Topic: Java JRE advisories/updates
« on: November 30, 2006, 03:34:23 »
AplusWebMaster Offline
Global Moderator WWW

Karma: 501
Posts: 7316



FYI...

Java Runtime Environment (JRE) 5.0 Update 10 released
- http://java.sun.com/javase/downloads/index.jsp

100+ bug fixes
- http://java.sun.com/j2se/1.5.0/ReleaseNotes.html#150_10
(Several [not all] interesting bug fixes)
BugId    Category     Subcategory  Description
6374321  java         classes_awt  Textfield loses focus after alt key hit in IE browser
6424631  java_plugin  iexplorer    Signed applet hangs browser if a remote policy server is being used
6386537  java_plugin  iexplorer    Deadlock occurs between Java Plug-in and Windows in 1.3.1_06
6437047  java_plugin  iexplorer    Java Plugin controls are considered "Not Verified" in IE's "Managed Add-ons" list
6466876  java_plugin  iexplorer    Applet frame is not repainted correctly
6460113  java_plugin  iexplorer    REGRESSION: Access Violation running on 5.0u9 b01 plugin
6417341  java_plugin  misc         IE Window becomes Zombie when closed prior to the modal dialog
6406801  java_plugin  misc         Vista: Click "Go to Java.com" button of Java system tray, two IE windows pop up

« Last Edit: November 30, 2006, 06:41:29 by AplusWebMaster » Logged

This machine has no brain.
....... Use your own.
Browser check for updates here.
.
« Reply #1 on: December 20, 2006, 04:11:50 »
AplusWebMaster

FYI...

Sun JDK 5.0 Update 10
- http://isc.sans.org/diary.php?storyid=1960
Last Updated: 2006-12-20 03:30:43 UTC
"...One thing that caught my eye is the bug 6437047. This "bug" was present with previous versions of Sun's JDK and is related to the Java plugin for Internet Explorer. Previous versions of the JDK were not properly signed which means that they were listed as (Not verified) in Internet Explorer (you can check this by opening the Manage add-ons tools in Internet Explorer: Tools -> Manage Add-ons -> Enable or Disable Add-ons). This didn't prevent JDK from working, but definitely isn't best practice in security, where we're trying to educate our users to deny any non signed applets/applications/components. Sun finally fixed this (signed the plugin properly) so now the "(Not verified)"  warning is not there any more... Sun has a weird habit of *not* removing older versions from your machine, so you might want to do that manually... update is available from:
http://java.sun.com/javase/downloads/index_jdk5.jsp ..."

« Reply #2 on: December 02, 2008, 14:16:32 »
AplusWebMaster

FYI...

Sun Java JRE v1.6.0_11 released
- http://java.sun.com/javase/downloads/index.jsp
Dec. 02, 2008

Release Notes
- http://java.sun.com/javase/6/webnotes/6u11.html
-18- bug fixes...
"This release contains fixes for one or more security vulnerabilities. For more information, please see Sun Alerts 244986, 244987, 244988, 244989, 244990, 244991, 244992, 245246, 246266, 246286, 246346, 246366, and 246387..."

- http://java.sun.com/javase/6/
"Java SE 6 is the current major release of the Java SE platform... Sun provides some older product and technology releases as a courtesy..."

Verify/test (-not- a Sun site):
- http://javatester.org/version.html ...

« Last Edit: April 15, 2010, 02:47:06 by AplusWebMaster » Logged

« Reply #3 on: December 04, 2008, 09:12:33 »
AplusWebMaster

Additional detail:

- http://secunia.com/advisories/32991/
Release Date: 2008-12-04
Critical: Highly critical
Impact: Security Bypass, Exposure of system information, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch...
Solution: Update to a fixed version.
JDK and JRE 6 Update 11: http://java.sun.com/javase/downloads/index.jsp
JDK and JRE 5.0 Update 17: http://java.sun.com/javase/downloads/index_jdk5.jsp
SDK and JRE 1.4.2_19: http://java.sun.com/j2se/1.4.2/download.html
SDK and JRE 1.3.1_24 (for customers with Solaris 8 and Vintage Support Offering support contracts): http://java.sun.com/j2se/1.3/download.html ...

- http://www.us-cert.gov/cas/techalerts/TA08-340A.html

- http://java.sun.com/javase/6/
"Java SE 6 is the current major release of the Java SE platform... Sun provides some older product and technology releases as a courtesy..."

« Last Edit: December 05, 2008, 14:24:44 by AplusWebMaster » Logged

« Reply #4 on: December 19, 2008, 10:34:50 »
AplusWebMaster

FYI...

- http://java.com/en/download/help/new_plugin.xml
"This article applies to:
* Platform(s): Windows 2000 (SP4+), Windows XP (SP1 SP2), Vista
* Browser(s): Internet Explorer 6.x, Internet Explorer 7.x, Netscape 7, Mozilla 1.4+, Firefox
* JRE version(s): 6.0 ...
...old Java Plug-in and next-generation Java Plug-in
The new Java Plug-in is enabled by default. However if there are issues running applets with the new Java Plug-in, the user can switch to the old Java plug-in without any manual manipulation of the windows registry and moving files..."

(More detail available at the URL above.)

« Reply #5 on: February 02, 2009, 10:58:19 »
AplusWebMaster

FYI...

Sun Java SE Runtime Environment JRE 6 Update 12
- http://java.sun.com/javase/downloads/index.jsp
Feb. 2, 2009

Release Notes
- http://java.sun.com/javase/6/webnotes/6u12.html
"This feature release does not contain any new fixes for security vulnerabilities to its previous release, Java SE 6 Update 11*. Users who have Java SE 6 Update 11 have the latest security fixes and do not need to upgrade to this release to be current on security fixes..."
Bug Fixes: 140

« Reply #6 on: March 24, 2009, 12:17:54 »
AplusWebMaster

FYI...

Sun Java SE Runtime Environment JRE 6 Update 13 released
- http://java.sun.com/javase/downloads/index.jsp
March 24, 2009

Release Notes
- http://java.sun.com/javase/6/webnotes/6u13.html
"...Bug Fixes
This release contains fixes for one or more security vulnerabilities. For more information, please see Sun Alerts 254569, 254570, 254571, 254608, 254609, 254610, and 254611..."
(Links to Alerts shown at the URL above - Total: -7-)

- http://java.sun.com/javase/6/
"Java SE 6 is the current major release of the Java SE platform... Sun provides some older product and technology releases as a courtesy..."

// Security Updates for Java SE
- http://blogs.sun.com/security/category/news
23 Mar 2009 - "On March 24, 2009, Sun will release the following security updates:
• JDK and JRE 6 Update 13: http://java.sun.com/javase/downloads/index.jsp
• JDK and JRE 5.0 Update 18: http://java.sun.com/javase/downloads/index_jdk5.jsp
• SDK and JRE 1.4.2_20: http://java.sun.com/j2se/1.4.2/download.html
• SDK and JRE 1.3.1_25 (for customers with Solaris 8 and Vintage Support Offering support contracts): http://java.sun.com/j2se/1.3/download.html ...

- http://secunia.com/advisories/34451/
Release Date: 2009-03-26
Critical: Highly critical
Impact: Security Bypass, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Sun Java JDK 1.5.x, Sun Java JDK 1.6.x, Sun Java JRE 1.3.x, Sun Java JRE 1.4.x, Sun Java JRE 1.5.x / 5.x, Sun Java JRE 1.6.x / 6.x, Sun Java SDK 1.3.x, Sun Java SDK 1.4.x...
Solution: Update to a fixed version...

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1093 CVSS v2 Base Score:  9.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1094 CVSS v2 Base Score: 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1095 CVSS v2 Base Score:  7.5 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1096 CVSS v2 Base Score:  7.5 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1097 CVSS v2 Base Score:  7.5 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1098 CVSS v2 Base Score:  7.5 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1099 CVSS v2 Base Score:  7.5 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1100 CVSS v2 Base Score:  6.4 (MEDIUM)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1101 CVSS v2 Base Score:  6.4 (MEDIUM)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1102 CVSS v2 Base Score:  6.4 (MEDIUM)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1103 CVSS v2 Base Score:  6.4 (MEDIUM)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1104 CVSS v2 Base Score:  5.8 (MEDIUM)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1105 CVSS v2 Base Score:  7.5 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1106 CVSS v2 Base Score:  6.4 (MEDIUM)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1107 CVSS v2 Base Score:  4.3 (MEDIUM)

« Last Edit: March 26, 2009, 08:31:51 by AplusWebMaster » Logged

« Reply #7 on: May 20, 2009, 13:02:04 »
AplusWebMaster

FYI...

JRE 5.0 Update 19 released
- http://java.sun.com/javase/downloads/index_jdk5.jsp
May 20, 2009 - "... already announced its End of Service Life (EOSL) ... October 30th, 2009. Public releases of the J2SE 5.0 platform will be stopped at that time..."

Changes to 1.5.0_19
- http://java.sun.com/j2se/1.5.0/ReleaseNotes.html#150_19
"...As of this update, support has been added for the following system configurations:
• Internet Explorer 8
• Windows Server 2008 ..."
(Bug Fixes: 50+)

- http://java.sun.com/javase/6/
"Java SE 6 is the current major release of the Java SE platform... Sun provides some older product and technology releases as a courtesy..."

- https://jdk6.dev.java.net/6uNea.html
Java SE 6 Update 14 - FCS - Q2, 2009

« Last Edit: May 22, 2009, 13:51:48 by AplusWebMaster » Logged

« Reply #8 on: May 29, 2009, 10:02:10 »
AplusWebMaster

FYI...

Sun Java - JRE 6 Update 14 released
- http://java.sun.com/javase/downloads/index.jsp
5/29/2009 - "This release is Windows 7 support-ready and includes support for Internet Explorer 8, Windows Server 2008 SP2, and Windows Vista SP2..."

Changes in 1.6.0_14 (6u14)
- http://java.sun.com/javase/6/webnotes/6u14.html
"...Bug Fixes:
This feature release does not contain any new fixes for security vulnerabilities to its previous release, Java SE 6 Update 13. Users who have Java SE 6 Update 13 have the latest security fixes and do not need to upgrade to this release to be current on security fixes..."
(... but there are 350+ bug fixes listed.)

- http://java.sun.com/javase/6/
"Java SE 6 is the current major release of the Java SE platform... Sun provides some older product and technology releases as a courtesy..."
___

Auto-updater with Java6u13 does not see Update 14
- http://www.theinquirer.net/inquirer/opinion/1184565/java-auto-updater-fails-releases
5 June 2009

« Last Edit: June 05, 2009, 09:07:01 by AplusWebMaster » Logged

« Reply #9 on: June 11, 2009, 03:30:25 »
AplusWebMaster

FYI...

- http://isc.sans.org/diary.html?storyid=6547
Last Updated: 2009-06-11 08:25:06 UTC ...(Version: 2) - "... despite there being 'no security bug fixes', interesting security news in the release notes:
'Blacklist Jar Feature
Support for blacklisting signed jar files has been added to 6u14. A blacklist is a list of signed jars that contain serious security vulnerabilities that can be exploited by untrusted applets or applications. A system-wide blacklist will be distributed with each JRE release. Java Plugin and Web Start will consult this blacklist and refuse to load any class or resource contained in a jar file that's on the blacklist. By default, blacklist checking is enabled. The deployment.security.blacklist.check deployment configuration property can be used to toggle this behavior.
The blacklist entries are the union of the blacklist files pointed to by the deployment.system.security.blacklist and deployment.user.security.blacklist properties. By default, deployment.system.security.blacklist points to the blacklist file in the jre/lib/security directory, and deployment.user.security.blacklist points to a blacklist file that contains additional entries added by a user...'"

« Reply #10 on: August 08, 2009, 09:20:56 »
AplusWebMaster

FYI...

Sun Java JRE 6 Update 15 released
- http://java.sun.com/javase/downloads/index.jsp

Release Notes
- http://java.sun.com/javase/6/webnotes/6u15.html
37 Bug Fixes

- http://isc.sans.org/diary.html?storyid=6916
Last Updated: 2009-08-05 17:55:52 UTC ...(Version: 2) - "... Several readers wrote in about the java update. Their concerns included the fact that there is always a pre-checked piggyback application when you download java from SUN. I was offered Microsoft's bling tool bar for IE. Others were offered Carbonite Online Backup. The fact that updates usually modifies your current configuration so if you have your check for updates set to daily you may find has been modified to once a month after the update. You may find the java tray icon is enabled even if you have disabled it in the past. So after you update check your configuration and if you don't want the pre-checked software uncheck the check box."

- http://secunia.com/advisories/36159/2/
Last Update: 2009-08-07
Critical: Highly critical
Impact: Security Bypass, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Sun Java JDK 1.5.x, Sun Java JDK 1.6.x, Sun Java JRE 1.4.x, Sun Java JRE 1.5.x / 5.x, Sun Java JRE 1.6.x / 6.x, Sun Java SDK 1.4.x ...
Solution: Update to a fixed version.
JDK and JRE 6 Update 15:
http://java.sun.com/javase/downloads/index.jsp
JDK and JRE 5.0 Update 20:
http://java.sun.com/javase/downloads/index_jdk5.jsp
Java SE for Business SDK and JRE 1.4.2_22:
http://www.sun.com/software/javaseforbusiness/getit_download.jsp ...

CVE reference:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2625
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2670
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2671
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2672
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2673
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2674
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2675
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2676

« Last Edit: August 08, 2009, 22:58:30 by AplusWebMaster » Logged

« Reply #11 on: August 12, 2009, 04:12:26 »
AplusWebMaster

FYI...

Sun Java JRE 6 Update -16- released
- http://java.sun.com/javase/downloads/index.jsp
08.11.2009

- http://java.sun.com/javase/6/webnotes/6u16.html
"Bug Fixes (1)
This feature release does not contain any new fixes for security vulnerabilities to its previous release, Java SE 6 Update 15. Users who have Java SE 6 Update 15 have the latest security fixes and do not need to upgrade to this release to be current on security fixes.
BugId
6862295 hotspot / jvmti / JDWP threadid changes during debugging session (leading to ignored breakpoints) ..."

« Reply #12 on: October 14, 2009, 10:14:00 »
AplusWebMaster

FYI...

Sun Java design problem in the updated Secunia OSI applet
- http://secunia.com/vulnerability_scanning/online/security_notice/
"... Technical Description
A previous version of the Secunia OSI is affected by a security related design problem in Sun Java, which allows malicious people to manipulate the signed JAR file and allows compromising a system that trusts the certificate used to sign the old version.
Technical Solution
Run the Secunia OSI**. It will automatically configure Sun Java to prevent the old OSI applet from running (by enabling the certificate revocation checks described below). Alternatively, you may remove the trust relationship to the old Secunia certificate and / or manually enable the following Sun Java security settings:
"Check publisher certificate for revocation"
"Enable online certificate validation"
Technical Background
The problem in Sun Java, which affects the Secunia OSI and other signed applets, will be presented at a security conference on 16/10/2008. To secure Secunia OSI users, Secunia has published this update and taken the below described measures to protect the Secunia OSI users until a proper and permanent fix is implemented in Sun Java. Secunia has worked around the design problem in Sun Java in the updated OSI applet, revoked the old certificate, and signed the updated applet with a new certificate. Sun Java does not offer any means to "kill" old applets like e.g. the kill-bit for ActiveX controls. Thus, it has been necessary to revoke the certificate used to sign the old applet. However, certificate revocation is disabled by default in Sun Java. It is therefore necessary to either manually remove the trust relation to the old certificate or run the Secunia OSI, which enables checking of Certificate Revocation Lists (CRL) in Sun Java. Sun has informed Secunia that they are working on a "kill list mechanism". You can read more about these insecure default CRL settings in Sun Java on the CERT/CC blog*."
* http://www.cert.org/blogs/vuls/2008/06/signed_java_security_worse_tha.html

** http://secunia.com/vulnerability_scanning/online/?task=start

« Last Edit: October 14, 2009, 12:31:43 by AplusWebMaster » Logged
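
The two settings discussed in this thread, the 6u14 blacklist check (Reply #9) and the certificate revocation checks that are off by default (Reply #12), are both Java deployment configuration properties. The following Python audit is an added example, not part of the original posts or of Sun's tooling. Assumptions: the revocation property names (deployment.security.validation.crl and .ocsp, the Java 6 names behind the two Control Panel checkboxes), the `.locked` suffix handling, and the constructed sample file contents are not taken from the thread.

```python
import re

# (default, hardened) per property. Defaults follow the thread: blacklist
# checking is on by default, revocation checking is off by default.
CHECKS = {
    "deployment.security.blacklist.check": ("true", "true"),
    # Assumed Java 6 names behind the two Control Panel checkboxes:
    "deployment.security.validation.crl": ("false", "true"),
    "deployment.security.validation.ocsp": ("false", "true"),
}

LINE = re.compile(r"((?:\\.|[^=:\s\\])+)\s*[=:]?\s*(.*)$")

def unescape(s):
    """Drop the backslash from simple escapes such as \\: and \\\\."""
    return re.sub(r"\\(.)", lambda m: m.group(1), s)

def parse_properties(text):
    """Parse key/value lines; comments start with # or !.
    Line continuations and unicode escapes are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = LINE.match(line)
        if m:
            props[unescape(m.group(1))] = unescape(m.group(2))
    return props

def effective_settings(system_text, user_text):
    """User values override system values unless the system file locks the key."""
    system, user = parse_properties(system_text), parse_properties(user_text)
    locked = {k[:-len(".locked")] for k in system if k.endswith(".locked")}
    merged = {k: v for k, v in system.items() if not k.endswith(".locked")}
    merged.update({k: v for k, v in user.items() if k not in locked})
    return merged

def audit(system_text, user_text):
    """Return (key, effective value, 'explicit' or 'default') for weak settings."""
    merged = effective_settings(system_text, user_text)
    findings = []
    for key, (default, hardened) in CHECKS.items():
        value = merged.get(key, default).strip().lower()
        if value != hardened:
            findings.append((key, value, "explicit" if key in merged else "default"))
    return findings

# Constructed sample files (not from the thread).
SYSTEM = r"""
# system-level deployment.properties
deployment.security.validation.crl=true
deployment.security.validation.crl.locked
deployment.system.security.blacklist=C\:\\Program Files\\Java\\jre6\\lib\\security\\blacklist
"""
USER = r"""
! user-level deployment.properties
deployment.security.validation.crl=false
deployment.security.blacklist.check = false
"""

if __name__ == "__main__":
    for key, value, source in audit(SYSTEM, USER):
        print(f"WEAK {key}={value} ({source})")
```

With the sample files, the user's attempt to switch CRL checking off is ignored because the system file locks it, while the disabled blacklist check and the default-off OCSP setting are reported.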

« Reply #13 on: November 03, 2009, 13:56:47 »
AplusWebMaster

FYI...

Sun Java JRE v1.6.0_17 released
- http://java.sun.com/javase/downloads/index.jsp
11.03.2009

- http://java.sun.com/javase/6/webnotes/6u17.html
Bug Fixes ( 33 )
"... This release contains fixes for one or more security vulnerabilities..."

- http://secunia.com/advisories/37231/2/
Release Date: 2009-11-04
Critical: Highly critical
Impact: Security Bypass, DoS, System access
Where: From remote
Solution Status: Vendor Patch...
Solution: Update to a fixed version.
Original Advisory: Sun:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269868-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269869-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269870-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-270474-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-270475-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-270476-1

- http://secunia.com/advisories/37231/3/
CVE reference: CVE-2009-3728, CVE-2009-3729, CVE-2009-3864, CVE-2009-3865, CVE-2009-3866, CVE-2009-3867, CVE-2009-3868, CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873, CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2009-3877, CVE-2009-3879, CVE-2009-3880, CVE-2009-3881, CVE-2009-3882, CVE-2009-3883, CVE-2009-3884, CVE-2009-3886, CVE-2009-3885

« Last Edit: November 11, 2009, 03:33:27 by AplusWebMaster » Logged

« Reply #14 on: December 04, 2009, 11:43:59 »
AplusWebMaster

FYI...

Java proof-of-concept attack released
- http://www.theregister.co.uk/2009/12/04/mac_windows_java_attack/
4 December 2009 - "... A security researcher has released a proof-of-concept attack that exploits critical vulnerabilities that Apple patched on Thursday. The vulns stem from bugs in the Java runtime environment that allow attackers to remotely execute malicious code. Sun Microsystems patched the flaws early last month*... The code will also exploit unpatched Windows machines..."
* Sun Java v1.6.0_17: http://java.sun.com/javase/downloads/index.jsp

Quick check to see what you have installed:
- http://javatester.org/version.html

« Last Edit: December 04, 2009, 11:59:40 by AplusWebMaster » Logged