a lot of J2SE Runtime Environment version??

Guest

I just updated my J2SE Runtime Environment to version 1.5.0_06-b05. Is it ok
to uninstall the older version?

I have the following older versions of J2SE Runtime Environment installed:
1.4.1_02
1.4.2_07
1.5.0_04
1.5.0_06
 
Randy Knobloch

balem said:
> I just updated my J2SE Runtime Environment to version 1.5.0_06-b05. Is it ok
> to uninstall the older version?

You want J2SE Runtime Environment 5.0 Update 6.
Here: http://java.com/en/download/index.jsp

> I have the following older versions of J2SE Runtime Environment installed:
> 1.4.1_02
> 1.4.2_07
> 1.5.0_04
> 1.5.0_06

Delete the above older builds from Add/Remove Programs as they pose an exploit
threat.

Randy

--
siljaline

MS - MVP Windows (IE/OE) & Security, AH-VSOP
_________________________________________
Security Tools Updates
http://aumha.net/viewforum.php?f=31

Reply to group, as return address
is invalid that we may all benefit.
 
plun

Hi Balem and Randy

This URL is also good to verify Java version.

http://www.java.com/en/download/installed.jsp

Question to Randy:

If a user looks around in different security forums a lot of
"experts" recommend to uninstall all Java versions before latest.

I have not seen any comments from Sun or Microsoft about this
issue.

What is right or wrong with this ?
We have seen some outbreaks with trojans probably using
Java "black holes" but no one can show any evidence about this.

So it's strange that Sun doesn't comment on this ???

regards
plun
 
Larry

Randy, after seeing your response, I checked my Java console in Control
Panel. I verified I had auto-update selected. I verified my version as
Version 1.5.0 (build 1.5.0_06-b05), note this is the same as the OP. After
briefly wondering why my updater wasn't working, I went ahead and hit the
Update Now button. It told me I already had the latest. Can you explain what
I'm missing? Thanks.
Larry
 
Larry

Also, I went to the website plun suggested, and got this response.........

JAVA SOFTWARE for Your Computer
VERIFY YOUR JAVA SOFTWARE INSTALLATION

We detected your Java environment as follows;
Description Your Environment

Java Runtime Vendor: Sun Microsystems Inc.
Java Runtime Version 1.5.0_06


CONGRATULATIONS, you have the Latest version of Java!

I'm confused about your recommendation. Please explain. Thanks.
Larry
 
plun

Hi Larry

Java is a mess and for you this is OK ;)

Randy wrote
"You want J2SE Runtime Environment 5.0 Update 6."

"Java Runtime Version 1.5.0_06", it's the same
as Randy recommends. J"2"SE is confusing.

regards
plun
 
Randy Knobloch

plun said:
> This URL is also good to verify Java version.
>
> http://www.java.com/en/download/installed.jsp

URL is great, use it all the time.

> Question to Randy:
>
> If a user looks around in different security forums a lot of
> "experts" recommend to uninstall all Java versions before latest.

You may do this before or after the latest update, I'm not sure if it makes
a difference which you perform first.

> I have not seen any comments from Sun or Microsoft about this
> issue.

Sun Java is not a Microsoft product, as you know - therefore you won't
be seeing any articles that I know of.

Sun's latest statement on the issue:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102171-1

Randy

--
siljaline

MS - MVP Windows (IE/OE) & Security, AH-VSOP
_________________________________________
Security Tools Updates
http://aumha.net/viewforum.php?f=31

Reply to group, as return address
is invalid that we may all benefit.
 
Bill Sanderson

Your default version is current, so that's good.

Now you need to go to add or remove programs, and see how many older
versions you still have in place, and remove them.

--
 
plun

Hi Randy and Bill

Thanks for that URL !

About MS and comments I believe that it is
an important advisory also for MS to publish with
a reference to Sun.

The challenge is that Java uninstalls are so "damned" boring.

;)

regards
plun
 
Bill Sanderson

plun said:
> The challenge is that Java uninstalls are so "damned" boring.

Tell me about it--I do them on a couple of dozen pc's regularly.

At least a full-blown Java install isn't boring. I blew Java completely
away at some point in the recent past, and really hadn't noticed that it was
gone until I was testing Sun's instructions for checking the current default
version in place and found that the command didn't exist on my system.

So--I went to Java.com and said Do It.

It was not until there was a brief flash of installshield dialog about the
Google Toolbar that I realized that I hadn't seen any checkbox to unchoose
that option on the install.

Fortunately it was easily found in add or remove programs, and I was able to
remove it even before the install had completed.

So at least there's a little thrill possible during the install operation!
 
plun

Hi Bill

I don't know any other way ;) and it is boring ;)

It must be possible to have a script that just disables
every earlier version and then deletes all belonging files.

What I also don't understand is how earlier versions can be vulnerable?

Just "dead" files and registry settings........... ????

regards
plun
 
Bill Sanderson

Agreed--the uninstalling process is boring.

I don't know of any proof that if there is a vulnerability, it is being
exploited.

The evidence for the files constituting a vulnerability is in an email to
Steve Wechsler from a Sun employee. And (but only by inference) the
statement that they make at the end of every vulnerability advisory notice
that removing the vulnerable version is recommended (but only in the
advisory, and even there they don't tell you how to do it.)
--
 
plun

Hi

Maybe Randy K can ask around about why earlier versions must
be uninstalled ?

regards
plun
 
Randy Knobloch

plun said:
> Hi
>
> Maybe Randy K can ask around about why earlier versions must
> be uninstalled ?

Good thing I read all the threads that I subscribe to, Plun!

My best information is that any Java prior to J2SE Runtime Environment 5.0
Update 6.0 should be uninstalled **after** successful download and installation
of the above update.

As Bill - Jim, etc - may have already stated, the prior builds are subject to
"Vundo" "WinFixer" parasite infection - extremely tedious and difficult to remove.

This Sun document is the most current that I know of but am told that it is
incomplete.
<http://sunsolve.sun.com/search/document.do?assetkey=1-26-102171-1>

Randy

--
siljaline

MS - MVP Windows (IE/OE) & Security, AH-VSOP
_________________________________________
Security Tools Updates
http://aumha.net/viewforum.php?f=31

Reply to group, as return address
is invalid that we may all benefit.
 
Bill Sanderson

Here's the email:
It starts with Steve's message quoted.
Steve's had no further contact from Sun.
----------------------------------------------------------------------------------

2/24/2005 4:01 AM

Hello Steve,

] Reading this Sun Alert ID: 57708
] http://sunsolve.sun.com/search/document.do?assetkey=1-26-57708-1

] It states :
]
] >Note: It is recommended that affected versions be removed from your
] >system.
] >For more information, please see the installation notes on the respective
] >java.sun.com download pages.

] Neither page that I went to from the link on java.sun.com download page
] state that previous vulnerable versions should be uninstalled :
]
] http://java.com/en/download/help/5000010200.xml
] http://java.com/en/download/help/5000010300.xml
]
] If a User utilizes the automatic update mechanism of the JRE the
] previous vulnerable version is left on the system.
] As I understand it, those previous vulnerable versions can still be
] called by malware. If this is not the case, please set me straight.


You are correct that the previous vulnerable versions can still be
called by malware. We forwarded your e-mail along to the Java group and
they let us know that they are currently investigating your suggestions
of updating the java.com pages and the auto update uninstallation issue
and appreciate the feedback. We will follow-up with any further updates.


Best regards,
Sun Security Coordination Team
(e-mail address removed)
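
The strings quoted in this thread (1.5.0_06, 1.5.0_06-b05, "5.0 Update 6") name the same release, and the older entries in the first post are the ones the Sun reply says stay on the system after an auto-update. The following is an added example, not code from any poster or from Sun, that parses those version strings and lists which installed runtimes are older than the newest; the function names are hypothetical and the input list is copied from the first post.

```python
import re

# Sun's version format as quoted in the thread: 1.4.2_07, 1.5.0_06, 1.5.0_06-b05
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?$")

# Copied from the first post's list of installed runtimes.
INSTALLED = ["1.4.1_02", "1.4.2_07", "1.5.0_04", "1.5.0_06"]


def parse_jre_version(text):
    """Return (major, minor, micro, update, build); missing parts become 0."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError("unrecognised JRE version string: %r" % text)
    return tuple(int(part) if part else 0 for part in match.groups())


def product_name(text):
    """Name the 1.5.0 family as java.com does; other families keep the raw string."""
    major, minor, micro, update, _build = parse_jre_version(text)
    if (major, minor, micro) != (1, 5, 0):
        return text.strip()
    name = "J2SE Runtime Environment 5.0"
    return name + (" Update %d" % update if update else "")


def stale_versions(installed):
    """List installed versions older than the newest one, oldest first.

    The -bNN build suffix is ignored, so 1.5.0_06 and 1.5.0_06-b05 count as
    the same release.
    """
    keyed = sorted((parse_jre_version(v)[:4], v) for v in installed)
    if not keyed:
        return []
    newest = keyed[-1][0]
    return [v for key, v in keyed if key < newest]


if __name__ == "__main__":
    for version in stale_versions(INSTALLED):
        print("older runtime still installed:", product_name(version))
    print("newest:", product_name("1.5.0_06-b05"))
```
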
 
plun

Randy said:
> As Bill - Jim, etc - may have already stated, the prior builds are subject to
> "Vundo" "WinFixer" parasite infection - extremely tedious and difficult to
> remove.

Hi Randy

Well, as you probably know I am a fan of Castlecops wiki and
I cannot say it's difficult to remove.... ;)
(And some other MVP and ASAP pages)

So about earlier versions again, are all versions loaded in memory in a
Windows box or is it older applets causing this "Sandbox API bypass" ?

http://www.kb.cert.org/vuls/id/974188

I cannot understand how it works if a user has latest version installed
and also other older versions.

If it is dangerous Sun must include an uninstall function when an upgrade
is performed. IMHO.

regards
plun
 
Randy Knobloch

plun said:
> Hi Randy
>
> Well, as you probably know I am a fan of Castlecops wiki and
> I cannot say it's difficult to remove.... ;)
> (And some other MVP and ASAP pages)
>
> So about earlier versions again, are all versions loaded in memory in a Windows
> box or is it older applets causing this "Sandbox API bypass" ?
>
> http://www.kb.cert.org/vuls/id/974188
>
> I cannot understand how it works if a user has latest version installed and also
> other older versions.
>
> If it is dangerous Sun must include an uninstall function when an upgrade
> is performed. IMHO.

Plun,
To be honest, I am not "behind the ball" with the Sun Java exploits.
MVP - Mow Green, is an active member and buddy of mine at AumHa Forums.
We invite you to join to discuss this.
http://aumha.net/profile.php?mode=register
Once you've received your confirmation email, perhaps we shall see you there?

Regards,

Randy

--
siljaline

MS - MVP Windows (IE/OE) & Security, AH-VSOP
_________________________________________
Security Tools Updates
http://aumha.net/viewforum.php?f=31

Reply to group, as return address
is invalid that we may all benefit.
 
