Warning Sun Java: check version, remove older ones

Discussion in 'other security issues & news' started by FanJ, Nov 7, 2005.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Hi,

    Maybe you already knew this, but I wanted to point you again to it.

    In case you have Sun Java Runtime Environment installed, then:
    1. check if you have the latest version installed.
    2. remove older version(s) of it.

    Well-known security expert CalamityJane started a thread about it at the DSLR/BBR-security-forum:
    http://www.dslreports.com/forum/remark,14738046

    Thanks Janie !!! :-*

    - begin quote -

    Fellow MS MVP Steve Wechsler (aka MowGreen) wrote to Sun Microsystems (makers of Sun Java) to express the concerns raised in the Security Community that autoupdaters of Sun Java do not uninstall previous (vulnerable) versions of the program. He asked for clarification that if a User utilizes the automatic update mechanism of the JRE the previous vulnerable version is left on the system, and that those previous vulnerable versions can still be called by malware. The folks at Sun Microsystems wrote back confirming this is true and they would be investigating updating the java.com pages and the auto update uninstallation issue. That was back in February and to date, none of these issues has been resolved.

    Therefore all users are encouraged to please check in your Control Panel, under Add/Remove programs and uninstall any older versions of Sun Java. And in the future, remember to remove older versions of Java when you automatically update to a newer version to avoid exploitation of older versions left on your system.

    The most current version of Sun Java is: Java Runtime Environment Version 5.0 Update 5

    - end quote -

    Manual download:
    http://www.java.com/en/download/manual.jsp

    Or check here for automatic:
    http://www.java.com/en/download/windows_automatic.jsp

    As Janie wrote:
    Please remember to uninstall all old versions of Sun Java
     
  2. AvianFlux

    AvianFlux Registered Member

    Joined:
    Dec 7, 2004
    Posts:
    237
    Thanks! The thought of removing the older Java app slipped my mind completely. Those suckers are persistent, and will not go away until they're manually removed. At one point I had 4 or 5 versions of Java on my machine not knowing whether they were required or not. :eek:
     
  3. greyfox

    greyfox Registered Member

    Joined:
    Jul 8, 2003
    Posts:
    577
    Location:
    Washington State USA
    I am using a very old computer and I'm not sure if Sun Java was ever installed on this machine. I went to Control Panel, checked in Add/Remove and I didn't see anything about a Sun Java program. This may be a dumb question but could an old version be on the computer and not show up in Add/Remove?
     
  4. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    There are all kinds of utilities (even MS's own TweakUI) that'll permit you to remove items from Add-Remove without touching the affected program itself. So yes, it's quite possible this was done.

    And if you find and delete the program's uninstall info, typically that'll take it out of Add-Remove too -- but that could make cleanup a real mess if you ever do want to uninstall it.

    If you want a "lean, mean" Add-Remove list, just take it out of there -- nearly any good installer adds an Uninstall entry to the Start Menu.

    (Edit) Getting back to Sun Java itself, if it is installed you should find one or more lines relating to it under Internet Options/Advanced.
     
  5. Carver

    Carver Guest

    I had 3 or 4 versions on my computer before I saw that my old versions of Java app were not being removed, so what I did was clean all traces of Java out of my computer before putting the new version on. Other appys assume you are updating and will look for signs of a previous installation; if it doesn't find any the appy will install a new folder for you and put the new version in it and delete the old version.
     
  6. Guessed

    Guessed Guest

    In the FAQs at java.com they recommend that you retain older versions of Java: http://www.java.com/en/download/faq/5000070400.xml Apparently, certain applications may be written against a specific version of the JRE. I'm confused now. Who is right?
     
  7. NICK ADSL UK

    NICK ADSL UK Administrator

    Joined:
    May 13, 2003
    Posts:
    9,217
    Location:
    UK
    Well, in XP, Java, if you have it installed, will be listed in the Control Panel. Where possible it will pay to just use the update button on the Java icon in the Control Panel and then go to this link to check that it has been installed correctly:
    http://java.com:80/en/download/installed.jsp
    Please note that for technical reasons I use an older version.
     


  8. FanJ

    FanJ Guest

    It's everybody's own choice to use whatever program and whatever version of it.

    But make no mistake :
    The warning wasn't posted for nothing.....
    (if that is the right English expression..... ?...)
     
  9. AvianFlux

    AvianFlux Registered Member

    Joined:
    Dec 7, 2004
    Posts:
    237
    Same thing I came across; which is why I was reluctant to remove the older JREs. I've since decided to assume the small risk and only keep the most recent JRE release on my computer. I haven't noticed any apps not functioning because of it yet.
     
    Last edited: Nov 16, 2005
  10. FanJ

    FanJ Guest

    Hi,

    CalamityJane gives two examples on DSLR/BBR where she fixed a Vundo infection on machines that had older version(s) of Sun Java still installed:

    http://www.dslreports.com/forum/remark,14738046

     
  11. Zimzi

    Zimzi Registered Member

    Joined:
    Jul 10, 2005
    Posts:
    289
    I have a strange problem with Java. I just uninstalled Sun Java 5 update 4 but Java is still on my PC. There is no more Java entry in Add/Remove Programs or Control Panel, there isn't any Java or similar folder in Program Files, but Java persists. I can use LimeWire, javascripts are working well on different websites, can open virus.gr !? I am confused. o_O
     
  12. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Note that JavaScript is not the same as Java the language. Modern browsers all have JavaScript, but Java the executable language has to have a Java Virtual Machine {VM} installed, either the older Microsoft JVM or Sun Java. HTH .. ;)
     
  13. Zimzi

    Zimzi Registered Member

    Joined:
    Jul 10, 2005
    Posts:
    289
    Thank you Randy Bell. I checked my Java at javatester.org and the result was: 1.1.4 from Microsoft Corp. I assume that it is javascript, part of IE 6. :D
     
  14. dat dude

    dat dude Guest

    Oh so how do i uninstall older versions the install i got from java update was
    J2SE Runtime Environment 1.5.0_06-b05

    and wtf does it need to connect to install?
     
  15. me again

    me again Guest

    I'm going crazy.. is java update necessary? i have 5.0 4 but i updated anyways, now I'm angry because it is slow, and zone alarm keeps warning of connections anyways.. how do i uninstall older apps?
     
  16. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    you should be able to uninstall from add/remove programs. i don't know about the last update but normally updates include security updates too so it's best to keep the latest. however, i haven't got the latest version i still have the version before.

    it might be OK to uninstall the last one if you still have the version before in add/remove that's if it's giving you problems, if you do though turn off java in your browser and only use it when you get a popup asking for it and you trust the site, you should really do that anyway. i only use it in my browser about 2 times a year when it needs to use an applet.

    also, programs like JAP and Azureus use java because they're written with it, as well as other cross-platform programs
     
  17. CalamityJane

    CalamityJane Registered Member

    Joined:
    Sep 29, 2002
    Posts:
    126
    Location:
    Central Florida
    An update on this issue as it still remains a problem! CERT picked up on this in January with this bulletin:

    Malicious Website Exploiting Sun Java Plug-in Vulnerability
    http://www.us-cert.gov/current/current_activity.html#javaapi

    When the SANS Handler's diary covered that bulletin, they clarified which are the latest versions of Sun Java you should have (but they barely touched on the fact that you still need to manually uninstall any OLD version of Sun Java)
    http://isc.sans.org/diary.php?storyid=1039
    CERTs warn about java bug being exploited
    We are still seeing a large number of victims with Winfixer/Vundo who have old versions of Sun Java installed and are not aware of it. Please continue to get the word out!!

    I have also since added a warning about the old versions of Sun Java in our Vundo removal instructions here:
    Trojan Vundo/Virtumonde/Winfixer Removal
    http://www.dslreports.com/faq/13619

    Sun Microsystems still have not addressed this risk of not removing older versions on autoupdating!! :thumbd:

    Edit: typos
     
  18. virginiageek

    virginiageek Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    1
    I am running Firefox 1.5 and the newest version of Java does not work for reasons I cannot discover. When I go back to an older version it starts working again.
     
  19. KRH

    KRH Registered Member

    Joined:
    Aug 4, 2004
    Posts:
    17
    Location:
    seattle
    I routinely remove my older version of Java from Add/Remove Programs every time I update (before I update) and it currently shows only the latest, 5.0 update 6, but I find that I have two older versions in my Program Files folder, which show up also in the Java Runtime Settings box in the Java applet. There are three .exe files in the bin folder for each version, so I could use my old uninstaller (McAfee Quick Clean) to try to uninstall them but I'm a little afraid of creating a mess. Would it be safe to simply delete the folders for those versions, or would I be better off trying to remove them with my uninstaller?
     
  20. KRH

    KRH Registered Member

    Joined:
    Aug 4, 2004
    Posts:
    17
    Location:
    seattle
    What I decided to do was move the folders for those older versions to another, temporary folder. The first effect I notice is that they still show up in the Java Runtime Settings box of the applet, but with red boxes around them! I scanned my registry with CCleaner but it found no issues, so I guess I can't do anything about it. I might try uninstalling the current version, moving its folder out of Program Files if it's still there, and reinstalling.
     
  21. KRH

    KRH Registered Member

    Joined:
    Aug 4, 2004
    Posts:
    17
    Location:
    seattle
    I did uninstall and reinstall Java. After I uninstalled, I didn't find a folder in Program Files, but I did find one in C:\Program Files\Common Files that contained the subfolders Update\Base Images\1.5.0.b64\patch-jre1.50_01.b08 and patch-jre1.5.0_2.b09 (I should mention that I have Win98SE2). I moved that folder also to my temporary folder, then scanned the registry with CCleaner, which found several dll files and registry entries that I backed up and deleted. Then I reinstalled Java. I find no subfolders for the older versions in Program Files or c:\Program Files\Common Files, but they still appear in the Java Runtime Settings box with the red boxes around them! CCleaner finds no new issues. I guess I've done about all I can do.
    I have Java disabled by the NoScript extension in my Firefox browser and almost never use it, but I did test the plugin and found that it's working fine.
    It will be interesting to see what happens the next time I update Java.
     
    Last edited: Feb 27, 2006
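
Added example (not part of any post in this thread): a read-only PowerShell inventory that cross-checks the three places discussed above, namely JRE registry registrations, Add/Remove Programs entries, and folders under Program Files, so that leftover older runtimes stand out. It assumes a current Windows with PowerShell 3 or later and the default `JavaSoft` registry key and `Program Files\Java` install layout; adjust the paths if Java was installed elsewhere.

```powershell
# Added example: read-only inventory of Java runtimes; it changes nothing.
# Assumed defaults: the JavaSoft registry key and the Program Files\Java layout.

# 1. Runtimes registered in the registry, and whether their folder still exists.
$jreKeys = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
           'HKLM:\SOFTWARE\WOW6432Node\JavaSoft\Java Runtime Environment'
$registered = foreach ($key in $jreKeys) {
    if (Test-Path $key) {
        Get-ChildItem $key | ForEach-Object {
            $javaHome = (Get-ItemProperty $_.PSPath).JavaHome
            [pscustomobject]@{
                Version  = $_.PSChildName
                JavaHome = $javaHome
                OnDisk   = [bool]($javaHome -and (Test-Path -LiteralPath $javaHome))
            }
        }
    }
}

# 2. Entries that appear in Add/Remove Programs (32-bit and 64-bit views).
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$listed = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Java|J2SE' } |
    Select-Object DisplayName, DisplayVersion, InstallLocation

# 3. Runtime folders actually present on disk, matched against the registry.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Java' } |
    Where-Object { Test-Path $_ }
$folders = foreach ($root in $roots) {
    Get-ChildItem $root -Directory | ForEach-Object {
        [pscustomobject]@{
            Folder     = $_.FullName
            HasJavaExe = Test-Path (Join-Path $_.FullName 'bin\java.exe')
            Registered = @($registered.JavaHome) -contains $_.FullName
        }
    }
}

'--- Registered runtimes ---';         $registered | Format-Table -AutoSize
'--- Add/Remove Programs entries ---'; $listed     | Format-Table -AutoSize
'--- Folders on disk ---';             $folders    | Format-Table -AutoSize
```

A registration with `OnDisk` false, or a folder with `HasJavaExe` true that is missing from Add/Remove Programs, is the kind of leftover described in the posts above and is worth cleaning up through the vendor uninstaller where one is still available.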
  22. ConstantLearning

    ConstantLearning Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    157
    Thank you.

    Uninstalled version 1.3.01 via add/remove as I couldn't find a program to open the isu extension uninstall file within the JavaSoft folder.

    This left part of the lib containing a few applets which uninstall shield told me were still there. So I deleted each and every one of them apart from the main JavaSoft folder which I then reinstalled the updated version into.

    I then downloaded the latest version 5 with update 6 which has presented no problems FWIW.

    I'd been concerned about configuring it properly but as I don't use Java much, it has shown the necessary icon to prove the install worked so I thought I'd give some feedback. This is on an XP SP2 Standalone PC.

    Thanks for the heads up and the links that provide all the information I needed - hope it's the same for others :thumb:

    CL
     