java update icon appears in task tray

[Mike F from TN]

Shortly after installing Vista Service Pack 1, I discovered an icon in my
task tray that urges me to update Java. Here is the detail:
Java SE Runtime Environment 6 Update 3:
"C:\Program Files\java\jre1.6.0_03\bin\jucheck.exe"

I am a user only. Don't even know or care what Java is unless it's needed on
my pc. I don't do games or other resource-intense stuff like music. I do do a
lot of photos, Word docs, and financial things. Do I need this update, and if
not, how the blazes do I get it off my task tray? Thanks, Mike

 

[Gene K]

Mike,
Yes, you need Java to access many Web Sites. Go get the update.
Gene K

 

[Mike F from TN]

Thanks, Gene. I have heard there are some security issues with Java. Can you
explain, before I go ahead and update? Mike

 

[Alias]

Thanks, Gene. I have heard there are some security issues with Java.

And that's why it's important to keep it up-to-date.

Can you

explain, before I go ahead and update? Mike

After you install the update, go to the Control Panel/Add Remove
Programs and remove all the Java entries except the latest one.

Alias

 

[Qu0ll]

Thanks, Gene. I have heard there are some security issues with Java. Can
you
explain, before I go ahead and update? Mike

I'd be interested to investigate those supposed security issues. Java is
just about the most secure software you will ever find.

Use it without fear.

--
And loving it,

-Q
_________________________________________________
(e-mail address removed)
(Replace the "SixFour" with numbers to email me)

 

[Mike F from TN]

Perhaps I worded that wrong. As a user only and not very literate in this
area, I don't know how to express such questions. What I heard was that some
websites can do nasty things to our computers and that Java applets (or some
such word) were the culprits. Does that help?

 

[Qu0ll]

Perhaps I worded that wrong. As a user only and not very literate in this
area, I don't know how to express such questions. What I heard was that
some
websites can do nasty things to our computers and that Java applets (or
some
such word) were the culprits. Does that help?

I really don't know where you heard such nonsense! Java applets run in
so-called "sandbox" which significantly restricts what they can do. They
cannot access your local computer unless the applet is signed by a security
company AND you explicitly give it permission to do so. Almost all applets
are unsigned which means that it is impossible for them to do *anything* to
your computer let alone nasty things.

Java applets are much, much safer than Microsoft ActiveX controls and, as I
said, you can use them with absolute confidence. There may be web sites
that do nasty things to computers but they have nothing to do with Java.

--
And loving it,

-Q
_________________________________________________
(e-mail address removed)
(Replace the "SixFour" with numbers to email me)

 

[Gene K]

Mike,
I have heard of security issus with Java; however, I have no specific
knowledge of the facts. It is likely that the update may fix those holes.
There are security issues with all software, Java (and javascript) included.
You will never feel completely safe. GET THE UPDATE.
Gene K

 

[MowGreen [MVP]]

No matter what Sun claims it's java runtimes are almost *always*
vulnerable to applets escalating privileges. Here's the latest brouhaha
theory:

More details on the Pwn2Own Flash flaw that won the Vista machine
http://blogs.zdnet.com/security/?p=993

So my guess, and I feel it is an educated one (of course time will tell), is that Sotirov
helped out by providing some additional hacker ninjitsu by helping Macaulay load this Flash
attack through a Java Applet, thus turning off any DEP protections the operating system provides.
Heck, I wouldn’t even be surprised if he used the applet to do some fancy heap spraying to load
the shellcode from the heap.

There has been an never ending issuance of Sec bulletins from Sun that
involve said applet escalation. The latest ones were:

http://sunsolve.sun.com/search/document.do?assetkey=1-66-233321-1

Two security vulnerabilities in the Java Runtime Environment Virtual Machine may independently
allow an untrusted application or applet that is downloaded from a website to elevate its
privileges. For example, the application or applet may grant itself permissions to read and write
local files or execute local applications that are accessible to the user running the untrusted
application or applet.
http://sunsolve.sun.com/search/document.do?assetkey=1-66-233324-1

A security vulnerability in the Java Plug-in may allow an applet that is downloaded from a
website to bypass the same origin policy and leverage this flaw to execute local applications
that are accessible to the user running the untrusted applet.
http://sunsolve.sun.com/search/document.do?assetkey=1-66-233325-1

A vulnerability in the Java Runtime Environment image parsing library may allow an untrusted
application or applet that is downloaded from a website to elevate its privileges. For example,
the application or applet may grant itself permissions to read and write local files or execute
local applications that are accessible to the user running the untrusted application or applet.

And then one discovers that the java autoupdater leaves the older,
'affected' versions installed. Not only is that a security risk, no
matter what Sun claims, but disk space is being hogged by said older,
'affected' versions.
IF, as Sun claims, said older, 'affected' versions can not be called by
malware authors then why is this included at the *very bottom* of all
Sun Sec bulletins ? -

Note: When installing a new version of the product from a source other than a Solaris patch, it
is recommended that the old affected versions be removed from your system. To remove old affected
versions on the Windows platform, please see:
http://java.com/en/download/help/uninstall_java.xml

Java has been uninstalled on all of my systems and there have been
absolutely NO issues using any web site.


MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============