
Thread: Old Sun Java JRE updates

  1. #61
    AplusWebMaster (Adviser Team)
    Join Date: Oct 2005
    Location: USA
    Posts: 6,881

    Java exploits - MANY.

    FYI...

    Have you checked Java?...
    - http://blogs.technet.com/b/mmpc/arch...-the-java.aspx
    18 Oct 2010 - "... by the beginning of this year, the number of Java exploits... (... -not- attacks using JavaScript) had well surpassed the total number of Adobe-related exploits we monitored. See chart... a reminder that, in addition to running real-time protection, it is -imperative- to apply all security updates for software, no matter what your flavor might be."
    Chart: http://blogs.technet.com/cfs-filesys...0_4ECD269A.gif

    - http://krebsonsecurity.com/2010/10/m...-exploitation/
    October 18, 2010 - "... the spike in the third quarter of 2010 is primarily driven by attacks on three Java vulnerabilities that have already been patched for some time now. Even so, attacks against these flaws have “gone from hundreds of thousands per quarter to millions” ..."
    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-5353
    Last revised: 08/21/2010
    CVSS v2 Base Score: 10.0 (HIGH)
    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-3867
    Last revised: 08/21/2010
    CVSS v2 Base Score: 9.3 (HIGH)
    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-0094
    Last revised: 08/21/2010
    CVSS v2 Base Score: 7.5 (HIGH)

    - http://labs.m86security.com/2010/10/...ed-by-zombies/
    October 15, 2010 - "... effectively used in many other exploit tool kits. Potential victims are forced to visit Zombie’s exploit page when their browser loads an IFrame placed on a compromised website. All of the vulnerabilities exploited by this kit have been patched... 15 percent... of ‘visitors’ were successfully exploited by the Zombie Infection Kit and made to download a malicious executable. Because Java vulnerabilities accounted for 60 percent of infections, a surprising nine percent of all visitors were infected just by having an old version of java installed..."

    - https://www.sans.org/newsletters/new...ssue=84#sID202
    "... Eighty percent of PCs run at least one version of Java. Of those, 40 percent are running outdated versions. There is a Java update service, but user notification is slow and the service allows multiple versions of the software to run on PCs, so users' computers can be vulnerable to older attacks even if they're running a newer version of Java..."

    Last edited by AplusWebMaster; 2010-10-25 at 16:14.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #62
    AplusWebMaster (Adviser Team)

    Hello? Update. Please?

    FYI...

    Hello? Update. Please?
    - http://www.zdnet.co.uk/blogs/walsing...hole-10020866/
    25 October, 2010 - "... Only 7% have applied the critical patch. According to Trusteer*, 68% of Internet users are still at risk from the attacks that these Java vulnerabilities expose and goes as far as to claim that it has become the single most exploitable vulnerability on the web today... these things are not called 'critical' for the heck of it. "

    * http://www.trusteer.com/company/pres...npatched-users
    Oct. 25, 2010 – "... over a week after Oracle released a critical patch for Java, more than 68 percent of Internet users are still at risk from attacks that exploit these vulnerabilities. This may be the biggest security hole on the Internet today, since 73 percent of Internet computers are using Java..."
    ___

    60 second check for updates here.


  3. #63
    AplusWebMaster (Adviser Team)

    Java exploits! ...

    FYI...

    Java exploits!...
    - http://isc.sans.edu/diary.html?storyid=9916
    Last Updated: 2010-11-11 00:05:00 UTC - "... Bottom line: If you haven't done so yet, hunt down and patch every incarnation of Java on the PCs that you are responsible for."
    * http://www.virustotal.com/file-scan/...d28-1289430438
    File name: bad.exe
    Submission date: 2010-11-10 23:07:18 (UTC)
    Result: 14/43 (32.6%)

    Currently Exploited Sun Java Vulnerabilities
    - http://blog.sharpesecurity.com/2010/...lnerabilities/
    ___

    60 second check for updates here.
    ___

    - http://www.guardian.co.uk/technology...-apache-crisis
    16 November 2010

    Last edited by AplusWebMaster; 2010-12-08 at 17:00.

  4. #64
    AplusWebMaster (Adviser Team)

    Java JRE v1.6.0_23 released

    FYI...

    Java JRE v1.6.0_23 released
    - http://www.oracle.com/technetwork/ja...ads/index.html
    Dec. 8, 2010
    Offline Installation - jre-6u23-windows-i586.exe - 15.79 MB
    [Noted: 2011.01.14 - "This release includes performance improvements and bug fixes."]

    - http://www.oracle.com/technetwork/ja...es-191058.html
    "... Bug Fixes: Java SE 6u23 does not contain any additional fixes for security vulnerabilities to its previous release, Java SE 6u22. Users who have Java SE 6u22 have the latest security fixes and do not need to upgrade to this release to be current on security fixes. For other bug fixes, see the Java SE 6u23 Bug Fixes page*..."
    * http://www.oracle.com/technetwork/ja...es-191074.html
    208 bug fixes ...
    ?? "6945145 - java_deployment - security - PKIX path validation failed: App won't start when offline when using JOGL/Win7 ..."

    Last edited by AplusWebMaster; 2011-01-14 at 20:37.

  5. #65
    AplusWebMaster (Adviser Team)

    Java vuln - patch available...

    FYI...

    Java vuln - patch available...
    - http://secunia.com/advisories/43262/
    Release Date: 2011-02-09
    Criticality level: Moderately critical
    Impact: DoS
    Where: From remote
    Solution: Apply patch via the FPUpdater tool.
    ... The vulnerability is reported in the following products: Sun JDK and JRE 6 Update 23 and prior, Sun JDK 5.0 Update 27 and prior, Sun SDK 1.4.2_29 and prior.
    - http://www.oracle.com/technetwork/to...76-305811.html
    2011-February-08
    ___

    - http://blogs.oracle.com/security/201...e-2010-44.html
    February 8, 2011 - "... the fix for this vulnerability will also be included in the upcoming Java Critical Patch Update (Java SE and Java for Business Critical Patch Update - February 2011*), which will be released on February 15th 2011..."
    * http://www.oracle.com/technetwork/to...ts-086861.html

    - http://www.h-online.com/security/new...y-1186135.html
    9 February 2011 - "... Affected are Java SE and Java for Business in the current and all previous versions of the JDK/JRE 6, 5 and 1.4. To solve the problem, Oracle has released a hotfix* that users are advised to apply immediately, as information on how to exploit the DoS vulnerability is already freely available. The vendor also plans to release a regular Java update on 15 February."
    * http://www.oracle.com/technetwork/ja...html#fpupdater

    Last edited by AplusWebMaster; 2011-02-09 at 19:56.

  6. #66
    AplusWebMaster (Adviser Team)

    Java v1.6.0_24 released ...

    FYI...

    Java v1.6.0_24 released
    - http://www.oracle.com/technetwork/ja...ads/index.html
    Feb. 15, 2011

    Release Notes
    - http://www.oracle.com/technetwork/ja...es-307697.html
    The full internal version number for this update release is 1.6.0_24-b07 (where "b" means "build"). The external version number is 6u24...
    Bug Fixes: This release contains fixes for security vulnerabilities. For more information, please see Oracle Java SE and Java for Business Critical Patch Update advisory.
    - http://www.oracle.com/technetwork/to...11-304611.html
    Feb. 2011 - "... This Critical Patch Update contains 21 new security fixes..."

    Java Downloads for All Operating Systems - Recommended Version 6 Update 24
    - http://java.com/en/download/manual.jsp

    Which version of Java should I download for my 64-bit Windows operating system?
    - http://java.com/en/download/faq/java_win64bit.xml

    Bug list:
    - http://www.oracle.com/technetwork/to...l#AppendixJAVA
    ___

    3rd party Java test site
    - http://javatester.org/version.html
    ___

    Java - Multiple Flaws Let Remote Users Execute Arbitrary Code, Access Data, Modify Data, and Deny Service
    - http://www.securitytracker.com/id/1025082
    Feb 15 2011

    - http://secunia.com/advisories/43262/
    Last Update: 2011-02-16
    Criticality level: Highly critical
    Impact: Manipulation of data, Exposure of sensitive information, DoS, System access
    Where: From remote...
    Solution: Apply updates (see vendor's advisory).
    Original Advisory: Oracle:
    - http://www.oracle.com/technetwork/to...11-304611.html
    ___

    Most Vulnerable Browser Plug-in...
    - http://www.esecurityplanet.com/news/print.php/3925356
    February 17, 2011- "... between July of 2010 and January of 2011... 42 percent of users were running vulnerable out-of-date Java plug-ins..."

    Last edited by AplusWebMaster; 2011-02-20 at 18:54.

  7. #67
    AplusWebMaster (Adviser Team)

    Java - update ugly...

    FYI...

    Java - update ugly...
    - https://www.computerworld.com/s/arti...McAfee_scanner
    March 24, 2011 - "Windows users who install the latest Java security patches may end up with a little more security than they bargained for, at least that's the risk they take if they don't pay close attention to the installation process a security scanning tool called the McAfee Security Scan Plus with its Java updates for the Windows operating system. The software is installed by default with the Java update, so unless users notice and uncheck the McAfee installation box as they're updating Java, they'll end up downloading McAfee's software too...
    Oracle bundles different products with Java in different regions, so not all Windows users may get Security Scan Plus with their Java updates. Once downloaded, the McAfee software prompts the user on a daily basis to accept McAfee's licensing terms to complete the installation. The user can cancel out of this prompt, but there is no option to decline the terms. To remove the software, the user must use the Windows "Uninstall a Program" feature. A number of users have inadvertently installed the software since Oracle started the bundling deal with Intel's McAfee subsidiary last month... Some users are unhappy, including one who posted to an Intel message board after noticing a slowdown on a family member's PC a few weeks ago, apparently after a Java update... Security Scan Plus is a 1MB download. But it uses 4MB of memory when running, a company spokeswoman said via e-mail. There are other ways to end up with it on your system. Some users have complained of downloading it as part of an Adobe reader update, and it can be picked up when downloading via Adobe's Download Center, an Adobe spokeswoman said..."

    [ ...aka: "Tag-along-software installs" - Not the only vendors who do this...]
    - https://www.ixquick.com/
    "... about 1,860 for ' Tag-along software installs '"
    - https://encrypted.google.com/
    Tag-along software installs
    "... About 644,000 results..."

    Last edited by AplusWebMaster; 2011-03-24 at 16:05.

  8. #68
    AplusWebMaster (Adviser Team)

    Java v1.6.0_25 released

    FYI...

    Java v1.6.0_25 released
    - http://www.oracle.com/technetwork/ja...ads/index.html
    April 22, 2011

    Release Notes
    - http://www.oracle.com/technetwork/ja...es-356444.html
    "Highlights: This update release contains important enhancements for Java applications:
    Improved performance and stability
    Java HotSpot™ VM 20
    Support for Internet Explorer 9, Firefox 4 and Chrome 10
    Improved BigDecimal ...
    Java SE 6u25 does not add any fixes for security vulnerabilities beyond those in Java SE 6u24. Users who have Java SE 6u24 have the latest security fixes and do not need to upgrade to this release to be current on security fixes..."

    Bug fixes
    - http://www.oracle.com/technetwork/ja...es-356453.html
    193...


  9. #69
    AplusWebMaster (Adviser Team)

    Java exploits predominate ...

    FYI...

    > http://www.oracle.com/technetwork/to...11-313339.html
    June 3, 2011 - "This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Java SE Critical Patch Update for June 2011, which will be released on Tuesday, June 7, 2011... This Critical Patch Update contains 17 new security vulnerability fixes..."
    ___

    Java exploits predominate...
    - http://www.informationweek.com/news/...ndly=this-page
    June 01, 2011 - "... In 2011, the Java threat doesn't appear to have diminished. According to a study by Kaspersky Labs[1] that looked at malware trends from January through March 2011, Java vulnerabilities comprised a significant portion of the top 10 "most seen" vulnerabilities* on people's PCs..."
    * http://blogs.technet.com/b/mmpc/arch...s-du-jour.aspx
    "... 7 of the top 10 threats are files containing exploits for Java vulnerabilities such as CVE-2008-5353, CVE-2010-0094, CVE-2010-0840 and CVE-2009-3867... many of these detections by MSS are the debris or aftermath after the exploit has already executed. By the time a user downloads and runs MSS to detect malware, the machine may have already been infected, if it was vulnerable to the exploit at the time... aside from additional malicious Java code detections... active threats were also reported on machines found to be infected by Exploit:Java/CVE-2008-5353**..."
    ** http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-5353
    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-3867
    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-0094
    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-0840
    CVSS v2 Base Score: ... (HIGH)

    [1] http://www.securelist.com/en/analysi..._for_Q1_2011#9
    "... In the first quarter of 2011, the number of blocked attacks stood at 254,932,299 – these attacks were carried out from web resources located in different countries all over the world..."

    > http://www.microsoft.com/security/si...px#section_3_1

    Last edited by AplusWebMaster; 2011-06-04 at 00:36.

  10. #70
    AplusWebMaster (Adviser Team)

    Java JRE 6 Update 26 released

    FYI...

    Java JRE 6 Update 26 released
    - http://java.com/en/download/manual.jsp

    - http://www.oracle.com/technetwork/ja...ad-400751.html
    June 7, 2011
    Windows x86 15.85 MB jre-6u26-windows-i586.exe
    Windows x64 16.14 MB jre-6u26-windows-x64.exe

    Release Notes
    - http://www.oracle.com/technetwork/ja...es-401875.html
    This release contains fixes for security vulnerabilities. For more information, please see Oracle Java SE Critical Patch Update advisory*.

    * http://www.oracle.com/technetwork/to...l#AppendixJAVA
    CVSS Base Score 10.0: CVE-2011-0802, CVE-2011-0814, CVE-2011-0815, CVE-2011-0817, CVE-2011-0862, CVE-2011-0863, CVE-2011-0864, CVE-2011-0871, CVE-2011-0873
    Other: CVE-2011-0786, CVE-2011-0788, CVE-2011-0865, CVE-2011-0866, CVE-2011-0867, CVE-2011-0868, CVE-2011-0869, CVE-2011-0872

    Download Java for your desktop computer
    > http://java.com/en/download/index.jsp
    ___

    - http://www.securitytracker.com/id/1025610
    CVE Reference: CVE-2011-0786, CVE-2011-0788, CVE-2011-0802, CVE-2011-0814, CVE-2011-0815, CVE-2011-0817, CVE-2011-0862, CVE-2011-0863, CVE-2011-0864, CVE-2011-0865, CVE-2011-0866, CVE-2011-0867, CVE-2011-0868, CVE-2011-0869, CVE-2011-0871, CVE-2011-0872, CVE-2011-0873
    Impact: Denial of service via network, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network...
    A remote user can create a Java applet or Java Web Start application that, when loaded by the target user, will access or modify data or execute arbitrary code on the target user's system. A remote user can cause partial denial of service conditions on the target system.
    Solution: The vendor has issued a fix...

    - http://secunia.com/advisories/44784/
    Last Update: 2011-06-10
    Criticality level: Highly critical
    Impact: Manipulation of data, Exposure of sensitive information, DoS, System access
    Where: From remote...
    Solution Status: Vendor Patch...
    ... versions prior to 1.6.0_26...

    Quick test here: http://javatester.org/version.html
    ___

    IBM Java v6.0.0 SR9 FP2 released
    - http://secunia.com/advisories/45206/
    Release Date: 2011-07-13
    Criticality level: Highly critical
    Impact: Manipulation of data, Exposure of sensitive information, DoS, System access
    Where: From remote
    CVE Reference(s): CVE-2011-0786, CVE-2011-0788, CVE-2011-0802, CVE-2011-0814, CVE-2011-0815, CVE-2011-0817, CVE-2011-0862, CVE-2011-0863, CVE-2011-0865, CVE-2011-0866, CVE-2011-0867, CVE-2011-0868, CVE-2011-0869, CVE-2011-0871, CVE-2011-0872, CVE-2011-0873
    Solution: Update to version 6.0.0 SR9 FP2.
    Original Advisory: http://www.ibm.com/developerworks/java/jdk/alerts/

    Last edited by AplusWebMaster; 2011-07-19 at 15:50.
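Added example (not part of the original posts and not Oracle's code): a small inventory check for the point made in posts #61 and #63, that an old JRE left installed beside a new one keeps the PC exposed. It parses the Java 6 version forms quoted in this thread and reports which of the security releases named here each install still lacks; the host names and the sample inventory are constructed, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Java 6 updates that the posts above report as containing security fixes.
# 6u23 and 6u25 are left out on purpose: their quoted release notes say they
# add no security fixes beyond 6u22 and 6u24. Older updates are not listed
# because this page does not name them.
SECURITY_UPDATES_6 = (22, 24, 26)

# Forms seen in the thread: "1.6.0_24-b07", "1.6.0_26", "6u24",
# and installer names such as "jre-6u26-windows-i586.exe".
_INTERNAL = re.compile(r"(?<![\d.])1\.(\d+)\.0(?:_(\d+))?")
_EXTERNAL = re.compile(r"(?<![\d.])(\d+)u(\d+)")


def parse_java_version(text):
    """Return (family, update), or None when the string is not recognised."""
    m = _INTERNAL.search(text)
    if m:
        return int(m.group(1)), int(m.group(2) or 0)
    m = _EXTERNAL.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def missing_security_updates(update):
    """Security releases from the table that a Java 6 install still lacks."""
    return [u for u in SECURITY_UPDATES_6 if u > update]


def audit(inventory):
    """Group (host, version_string) pairs into per-host findings."""
    report = defaultdict(lambda: {"current": [], "outdated": [], "review": []})
    for host, raw in inventory:
        parsed = parse_java_version(raw)
        if parsed is None or parsed[0] != 6:
            report[host]["review"].append(raw)  # not covered by the table
            continue
        missing = missing_security_updates(parsed[1])
        report[host]["outdated" if missing else "current"].append((raw, missing))
    return dict(report)


def hosts_needing_action(report):
    """A host is flagged if ANY install is outdated, whatever its newest one is."""
    return sorted(h for h, r in report.items() if r["outdated"] or r["review"])


# Constructed sample inventory (hypothetical hosts, not data from the thread).
SAMPLE = [
    ("pc-01", "1.6.0_26"),
    ("pc-01", "1.6.0_18-b07"),  # old JRE left installed beside the new one
    ("pc-02", "jre-6u26-windows-i586.exe"),
    ("pc-03", "6u25"),
    ("pc-04", "1.5.0_22"),  # different family: needs manual review
]

if __name__ == "__main__":
    for host, findings in sorted(audit(SAMPLE).items()):
        print(host, findings)
    print("needs action:", hosts_needing_action(audit(SAMPLE)))
```

Here pc-01 is flagged even though its newest JRE is 6u26, and pc-03 on 6u25 lacks the same single security release as a machine on 6u24 would.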
