de9fc4f7045dd8123a23a08f926a3974d-1262270360
File jar_cache5501.zip received on 2009.12.31 14:39:20 (UTC)
Result: 7/39 (17.95%)

:fear::mad:

AplusWebMaster
2010-01-13, 23:24
FYI...

Sun Java JRE v1.6.0_18 released
- http://java.sun.com/javase/downloads/index.jsp
January 13, 2010

Release Notes - Changes in 1.6.0_18
- http://java.sun.com/javase/6/webnotes/6u18.html
"... This feature release does not contain any new fixes for security vulnerabilities to its previous release, Java SE 6 Update 17. Users who have Java SE 6 Update 17 have the latest security fixes and do not need to upgrade to this release to be current on security fixes..."

Bug fixes - 358
- http://java.sun.com/javase/6/webnotes/6u18.html#bugfixes-1.6.0_18

:fear:

AplusWebMaster
2010-03-30, 20:02
FYI...

Java JRE 6 Update 19 released
- http://java.sun.com/javase/downloads/index.jsp
March 30, 2010

Supported System Configurations
- http://java.sun.com/javase/6/webnotes/install/system-configurations.html

Changes in 1.6.0_19
- http://java.sun.com/javase/6/webnotes/6u19.html
"This release contains fixes for security vulnerabilities..."
28 Bug Fixes

- http://secunia.com/advisories/37255/
Release Date: 2010-03-31
Criticality level: Highly critical
Impact: Unknown, Manipulation of data, Exposure of system information, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Java JDK 1.4.x, 1.5.x, 1.6.x, Java JRE 1.4.x, 1.5.x / 5.x, 1.6.x / 6.x
Oracle:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html

- http://secunia.com/secunia_research/2009-49/
31/03/2010
- http://secunia.com/secunia_research/2009-50/
31/03/2010

- http://atlas.arbor.net/briefs/index#2090669689
March 31, 2010 - "Analysis: This is a serious issue for Java users who should review this update and apply it as soon as possible..."

:fear:

AplusWebMaster
2010-04-12, 13:58
FYI...

JRE Java Platform SE and Java Deployment Toolkit Plugins Code Execution vulns

- http://secunia.com/advisories/39260/
Release Date: 2010-04-12
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Sun Java JDK 1.6.x, Sun Java JRE 1.6.x / 6.x
... The vulnerability is confirmed in JRE version 6 Update 19. Other versions may also be affected...
Original Advisory: Tavis Ormandy:
http://archives.neohapsis.com/archives/fulldisclosure/2010-04/0122.html ...

- http://www.securityfocus.com/bid/39346/info
Remote: Yes
Updated: Apr 09 2010
Vulnerable: Sun JRE (Windows Production Release) "since version 6 Update 10".
- http://www.securityfocus.com/bid/39346/discuss
Java Runtime Environment (JRE) is prone to arbitrary code-execution vulnerabilities that affect multiple Java plugins for multiple browsers. Attackers can exploit these issues to execute arbitrary code in the context of the user running the vulnerable applications. The issues affect Java Runtime Environment versions 1.6.0_10 and later (JRE 6 Update 10 and later); other versions may also be vulnerable...

- http://www.mail-archive.com/full-disclosure@lists.grok.org.uk/msg40571.html
09 Apr 2010

- http://www.symantec.com/security_response/threatconlearn.jsp
09 Apr 2010
• 'deploytk.dll' - Java Deployment Toolkit ActiveX plugin for Internet Explorer (CLSID: CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA)
• 'jp2iexp.dll' - Java Platform SE ActiveX plugin for Internet Explorer (CLSID: 8AD9C840-044E-11D1-B3E9-00805F499D93)
• 'npdeploytk.dll' - Java Deployment Toolkit plugin for Mozilla Firefox
• 'npjp2.dll' - Java Platform SE plugin for Mozilla Firefox and Google Chrome

- http://www.theregister.co.uk/2010/04/09/critical_java_vulnerability/
09 Apr 2010

- http://isc.sans.org/diary.html?storyid=8608
Last Updated: 2010-04-10 21:01:56 UTC

- http://www.us-cert.gov/current/#sun_java_deployment_toolkit_plugin
April 13, 2010
- http://www.kb.cert.org/vuls/id/886582
Last Updated: 2010-04-12

:fear::fear:

AplusWebMaster
2010-04-15, 04:08
FYI...

Java exploit in the wild...
- http://www.theregister.co.uk/2010/04/14/critical_java_vulnerability_exploited/
14 April 2010 - "A popular song lyrics website has been found serving attack code that tries to exploit a critical vulnerability in Oracle's Java virtual machine, which is installed on hundreds of millions of computers worldwide. The site, songlyrics .com, is serving up javascript that invokes the weakness disclosed last week by security researcher Tavis Ormandy... AVG Technologies Chief Research Officer Roger Thompson, who discovered the in-the-wild attack, said songlyrics .com reaches out to another domain, assetmancomjobs .com, for a malicious JAR, or Java Archive, file and gets a 404 error indicating the payload isn't available..."

- http://krebsonsecurity.com/2010/04/unpatched-java-exploit-spotted-in-the-wild/
April 14, 2010

- http://www.symantec.com/security_response/threatconlearn.jsp
"The ThreatCon is currently at Level 2: Elevated.
On April 14, 2010, multiple sources reported in-the-wild exploitation of a code execution vulnerability (BID 39346) affecting Oracle JRE Java Platform SE and Java Deployment Toolkit Plugins. This issue affects Oracle Java JRE, since version 6 Update 10 (Other versions may also be affected). Exploitation of this issue can allow an attacker to load and execute an arbitrary JAR file from an attacker specified UNC share. Since there is no patch available we recommend users to stay cautious while visiting sites and disable the associated controls if they are not required..."

:fear::fear::fear:

AplusWebMaster
2010-04-15, 21:03
FYI...

Java JRE 6 Update 20 released
- http://java.sun.com/javase/downloads/index.jsp
April 15, 2010

Changes in 1.6.0_20
- http://java.sun.com/javase/6/webnotes/6u20.html
"This release contains fixes for security vulnerabilities..."
3 Bug Fixes...

Supported System Configurations
- http://java.sun.com/javase/6/webnotes/install/system-configurations.html

- http://secunia.com/advisories/39260/
Last Update: 2010-04-16
Criticality level: Highly critical
Impact: System access
Where: From remote
Software: Sun Java JDK 1.6.x, Sun Java JRE 1.6.x / 6.x
CVE Reference(s):
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0886
Last revised: 05/27/2010 / CVSS v2 Base Score: 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0887
Last revised: 05/25/2010 / CVSS v2 Base Score: 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1423
Last revised: 04/16/2010 / CVSS v2 Base Score: 9.3 (HIGH)
Solution:
Update to JRE or JDK version 6 Update 20.

Java Patch Targets Latest Attacks
- http://krebsonsecurity.com/2010/04/java-patch-targets-latest-attacks/
April 15, 2010

:fear:

AplusWebMaster
2010-04-20, 11:20
FYI...

Java v1.6.0_20 US-CERT advisory...
- http://www.kb.cert.org/vuls/id/886582
Last Updated: 2010-04-19
"... Note: The installer for Java 1.6.0_20 may not correctly update all instances of the Java Deployment Toolkit plugin. In some cases, the plugin that resides in the \bin\new_plugin directory may not be updated to the fixed 6.0.200.2 version of npdeployJava1.dll. If the new_plugin directory contains npdeploytk.dll version 6.0.190.4 or earlier, then browsers that use plug-ins, such as Mozilla Firefox or Google Chrome, may still be vulnerable. To correct this situation, delete the vulnerable npdeploytk.dll from the new_plugin directory and replace it with the npdeployJava1.dll version from the bin directory. Please note that the Java Development Toolkit can be installed in multiple browsers, therefore workarounds need to be applied to all browsers with the Java Development Toolkit..."
(IE "killbit" procedure also available at the URL above.)

- http://krebsonsecurity.com/2010/04/mozilla-disables-insecure-java-plugin-in-firefox/
April 20, 2010 - "Mozilla is disabling older versions of the Java Development Toolkit plugin for Firefox users, in a bid to block attacks against a newly-discovered Java security hole that attackers have been exploiting of late to install malicious code... If you want to disable it manually, go to Tools, Add-ons, click the Plugins icon, select the Toolkit and hit the “Disable” button..."

- http://atlas.arbor.net/briefs/index#-1067279310
Title: Oracle Java Security Alert
Severity: Extreme Severity
Published: Thursday, June 10, 2010 18:11
Oracle has released a Java security alert for two bugs in the JDK and JRE 6. Desktop Java installations can be used to execute arbitrary commands on the victim's system. Oracle has released updated software to address this issue.
Analysis: This is a critical issue we have seen exploited in the wild. Due to the complexity of updating Java installations, which may leave behind older and vulnerable versions, we encourage sites to update with extreme care.
Source: Oracle Security Alert for CVE-2010-0886 - May 2010
- http://www.oracle.com/technology/deploy/security/alerts/alert-cve-2010-0886.html

:fear::fear:
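Added example (not from US-CERT, Oracle/Sun or the posts above): a PowerShell inventory that serves both the list of affected plug-in DLLs and CLSIDs in the 2010-04-12 post and the US-CERT note about stale copies in bin\new_plugin. It enumerates every JRE registered by the installer, reports the file version of each browser plug-in DLL in bin\ and bin\new_plugin\, flags Java Deployment Toolkit copies older than the fixed 6.0.200.2 build, and with -SetKillBit writes the IE kill-bit for the two Java ActiveX controls. The fixed-version threshold and the CLSIDs come from the thread; the HKLM\SOFTWARE\JavaSoft registry layout and the ActiveX Compatibility key are standard Windows locations assumed here.

```powershell
# Added example: find leftover vulnerable Java plug-in DLLs across all installed JREs and
# optionally kill-bit the Java ActiveX controls in Internet Explorer.
# Assumed: JavaHome values under HKLM\SOFTWARE\JavaSoft (native and WOW6432 views) and the
# standard "ActiveX Compatibility" key; the 6.0.200.2 threshold is the one US-CERT names.
param([switch]$SetKillBit)

$fixed = [version]'6.0.200.2'

# 1. Collect every JavaHome the Sun installer registered.
$jreKeys = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'
) | Where-Object { Test-Path $_ }

$homes = @()
foreach ($key in $jreKeys) {
    foreach ($sub in Get-ChildItem -Path $key) {
        $h = (Get-ItemProperty -Path $sub.PSPath).JavaHome
        if ($h -and (Test-Path $h) -and $homes -notcontains $h) { $homes += $h }
    }
}
if ($homes.Count -eq 0) { Write-Warning 'No JRE registered under HKLM\SOFTWARE\JavaSoft.' }

# 2. Report DLL versions in bin\ and bin\new_plugin\. The 6u20 installer may leave an old
#    Deployment Toolkit DLL behind in new_plugin, which Firefox/Chrome still load.
$dlls = 'deploytk.dll', 'npdeploytk.dll', 'npdeployJava1.dll', 'jp2iexp.dll', 'npjp2.dll'
foreach ($home in $homes) {
    foreach ($dir in 'bin', 'bin\new_plugin') {
        foreach ($name in $dlls) {
            $p = Join-Path $home (Join-Path $dir $name)
            if (-not (Test-Path $p)) { continue }
            $vi = (Get-Item $p).VersionInfo
            $v  = New-Object System.Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
            # The advisory's threshold is stated for the Deployment Toolkit DLLs; the
            # Java Platform SE DLLs are listed for inventory only.
            $flag = if ($name -like '*deploy*' -and $v -lt $fixed) { 'VULNERABLE' } else { 'ok' }
            Write-Output ('{0,-10} {1,-10} {2}' -f $flag, $v, $p)
        }
    }
}

# 3. IE kill-bit: Compatibility Flags = 0x400 stops IE from instantiating the control.
#    Killing the Java Platform SE control disables every applet in IE, not just the Toolkit.
$clsids = @(
    '{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}',   # Java Deployment Toolkit (deploytk.dll)
    '{8AD9C840-044E-11D1-B3E9-00805F499D93}'    # Java Platform SE (jp2iexp.dll)
)
$axBase = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
foreach ($c in $clsids) {
    $k = Join-Path $axBase $c
    if ($SetKillBit) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
        Set-ItemProperty -Path $k -Name 'Compatibility Flags' -Value 0x400 -Type DWord
        Write-Output "kill-bit set      $c"
    } else {
        $flags = if (Test-Path $k) { (Get-ItemProperty -Path $k).'Compatibility Flags' } else { 0 }
        $state = if ($flags -band 0x400) { 'kill-bit set' } else { 'kill-bit NOT set' }
        Write-Output ('{0,-17} {1}' -f $state, $c)
    }
}
```

Run from an elevated prompt; the registry writes need administrator rights. On 64-bit Windows the 32-bit IE reads the kill-bit from the Wow6432Node mirror of the ActiveX Compatibility key, so set it there as well if you use 32-bit IE with a 32-bit JRE. Once every JRE has been patched or removed, clear the kill-bit again by deleting the value, otherwise the updated control stays blocked.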

AplusWebMaster
2010-07-08, 20:39
FYI...

Java JRE 6 Update 21 released
- http://java.sun.com/javase/downloads/index.jsp
July 8, 2010

Changes in 1.6.0_21
- http://java.sun.com/javase/6/webnotes/6u21.html
"Bug Fixes: Java SE 6 Update 21 does not contain any additional fixes for security vulnerabilities to its previous release, Java SE 6 Update 20. Users who have Java SE 6 Update 20 have the latest security fixes and do not need to upgrade to this release to be current on security fixes. For other bug fixes, see the Java SE 6u21 Bug Fixes* page..."
* http://java.sun.com/javase/6/webnotes/BugFixes6u21.html
(Many) ... including: Comparison of 2 arrays could cause VM crash, Windows-only: tzmappings needs update for KB979306, Java plugin + Firefox does not pick up auto proxy settings from Java control panel, Add Sun Java Plugin in windows registry for Mozilla Browsers, regression: deadlock in JNLP2ClassLoader, 1.6 update 17 and 18 throw java.lang.IndexOutOfBoundsException, and others.

- http://www.oracle.com/technetwork/java/javase/6u21-156341.html
Changes in 1.6.0_21 (6u21)
___

- http://blogs.iss.net/archive/Java_Web_Start_Jailb.html
July 12, 2010 - "... issues regarding an argument injection vulnerability affecting Sun Java JRE/JDK version 6.19 and earlier (CVE-2010-1423*)... IBM Managed Security Services (MSS)... discovered that within that timeframe (April 21 through May 26) 4,118 attacks against the CVE-2010-1423 vulnerability were observed... it was observed that most of the malicious sites were associated with the Fragus Exploit Kit. Fragus is a console application for managing and cultivating botnets... If an attack is successful, the victim becomes a member of the botnet..."
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1423

:fear:

AplusWebMaster
2010-10-13, 00:57
FYI...

Java JRE v1.6.0_22 released
- http://www.oracle.com/technetwork/java/javase/downloads/index.html
2010-October-12

Release Notes
- http://www.oracle.com/technetwork/java/javase/6u22releasenotes-176121.html

Oracle Java SE and Java for Business Risk Matrix (CVE#)
- http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html#AppendixJAVA

- http://krebsonsecurity.com/2010/10/java-update-clobbers-29-security-flaws/
October 12, 2010 - "... critical update... fixing at least 29 security vulnerabilities..."

- http://secunia.com/advisories/41791/
Release Date: 2010-10-13
Last Update: 2010-10-21
Criticality level: Highly critical
Impact: Manipulation of data, Exposure of sensitive information, DoS, System access
Where: From remote...
Solution Status: Vendor Patch
CVE Reference(s): CVE-2009-3555, CVE-2010-1321, CVE-2010-3541, CVE-2010-3548, CVE-2010-3549, CVE-2010-3550, CVE-2010-3551, CVE-2010-3552, CVE-2010-3553, CVE-2010-3554, CVE-2010-3555, CVE-2010-3556, CVE-2010-3557, CVE-2010-3558, CVE-2010-3559, CVE-2010-3560, CVE-2010-3561, CVE-2010-3562, CVE-2010-3563, CVE-2010-3565, CVE-2010-3566, CVE-2010-3567, CVE-2010-3568, CVE-2010-3569, CVE-2010-3570, CVE-2010-3571, CVE-2010-3572, CVE-2010-3573, CVE-2010-3574

- http://www.securitytracker.com/id?1024573
Oct 14 2010

:fear:

AplusWebMaster
2010-10-18, 21:27
FYI...

Have you checked Java?...
- http://blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-java.aspx
18 Oct 2010 - "... by the beginning of this year, the number of Java exploits... (... -not- attacks using JavaScript) had well surpassed the total number of Adobe-related exploits we monitored. See chart... a reminder that, in addition to running real-time protection, it is -imperative- to apply all security updates for software, no matter what your flavor might be."
Chart: http://blogs.technet.com/cfs-filesystemfile.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-62-58-metablogapi/5824.JavaPDFAttacksthrough2010Q31_5F00_4ECD269A.gif

- http://krebsonsecurity.com/2010/10/microsoft-a-tidal-wave-of-java-exploitation/
October 18, 2010 - "... the spike in the third quarter of 2010 is primarily driven by attacks on three Java vulnerabilities that have already been patched for some time now. Even so, attacks against these flaws have “gone from hundreds of thousands per quarter to millions” ..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5353
Last revised: 08/21/2010
CVSS v2 Base Score: 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3867
Last revised: 08/21/2010
CVSS v2 Base Score: 9.3 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0094
Last revised: 08/21/2010
CVSS v2 Base Score: 7.5 (HIGH)

- http://labs.m86security.com/2010/10/don%E2%80%99t-get-infected-by-zombies/
October 15, 2010 - "... effectively used in many other exploit tool kits. Potential victims are forced to visit Zombie’s exploit page when their browser loads an IFrame placed on a compromised website. All of the vulnerabilities exploited by this kit have been patched... 15 percent... of ‘visitors’ were successfully exploited by the Zombie Infection Kit and made to download a malicious executable. Because Java vulnerabilities accounted for 60 percent of infections, a surprising nine percent of all visitors were infected just by having an old version of java installed..."

- https://www.sans.org/newsletters/newsbites/newsbites.php?vol=12&issue=84#sID202
"... Eighty percent of PCs run at least one version of Java. Of those, 40 percent are running outdated versions. There is a Java update service, but user notification is slow and the service allows multiple versions of the software to run on PCs, so users' computers can be vulnerable to older attacks even if they're running a newer version of Java..."

:fear::mad::fear:

AplusWebMaster
2010-10-26, 15:25
FYI...

Hello? Update. Please?
- http://www.zdnet.co.uk/blogs/walsingham-10020628/guess-who-hasnt-patched-the-java-security-hole-10020866/
25 October, 2010 - "... Only 7% have applied the critical patch. According to Trusteer*, 68% of Internet users are still at risk from the attacks that these Java vulnerabilities expose and goes as far as to claim that it has become the single most exploitable vulnerability on the web today... these things are not called 'critical' for the heck of it. "

* http://www.trusteer.com/company/press/trusteer-finds-massive-internet-security-hole-remains-unpatched-users
Oct. 25, 2010 – "... over a week after Oracle released a critical patch for Java, more than 68 percent of Internet users are still at risk from attacks that exploit these vulnerabilities. This may be the biggest security hole on the Internet today, since 73 percent of Internet computers are using Java..."
___

60 second check for updates here (http://secunia.com/vulnerability_scanning/online/?inclusion=1&task=load&rp_id=heiseuk).

:sad:

AplusWebMaster
2010-11-11, 05:38
FYI...

Java exploits!...
- http://isc.sans.edu/diary.html?storyid=9916
Last Updated: 2010-11-11 00:05:00 UTC - "... Bottom line: If you haven't done so yet, hunt down and patch every incarnation of Java on the PCs that you are responsible for."
* http://www.virustotal.com/file-scan/report.html?id=d47224d8141b36082443d3e06920af51e098076cae2581f5aebd076b0d61cd28-1289430438
File name: bad.exe
Submission date: 2010-11-10 23:07:18 (UTC)
Result: 14/43 (32.6%)

Currently Exploited Sun Java Vulnerabilities
- http://blog.sharpesecurity.com/2010/10/25/list-of-currently-exploited-sun-java-vulnerabilities/
___

60 second check for updates here (http://secunia.com/vulnerability_scanning/online/?inclusion=1&task=load&rp_id=heiseuk).
___

- http://www.guardian.co.uk/technology/blog/2010/nov/16/java-oracle-google-ibm-harmony-apache-crisis
16 November 2010

:fear::fear:

AplusWebMaster
2010-12-08, 23:43
FYI...

Java JRE v1.6.0_23 released
- http://www.oracle.com/technetwork/java/javase/downloads/index.html
Dec. 8, 2010
Offline Installation - jre-6u23-windows-i586.exe - 15.79 MB
[Noted: 2011.01.14 - "This release includes performance improvements and bug fixes."]

- http://www.oracle.com/technetwork/java/javase/6u23releasenotes-191058.html
"... Bug Fixes: Java SE 6u23 does not contain any additional fixes for security vulnerabilities to its previous release, Java SE 6u22. Users who have Java SE 6u22 have the latest security fixes and do not need to upgrade to this release to be current on security fixes. For other bug fixes, see the Java SE 6u23 Bug Fixes page*..."
* http://www.oracle.com/technetwork/java/javase/2col/6u23bugfixes-191074.html
208 bug fixes ...
?? "6945145 - java_deployment - security - PKIX path validation failed: App won't start when offline when using JOGL/Win7 ..."

:fear:

AplusWebMaster
2011-02-09, 17:16
FYI...

Java vuln - patch available...
- http://secunia.com/advisories/43262/
Release Date: 2011-02-09
Criticality level: Moderately critical
Impact: DoS
Where: From remote
Solution: Apply patch via the FPUpdater tool.
... The vulnerability is reported in the following products: Sun JDK and JRE 6 Update 23 and prior, Sun JDK 5.0 Update 27 and prior, Sun SDK 1.4.2_29 and prior.
- http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html
2011-February-08
___

- http://blogs.oracle.com/security/2011/02/security_alert_for_cve-2010-44.html
February 8, 2011 - "... the fix for this vulnerability will also be included in the upcoming Java Critical Patch Update (Java SE and Java for Business Critical Patch Update - February 2011*), which will be released on February 15th 2011..."
* http://www.oracle.com/technetwork/topics/security/alerts-086861.html

- http://www.h-online.com/security/news/item/Oracle-warns-of-Java-vulnerability-1186135.html
9 February 2011 - "... Affected are Java SE and Java for Business in the current and all previous versions of the JDK/JRE 6, 5 and 1.4. To solve the problem, Oracle has released a hotfix* that users are advised to apply immediately, as information on how to exploit the DoS vulnerability is already freely available. The vendor also plans to release a regular Java update on 15 February."
* http://www.oracle.com/technetwork/java/javase/downloads/index.html#fpupdater

:fear::fear:

AplusWebMaster
2011-02-16, 00:48
FYI...

Java v1.6.0_24 released
- http://www.oracle.com/technetwork/java/javase/downloads/index.html
Feb. 15, 2011

Release Notes
- http://www.oracle.com/technetwork/java/javase/6u24releasenotes-307697.html
The full internal version number for this update release is 1.6.0_24-b07 (where "b" means "build"). The external version number is 6u24...
Bug Fixes: This release contains fixes for security vulnerabilities. For more information, please see Oracle Java SE and Java for Business Critical Patch Update advisory.
- http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html
Feb. 2011 - "... This Critical Patch Update contains 21 new security fixes..."

Java Downloads for All Operating Systems - Recommended Version 6 Update 24
- http://java.com/en/download/manual.jsp

Which version of Java should I download for my 64-bit Windows operating system?
- http://java.com/en/download/faq/java_win64bit.xml

Bug list:
- http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html#AppendixJAVA
___

3rd party Java test site
- http://javatester.org/version.html
___

Java - Multiple Flaws Let Remote Users Execute Arbitrary Code, Access Data, Modify Data, and Deny Service
- http://www.securitytracker.com/id/1025082
Feb 15 2011

- http://secunia.com/advisories/43262/
Last Update: 2011-02-16
Criticality level: Highly critical
Impact: Manipulation of data, Exposure of sensitive information, DoS, System access
Where: From remote...
Solution: Apply updates (see vendor's advisory).
Original Advisory: Oracle:
- http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html
___

Most Vulnerable Browser Plug-in...
- http://www.esecurityplanet.com/news/print.php/3925356
February 17, 2011- "... between July of 2010 and January of 2011... 42 percent of users were running vulnerable out-of-date Java plug-ins..."

:fear:

AplusWebMaster
2011-03-24, 16:18
FYI...

Java - update ugly...
- https://www.computerworld.com/s/article/9215021/Java_updates_may_include_annoying_McAfee_scanner
March 24, 2011 - "Windows users who install the latest Java security patches may end up with a little more security than they bargained for, at least that's the risk they take if they don't pay close attention to the installation process. [Oracle bundles] a security scanning tool called the McAfee Security Scan Plus with its Java updates for the Windows operating system. The software is installed by default with the Java update, so unless users notice and uncheck the McAfee installation box as they're updating Java, they'll end up downloading McAfee's software too...
Oracle bundles different products with Java in different regions, so not all Windows users may get Security Scan Plus with their Java updates. Once downloaded, the McAfee software prompts the user on a daily basis to accept McAfee's licensing terms to complete the installation. The user can cancel out of this prompt, but there is no option to decline the terms. To remove the software, the user must use the Windows "Uninstall a Program" feature. A number of users have inadvertently installed the software since Oracle started the bundling deal with Intel's McAfee subsidiary last month... Some users are unhappy, including one who posted to an Intel message board after noticing a slowdown on a family member's PC a few weeks ago, apparently after a Java update... Security Scan Plus is a 1MB download. But it uses 4MB of memory when running, a company spokeswoman said via e-mail. There are other ways to end up with it on your system. Some users have complained of downloading it as part of an Adobe reader update, and it can be picked up when downloading via Adobe's Download Center, an Adobe spokeswoman said..."

[ ...aka "Tag-along software installs" - not the only vendor that does this... ]
- https://www.ixquick.com/
"... about 1,860 for ' Tag-along software installs '"
- https://encrypted.google.com/
Tag-along software installs
"... About 644,000 results..."

:fear::fear:

AplusWebMaster
2011-04-22, 20:31
FYI...

Java v1.6.0_25 released
- http://www.oracle.com/technetwork/java/javase/downloads/index.html
April 22, 2011

Release Notes
- http://www.oracle.com/technetwork/java/javase/6u25releasenotes-356444.html
"Highlights: This update release contains important enhancements for Java applications:
Improved performance and stability
Java HotSpot™ VM 20
Support for Internet Explorer 9, Firefox 4 and Chrome 10
Improved BigDecimal ...
Java SE 6u25 does not add any fixes for security vulnerabilities beyond those in Java SE 6u24. Users who have Java SE 6u24 have the latest security fixes and do not need to upgrade to this release to be current on security fixes..."

Bug fixes
- http://www.oracle.com/technetwork/java/javase/2col/6u25bugfixes-356453.html
193...

:fear:

AplusWebMaster
2011-06-03, 21:29
FYI...

> http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html
June 3, 2011 - "This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Java SE Critical Patch Update for June 2011, which will be released on Tuesday, June 7, 2011... This Critical Patch Update contains 17 new security vulnerability fixes..."
___

Java exploits predominate...
- http://www.informationweek.com/news/security/vulnerabilities/229700251?printer_friendly=this-page
June 01, 2011 - "... In 2011, the Java threat doesn't appear to have diminished. According to a study by Kaspersky Labs[1] that looked at malware trends from January through March 2011, Java vulnerabilities comprised a significant portion of the top 10 "most seen" vulnerabilities* on people's PCs..."
* http://blogs.technet.com/b/mmpc/archive/2011/05/25/microsoft-safety-scanner-detects-exploits-du-jour.aspx
"... 7 of the top 10 threats are files containing exploits for Java vulnerabilities such as CVE-2008-5353, CVE-2010-0094, CVE-2010-0840 and CVE-2009-3867... many of these detections by MSS are the debris or aftermath after the exploit has already executed. By the time a user downloads and runs MSS to detect malware, the machine may have already been infected, if it was vulnerable to the exploit at the time... aside from additional malicious Java code detections... active threats were also reported on machines found to be infected by Exploit:Java/CVE-2008-5353**...
** http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5353
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3867
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0094
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0840
CVSS v2 Base Score: ... (HIGH)

[1] http://www.securelist.com/en/analysis/204792176/IT_Threat_Evolution_for_Q1_2011#9
"... In the first quarter of 2011, the number of blocked attacks stood at 254,932,299 – these attacks were carried out from web resources located in different countries all over the world..."

> http://www.microsoft.com/security/sir/keyfindings/default.aspx#section_3_1

:fear::fear:

AplusWebMaster
2011-06-07, 21:44
FYI...

Java JRE 6 Update 26 released
- http://java.com/en/download/manual.jsp

- http://www.oracle.com/technetwork/java/javase/downloads/jre-6u26-download-400751.html
June 7, 2011
Windows x86 15.85 MB jre-6u26-windows-i586.exe
Windows x64 16.14 MB jre-6u26-windows-x64.exe

Release Notes
- http://www.oracle.com/technetwork/java/javase/6u26releasenotes-401875.html
This release contains fixes for security vulnerabilities. For more information, please see Oracle Java SE Critical Patch Update advisory*.

* http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html#AppendixJAVA
CVSS Base Score 10.0: CVE-2011-0802, CVE-2011-0814, CVE-2011-0815, CVE-2011-0817, CVE-2011-0862, CVE-2011-0863, CVE-2011-0864, CVE-2011-0871, CVE-2011-0873
Other: CVE-2011-0786, CVE-2011-0788, CVE-2011-0865, CVE-2011-0866, CVE-2011-0867, CVE-2011-0868, CVE-2011-0869, CVE-2011-0872

Download Java for your desktop computer
> http://java.com/en/download/index.jsp
___

- http://www.securitytracker.com/id/1025610
CVE Reference: CVE-2011-0786, CVE-2011-0788, CVE-2011-0802, CVE-2011-0814, CVE-2011-0815, CVE-2011-0817, CVE-2011-0862, CVE-2011-0863, CVE-2011-0864, CVE-2011-0865, CVE-2011-0866, CVE-2011-0867, CVE-2011-0868, CVE-2011-0869, CVE-2011-0871, CVE-2011-0872, CVE-2011-0873
Impact: Denial of service via network, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network...
A remote user can create a Java applet or Java Web Start application that, when loaded by the target user, will access or modify data or execute arbitrary code on the target user's system. A remote user can cause partial denial of service conditions on the target system.
Solution: The vendor has issued a fix...

- http://secunia.com/advisories/44784/
Last Update: 2011-06-10
Criticality level: Highly critical
Impact: Manipulation of data, Exposure of sensitive information, DoS, System access
Where: From remote...
Solution Status: Vendor Patch...
... versions prior to 1.6.0_26...

Quick test here: http://javatester.org/version.html
___

IBM Java v6.0.0 SR9 FP2 released
- http://secunia.com/advisories/45206/
Release Date: 2011-07-13
Criticality level: Highly critical
Impact: Manipulation of data, Exposure of sensitive information, DoS, System access
Where: From remote
CVE Reference(s): CVE-2011-0786, CVE-2011-0788, CVE-2011-0802, CVE-2011-0814, CVE-2011-0815, CVE-2011-0817, CVE-2011-0862, CVE-2011-0863, CVE-2011-0865, CVE-2011-0866, CVE-2011-0867, CVE-2011-0868, CVE-2011-0869, CVE-2011-0871, CVE-2011-0872, CVE-2011-0873
Solution: Update to version 6.0.0 SR9 FP2.
Original Advisory: http://www.ibm.com/developerworks/java/jdk/alerts/

:fear:

AplusWebMaster
2011-07-29, 01:42
FYI...

Java JRE v7 released
- http://www.oracle.com/technetwork/java/javase/downloads/java-se-jre-7-download-432155.html
July 28 2011

JDK 7 and JRE 7 Supported System Configurations
- http://www.oracle.com/technetwork/java/javase/config-417990.html

Security Enhancements
- http://download.oracle.com/javase/7/docs/technotes/guides/security/enhancements7.html

Release Notes
- http://www.oracle.com/technetwork/java/javase/jdk7-relnotes-429209.html

Changes in Java SE 7
- http://www.oracle.com/technetwork/java/javase/jdk7-relnotes-418459.html#changes

Known Issues
- http://www.oracle.com/technetwork/java/javase/jdk7-relnotes-418459.html#knownissues
___

- http://h-online.com/-1288208
29 July 2011 - "9494 bug fixes, 1966 enhancements, 9018 updates, 147 builds and four specification requests have gone into developing the latest Java Platform 7 and Oracle has now released JDK 7 as a general availability release. It is the first major release of the Java development environment since Oracle's takeover of Sun Microsystems..."

:fear::spider:

AplusWebMaster
2011-08-17, 21:28
FYI...

- https://isc.sans.edu/diary.html?storyid=11506
Last Updated: 2011-09-05 13:44:59 UTC ...(Version: 2)
___

Java JRE 6 Update 27 released
- http://www.oracle.com/technetwork/java/javase/downloads/jre-6u27-download-440425.html
August 17, 2011
Windows x86 ... jre-6u27-windows-i586.exe
Windows x64 ... jre-6u27-windows-x64.exe

Release Notes
- http://www.oracle.com/technetwork/java/javase/6u27-relnotes-444147.html

Bug Fixes
- http://www.oracle.com/technetwork/java/javase/6u27bugfixes-444150.html

NOTE:
• https://www.java.com/en/download/faq/java7.xml
Java7: "... The new release of Java is first made available to the developers to ensure no major problems are found before we make it available on the java.com website for end users to download the latest version..."

:fear:

AplusWebMaster
2011-10-19, 00:18
FYI...

Java 7 Update 1 released
Release Notes / Bug Fixes
- http://www.oracle.com/technetwork/java/javase/7u1-relnotes-507962.html
October 18, 2011 - "... version number for this update release is 1.7.0_1-b08 (where "b" means "build"). The external version number is 7u1..."

Downloads
- http://www.oracle.com/technetwork/java/javase/downloads/jre-7u1-download-513652.html
Windows x86 jre-7u1-windows-i586.exe
Windows x64 jre-7u1-windows-x64.exe
___

Java 6 Update 29 released
Release Notes / Bug Fixes
- http://www.oracle.com/technetwork/java/javase/6u29-relnotes-507960.html
October 18, 2011 - "... version number for this update release is 1.6.0_29-b11 (where "b" means "build"). The external version number is 6u29..."

Downloads
- http://www.oracle.com/technetwork/java/javase/downloads/jre-6u29-download-513650.html
Windows x86 jre-6u29-windows-i586.exe
Windows x64 jre-6u29-windows-x64.exe
___

Oracle Java SE Critical Patch Update Advisory - October 2011
- http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html#AppendixJAVA
"... contains 20 new security fixes for Oracle Java SE. 19 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password...
... Supported Versions Affected: JDK and JRE 7, 6 Update 27 and before..."
___

JRE Multiple Flaws Let Remote Users Execute Arbitrary Code and Deny Service
- http://www.securitytracker.com/id/1026215
CVE Reference: CVE-2011-3516, CVE-2011-3521, CVE-2011-3544, CVE-2011-3545, CVE-2011-3546, CVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3550, CVE-2011-3551, CVE-2011-3552, CVE-2011-3553, CVE-2011-3554, CVE-2011-3555, CVE-2011-3556, CVE-2011-3557, CVE-2011-3558, CVE-2011-3560, CVE-2011-3561
Date: Oct 19 2011
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network.
Version(s): JDK and JRE 7; JDK and JRE 6 Update 27 and prior; JDK and JRE 5.0 Update 31 and prior; SDK and JRE 1.4.2_33 and prior.
... vendor has issued a fix... advisory is available at:
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html

- https://secunia.com/advisories/46512/
Release Date: 2011-10-19
Criticality level: Highly critical
Impact: Hijacking, Spoofing, Manipulation of data, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Oracle Java JDK/JRE SE 1.7.x / 7.x, JDK/JRE 1.6.x / 6.x, JDK/JRE 1.5.x, JDK/JRE 1.4.x
Description: Multiple vulnerabilities have been reported in Oracle Java SE, which can be exploited by malicious users to disclose certain information and by malicious people to disclose potentially sensitive information, hijack a user's session, conduct DNS cache poisoning attacks, manipulate certain data, cause a DoS (Denial of Service), and compromise a vulnerable system.
... see the vendor's advisory for details...
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html

:fear::fear:

AplusWebMaster
2011-11-24, 05:30
FYI...

IBM Java - multiple vulns - update available
- https://secunia.com/advisories/46977/
Release Date: 2011-11-23
Criticality level: Highly critical
Impact: Exposure of sensitive information, DoS, System access
Where: From remote
Software: IBM Java 5.x ...
CVE Reference(s): CVE-2011-3545, CVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3552, CVE-2011-3554, CVE-2011-3556
Solution: Update to version SR13.
Original Advisory: http://www.ibm.com/developerworks/java/jdk/alerts/

> https://www.ibm.com/developerworks/java/jdk/
___

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3547
CVSS v2 Base Score: 5.0 (MEDIUM)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3552
CVSS v2 Base Score: 2.6 (LOW)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3545
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3548
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3549
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3554
Last revised: 10/30/2011
CVSS v2 Base Score: 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3556
CVSS v2 Base Score: 7.5 (HIGH)

:fear::fear:

AplusWebMaster
2011-12-12, 23:01
FYI...

Java 6u30 / 7u2 released
- http://www.oracle.com/technetwork/java/javase/6u30-relnotes-1394870.html
Dec. 12, 2011 - "... a notable bug fix for Java SE 6u30:
Area: JSSE: Runtime Synopsis: REGRESSION - 6u29 -breaks- SSL connectivity using TLS_DH_anon_WITH_AES_128_CBC_SHA. It is strongly encouraged that applications using JSSE (SSL/TLS) be upgraded to this release to have access to the latest changes that address this recent vulnerability: Under certain circumstances, Java SE 6u29* will incorrectly throw an IndexOutOfBoundsException or send an extra SSL/TLS packet..."
* http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7103725
Related: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389
Last revised: 12/13/2011

- http://www.oracle.com/technetwork/java/javase/7u2-relnotes-1394228.html
Dec. 12, 2011 - "... 7u2 does -not- add any fixes for security vulnerabilities beyond those in Java SE 7u1. Users who have Java SE 7u1 have the latest security fixes and do not need to upgrade to this release to be current on security fixes..."

Bug Fixes... in Java SE 6u30:
- http://www.oracle.com/technetwork/java/javase/2col/6u30bugfixes-1394936.html
Bug Fixes... in Java SE 7u2:
- http://www.oracle.com/technetwork/java/javase/2col/7u2bugfixes-1394661.html

Downloads: http://www.oracle.com/technetwork/java/javase/downloads/index.html

JRE 6u30: http://www.oracle.com/technetwork/java/javase/downloads/jre-6u30-download-1377142.html

JRE 7u2: http://www.oracle.com/technetwork/java/javase/downloads/jre-7u2-download-1377135.html
___

- https://krebsonsecurity.com/2011/12/security-updates-for-microsoft-windows-java/
December 13, 2011 - "... specific details of the flaws* fixed in this update..."

* Exploitable bugs fixed in update 30
- https://krebsonsecurity.com/wp-content/uploads/2011/12/java6update30notes.txt
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6761678
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6670868
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7041800
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6682380
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7103725

:fear:
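The "extra SSL/TLS packet" in the 6u30 note above is the 1/n-1 record split that JSSE adopted in 6u29 as its countermeasure to CVE-2011-3389 (the "BEAST" chosen-plaintext attack on TLS 1.0 CBC, where the IV of each record is the last ciphertext block of the previous one and is therefore visible on the wire). The following is an added example, not code from the thread or from JSSE: a toy model of that chaining, of an attacker who uses the predictable IV to test a guess of a secret block, and of why a one-byte record in front of the bulk record defeats the guess. The block cipher is a keyed hash standing in for AES (it is never decrypted), the secret and the requests are constructed, and the attacker here guesses a whole 16-byte block at once, whereas the real attack aligns the secret so that only one unknown byte per block remains.

```python
"""Toy model of the TLS 1.0 CBC chained-IV weakness (CVE-2011-3389, "BEAST") and of the
1/n-1 record split that JSSE adopted in 6u29, the "extra SSL/TLS packet" the thread mentions.
Added example: the cipher below is a keyed hash standing in for AES, not JSSE code."""
import hashlib
import os

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher: deterministic, unpredictable without the key.
    Not invertible and not AES; the demo never decrypts, and CBC chaining is what matters."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def tls10_pad(data: bytes) -> bytes:
    """TLS 1.0 padding: n bytes each equal to n-1, n >= 1, so the total is a block multiple."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n - 1]) * n


class Tls10CbcWriter:
    """The sending side of a TLS 1.0 CBC connection, reduced to what the attack needs:
    the IV of each record is the last ciphertext block of the previous record."""

    def __init__(self, key: bytes, initial_iv: bytes):
        self.key = key
        self.chain = initial_iv  # only the very first IV is secret; later ones are on the wire

    def _encrypt_record(self, plaintext: bytes) -> bytes:
        out = b""
        padded = tls10_pad(plaintext)
        for i in range(0, len(padded), BLOCK):
            c = toy_block_encrypt(self.key, xor(padded[i:i + BLOCK], self.chain))
            out += c
            self.chain = c
        return out

    def send(self, plaintext: bytes, split_1n1: bool = False) -> list:
        """Without the countermeasure, one record.  With it, a 1-byte record followed by
        the rest, so the bulk record chains from a ciphertext the attacker could not know
        when choosing the plaintext."""
        if split_1n1 and len(plaintext) > 1:
            return [self._encrypt_record(plaintext[:1]), self._encrypt_record(plaintext[1:])]
        return [self._encrypt_record(plaintext)]


def beast_probe(iv_of_secret: bytes, predicted_iv: bytes, guess: bytes) -> bytes:
    """Chosen plaintext that, chained with predicted_iv, feeds the cipher the same input as
    the secret block did when chained with iv_of_secret, if and only if guess is right."""
    return xor(xor(guess, iv_of_secret), predicted_iv)


def run_demo(split_1n1: bool) -> dict:
    """Returns {guess: matched} for one correct and one wrong 16-byte guess."""
    writer = Tls10CbcWriter(os.urandom(16), os.urandom(16))
    secret = b"Cookie=deadbeef0"                      # constructed 16-byte secret, block-aligned
    filler = writer.send(b"GET /index.html ")[0]      # attacker sees this on the wire ...
    iv_of_secret = filler[-BLOCK:]                    # ... and therefore the IV of the next record
    secret_record = writer.send(secret)[0]
    target = secret_record[:BLOCK]                    # ciphertext of the secret block
    predicted_iv = secret_record[-BLOCK:]             # what the next record will chain from
    results = {}
    for guess in (b"Cookie=deadbeef0", b"Cookie=deadbeef1"):
        probe = beast_probe(iv_of_secret, predicted_iv, guess)
        records = writer.send(probe, split_1n1=split_1n1)   # attacker-induced request
        results[guess] = records[-1][:BLOCK] == target
        predicted_iv = records[-1][-BLOCK:]                 # attacker keeps tracking the chain
    return results


if __name__ == "__main__":
    print("no split   :", run_demo(split_1n1=False))
    print("1/n-1 split:", run_demo(split_1n1=True))
```

Without the split, the correct guess reproduces the secret's ciphertext block and the wrong one does not; with the split, neither does, because the bulk record is chained from the ciphertext of the one-byte record. That one-byte record is the packet some peers (and the anon-DH suite named in the 6u30 note) did not cope with, which is why 6u29 broke connections and 6u30 had to repair the countermeasure rather than remove it.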

AplusWebMaster
2012-02-15, 12:59
FYI...

Java update advisory - Feb 2012
- http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html
2012-February-17 Rev 2. Replaced CVE-2011-3571 with CVE-2012-0507
2012-February-14 Rev 1. Initial Release
2012-February-14 - "... Affected product releases and versions:
JDK and JRE 7 Update 2 and earlier, JDK and JRE 6 Update 30 and earlier, JDK and JRE 5.0 Update 33 and earlier, SDK and JRE 1.4.2_35 and earlier, JavaFX 2.0.2 and earlier, JavaFX...
>> http://www.oracle.com/technetwork/java/javase/downloads/index.html
"... Java SE 7u3 - This release includes security fixes... Java SE 6 Update 31 - This release includes security fixes..."

Java JRE 7u3:
- http://www.oracle.com/technetwork/java/javase/downloads/jre-7u3-download-1501631.html
Release Notes:
- http://www.oracle.com/technetwork/java/javase/7u3-relnotes-1481928.html
"... version number for this update release is 1.7.0_03-b04 (b05 in Windows, where "b" means "build"). The external version number is 7u3..."

Java JRE 6u31:
- http://www.oracle.com/technetwork/java/javase/downloads/jre-6u31-download-1501637.html
Release Notes:
- http://www.oracle.com/technetwork/java/javase/6u31-relnotes-1482342.html
"... version number for this update release is 1.6.0_31-b04 (b05 in Windows, where "b" means "build")..."
___

- http://www.securitytracker.com/id/1026687
CVE Reference:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3563 - 6.4
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0497 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0498 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0499 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0500 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0501 - 5.0
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0502 - 6.4
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0503 - 7.5 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0504 - 9.3 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0505 - 7.5 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0506 - 4.3
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0508 - 10.0 (HIGH)
Date: Feb 14 2012
Impact: Denial of service via network, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Version(s): 1.4.2_35 and prior, 5.0 Update 33 and prior; 6 Update 30 and prior; 7 Update 2 and prior...
The vendor's advisory is available at:
- http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html

- https://secunia.com/advisories/48009/
Release Date: 2012-02-15
Criticality level: Highly critical
Impact: Manipulation of data, Exposure of sensitive information, DoS, System access
Where: From remote...
Original Advisory:
- http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html

:fear::fear:
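The "Quick test" link in the June 2011 post and the affected-version list in this advisory both come down to the same check: read the installed JRE's version string and compare the update number against the last affected update for its family. The following is an added example, not code from the thread, from Oracle or from javatester.org. It parses the banner `java -version` prints (the `1.6.0_26-b03` style, including the 7u1-era `1.7.0_01` zero-padding and the `1.4.2_35` form) and compares it with the February 2012 list quoted above; the table is that list, the sample banners are constructed, and a family the advisory does not name is reported as "not covered" rather than as safe.

```python
"""Parse a `java -version` banner and check it against the affected-version list of an Oracle
Java SE Critical Patch Update.  Added example, not Oracle or javatester.org code; the table is
the February 2012 advisory list quoted in the thread, the sample banners are constructed."""
import re
import subprocess
from typing import Dict, NamedTuple, Optional, Tuple

# Matches "1.6.0_26", "1.6.0_26-b03", "1.7.0_03-b05", "1.7.0" and "1.4.2_35".
# The first match is used, i.e. the `java version "..."` line; the two-part HotSpot
# build ("20.1-b02") has no third component and never matches.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?")

# Last affected update per family, from the Feb 2012 advisory:
# "7 Update 2 and earlier, 6 Update 30 and earlier, 5.0 Update 33 and earlier, 1.4.2_35 and earlier".
CPU_FEB_2012_AFFECTED: Dict[Tuple[int, int], int] = {
    (1, 7): 2, (1, 6): 30, (1, 5): 33, (1, 4): 35,
}


class JavaVersion(NamedTuple):
    family: Tuple[int, int]   # (1, 6) is Java 6, (1, 7) is Java 7, (1, 4) is 1.4.2
    micro: int                # third component: 0 for 5/6/7, 2 for 1.4.2
    update: int               # "Update N"; 0 for a GA release such as 1.7.0
    build: Optional[int]      # the -bNN build suffix when the banner shows it

    def label(self) -> str:
        s = f"{self.family[0]}.{self.family[1]}.{self.micro}"
        if self.update:
            s += f"_{self.update:02d}"
        if self.build is not None:
            s += f"-b{self.build:02d}"
        return s


def parse_java_version(banner: str) -> JavaVersion:
    m = _VERSION_RE.search(banner)
    if m is None:
        raise ValueError("no Java version string found in banner")
    major, minor, micro, update, build = m.groups()
    return JavaVersion((int(major), int(minor)), int(micro),
                       int(update) if update else 0,
                       int(build) if build else None)


def is_affected(v: JavaVersion, last_affected: Dict[Tuple[int, int], int]) -> Optional[bool]:
    """True: the advisory lists this family and v is at or below the last affected update.
    False: newer than that.  None: family not in the list, which means 'check manually',
    not 'safe' (an advisory only speaks for the families it names)."""
    if v.family not in last_affected:
        return None
    return v.update <= last_affected[v.family]


def assess(banner: str, last_affected=CPU_FEB_2012_AFFECTED) -> str:
    v = parse_java_version(banner)
    verdict = is_affected(v, last_affected)
    text = {True: "AFFECTED, update required",
            False: "at or past the fixed update",
            None: "family not covered by this advisory"}[verdict]
    return f"{v.label()}: {text}"


def local_java_banner() -> str:
    """`java -version` writes its banner to stderr, not stdout."""
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return proc.stderr or proc.stdout


# Constructed banners in the layout the JRE prints; the build numbers are illustrative.
SAMPLE_BANNERS = [
    'java version "1.6.0_30"\nJava(TM) SE Runtime Environment (build 1.6.0_30-b12)\n'
    'Java HotSpot(TM) Client VM (build 20.5-b03, mixed mode, sharing)\n',
    'java version "1.6.0_31"\nJava(TM) SE Runtime Environment (build 1.6.0_31-b05)\n',
    'java version "1.7.0_03"\nJava(TM) SE Runtime Environment (build 1.7.0_03-b05)\n',
    'java version "1.4.2_35"\n',
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(assess(banner))
    try:
        print("this machine:", assess(local_java_banner()))
    except (FileNotFoundError, ValueError) as exc:
        print("this machine: no usable java on PATH:", exc)
```

Two caveats a practitioner would keep in mind: `java -version` reports the JRE first on PATH, which on a Windows box with several side-by-side installs need not be the one the browser plug-in loads (that is what the in-browser test on javatester.org was for); and the table has to be refreshed with every Critical Patch Update, since the "and earlier" boundary moves each time.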

AplusWebMaster
2012-04-26, 21:53
FYI...

Java v.6u32/v.7u4 released
> http://www.oracle.com/technetwork/java/javase/downloads/index.html
___

Java SE Runtime Environment 7u4 - Download
- http://www.oracle.com/technetwork/java/javase/downloads/jre-7u4-download-1591157.html
April 26, 2012

Release notes
- http://www.oracle.com/technetwork/java/javase/7u4-relnotes-1575007.html
"... Bug Fixes: Java SE 7u4 does -not- add any fixes for security vulnerabilities beyond those in Java SE 7u3..."

Bug Fixes - Java SE 7u4
- http://www.oracle.com/technetwork/java/javase/2col/7u4bugfixes-1579555.html

- http://h-online.com/-1562140
27 April 2012 - "The new Java Standard Edition 7 Update 4 is the first Oracle-sponsored Java release that has been made available for Mac OS X (Lion)... Java SE 7 Update 4 can be downloaded for Macs, as well as Windows and Linux..."
- http://www.oracle.com/technetwork/java/javase/downloads/jdk-7u4-downloads-1591156.html
___

Java SE Runtime Environment 6 Update 32 - Download
- http://www.oracle.com/technetwork/java/javase/downloads/jre-6u32-downloads-1594646.html
April 26, 2012

Release notes
- http://www.oracle.com/technetwork/java/javase/6u32-relnotes-1578471.html

Bug Fixes - Java SE 6u32
- http://www.oracle.com/technetwork/java/javase/2col/6u32bugfixes-1579554.html

Java 6 End of Life (EOL) Notice
- http://www.oracle.com/technetwork/java/eol-135779.html
After November 2012, Oracle will no longer post updates of Java SE 6 to its public download sites...
___

Oracle to bring Java security fixes directly to Mac user ...
- http://atlas.arbor.net/briefs/index#-1272909644
Severity: Elevated Severity
Published: Monday, April 30, 2012 16:24
Oracle is now providing a direct version of Java to OSX users.
Analysis: This is a positive development that will hopefully reduce OSX malware. The lag in patch time between Oracle and Apple has been a thorn in the side of security for some time and the pain of the recent Flashback trojan, the SabPub trojan, and now another OSX malware using the same Java security hole has been significant enough that users should migrate towards Oracle Java as soon as possible. Cyber criminals are aware that OSX is a viable platform for malware, and will have their eyes open for other gaps in coverage.
Source: http://arstechnica.com/apple/news/2012/04/oracle-updates-java-to-se-7-for-os-x-brings-full-jdk-support.ars

.

AplusWebMaster
2012-06-10, 16:51
FYI...

- http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html
"This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Critical Patch Update for June 2012, which will be released on Tuesday, June 12, 2012...
Security vulnerabilities addressed by this Critical Patch Update affect the following products:
JDK and JRE 7 Update 4 and earlier
JDK and JRE 6 Update 32 and earlier
JDK and JRE 5.0 Update 35 and earlier
SDK and JRE 1.4.2_37 and earlier
JavaFX 2.1 and earlier...
This Critical Patch Update contains 14 new security fixes for Oracle Java SE. 12 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The highest CVSS Base Score of vulnerabilities affecting Oracle Java SE is 10.0. The Oracle Java SE components affected by vulnerabilities that are fixed in this Critical Patch Update are:
Java Runtime Environment."

.