CastleCops, Internet Crime Fighters
Sun Java (J2SE/JRE) Automatic Update Vulnerability
Security Hole
MowGreen writes "The Sun Java (J2SE/JRE) Automatic Updater does not uninstall previous versions that have vulnerabilities. In addition, if a User is not aware of this behavior, said User may end up with several Java packages installed. Leaving previous versions installed runs the risk of infestation/infection due to malware writers' ability to call them. In plain English, they can utilize them to infest a system with malware such as Cool Web Search or Trojan.Byte.Verify.

Plus, leaving the previous versions installed consumes disk (hard drive) space. Since each package is over 100 megabytes, this is not a trivial matter. This link is from a thread at the AumHa Hijack This Forum and shows a victim who had 3 versions of Sun Java installed and was not even aware of it: http://forum.aumha.org/viewtopic.php?p=90437#90437

In February of 2005 I contacted Sun concerning the Auto Updater's insecure and sloppy behavior. Here is their reply:


========================================================================
Hello Steve,

> Reading this Sun Alert ID: 57708
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-57708-1
>
> It states:
>
> Note: It is recommended that affected versions be removed from your system. For more information, please see the installation notes on the respective java.sun.com download pages.
>
> Neither page that I went to from the link on the java.sun.com download page states that previous vulnerable versions should be uninstalled:
> http://java.com/en/download/help/5000010200.xml
> http://java.com/en/download/help/5000010300.xml
>
> If a User utilizes the automatic update mechanism of the JRE the previous vulnerable version is left on the system. As I understand it, those previous vulnerable versions can still be called by malware. If this is not the case, please set me straight.

You are correct that the previous vulnerable versions can still be called by malware. We forwarded your e-mail along to the Java group and they let us know that they are currently investigating your suggestions of updating the java.com pages and the auto update uninstallation issue and appreciate the feedback. We will follow-up with any further updates.

Best regards,

Sun Security Coordination Team

security-alert@sun.com
========================================================================

After waiting 6 months I sent them another email inquiring if this issue had been addressed. There was no reply.

Apparently, Sun appreciates the feedback but will not address the issue. Thus, the genesis of this article. Their behavior is not acceptable and shows a cavalier attitude towards the users of Sun Java. Why is Sun not being held accountable? Well, they are now. Concerned Users of Sun Java may want to contact them at the above email address to express their displeasure.

Another article that deals with this situation can be viewed here: Sun Java Vulnerabilities continue
http://msmvps.com/spywaresucks/archive/2005/08/22/63670.aspx"
Posted on Wednesday, 31 August 2005 @ 10:40:34 UTC by Paul (3194 reads)
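The post's practical concern is that an auto-updated machine quietly accumulates older JRE packages that nobody asked for. The following is an added example, not code from the CastleCops post or from Sun, that audits an Add/Remove Programs style inventory for exactly that condition: it parses the two DisplayName styles Sun's 1.4.x and 5.0 installers registered (assumed naming, with constructed sample values), normalises "5.0 Update N" to the internal 1.5.0_N scheme so both styles sort together, keeps the newest entry and lists every older one as a removal candidate. The `read_uninstall_names` helper, which reads the real Uninstall registry key, is an assumption about where those names live and is only used when the script runs on Windows.

```python
"""Audit an installed-programs inventory for leftover Sun JRE versions.

Added example for this article; not code from CastleCops or Sun.  The
SAMPLE_INVENTORY values are constructed in the two DisplayName styles that
Sun's 1.4.x and 5.0 installers registered (assumed naming).
"""
import re
import sys
from typing import List, Optional, Tuple

SAMPLE_INVENTORY = [  # constructed Add/Remove Programs DisplayName values
    "Java 2 Runtime Environment, SE v1.4.2_08",
    "J2SE Runtime Environment 5.0 Update 4",
    "J2SE Runtime Environment 5.0 Update 2",
    "Microsoft Office Professional Edition 2003",
    "Java 2 Runtime Environment, SE v1.4.2_05",
]

# Normalised version tuple: (major, minor, micro, update).  J2SE 5.0 is
# internally 1.5.0, so "5.0 Update 4" becomes (1, 5, 0, 4) and sorts
# correctly against "v1.4.2_08" -> (1, 4, 2, 8).
Version = Tuple[int, int, int, int]

_V14_STYLE = re.compile(r"Java 2 Runtime Environment, SE v(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")
_V50_STYLE = re.compile(r"J2SE Runtime Environment (\d+)\.(\d+)(?: Update (\d+))?")


def parse_jre_version(display_name: str) -> Optional[Version]:
    """Return the normalised version of a JRE DisplayName, or None if not a JRE."""
    m = _V14_STYLE.search(display_name)
    if m:
        major, minor, micro, update = m.groups()
        return (int(major), int(minor), int(micro), int(update or 0))
    m = _V50_STYLE.search(display_name)
    if m:
        marketing_major, micro, update = m.groups()
        return (1, int(marketing_major), int(micro), int(update or 0))
    return None


def find_stale_jres(inventory: List[str]) -> Tuple[Optional[str], List[str]]:
    """Split JRE entries into (newest display name, older display names).

    The older entries are the packages the post says the auto updater leaves
    behind; they are the uninstall candidates.
    """
    found = []
    for name in inventory:
        version = parse_jre_version(name)
        if version is not None:
            found.append((version, name))
    if not found:
        return None, []
    found.sort(reverse=True)  # newest version first
    newest = found[0][1]
    stale = [name for _, name in found[1:]]
    return newest, stale


def read_uninstall_names() -> List[str]:
    """Read DisplayName values from the Windows Uninstall key (Windows only).

    Assumed location of the inventory; returns an empty list elsewhere.
    """
    try:
        import winreg  # only available on Windows
    except ImportError:
        return []
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as root:
        index = 0
        while True:
            try:
                sub = winreg.EnumKey(root, index)
            except OSError:
                break  # no more subkeys
            index += 1
            try:
                with winreg.OpenKey(root, sub) as key:
                    names.append(winreg.QueryValueEx(key, "DisplayName")[0])
            except OSError:
                continue  # subkey without a DisplayName
    return names


if __name__ == "__main__":
    inventory = read_uninstall_names() if sys.platform == "win32" else SAMPLE_INVENTORY
    newest, stale = find_stale_jres(inventory)
    print("Current JRE :", newest or "none found")
    for name in stale:
        print("Stale JRE   :", name, "-> uninstall")
```

On the constructed inventory the script keeps "J2SE Runtime Environment 5.0 Update 4" and reports the 5.0 Update 2 and both 1.4.2 packages as stale. The regexes only cover the two naming styles above; a later or differently packaged JRE would need its own pattern, which is why unrecognised entries return None rather than being guessed at.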

Re: Sun Java (J2SE/JRE) Automatic Update Vulnerability (Score: 1)
by Pierre (Peter) on Thursday, 01 September 2005 @ 01:18:27 UTC
Very interesting and I will now uninstall all versions and start from scratch. I also have the original Microsoft Java installed before they had a fallout.