Oracle Security Alert for CVE-2012-4681
This Security Alert addresses security issues CVE-2012-4681 (US-CERT Alert TA12-240A) and two other vulnerabilities affecting Java running in web browsers on desktops. These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications. They also do not affect Oracle server-based software.
These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user's system.
In addition, this Security Alert includes a security-in-depth fix in the AWT subcomponent of the Java Runtime Environment.
Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 "in the wild," Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.
Supported Products Affected:
Security vulnerabilities addressed by this Security Alert affect the products listed in the categories below. Please click on the link in the Patch Availability column or in the Patch Availability Table to access the documentation for those patches.
Affected product releases and versions:
JDK and JRE 7 Update 6 and before - Patch Availability: Java SE
JDK and JRE 6 Update 34 and before - Patch Availability: Java SE
Patch Availability Table and Risk Matrix:
Java SE fixes in this Security Alert are cumulative; this latest update includes all fixes from previous Critical Patch Updates and Security Alerts.
For additional details see: http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
Security Fix for Critical Java Flaw
Posted by Brian Krebs @ his "Krebs on Security" Blog:
Security Fix for Critical Java Flaw Released
Oracle has issued an urgent update to close a dangerous security hole in its Java software that attackers have been using to deploy malicious software. The patch comes amid revelations that Oracle was notified in April about this vulnerability and a number of other potentially unpatched Java flaws.
The patch fixes a critical flaw in the latest version of Java 7 that is now being widely exploited. Users with vulnerable versions of Java installed can have malware silently planted on their systems just by browsing to a hacked or malicious Web site.
The update brings Java 7 to Update 7, and appears to fix the flaw being exploited and several other security holes. Oracle also released a security update for systems running Java 6, which brings that version to Java 6 Update 35.
Today's patches are emergency, out-of-schedule updates for Oracle, which previously was not planning to release security updates for Java until October. Although it may appear that Oracle responded swiftly to the discovery of extremely dangerous flaws in its software, Security Explorations — a research firm from Poland — says it alerted Oracle about this vulnerability and 30 others back in April. It's not yet clear how many of those vulnerabilities were patched in this release.
"We ... expected that the most serious of them would be fixed by June 2012 Java CPU," Security Explorations CEO and founder Adam Gowdiak told The Register's Neil McAllister. "But it didn't happen and Oracle left many issues unpatched with plans to address them in the next Java [updates]."
Continued : http://krebsonsecurity.com/2012/08/security-fix-for-critical-java-flaw-released/
The download site(s) can be found here
Glad to help whenever I can...
I had trouble finding the download site, so I listed it here to make it easier for others to find. Seems like we're updating Java almost every month now. I'm using Firefox as my main browser and hardly ever use IE, because it loads so slow. Therefore, every time there's an update I have to install two Java versions.
Can't seem to get new one
When I go to Java and download the Update 7, I can get the file fine. It's when installing I run into problems. I do have Java 7 Update 5 now. Here's what I get when installing --
The feature you are trying to use is on a network resource that is unavailable.
Click OK to try again, or enter an alternate path to a folder containing the installation package jre1.7.0_05c.msi" in the box below.
Error 1714. The older version of Java& Update 7 cannot be removed.
When doing a search on my computer for jre1.7.0_05c.msi, I do not find it.
How important is it to have Java? Is Adobe Flash Player similar? I get that with no problems.
Julea, Try This...
First, please uninstall any versions of Java on your computer from the Control Panel.. Next, visit the link below, then download and run the JavaRa program and let it find and remove any remnants it can find.
Once that's done, download and run the free-ware version of the Revo Uninstaller to see if it can find any remnants of Java still remaining.. If found, remove them.
Next, if you still can't install the newest version of Java, AND...if you're good at registry editing, you'll need to search the registry for any remaining Java keys that can be removed. BE SURE to make a backup of the registry before deleting such. The link below will give you good information about which keys are used by Java and need to be removed..
After using both of the above tools to clean Java from the computer, reinstall the latest version of Java using the Java 7 Up7 OFFLINE installer from the link below. (If you've got a 64 bit version of Windows, install BOTH the x86 and the x64 versions of Java. You'll need it for both versions of your browsers.):
Hope this helps.
Griff -- must have more problems than what I knew about!
I tried to uninstall my java installs from the control panel and cannot do it. I wish I knew how to attach a screen shot here and I could show you what I get. It says "The feature you are trying to use is on a network source that is unavailable." It says something about the installer but it'd sure be better if I could give you a screen shot.
The java listings are:
Java FX 2.1.1 installed 7/10/12
Java (TM) 7 Update 5 - 7/10/12
Java (TM) 6 Update 31 - 4/12/12
Java (TM) 6 Update 25 - 8/13/12
Java (TM) 6 Update 14 (64 bit) 11/11/09
Java SE Development Kit 7 Update 7 - 9/4/12
All but the 64 bit one show Oracle. The FX entry shows Oracle Corporation. The 64 bit one shows Sun Microsystems, Inc.
If You Can't Uninstall From The Control Panel
...then continue on with the other steps mentioned.. JavaRa, RevoUninstaller, and the registry edits should allow you to remove all things Java from the system.
Hope this helps.
Hey Grif -- I did it
I finally figured out how the revouninstaller works. I was closing it out too soon because it gave me some messages that I didn't realize I could get past them -- something about uninstalling only programs that are on pc. When I click the OK in the box rather than the red x, it continued on to where it would let me work with the registry items. I found out last evening at our local computer club meeting that I needed to click on the ADVANCED part. Maybe that was mentioned in here someplace, and I just plain ole missed it if it was. Anyway, that was the trick and I got all the old versions of Java off of my pc without the error messages, etc. I was also able to go to the links you provided and got both the 64 bit and 32 bit latest updates and got them installed fine. So, I'm finally a happy camper. This has been bugging the heck outta me and glad it's finally resolved.
Thanks again to you and Carol for all your help. You all are the bestest!
Yipee! Good Job...
And a YAY!! from me! :)
I knew you weren't going to give up on it.
ROFLMAO -- You know me too well
and we've not even met in real life. Sure seems like I know some of you all here though. Let's see, how many years have I been coming here now -- I think I started about 2002 or 2003. What would the world do without cnet forums!!
Javara Worked for me
I followed Griff's suggestions and it worked perfectly.
There's A New Java 7 Update 9 Available
If you installed Java 7 Update 7 from the link I provided earlier, and didn't install the newest Java 7 Update 9, you should consider uninstalling the older Update 7 and installing Update 9. (Assuming things are working correctly now, you should be able to uninstall Update 7 from the Control Panel.) The newer version contains a number of security fixes and is the correct version to use at this time.. A link to the new version is below:
Hope this helps.
I'd rather you wait until Grif returns. We both have different setups. And we both had different errors. But I thought I'd share this with you.
I've never had a problem installing or removing any software. Or not until recently.
I noticed not long after installing Java 7, the latest Java 6 was still installed. When I tried to uninstall it, I received an error message indicating I couldn't install it. Keep in mind, I was trying to UNinstall it.
As always, I ran JavaRa. It didn't (or couldn't) uninstall it. I've used it in the past, only to remove leftover files. I created a restore point and made a back up of the registry. ( A bit excessive!! )
I then ran the Revo Uninstaller. As an added precaution, just prior to letting Revo remove any registry entries, I checked the reg location/s to make sure the entries it wanted to remove were correct and safe to remove. They were.
All this to say, the Revo Uninstaller removed the prior version of Java, with the exception of a couple registry entries.
Lastly and unrelated. You asked in your OP how important it was to have Java. It's only important if you use applications which rely on it. If you don't need it, why keep it? Another option would be to disable the plugin in your most often used browser. You can use the least often used browser to access the sites which need it.
For example, if you use Firefox as your default browser, disable the plugin. Say you use Secunia's Software Inspector which makes use of Java. Access Secunia's site using IE with Java enabled. Make any sense? Or is it.. clear as mud? It's just an option to consider, if you want (or need) to keep it. Also "less risky".
Grif can also address the question. But do wait for him. As mentioned above, we have differing situations. I only wanted you to know, the Revo Uninstaller was able to remove Java in my case.
Best of luck with it..
This sounds great; however --
I can't seem to get the Revo pro to stay up long enough to get anything accomplished before the darn buy now dialogue box comes up. It says I must have a serial #. Well, I really don't want to buy it. So -- any other ideas. I'm about ready to take my chances and forget this mess as it's becoming pretty frustrating.
Seems Like You Didn't Download The Freeware Version?
After downloading the freeware version, run it to install the program, then allow it to open.. The program will open AND a browser window will also open asking you to pay.. Simply close the browser window and run the uninstaller program which is open.
Hope this helps.
Oops - but have it now
I also ran it and darn if I don't get the same message for any of the Java entries I try to uninstall -- which is --
The feature you are trying to use is on a network resource that is unavailable. Click OK to try again or enter an alternate path to a folder containing the installation package jre1.7.0_05-c.msi' in the box below.
Further down it shows this: Source - c:Users/Julea/AppData/LocalLow/Sun/Java/jre1.7
Guess I'm hopeless as if I do a search for jre1.7 nothing comes up.
Perhaps I should leave well enough alone and just go with the flow. I'm not having any issues but sure am with trying to uninstall the dang things.
You Get That Message With Revo Uninstaller?
And if push comes to shove, you can simply do the registry search to remove all things Java.
Hope this helps.
Hi Grif -- I did try Carol's suggestion below your post and it was to no avail -- sameo sameo. I get the same error message(s) no matter what I try to do.
As for the registry -- I did go into regedit and did a search for Java -- only 1 item came up. Must I search each of the categories in the left pane?
At this point, I'm tempted just to take my chances and hope I don't get hit. Guess I can disable Java as not sure how much I even use it. I'm kind of at a loss at this point.
Thanks for all your help.
After Opening "regedit"....
...first be sure to create a backup of the registry....in Windows 7 (I assume you're using Win7), after opening 'regedit', click once on "Computer" in the left window, then click "File" in the upper left, choose "Export" and create a backup registry file named "backup.reg" to your desktop. Next, click on "Edit" in the upper left, then select "Find".. Type "java" in the "Find What" line, making sure that CHECK marks are in all the boxes next to "keys", "value", and "data", then click on the "Find next" button.
Now press the "F3" key to find the next java listing in the registry. Below is a Java.com link of their method for removing such keys:
By the way, performing a complete search and removal of all java items is a little daunting.. There are a bunch.
So, if you're not feeling up to it, I understand entirely.
Hope this helps.
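Added example, not part of any post in this thread and not Oracle's or the posters' code: a read-only PowerShell inventory of the Java entries Windows lists for uninstall, flagging the releases the advisory quoted at the top of the thread names as affected (Java 7 Update 6 and before, Java 6 Update 34 and before) and showing whether each entry's recorded installer source folder still exists. It assumes the standard per-machine Uninstall registry keys and that the installer populated `DisplayName` and `InstallSource`; nothing is modified.

```powershell
# Added example: read-only inventory, changes nothing on the system.
# Affected ceilings are taken from the advisory quoted in this thread:
# Java 7 Update 6 and before, Java 6 Update 34 and before.
$affectedMax = @{ 7 = 6; 6 = 34 }

# Standard per-machine Uninstall keys (64-bit view and 32-bit view).
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Matches "Java 7 Update 5", "Java(TM) 6 Update 31",
# "Java SE Development Kit 7 Update 7"; JavaFX entries are skipped
# because they use a different version scheme.
$pattern = '^Java\s*(\(TM\))?\s+(SE Development Kit\s+)?(?<major>\d+)(\s+Update\s+(?<update>\d+))?'

function Get-JavaInventory {
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.DisplayName -match $pattern) {
            $major  = [int]$Matches['major']
            $update = [int]$Matches['update']   # no "Update N" in the name -> 0
            $source = $_.InstallSource          # assumption: set by the installer
            [pscustomobject]@{
                Name         = $_.DisplayName
                Major        = $major
                Update       = $update
                Affected     = $affectedMax.ContainsKey($major) -and
                               ($update -le $affectedMax[$major])
                Source       = $source
                SourceExists = [bool]$source -and (Test-Path -LiteralPath $source)
                RegistryKey  = $_.PSPath
            }
        }
    }
}

Get-JavaInventory | Sort-Object Major, Update |
    Format-Table Name, Affected, SourceExists, Source -AutoSize
```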
Glad you understand - I'm basically chicken on this one
I think this is definitely more than I want to take on - however, I do appreciate all the info. I'm going to wait until our next computer club open house -- I usually work the 2-3 monthly that we have, and will get some help from the instructor there. I've always been intrigued with the registry anyway and have looked around a lot and even made a change when only 1 little line was involved; but I peeked and I'm really not sure in all this what to leave and not to leave (LOL).
So, until then, I'm stuck with the old and hope I'll be ok. I'll go ahead and disable and see if I need it at the sites I visit.
Thanks again to all.
Thanks for your help Carol -- nothing seems to work re: this situation. I just get the same error messages and I'm about ready to quit messin' with it.