Old Sun Java JRE updates

Sun Java JDK/JRE updates - Highly Critical

Additional detail:

Sun Java JDK/JRE multiple vulns - updates available
- http://secunia.com/advisories/32991/
Release Date: 2008-12-04
Critical: Highly critical
Impact: Security Bypass, Exposure of system information, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch...
Solution: Update to a fixed version.
JDK and JRE 6 Update 11: http://java.sun.com/javase/downloads/index.jsp
JDK and JRE 5.0 Update 17: http://java.sun.com/javase/downloads/index_jdk5.jsp
SDK and JRE 1.4.2_19: http://java.sun.com/j2se/1.4.2/download.html
SDK and JRE 1.3.1_24 (for customers with Solaris 8 and Vintage Support Offering support contracts): http://java.sun.com/j2se/1.3/download.html ...

- http://www.us-cert.gov/cas/techalerts/TA08-340A.html

- http://java.sun.com/javase/6/
"Java SE 6 is the current major release of the Java SE platform... Sun provides some older product and technology releases as a courtesy..."

:fear:
 
Next-generation Java Plug-in...

FYI...

- http://java.com/en/download/help/new_plugin.xml
"This article applies to:
* Platform(s): Windows 2000 (SP4+), Windows XP (SP1 SP2), Vista
* Browser(s): Internet Explorer 6.x, Internet Explorer 7.x, Netscape 7, Mozilla 1.4+, Firefox
* JRE version(s): 6.0 ...
...old Java Plug-in and next-generation Java Plug-in
The new Java Plug-in is enabled by default. However if there are issues running applets with the new Java Plug-in, the user can switch to the old Java plug-in without any manual manipulation of the windows registry and moving files..."

(More detail available at the URL above.)

:fear:
 
Java JRE updates/advisories

FYI...

Sun Java SE Runtime Environment JRE 6 Update 12
- http://java.sun.com/javase/downloads/index.jsp
Feb. 2, 2009

Release Notes
- http://java.sun.com/javase/6/webnotes/6u12.html
"This feature release does -not- contain any new fixes for security vulnerabilities to its previous release, Java SE 6 Update 11. Users who have Java SE 6 Update 11 have the latest security fixes and do not need to upgrade to this release to be current on security fixes..."
Bug Fixes: 140

:scratch:
 
Java JRE v1.6.0_13 released

FYI...

Sun Java SE Runtime Environment JRE 6 Update 13 released
- http://java.sun.com/javase/downloads/index.jsp
March 24, 2009

Release Notes
- http://java.sun.com/javase/6/webnotes/6u13.html
"...Bug Fixes
This release contains fixes for one or more security vulnerabilities. For more information, please see Sun Alerts 254569, 254570, 254571, 254608, 254609, 254610, and 254611..."
(Links to Alerts shown at the URL above - Total: -7-)

- http://java.sun.com/javase/6/
"Java SE 6 is the current major release of the Java SE platform... Sun provides some older product and technology releases as a courtesy..."

// Security Updates for Java SE
- http://blogs.sun.com/security/category/news
23 Mar 2009 - "On March 24, 2009, Sun will release the following security updates:
• JDK and JRE 6 Update 13: http://java.sun.com/javase/downloads/index.jsp
• JDK and JRE 5.0 Update 18: http://java.sun.com/javase/downloads/index_jdk5.jsp
• SDK and JRE 1.4.2_20: http://java.sun.com/j2se/1.4.2/download.html
• SDK and JRE 1.3.1_25 (for customers with Solaris 8 and Vintage Support Offering support contracts): http://java.sun.com/j2se/1.3/download.html ...

- http://secunia.com/advisories/34451/
Release Date: 2009-03-26
Critical: Highly critical
Impact: Security Bypass, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Sun Java JDK 1.5.x, Sun Java JDK 1.6.x, Sun Java JRE 1.3.x, Sun Java JRE 1.4.x, Sun Java JRE 1.5.x / 5.x, Sun Java JRE 1.6.x / 6.x, Sun Java SDK 1.3.x, Sun Java SDK 1.4.x...
Solution: Update to a fixed version...

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1093
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1094
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1095
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1096
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1097
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1098
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1099
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1100
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1101
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1102
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1103
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1104
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1105
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1106
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1107

:fear:
 
Sun Java JRE 5.0 Update 19 released

FYI...

JRE 5.0 Update 19 released
- http://java.sun.com/javase/downloads/index_jdk5.jsp
May 20, 2009 - "... already announced its End of Service Life (EOSL) ... October 30th, 2009. Public releases of the J2SE 5.0 platform will be stopped at that time..."

Changes to 1.5.0_19
- http://java.sun.com/j2se/1.5.0/ReleaseNotes.html#150_19
"...As of this update, support has been added for the following system configurations:
• Internet Explorer 8
• Windows Server 2008 ..."
(Bug Fixes: 50+)

- http://java.sun.com/javase/6/
"Java SE 6 is the current major release of the Java SE platform... Sun provides some older product and technology releases as a courtesy..."

- https://jdk6.dev.java.net/6uNea.html
Java SE 6 Update 14 - FCS - Q2, 2009
 
Sun Java JRE 6 Update 14 released

FYI...

Sun Java - JRE 6 Update 14 released
- http://java.sun.com/javase/downloads/index.jsp
5/29/2009 - "This release is Windows 7 support-ready and includes support for Internet Explorer 8, Windows Server 2008 SP2, and Windows Vista SP2..."

Changes in 1.6.0_14 (6u14)
- http://java.sun.com/javase/6/webnotes/6u14.html
...Bug Fixes:
This feature release does not contain any new fixes for security vulnerabilities to its previous release, Java SE 6 Update 13. Users who have Java SE 6 Update 13 have the latest security fixes and do not need to upgrade to this release to be current on security fixes..."
(... but there are 350+ bug fixes listed.)

- http://java.sun.com/javase/6/
"Java SE 6 is the current major release of the Java SE platform... Sun provides some older product and technology releases as a courtesy..."
___

Auto-updater with Java6u13 does not see Update 14
- http://www.theinquirer.net/inquirer/opinion/1184565/java-auto-updater-fails-releases
5 June 2009

:fear:
 
Sun Java Runtime Environment 6 Update 15

JRE 6 Update 15

http://java.sun.com/javase/downloads/index.jsp

This release is Windows 7 support-ready and includes support for Internet Explorer 8, Windows Server 2008 SP2, and Windows Vista SP2. New features include the G1 garbage collector, plus performance and security enhancements.
Release notes: http://java.sun.com/javase/6/webnotes/6u15.html

Sans Diary.
Several readers wrote in about the java update.
Their concerns included the fact that there is always a pre-checked piggyback application when you download Java from Sun.
I was offered Microsoft's bling tool bar for IE. Others were offered Carbonite Online Backup.
Their concerns also included the fact that updates usually modify your current configuration, so if you have your check for updates set to daily you may find it has been modified to once a month after the update.
You may find the java tray icon is enabled even if you have disabled it in the past.
So after you update, check your configuration, and if you don't want the pre-checked software, uncheck the check box.
http://isc.sans.org/diary.html?storyid=6916
___

- http://secunia.com/advisories/36159/2/
Last Update: 2009-08-07
Critical: Highly critical
Impact: Security Bypass, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Sun Java JDK 1.5.x, Sun Java JDK 1.6.x, Sun Java JRE 1.4.x, Sun Java JRE 1.5.x / 5.x, Sun Java JRE 1.6.x / 6.x, Sun Java SDK 1.4.x ...
Solution: Update to a fixed version.
JDK and JRE 6 Update 15:
http://java.sun.com/javase/downloads/index.jsp
JDK and JRE 5.0 Update 20:
http://java.sun.com/javase/downloads/index_jdk5.jsp
Java SE for Business SDK and JRE 1.4.2_22:
http://www.sun.com/software/javaseforbusiness/getit_download.jsp ...

CVE reference:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2625
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2670
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2671
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2672
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2673
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2674
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2675
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2676
.
 
Sun Java JRE 6 Update 16 released

FYI...

Sun Java JRE 6 Update -16- released
- http://java.sun.com/javase/downloads/index.jsp
08.11.2009

- http://java.sun.com/javase/6/webnotes/6u16.html
"Bug Fixes (1)
This feature release does not contain any new fixes for security vulnerabilities to its previous release, Java SE 6 Update 15. Users who have Java SE 6 Update 15 have the latest security fixes and do not need to upgrade to this release to be current on security fixes.
BugId
6862295 hotspot / jvmti / JDWP threadid changes during debugging session (leading to ignored breakpoints) ..."

.
 
Sun Java design problem in the updated Secunia OSI applet

FYI...

Sun Java design problem in the updated Secunia OSI applet
- http://secunia.com/vulnerability_scanning/online/security_notice/
"... Technical Description
A previous version of the Secunia OSI is affected by a security related design problem in Sun Java, which allows malicious people to manipulate the signed JAR file and allows compromising a system that trusts the certificate used to sign the old version.
Technical Solution
Run the Secunia OSI**. It will automatically configure Sun Java to prevent the old OSI applet from running (by enabling the certificate revocation checks described below). Alternatively, you may remove the trust relationship to the old Secunia certificate and / or manually enable the following Sun Java security settings:
"Check publisher certificate for revocation"
"Enable online certificate validation"
Technical Background
The problem in Sun Java, which affects the Secunia OSI and other signed applets, will be presented at a security conference on 16/10/2008. To secure Secunia OSI users, Secunia has published this update and taken the below described measures to protect the Secunia OSI users until a proper and permanent fix is implemented in Sun Java. Secunia has worked around the design problem in Sun Java in the updated OSI applet, revoked the old certificate, and signed the updated applet with a new certificate. Sun Java does not offer any means to "kill" old applets like e.g. the kill-bit for ActiveX controls. Thus, it has been necessary to revoke the certificate used to sign the old applet. However, certificate revocation is disabled by default in Sun Java. It is therefore necessary to either manually remove the trust relation to the old certificate or run the Secunia OSI, which enables checking of Certificate Revocation Lists (CRL) in Sun Java. Sun has informed Secunia that they are working on a "kill list mechanism". You can read more about these insecure default CRL settings in Sun Java on the CERT/CC blog*."
* http://www.cert.org/blogs/vuls/2008/06/signed_java_security_worse_tha.html

** http://secunia.com/vulnerability_scanning/online/?task=start

:fear:
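The Secunia notice above turns on two Java Control Panel settings ("Check publisher certificate for revocation" and "Enable online certificate validation") because revocation checking is off by default. The script below is an added example, not Secunia's or Sun's code, that audits a user's Java 6 deployment.properties file for those settings. It assumes the two options are stored under the keys deployment.security.validation.crl and deployment.security.validation.ocsp (an assumed mapping), assumes the usual per-user file locations on Windows and Unix, and the sample file contents embedded in it are constructed for the demo.

```python
"""Audit a Java 6 deployment.properties file for certificate revocation checks.

Added example (not Secunia's or Sun's code). Assumptions:
  - the Control Panel options quoted in the notice map to the keys below
    (assumed mapping);
  - the default file locations in default_paths() are typical, not verified
    for every Java build;
  - SAMPLE is a constructed file, not one captured from a real machine.
"""
import os
import sys

# Assumed key names for the two Java Control Panel options named in the notice.
REQUIRED = {
    "deployment.security.validation.crl": "Check publisher certificate for revocation",
    "deployment.security.validation.ocsp": "Enable online certificate validation",
}

# Constructed sample: a file as Java 6 might write it, revocation checks off.
SAMPLE = """#deployment.properties
#Tue Oct 14 10:00:00 CEST 2008
deployment.version=6.0
deployment.security.validation.crl=false
deployment.javaws.jre.0.location=C\\:\\\\Program Files\\\\Java\\\\jre6
"""


def _continues(line):
    """A line ending in an odd number of backslashes continues on the next line."""
    trailing = len(line) - len(line.rstrip("\\"))
    return trailing % 2 == 1


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value or key:value per line,
    '#' / '!' comments, backslash line continuations. Values are kept raw
    because the settings audited here are plain true/false strings."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if _continues(line):
            pending = line[:-1]
            continue
        split_at = len(line)
        for i, ch in enumerate(line):
            if ch in "=:" and (i == 0 or line[i - 1] != "\\"):
                split_at = i
                break
        key = line[:split_at].strip().replace("\\=", "=").replace("\\:", ":")
        value = line[split_at + 1:].strip() if split_at < len(line) else ""
        props[key] = value
    return props


def audit(props):
    """Return {key: (enabled, description)} for each required setting.
    A missing key counts as disabled, matching the notice's point that
    revocation checking is disabled by default."""
    return {
        key: (props.get(key, "false").strip().lower() == "true", desc)
        for key, desc in REQUIRED.items()
    }


def default_paths():
    """Assumed per-user locations of deployment.properties (Windows, then Unix)."""
    home = os.path.expanduser("~")
    return [
        os.path.join(os.environ.get("APPDATA", ""), "Sun", "Java", "Deployment", "deployment.properties"),
        os.path.join(home, ".java", "deployment", "deployment.properties"),
    ]


def report(props):
    """Human-readable audit lines; returns the number of disabled settings."""
    disabled = 0
    for key, (enabled, desc) in audit(props).items():
        print("%-4s %s (%s)" % ("ok" if enabled else "OFF", desc, key))
        disabled += 0 if enabled else 1
    return disabled


if __name__ == "__main__":
    paths = sys.argv[1:] or [p for p in default_paths() if os.path.isfile(p)]
    if not paths:
        print("no deployment.properties found; auditing the constructed sample instead")
        sys.exit(1 if report(parse_properties(SAMPLE)) else 0)
    for path in paths:
        print("==", path)
        with open(path, encoding="latin-1") as fh:  # Properties files are ISO-8859-1
            report(parse_properties(fh.read()))
```

Run it with no arguments to audit the current user's file, or pass one or more paths; a non-zero exit means at least one of the two revocation checks is off.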
 
Sun Java JRE v1.6.0_17 released

FYI...

Sun Java JRE v1.6.0_17 released
- http://java.sun.com/javase/downloads/index.jsp
11.03.2009

- http://java.sun.com/javase/6/webnotes/6u17.html
Bug Fixes ( 33 )
"... This release contains fixes for one or more security vulnerabilities..."

- http://secunia.com/advisories/37231/2/
Release Date: 2009-11-04
Critical: Highly critical
Impact: Security Bypass, DoS, System access
Where: From remote
Solution Status: Vendor Patch...
Solution: Update to a fixed version.
Original Advisory: Sun:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269868-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269869-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269870-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-270474-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-270475-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-270476-1

- http://secunia.com/advisories/37231/3/
CVE reference: CVE-2009-3728, CVE-2009-3729, CVE-2009-3864, CVE-2009-3865, CVE-2009-3866, CVE-2009-3867, CVE-2009-3868, CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873, CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2009-3877, CVE-2009-3879, CVE-2009-3880, CVE-2009-3881, CVE-2009-3882, CVE-2009-3883, CVE-2009-3884, CVE-2009-3886, CVE-2009-3885

:fear:
 
Java proof-of-concept attack released

FYI...

Java proof-of-concept attack released
- http://www.theregister.co.uk/2009/12/04/mac_windows_java_attack/
4 December 2009 - "... A security researcher has released a proof-of-concept attack that exploits critical vulnerabilities that Apple patched on Thursday. The vulns stem from bugs in the Java runtime environment that allow attackers to remotely execute malicious code. Sun Microsystems patched the flaws early last month*... The code will also exploit unpatched Windows machines..."
* Sun Java v1.6.0_17: http://java.sun.com/javase/downloads/index.jsp

Quick check to see what you have installed:
- http://javatester.org/version.html

:mad::fear::mad:
 
Java ...exploit in use in web drive-by attacks

FYI...

Java ...exploit in use in web drive-by attacks
- http://isc.sans.org/diary.html?storyid=7879
Last Updated: 2010-01-05 17:54:55 UTC - "... java applet exploiting CVE-2008-5353 ( http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5353 / ...JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier... ) as part of a web drive-by attack. While PoC has been around for a long time for this, this is the first time I've heard of it being used in the wild for a general attack... As we get more details on what it does, we'll update this entry with it."
* https://www.virustotal.com/analisis...3de9fc4f7045dd8123a23a08f926a3974d-1262270360
File jar_cache5501.zip received on 2009.12.31 14:39:20 (UTC)
Result: 7/39 (17.95%)

:fear::mad:
 
Sun Java JRE v1.6.0_18 released

FYI...

Sun Java JRE v1.6.0_18 released
- http://java.sun.com/javase/downloads/index.jsp
January 13, 2010

Release Notes - Changes in 1.6.0_18
- http://java.sun.com/javase/6/webnotes/6u18.html
"... This feature release does not contain any new fixes for security vulnerabilities to its previous release, Java SE 6 Update 17. Users who have Java SE 6 Update 17 have the latest security fixes and do not need to upgrade to this release to be current on security fixes..."

Bug fixes - 358
- http://java.sun.com/javase/6/webnotes/6u18.html#bugfixes-1.6.0_18

:fear:
 
Java JRE 6 Update 19 released

FYI...

Java JRE 6 Update 19 released
- http://java.sun.com/javase/downloads/index.jsp
March 30, 2010

Supported System Configurations
- http://java.sun.com/javase/6/webnotes/install/system-configurations.html

Changes in 1.6.0_19
- http://java.sun.com/javase/6/webnotes/6u19.html
"This release contains fixes for security vulnerabilities..."
28 Bug Fixes

- http://secunia.com/advisories/37255/
Release Date: 2010-03-31
Criticality level: Highly critical
Impact: Unknown, Manipulation of data, Exposure of system information, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Java JDK 1.4.x, 1.5.x, 1.6.x, Java JRE 1.4.x, 1.5.x / 5.x, 1.6.x / 6.x
Oracle:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html

- http://secunia.com/secunia_research/2009-49/
31/03/2010
- http://secunia.com/secunia_research/2009-50/
31/03/2010

- http://atlas.arbor.net/briefs/index#2090669689
March 31, 2010 - "Analysis: This is a serious issue for Java users who should review this update and apply it as soon as possible..."

:fear:
 
Java JRE vuln - unpatched

FYI...

JRE Java Platform SE and Java Deployment Toolkit Plugins Code Execution vulns

- http://secunia.com/advisories/39260/
Release Date: 2010-04-12
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Sun Java JDK 1.6.x, Sun Java JRE 1.6.x / 6.x
... The vulnerability is confirmed in JRE version 6 Update 19. Other versions may also be affected...
Original Advisory: Tavis Ormandy:
http://archives.neohapsis.com/archives/fulldisclosure/2010-04/0122.html ...

- http://www.securityfocus.com/bid/39346/info
Remote: Yes
Updated: Apr 09 2010
Vulnerable: Sun JRE (Windows Production Release) "since version 6 Update 10".
- http://www.securityfocus.com/bid/39346/discuss
Java Runtime Environment (JRE) is prone to arbitrary code-execution vulnerabilities that affect multiple Java plugins for multiple browsers. Attackers can exploit these issues to execute arbitrary code in the context of the user running the vulnerable applications. The issues affect Java Runtime Environment versions 1.6.0_10 and later (JRE 6 Update 10 and later); other versions may also be vulnerable...

- http://www.mail-archive.com/full-disclosure@lists.grok.org.uk/msg40571.html
09 Apr 2010

- http://www.symantec.com/security_response/threatconlearn.jsp
09 Apr 2010
• 'deploytk.dll' - Java Deployment Toolkit ActiveX plugin for Internet Explorer (CLSID: CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA)
• 'jp2iexp.dll' - Java Platform SE ActiveX plugin for Internet Explorer (CLSID: 8AD9C840-044E-11D1-B3E9-00805F499D93)
• 'npdeploytk.dll' - Java Deployment Toolkit plugin for Mozilla Firefox
• 'npjp2.dll' - Java Platform SE plugin for Mozilla Firefox and Google Chrome

- http://www.theregister.co.uk/2010/04/09/critical_java_vulnerability/
09 Apr 2010

- http://isc.sans.org/diary.html?storyid=8608
Last Updated: 2010-04-10 21:01:56 UTC

- http://www.us-cert.gov/current/#sun_java_deployment_toolkit_plugin
April 13, 2010
- http://www.kb.cert.org/vuls/id/886582
Last Updated: 2010-04-12

:fear::fear:
 
Java exploit in-the-wild...

FYI...

Java exploit in the wild...
- http://www.theregister.co.uk/2010/04/14/critical_java_vulnerability_exploited/
14 April 2010 - "A popular song lyrics website has been found serving attack code that tries to exploit a critical vulnerability in Oracle's Java virtual machine, which is installed on hundreds of millions of computers worldwide. The site, songlyrics .com, is serving up javascript that invokes the weakness disclosed last week by security researcher Tavis Ormandy... AVG Technologies Chief Research Officer Roger Thompson, who discovered the in-the-wild attack, said songlyrics .com reaches out to another domain, assetmancomjobs .com, for a malicious JAR, or Java Archive, file and gets a 404 error indicating the payload isn't available..."

- http://krebsonsecurity.com/2010/04/unpatched-java-exploit-spotted-in-the-wild/
April 14, 2010

- http://www.symantec.com/security_response/threatconlearn.jsp
"The ThreatCon is currently at Level 2: Elevated.
On April 14, 2010, multiple sources reported in-the-wild exploitation of a code execution vulnerability (BID 39346) affecting Oracle JRE Java Platform SE and Java Deployment Toolkit Plugins. This issue affects Oracle Java JRE, since version 6 Update 10 (Other versions may also be affected). Exploitation of this issue can allow an attacker to load and execute an arbitrary JAR file from an attacker specified UNC share. Since there is no patch available we recommend users to stay cautious while visiting sites and disable the associated controls if they are not required..."

:fear::fear::fear:
 
Java JRE v1.6.0_20 update released

FYI...

Java JRE 6 Update 20 released
- http://java.sun.com/javase/downloads/index.jsp
April 15, 2010

Changes in 1.6.0_20
- http://java.sun.com/javase/6/webnotes/6u20.html
"This release contains fixes for security vulnerabilities..."
3 Bug Fixes...

Supported System Configurations
- http://java.sun.com/javase/6/webnotes/install/system-configurations.html

- http://secunia.com/advisories/39260/
Last Update: 2010-04-16
Criticality level: Highly critical
Impact: System access
Where: From remote
Software: Sun Java JDK 1.6.x, Sun Java JRE 1.6.x / 6.x
CVE Reference(s):
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0886
Last revised: 05/27/2010 / CVSS v2 Base Score: 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0887
Last revised: 05/25/2010 / CVSS v2 Base Score: 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1423
Last revised: 04/16/2010 / CVSS v2 Base Score: 9.3 (HIGH)
Solution:
Update to JRE or JDK version 6 Update 20.

Java Patch Targets Latest Attacks
- http://krebsonsecurity.com/2010/04/java-patch-targets-latest-attacks/
April 15, 2010

:fear:
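The in-the-wild report two posts up describes a page that makes the browser's Java plug-in fetch a JAR from a second domain, and the 6u20 post gives Update 20 as the fixed version. Because the JRE fetches JARs with its own HTTP stack and a User-Agent of the form Java/1.6.0_19, a web proxy log exposes both the JRE version on each client and the JAR downloads. The script below is an added example, not Oracle's, Secunia's or any forum member's code: it parses constructed proxy log lines (the format, hosts and addresses are invented for the demo), flags clients whose JRE is older than 1.6.0_20, and lists the JAR fetches those clients made. A 404 on the JAR is still reported, since the Register article notes the payload was merely unavailable at the time, not that the attempt was harmless.

```python
"""Triage proxy logs for outdated JRE clients that fetched JAR files.

Added example. Assumptions:
  - log format (constructed): time client method url status "user-agent";
  - the JRE identifies itself as Java/<major>.<minor>.<micro>_<update>;
  - FIXED_VERSION comes from the 6u20 notes above (JRE 6 Update 20).
"""
import re

# Constructed sample log lines; hosts and addresses are not real traffic.
SAMPLE_LOG = """\
2010-04-14T10:01:02Z 10.1.2.3 GET http://www.example.net/index.html 200 "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.6"
2010-04-14T10:01:05Z 10.1.2.3 GET http://lyrics.example.net/js/loader.js 200 "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.6"
2010-04-14T10:01:06Z 10.1.2.3 GET http://payload.example.invalid/x/loader.jar 404 "Java/1.6.0_19"
2010-04-14T10:03:40Z 10.1.2.9 GET http://intranet.example.net/apps/report.jar 200 "Java/1.6.0_20"
2010-04-14T10:05:11Z 10.1.2.17 GET http://cdn.example.net/applets/chart.jar?v=3 200 "Java/1.5.0_22"
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
JAVA_UA_RE = re.compile(r'^Java/(\d+)\.(\d+)\.(\d+)_(\d+)')

FIXED_VERSION = (1, 6, 0, 20)  # JRE 6 Update 20, per the Oracle/Secunia notes above


def parse_java_version(user_agent):
    """Return (major, minor, micro, update) for a JRE User-Agent, else None."""
    m = JAVA_UA_RE.match(user_agent)
    return tuple(int(x) for x in m.groups()) if m else None


def version_string(v):
    return "%d.%d.%d_%02d" % v


def triage(log_text):
    """Summarise JRE activity per client IP:
    {"jre": version tuple, "outdated": bool, "jar_fetches": [(url, status)]}.
    Browser requests are ignored; only the JRE's own HTTP requests count."""
    clients = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the whole run
        _ts, client, _method, url, status, ua = m.groups()
        jre = parse_java_version(ua)
        if jre is None:
            continue
        entry = clients.setdefault(
            client, {"jre": jre, "outdated": jre < FIXED_VERSION, "jar_fetches": []}
        )
        # Strip a query string before testing the extension.
        if url.lower().split("?", 1)[0].endswith(".jar"):
            entry["jar_fetches"].append((url, int(status)))
    return clients


def findings(log_text):
    """Clients worth an analyst's attention: outdated JRE plus at least one JAR
    fetch. Returns [(client_ip, jre_version, [urls])], sorted by client."""
    out = []
    for ip, e in sorted(triage(log_text).items()):
        if e["outdated"] and e["jar_fetches"]:
            out.append((ip, version_string(e["jre"]), [u for u, _ in e["jar_fetches"]]))
    return out


if __name__ == "__main__":
    for ip, ver, urls in findings(SAMPLE_LOG):
        print("%s JRE %s (older than %s) fetched:" % (ip, ver, version_string(FIXED_VERSION)))
        for u in urls:
            print("    " + u)
```

Pointing the same functions at a real proxy export only requires adjusting LINE_RE to that product's line layout; the version comparison and JAR filter stay as they are.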
 
Java v1.6.0_20 US-CERT advisory...

FYI...

Java v1.6.0_20 US-CERT advisory...
- http://www.kb.cert.org/vuls/id/886582
Last Updated: 2010-04-19
"... Note: The installer for Java 1.6.0_20 may not correctly update all instances of the Java Deployment Toolkit plugin. In some cases, the plugin that resides in the \bin\new_plugin directory may not be updated to the fixed 6.0.200.2 version of npdeployJava1.dll. If the new_plugin directory contains npdeploytk.dll version 6.0.190.4 or earlier, then browsers that use plug-ins, such as Mozilla Firefox or Google Chrome, may still be vulnerable. To correct this situation, delete the vulnerable npdeploytk.dll from the new_plugin directory and replace it with the npdeployJava1.dll version from the bin directory. Please note that the Java Development Toolkit can be installed in multiple browsers, therefore workarounds need to be applied to all browsers with the Java Development Toolkit..."
(IE "killbit" procedure also available at the URL above.)

- http://krebsonsecurity.com/2010/04/mozilla-disables-insecure-java-plugin-in-firefox/
April 20, 2010 - "Mozilla is disabling older versions of the Java Development Toolkit plugin for Firefox users, in a bid to block attacks against a newly-discovered Java security hole that attackers have been exploiting of late to install malicious code... If you want to disable it manually, go to Tools, Add-ons, click the Plugins icon, select the Toolkit and hit the “Disable” button..."

- http://atlas.arbor.net/briefs/index#-1067279310
Title: Oracle Java Security Alert
Severity: Extreme Severity
Published: Thursday, June 10, 2010 18:11
Oracle has released a Java security alert for two bugs in the JDK and JRE 6. Desktop Java installations can be used to execute arbitrary commands on the victim's system. Oracle has released updated software to address this issue.
Analysis: This is a critical issue we have seen exploited in the wild. Due to the complexity of updating Java installations, which may leave behind older and vulnerable versions, we encourage sites to update with extreme care.
Source: Oracle Security Alert for CVE-2010-0886 - May 2010
- http://www.oracle.com/technology/deploy/security/alerts/alert-cve-2010-0886.html

:fear::fear:
 
Java JRE 6 Update 21 released

FYI...

Java JRE 6 Update 21 released
- http://java.sun.com/javase/downloads/index.jsp
July 8, 2010

Changes in 1.6.0_21
- http://java.sun.com/javase/6/webnotes/6u21.html
"Bug Fixes: Java SE 6 Update 21 does not contain any additional fixes for security vulnerabilities to its previous release, Java SE 6 Update 20. Users who have Java SE 6 Update 20 have the latest security fixes and do not need to upgrade to this release to be current on security fixes. For other bug fixes, see the Java SE 6u21 Bug Fixes* page..."
* http://java.sun.com/javase/6/webnotes/BugFixes6u21.html
(Many) ... including: Comparison of 2 arrays could cause VM crash, Windows-only: tzmappings needs update for KB979306, Java plugin + Firefox does not pick up auto proxy settings from Java control panel, Add Sun Java Plugin in windows registry for Mozilla Browsers, regression: deadlock in JNLP2ClassLoader, 1.6 update 17 and 18 throw java.lang.IndexOutOfBoundsException, and others.

- http://www.oracle.com/technetwork/java/javase/6u21-156341.html
Changes in 1.6.0_21 (6u21)
___

- http://blogs.iss.net/archive/Java_Web_Start_Jailb.html
July 12, 2010 - "... issues regarding an argument injection vulnerability affecting Sun Java JRE/JDK version 6.19 and earlier (CVE-2010-1423*)... IBM Managed Security Services (MSS)... discovered that within that timeframe (April 21 through May 26) 4,118 attacks against the CVE-2010-1423 vulnerability were observed... it was observed that most of the malicious sites were associated with the Fragus Exploit Kit. Fragus is a console application for managing and cultivating botnets... If an attack is successful, the victim becomes a member of the botnet..."
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1423

:fear:
 
Java JRE v1.6.0_22 released

FYI...

Java JRE v1.6.0_22 released
- http://www.oracle.com/technetwork/java/javase/downloads/index.html
2010-October-12

Release Notes
- http://www.oracle.com/technetwork/java/javase/6u22releasenotes-176121.html

Oracle Java SE and Java for Business Risk Matrix (CVE#)
- http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html#AppendixJAVA

- http://krebsonsecurity.com/2010/10/java-update-clobbers-29-security-flaws/
October 12, 2010 - "... critical update... fixing at least 29 security vulnerabilities..."

- http://secunia.com/advisories/41791/
Release Date: 2010-10-13
Last Update: 2010-10-21
Criticality level: Highly critical
Impact: Manipulation of data, Exposure of sensitive information, DoS, System access
Where: From remote...
Solution Status: Vendor Patch
CVE Reference(s): CVE-2009-3555, CVE-2010-1321, CVE-2010-3541, CVE-2010-3548, CVE-2010-3549, CVE-2010-3550, CVE-2010-3551, CVE-2010-3552, CVE-2010-3553, CVE-2010-3554, CVE-2010-3555, CVE-2010-3556, CVE-2010-3557, CVE-2010-3558, CVE-2010-3559, CVE-2010-3560, CVE-2010-3561, CVE-2010-3562, CVE-2010-3563, CVE-2010-3565, CVE-2010-3566, CVE-2010-3567, CVE-2010-3568, CVE-2010-3569, CVE-2010-3570, CVE-2010-3571, CVE-2010-3572, CVE-2010-3573, CVE-2010-3574

- http://www.securitytracker.com/id?1024573
Oct 14 2010

:fear:
 