Warning Sun Java: check version, remove older ones


FanJ
November 7th, 2005, 03:52 PM
Hi,

Maybe you already knew this, but I wanted to point you again to it.

In case you have Sun Java Runtime Environment installed, then :
1. check if you have the latest version installed.
2. remove older version(s) of it.

Well known security expert CalamityJane started a thread about it at the DSLR/BBR-security-forum:
http://www.dslreports.com/forum/remark,14738046

Thanks Janie !!! :-*

- begin quote -

Fellow MS MVP Steve Wechsler (aka MowGreen) wrote to Sun Microsystems (makers of Sun Java) to express the concerns raised in the Security Community that autoupdaters of Sun Java do not uninstall previous (vulnerable) versions of the program. He asked for clarification that if a User utilizes the automatic update mechanism of the JRE the previous vulnerable version is left on the system, and that those previous vulnerable versions can still be called by malware. The folks at Sun Microsystems wrote back confirming this is true and they would be investigating updating the java.com pages and the auto update uninstallation issue. That was back in February and to date, none of these issues has been resolved.

Therefore all users are encouraged to please check in your Control Panel, under Add/Remove programs and uninstall any older versions of Sun Java. And in the future, remember to remove older versions of Java when you automatically update to a newer version to avoid exploitation of older versions left on your system.

The most current version of Sun Java is: Java Runtime Environment Version 5.0 Update 5

- end quote -

Manual download:
http://www.java.com/en/download/manual.jsp

Or check here for automatic:
http://www.java.com/en/download/windows_automatic.jsp

As Janie wrote:
Please remember to uninstall all old versions of Sun Java

AvianFlux
November 12th, 2005, 10:54 AM
Thanks! The thought of removing the older Java app slipped my mind completely. Those suckers are persistent, and will not go away until they're manually removed. At one point I had 4 or 5 versions of Java on my machine not knowing whether they were required or not. :o

greyfox
November 13th, 2005, 11:10 PM
I am using a very old computer and I'm not sure if Sun Java was ever installed on this machine. I went to Control Panel, checked in Add/Remove and I didn't see anything about a Sun Java program. This may be a dumb question but could an old version be on the computer and not show up in Add/Remove?

MikeBCda
November 14th, 2005, 11:13 AM
There are all kinds of utilities (even MS's own TweakUI) that'll permit you to remove items from Add-Remove without touching the affected program itself. So yes, it's quite possible this was done.

And if you find and delete the program's uninstall info, typically that'll take it out of Add-Remove too -- but that could make cleanup a real mess if you ever do want to uninstall it.

If you want a "lean, mean" Add-Remove list, just take it out of there -- nearly any good installer adds an Uninstall entry to the Start Menu.

(Edit) Getting back to Sun Java itself, if it is installed you should find one or more lines relating to it under Internet Options/Advanced.

Carver
November 14th, 2005, 02:12 PM
-{ Quote: "Thanks! The thought of removing the older Java app slipped my mind completely. Those suckers are persistent, and will not go away until they're manually removed. At one point I had 4 or 5 versions of Java on my machine not knowing whether they were required or not. :o" }-
I had 3 or 4 versions on my computer before I saw that my old versions of Java app were not being removed, so what I did was clean all traces of Java out of my computer before putting the new version on. Other appys assume you are updating and will look for signs of a previous installation; if it doesn't find any, the appy will install a new folder for you and put the new version in it and delete the old version.

Guessed
November 14th, 2005, 03:19 PM
In the FAQ's at java.com they recommend that you retain older versions of java http://www.java.com/en/download/faq/5000070400.xml Apparently, certain applications may be written against a specific version of the JRE. I'm confused now. Who is right?

NICK ADSL UK
November 14th, 2005, 05:05 PM
Well in xp java if you have it installed will be listed in the control panel. Where possible it will pay to just use the update button on the java icon in the control panel and then going to this link that it has been installed correctly
http://java.com:80/en/download/installed.jsp
Please note that for technical reasons I use an older version.

FanJ
November 14th, 2005, 06:16 PM
It's everybody's own choice to use whatever program and whatever version of it.

But make no mistake :
The warning wasn't posted for nothing.....
(if that is the right English expression..... ?...)

AvianFlux
November 15th, 2005, 06:53 AM
-{ Quote: "In the FAQ's at java.com they recommend that you retain older versions of java http://www.java.com/en/download/faq/5000070400.xml Apparently, certain applications may be written against a specific version of the JRE. I'm confused now. Who is right?" }-
Same thing I came across; which is why I was reluctant to remove the older JREs. I've since decided to assume the small risk and only keep the most recent JRE release on my computer. I haven't noticed any apps not functioning because of it yet.

FanJ
November 17th, 2005, 01:20 PM
Hi,

CalamityJane gives two examples on DSLR/BBR where she fixed a Vundo infection on machines that had older version(s) of Sun Java still installed:

http://www.dslreports.com/forum/remark,14738046

-{ Quote: "
Ok folks, here is yet another Vundo/Winfixer infectee with older versions of Java installed underneath the most current version:
http://www.dslreports.com/forum/remark,14816218
Java 2 Runtime Environment SE v1.4.2.06
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 5

SunMicrosystems really needs to FIX this!
" }-

-{ Quote: "
I just finished another Vundo infection in this thread:
http://www.dslreports.com/forum/remark,14814560
He had two versions of Sun Java.
J2SE Runtime Environment 5.0 Update 5
Java 2 Runtime Environment, SE v1.4.2_05
" }-

Zimzi
December 25th, 2005, 10:03 PM
I have a strange problem with Java. I just uninstalled Sun Java 5 update 4 but Java is still on my pc. There is no more Java entry in Add/Remove Program or Control Panel, there is no any Java or similar folder in Program Files but Java persists. I can use LimeWire, javascripts working well on different websites, can open virus.gr !? I am confused. ???

Randy_Bell
December 25th, 2005, 10:16 PM
-{ Quote: "I have a strange problem with Java. I just uninstalled Sun Java 5 update 4 but Java is still on my pc. There is no more Java entry in Add/Remove Program or Control Panel, there is no any Java or similar folder in Program Files but Java persists. I can use LimeWire, javascripts working well on different websites, can open virus.gr !? I am confused. ???" }-
Note that JavaScript is not the same as Java the language. Modern browsers all have JavaScript, but Java the executable language has to have a Java Virtual Machine {VM} installed, either the older Microsoft JVM or Sun Java. HTH .. ;)

Zimzi
December 26th, 2005, 07:57 PM
Thank you Randy Bell. I checked my Java at javatester.org and the result was: 1.1.4 from Microsoft Corp. I assume that it is javascript, part of IE 6. ;D

dat dude
January 10th, 2006, 08:43 PM
Oh so how do i uninstall older versions the install i got from java update was
J2SE Runtime Environment 1.5.0_06-b05

and wtf does it need to connect to install?

me again
January 10th, 2006, 08:50 PM
im going crazy.. is java update necessary i have 5.0 4 but i updated anyways now im angry because it is slow, and zone alarm keeps warning of connections anyways.. how do i uninstall older apps?

iceni60
January 17th, 2006, 10:53 PM
you should be able to uninstall from add/remove programs. i don't know about the last update but normally updates include security updates too so it's best to keep the latest. however, i haven't got the latest version i still have the version before.

it might be OK to uninstall the last one if you still have the version before in add/remove that's if it's giving you problems, if you do though turn off java in your browser and only use it when you get a popup asking for it and you trust the site, you should really do that anyway. i only use it in my browser about 2 times a year when it needs to use an applet.

also, programs like JAP and Azureus use java because they're written with it. as well as other cross-platform programs

CalamityJane
January 27th, 2006, 11:58 AM
An update on this issue as it still remains a problem! CERT picked up on this in January with this bulletin:

Malicious Website Exploiting Sun Java Plug-in Vulnerability
http://www.us-cert.gov/current/current_activity.html#javaapi

When the SANS Handler's diary covered that bulletin, they clarified which are the latest versions of Sun Java you should have (but they barely touched on the fact that you still need to manually uninstall any OLD version of Sun Java)
http://isc.sans.org/diary.php?storyid=1039
CERTs warn about java bug being exploited
-{ Quote: "UPDATE
According to the bulletins you need at least:

* Version 1.3.1_16 or later
* Version 1.4.2_09 or later
* Version (1.)5 update 4 or later (My Note: we are now at update 6) " }-
-{ Quote: "Vince told it's also necessary to remove the old java environments, not just get the new ones as an attacker can target the old environments when they are still present." }-

We are still seeing a large number of victims with Winfixer/Vundo who have old versions of Sun Java installed and are not aware of it. Please continue to get the word out!!

I have also since added a warning about the old versions of Sun Java in our Vundo removal instructions here:
Trojan Vundo/Virtumonde/Winfixer Removal
http://www.dslreports.com/faq/13619

Sun Microsystems still have not addressed this risk of not removing older versions on autoupdating!! :thumbd:

Edit: typos
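
An added example, not part of any post in this thread: a Python sketch that parses Add/Remove Programs display names in the formats quoted in this thread and flags JREs that are older than the newest one installed or below the minimums quoted from the bulletins. The function names, regexes and verdict strings are assumptions made for illustration.

```python
import re

# Minimum releases per JRE family, as quoted in the post above from the bulletins.
MINIMUMS = {(1, 3): (1, 3, 1, 16), (1, 4): (1, 4, 2, 9), (1, 5): (1, 5, 0, 4)}

# Matches "v1.4.2.06", "v1.4.2_05" and "1.5.0_06-b05".
_DOTTED = re.compile(r"(?<!\d)1\.(\d+)\.(\d+)[._](\d+)")
# Matches "5.0 Update 5", the marketing name for 1.5.0_05.
_MARKETING = re.compile(r"(?<![\d.])(\d+)\.0 Update (\d+)", re.IGNORECASE)

def parse_version(display_name):
    """Return (1, minor, patch, update), or None if no JRE version is found."""
    m = _DOTTED.search(display_name)
    if m:
        return (1, int(m.group(1)), int(m.group(2)), int(m.group(3)))
    m = _MARKETING.search(display_name)
    if m:
        return (1, int(m.group(1)), 0, int(m.group(2)))
    return None

def audit(display_names):
    """Return (name, verdict) pairs: keep only the newest JRE, if it is patched."""
    parsed = [(name, parse_version(name)) for name in display_names]
    known = [ver for _, ver in parsed if ver is not None]
    newest = max(known) if known else None
    report = []
    for name, ver in parsed:
        if ver is None:
            verdict = "unrecognised: check by hand"
        elif ver != newest:
            verdict = "remove: older JRE left behind"
        elif ver < MINIMUMS.get(ver[:2], ver):
            verdict = "update: below bulletin minimum"
        else:
            verdict = "keep: newest installed"
        report.append((name, verdict))
    return report

# Display names copied from the first infected machine quoted earlier in the thread.
THREAD_SAMPLE = [
    "Java 2 Runtime Environment SE v1.4.2.06",
    "J2SE Runtime Environment 5.0 Update 2",
    "J2SE Runtime Environment 5.0 Update 5",
]

if __name__ == "__main__":
    for name, verdict in audit(THREAD_SAMPLE):
        print(f"{verdict:32} {name}")
```

The input is only as complete as the Add/Remove list itself; as other posts in this thread report, a JRE can be missing from that list while its folder is still on disk.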

virginiageek
February 18th, 2006, 03:08 AM
I am running Firefox 1.5 and the newest version of Java does not work for reasons I cannot discover. when I go back to an older version it starts working again.

KRH
February 26th, 2006, 09:10 PM
I routinely remove my older version of Java from Add/Remove Programs every time I update (before I update) and it currently shows only the latest, 5.0 update 6, but I find that I have two older versions in my Program files folder, which show up also in the Java Runtime Settings box in the Java applet. There are three .exe files in the bin folder for each version, so I could use my old uninstaller (McAfee Quick Clean) to try to uninstall them but I'm a little afraid of creating a mess. Would it be safe to simply delete the folders for those versions, or would I be better off trying to remove them with my uninstaller?

KRH
February 26th, 2006, 10:16 PM
What I decided to do was move the folders for those older versions to another, temporary folder. The first effect I notice is that they still show up in the Java Runtime Settings box of the applet, but with red boxes around them! I scanned my registry with CCleaner but it found no issues, so I guess I can't do anything about it. I might try uninstalling the current version, moving its folder out of Program Files if it's still there, and reinstalling.

KRH
February 27th, 2006, 02:03 PM
I did uninstall and reinstall Java. After I uninstalled, I didn't find a folder in Program Files, but I did find one in C:\Program Files\Common Files that contained the subfolders Update\Base Images\1.5.0.b64\patch-jre1.50_01.b08 and patch-jre1.5.0_2.b09 (I should mention that I have Win98SE2). I moved that folder also to my temporary folder, then scanned the registry with CCleaner, which found several dll files and registry entries that I backed up and deleted. Then I reinstalled Java. I find no subfolders for the older versions in Program Files or c:\Program Files\Common Files, but they still appear in the Java Runtime Settings box with the red boxes around them! CCleaner finds no new issues. I guess I've done about all I can do.
I have Java disabled by the NoScript extension in my Firefox browser and almost never use it, but I did test the plugin and found that it's working fine.
It will be interesting to see what happens the next time I update Java.

ConstantLearning
March 6th, 2006, 04:01 PM
Thank you.

Uninstalled version 1.3.01 via add/remove as I couldn't find a program to open the isu extension uninstall file within the JavaSoft folder.

This left part of the lib containing a few applets which uninstall shield told me were still there. So I deleted each and every one of them apart from the main JavaSoft folder which I then reinstalled the updated version into.

I then downloaded the latest version 5 with update 6 which has presented no problems FWIW.

I'd been concerned about configuring it properly but as I don't use Java much, it has shown the necessary icon to prove the install worked so I thought I'd give some feedback. This is on an XP SP2 Standalone PC.

Thanks for the heads up and the links that provide all the information I needed - hope it's the same for others :thumb:

CL