
Thread: Old Sun Java JRE updates

  1. #51
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Java proof-of-concept attack released

    FYI...

    Java proof-of-concept attack released
    - http://www.theregister.co.uk/2009/12...s_java_attack/
    4 December 2009 - "... A security researcher has released a proof-of-concept attack that exploits critical vulnerabilities that Apple patched on Thursday. The vulns stem from bugs in the Java runtime environment that allow attackers to remotely execute malicious code. Sun Microsystems patched the flaws early last month*... The code will also exploit unpatched Windows machines..."
    * Sun Java v1.6.0_17: http://java.sun.com/javase/downloads/index.jsp

    Quick check to see what you have installed:
    - http://javatester.org/version.html

    Last edited by AplusWebMaster; 2009-12-04 at 21:00.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #52 AplusWebMaster

    Java ...exploit in use in web drive-by attacks

    FYI...

    Java ...exploit in use in web drive-by attacks
    - http://isc.sans.org/diary.html?storyid=7879
    Last Updated: 2010-01-05 17:54:55 UTC - "... java applet exploiting CVE-2008-5353 ( http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-5353 / ...JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier... ) as part of a web drive-by attack. While PoC has been around for a long time for this, this is the first time I've heard of it being used in the wild for a general attack... As we get more details on what it does, we'll update this entry with it."
    * https://www.virustotal.com/analisis/...74d-1262270360
    File jar_cache5501.zip received on 2009.12.31 14:39:20 (UTC)
    Result: 7/39 (17.95%)


  3. #53 AplusWebMaster

    Sun Java JRE v1.6.0_18 released

    FYI...

    Sun Java JRE v1.6.0_18 released
    - http://java.sun.com/javase/downloads/index.jsp
    January 13, 2010

    Release Notes - Changes in 1.6.0_18
    - http://java.sun.com/javase/6/webnotes/6u18.html
    "... This feature release does not contain any new fixes for security vulnerabilities to its previous release, Java SE 6 Update 17. Users who have Java SE 6 Update 17 have the latest security fixes and do not need to upgrade to this release to be current on security fixes..."

    Bug fixes - 358
    - http://java.sun.com/javase/6/webnote...fixes-1.6.0_18

    Last edited by AplusWebMaster; 2010-01-14 at 00:48.

  4. #54 AplusWebMaster

    Java JRE 6 Update 19 released

    FYI...

    Java JRE 6 Update 19 released
    - http://java.sun.com/javase/downloads/index.jsp
    March 30, 2010

    Supported System Configurations
    - http://java.sun.com/javase/6/webnote...gurations.html

    Changes in 1.6.0_19
    - http://java.sun.com/javase/6/webnotes/6u19.html
    "This release contains fixes for security vulnerabilities..."
    28 Bug Fixes

    - http://secunia.com/advisories/37255/
    Release Date: 2010-03-31
    Criticality level: Highly critical
    Impact: Unknown, Manipulation of data, Exposure of system information, Exposure of sensitive information, DoS, System access
    Where: From remote
    Solution Status: Vendor Patch
    Software: Java JDK 1.4.x, 1.5.x, 1.6.x, Java JRE 1.4.x, 1.5.x / 5.x, 1.6.x / 6.x
    Oracle:
    http://www.oracle.com/technology/dep...pumar2010.html

    - http://secunia.com/secunia_research/2009-49/
    31/03/2010
    - http://secunia.com/secunia_research/2009-50/
    31/03/2010

    - http://atlas.arbor.net/briefs/index#2090669689
    March 31, 2010 - "Analysis: This is a serious issue for Java users who should review this update and apply it as soon as possible..."

    Last edited by AplusWebMaster; 2010-04-02 at 16:17.

  5. #55 AplusWebMaster

    Java JRE vuln - unpatched

    FYI...

    JRE Java Platform SE and Java Deployment Toolkit Plugins Code Execution vulns

    - http://secunia.com/advisories/39260/
    Release Date: 2010-04-12
    Criticality level: Highly critical
    Impact: System access
    Where: From remote
    Solution Status: Unpatched
    Software: Sun Java JDK 1.6.x, Sun Java JRE 1.6.x / 6.x
    ... The vulnerability is confirmed in JRE version 6 Update 19. Other versions may also be affected...
    Original Advisory: Tavis Ormandy:
    http://archives.neohapsis.com/archiv...0-04/0122.html ...

    - http://www.securityfocus.com/bid/39346/info
    Remote: Yes
    Updated: Apr 09 2010
    Vulnerable: Sun JRE (Windows Production Release) "since version 6 Update 10".
    - http://www.securityfocus.com/bid/39346/discuss
    Java Runtime Environment (JRE) is prone to arbitrary code-execution vulnerabilities that affect multiple Java plugins for multiple browsers. Attackers can exploit these issues to execute arbitrary code in the context of the user running the vulnerable applications. The issues affect Java Runtime Environment versions 1.6.0_10 and later (JRE 6 Update 10 and later); other versions may also be vulnerable...

    - http://www.mail-archive.com/full-dis.../msg40571.html
    09 Apr 2010

    - http://www.symantec.com/security_res...atconlearn.jsp
    09 Apr 2010
    • 'deploytk.dll' - Java Deployment Toolkit ActiveX plugin for Internet Explorer (CLSID: CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA)
    • 'jp2iexp.dll' - Java Platform SE ActiveX plugin for Internet Explorer (CLSID: 8AD9C840-044E-11D1-B3E9-00805F499D93)
    • 'npdeploytk.dll' - Java Deployment Toolkit plugin for Mozilla Firefox
    • 'npjp2.dll' - Java Platform SE plugin for Mozilla Firefox and Google Chrome

    - http://www.theregister.co.uk/2010/04...vulnerability/
    09 Apr 2010

    - http://isc.sans.org/diary.html?storyid=8608
    Last Updated: 2010-04-10 21:01:56 UTC

    - http://www.us-cert.gov/current/#sun_...toolkit_plugin
    April 13, 2010
    - http://www.kb.cert.org/vuls/id/886582
    Last Updated: 2010-04-12

    Last edited by AplusWebMaster; 2010-04-14 at 10:51.

  6. #56 AplusWebMaster

    Java exploit in-the-wild...

    FYI...

    Java exploit in the wild...
    - http://www.theregister.co.uk/2010/04...ity_exploited/
    14 April 2010 - "A popular song lyrics website has been found serving attack code that tries to exploit a critical vulnerability in Oracle's Java virtual machine, which is installed on hundreds of millions of computers worldwide. The site, songlyrics .com, is serving up javascript that invokes the weakness disclosed last week by security researcher Tavis Ormandy... AVG Technologies Chief Research Officer Roger Thompson, who discovered the in-the-wild attack, said songlyrics .com reaches out to another domain, assetmancomjobs .com, for a malicious JAR, or Java Archive, file and gets a 404 error indicating the payload isn't available..."

    - http://krebsonsecurity.com/2010/04/u...d-in-the-wild/
    April 14, 2010

    - http://www.symantec.com/security_res...atconlearn.jsp
    "The ThreatCon is currently at Level 2: Elevated.
    On April 14, 2010, multiple sources reported in-the-wild exploitation of a code execution vulnerability (BID 39346) affecting Oracle JRE Java Platform SE and Java Deployment Toolkit Plugins. This issue affects Oracle Java JRE, since version 6 Update 10 (Other versions may also be affected). Exploitation of this issue can allow an attacker to load and execute an arbitrary JAR file from an attacker specified UNC share. Since there is no patch available we recommend users to stay cautious while visiting sites and disable the associated controls if they are not required..."

    Last edited by AplusWebMaster; 2010-04-15 at 14:45.

  7. #57 AplusWebMaster

    Java JRE v1.6.0_20 update released

    FYI...

    Java JRE 6 Update 20 released
    - http://java.sun.com/javase/downloads/index.jsp
    April 15, 2010

    Changes in 1.6.0_20
    - http://java.sun.com/javase/6/webnotes/6u20.html
    "This release contains fixes for security vulnerabilities..."
    3 Bug Fixes...

    Supported System Configurations
    - http://java.sun.com/javase/6/webnote...gurations.html

    - http://secunia.com/advisories/39260/
    Last Update: 2010-04-16
    Criticality level: Highly critical
    Impact: System access
    Where: From remote
    Software: Sun Java JDK 1.6.x, Sun Java JRE 1.6.x / 6.x
    CVE Reference(s):
    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-0886
    Last revised: 05/27/2010 / CVSS v2 Base Score: 10.0 (HIGH)
    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-0887
    Last revised: 05/25/2010 / CVSS v2 Base Score: 10.0 (HIGH)
    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-1423
    Last revised: 04/16/2010 / CVSS v2 Base Score: 9.3 (HIGH)
    Solution:
    Update to JRE or JDK version 6 Update 20.

    Java Patch Targets Latest Attacks
    - http://krebsonsecurity.com/2010/04/j...atest-attacks/
    April 15, 2010

    Last edited by AplusWebMaster; 2010-06-14 at 15:24.

  8. #58 AplusWebMaster

    Java v1.6.0_20 US-CERT advisory...

    FYI...

    Java v1.6.0_20 US-CERT advisory...
    - http://www.kb.cert.org/vuls/id/886582
    Last Updated: 2010-04-19
    "... Note: The installer for Java 1.6.0_20 may not correctly update all instances of the Java Deployment Toolkit plugin. In some cases, the plugin that resides in the \bin\new_plugin directory may not be updated to the fixed 6.0.200.2 version of npdeployJava1.dll. If the new_plugin directory contains npdeploytk.dll version 6.0.190.4 or earlier, then browsers that use plug-ins, such as Mozilla Firefox or Google Chrome, may still be vulnerable. To correct this situation, delete the vulnerable npdeploytk.dll from the new_plugin directory and replace it with the npdeployJava1.dll version from the bin directory. Please note that the Java Development Toolkit can be installed in multiple browsers, therefore workarounds need to be applied to all browsers with the Java Development Toolkit..."
    (IE "killbit" procedure also available at the URL above.)

    - http://krebsonsecurity.com/2010/04/m...in-in-firefox/
    April 20, 2010 - "Mozilla is disabling older versions of the Java Development Toolkit plugin for Firefox users, in a bid to block attacks against a newly-discovered Java security hole that attackers have been exploiting of late to install malicious code... If you want to disable it manually, go to Tools, Add-ons, click the Plugins icon, select the Toolkit and hit the “Disable” button..."

    - http://atlas.arbor.net/briefs/index#-1067279310
    Title: Oracle Java Security Alert
    Severity: Extreme Severity
    Published: Thursday, June 10, 2010 18:11
    Oracle has released a Java security alert for two bugs in the JDK and JRE 6. Desktop Java installations can be used to execute arbitrary commands on the victim's system. Oracle has released updated software to address this issue.
    Analysis: This is a critical issue we have seen exploited in the wild. Due to the complexity of updating Java installations, which may leave behind older and vulnerable versions, we encourage sites to update with extreme care.
    Source: Oracle Security Alert for CVE-2010-0886 - May 2010
    - http://www.oracle.com/technology/dep...2010-0886.html

    Last edited by AplusWebMaster; 2010-06-14 at 15:09.
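As an added defensive check, not from the thread or from any of the advisories it links, the PowerShell below audits a Windows host for the stale npdeploytk.dll copy that the US-CERT note describes and reports whether the IE kill bit is set for the two ActiveX CLSIDs listed in the Symantec entry of post #55. It assumes Java is installed under Program Files\Java (plus the x86 folder on 64-bit Windows) and uses the standard ActiveX Compatibility registry key for the kill-bit check.

```powershell
# Added audit script (not from the thread or from US-CERT). Two read-only checks:
#  1. npdeploytk.dll copies under any Java bin\new_plugin directory whose file
#     version is below the fixed 6.0.200.2 build named in VU#886582;
#  2. whether the IE kill bit (Compatibility Flags 0x400) is set for the
#     Deployment Toolkit and Java Platform SE controls.
# Assumption: Java lives under Program Files\Java; no admin rights are needed.

$FixedVersion = [version]'6.0.200.2'   # fixed Deployment Toolkit build per the advisory
$JavaRoots = @("$env:ProgramFiles\Java", "${env:ProgramFiles(x86)}\Java") |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Check 1: stale plugin copies left behind in bin\new_plugin
$StaleDlls = foreach ($root in $JavaRoots) {
    Get-ChildItem -LiteralPath $root -Recurse -Filter 'npdeploytk.dll' -ErrorAction SilentlyContinue |
        Where-Object { $_.DirectoryName -like '*\bin\new_plugin' } |
        ForEach-Object {
            $vi = $_.VersionInfo
            # Build the version from the numeric parts; the FileVersion string can carry extra text.
            $v = New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
            [pscustomobject]@{
                Path        = $_.FullName
                FileVersion = $v
                NeedsFix    = ($v -lt $FixedVersion)   # True = still the vulnerable 6.0.190.4-or-older build
            }
        }
}

# Check 2: IE kill bit for the two controls named in the Symantec entry
$Clsids = [ordered]@{
    'Java Deployment Toolkit (deploytk.dll)' = '{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}'
    'Java Platform SE (jp2iexp.dll)'         = '{8AD9C840-044E-11D1-B3E9-00805F499D93}'
}
$KillBits = foreach ($name in $Clsids.Keys) {
    $key   = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$($Clsids[$name])"
    $flags = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    [pscustomobject]@{
        Control    = $name
        KillBitSet = [bool]($flags -band 0x400)   # $null flags -> no kill bit
    }
}

if ($StaleDlls) { $StaleDlls | Format-Table -AutoSize }
else { 'No npdeploytk.dll found under any bin\new_plugin directory.' }
$KillBits | Format-Table -AutoSize
```

A NeedsFix value of True is the case the US-CERT note covers: replace that copy with the npdeployJava1.dll from the bin directory, and repeat for every browser that carries the toolkit.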

  9. #59 AplusWebMaster

    Java JRE 6 Update 21 released

    FYI...

    Java JRE 6 Update 21 released
    - http://java.sun.com/javase/downloads/index.jsp
    July 8, 2010

    Changes in 1.6.0_21
    - http://java.sun.com/javase/6/webnotes/6u21.html
    "Bug Fixes: Java SE 6 Update 21 does not contain any additional fixes for security vulnerabilities to its previous release, Java SE 6 Update 20. Users who have Java SE 6 Update 20 have the latest security fixes and do not need to upgrade to this release to be current on security fixes. For other bug fixes, see the Java SE 6u21 Bug Fixes* page..."
    * http://java.sun.com/javase/6/webnotes/BugFixes6u21.html
    (Many) ... including: Comparison of 2 arrays could cause VM crash, Windows-only: tzmappings needs update for KB979306, Java plugin + Firefox does not pick up auto proxy settings from Java control panel, Add Sun Java Plugin in windows registry for Mozilla Browsers, regression: deadlock in JNLP2ClassLoader, 1.6 update 17 and 18 throw java.lang.IndexOutOfBoundsException, and others.

    - http://www.oracle.com/technetwork/ja...21-156341.html
    Changes in 1.6.0_21 (6u21)
    ___

    - http://blogs.iss.net/archive/Java_Web_Start_Jailb.html
    July 12, 2010 - "... issues regarding an argument injection vulnerability affecting Sun Java JRE/JDK version 6.19 and earlier (CVE-2010-1423*)... IBM Managed Security Services (MSS)... discovered that within that timeframe (April 21 through May 26) 4,118 attacks against the CVE-2010-1423 vulnerability were observed... it was observed that most of the malicious sites were associated with the Fragus Exploit Kit. Fragus is a console application for managing and cultivating botnets... If an attack is successful, the victim becomes a member of the botnet..."
    * http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-1423

    Last edited by AplusWebMaster; 2010-07-28 at 19:28.

  10. #60 AplusWebMaster

    Java JRE v1.6.0_22 released

    FYI...

    Java JRE v1.6.0_22 released
    - http://www.oracle.com/technetwork/ja...ads/index.html
    2010-October-12

    Release Notes
    - http://www.oracle.com/technetwork/ja...es-176121.html

    Oracle Java SE and Java for Business Risk Matrix (CVE#)
    - http://www.oracle.com/technetwork/to...l#AppendixJAVA

    - http://krebsonsecurity.com/2010/10/j...ecurity-flaws/
    October 12, 2010 - "... critical update... fixing at least 29 security vulnerabilities..."

    - http://secunia.com/advisories/41791/
    Release Date: 2010-10-13
    Last Update: 2010-10-21
    Criticality level: Highly critical
    Impact: Manipulation of data, Exposure of sensitive information, DoS, System access
    Where: From remote...
    Solution Status: Vendor Patch
    CVE Reference(s): CVE-2009-3555, CVE-2010-1321, CVE-2010-3541, CVE-2010-3548, CVE-2010-3549, CVE-2010-3550, CVE-2010-3551, CVE-2010-3552, CVE-2010-3553, CVE-2010-3554, CVE-2010-3555, CVE-2010-3556, CVE-2010-3557, CVE-2010-3558, CVE-2010-3559, CVE-2010-3560, CVE-2010-3561, CVE-2010-3562, CVE-2010-3563, CVE-2010-3565, CVE-2010-3566, CVE-2010-3567, CVE-2010-3568, CVE-2010-3569, CVE-2010-3570, CVE-2010-3571, CVE-2010-3572, CVE-2010-3573, CVE-2010-3574

    - http://www.securitytracker.com/id?1024573
    Oct 14 2010

    Last edited by AplusWebMaster; 2010-10-23 at 14:12.
