Security Vulnerabilities in Sun JRE may Allow an Untrusted Applet to Elevate its Privileges
Posted by David H. Lipman on February 8th, 2006


http://sunsolve.sun.com/search/docum...=1-26-102171-1

"Note: It is recommended that affected versions be removed from your system. For more
information, please see the installation notes on the respective java.sun.com download
pages."

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


Posted by Virus Guy on February 9th, 2006


"David H. Lipman" wrote:

Well, which version is NOT affected?

I see that in all these cases version 1.3.x is not affected.
Should I revert to that version?

How secure is version 1.5.0_05-b05 ?

Posted by David H. Lipman on February 9th, 2006


From: "Virus Guy" <Virus@Guy.com>

| "David H. Lipman" wrote:
|
| Well, which version is NOT affected?
|
| I see that in all these cases version 1.3.x is not affected.
| Should I revert to that version?
|
| How secure is version 1.5.0_05-b05 ?

Update to and use JRE 5 update 6.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by Jim Byrd on February 9th, 2006


Hi Virus Guy - I would strongly recommend against using ANY version prior to
1.5.0_05-b06. Contrary to the Sun Bulletin, a group of MVPs that have been
working on this issue for several months now have come to strongly suspect
that 1.3.x versions contain an exploit that is being utilized by
Winfixer/Vundo and have been recommending against the use of any earlier
version to include specifically the uninstalling of ALL prior versions. See
here: http://www.frsirt.com/english/advisories/2006/0467 and my Blog.


--
Regards, Jim Byrd, MS-MVP/DTS/AH-VSOP
My Blog, Defending Your Machine, here:
http://DefendingYourMachine.blogspot.com/



"Virus Guy" <Virus@Guy.com> wrote in message news:43EA98DA.DE4A9BC9@Guy.com


Posted by Art on February 9th, 2006


On Wed, 08 Feb 2006 23:33:56 GMT, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

I wonder why security conscious users have Java installed at all. I
dropped it long ago and have never missed it. I know that some
financial institutions require it (and many require IE be used as
well). But other than that risky business, I'm not aware of any
web sites that require it. Comments?

Art
http://home.epix.net/~artnpeg

Posted by Befunge Sudoku on February 9th, 2006


In article <uuemu15vjr72b8q233p2tn2e60ui9ak2i8@4ax.com>,
null@zilch.com says...

--
They drive like sedated cattle.
On Sunday, it is worse than rush hour.
Because it is rush hour, with No Aim.
[one of Rhodri's (in)famous cab drivers]

Posted by Virus Guy on February 9th, 2006


Art wrote:

I'm running version 1.5.0_05-b05 and ever since I installed that
version (or perhaps a version or two before it) some page components
(presumably Java graphics elements) have the annoying habit of being
rendered/displayed in other windows that have the current focus (such
as Word, Excel, etc).

For example, on this page:

http://www.forexdirectory.net/cad.html

The currency matrix above the chart is frequently drawn on-top of
portions of the screen where it shouldn't be (sometimes even on the
desktop). I don't know what that page would look like without Java...

Posted by Joan Archer on February 9th, 2006


I don't have the Sun version on my machine, after uninstalling the old
versions I never went to get the new one and so far haven't had anything
tell me it needed it. I do have the Microsoft version though as I
installed the pre SP2 XPHome then used a CD to put SP2 on.
Joan

Art wrote:



Posted by Jim Byrd on February 9th, 2006


Hi Virus Guy - FWIW, that page renders correctly on my machine using IE6SP1
and 1.5.0_05-b06.

--
Regards, Jim Byrd, MS-MVP/DTS/AH-VSOP
My Blog, Defending Your Machine, here:
http://DefendingYourMachine.blogspot.com/



"Virus Guy" <Virus@Guy.com> wrote in message news:43EB516D.4313814C@Guy.com


Posted by Gabriele Neukam on February 9th, 2006


On that special day, Virus Guy, (Virus@Guy.com) said...

rather empty. At least, if I refuse to let all these advertisement
cookies be placed on my machine.


Gabriele Neukam

Gabriele.Spamfighter.Neukam@t-online.de


--
Ah, Information. A property, too valuable these days, to give it away,
just so, at no cost.

Posted by Jake Dodd on February 9th, 2006



"Art" <null@zilch.com> wrote in message news:uuemu15vjr72b8q233p2tn2e60ui9ak2i8@4ax.com...
You are the man, Art! Much of the past few years' vulnerabilities were because of failed
attempts at making mobile code a safe prospect. No ActiveX, Java, or scripting makes
for a much safer ride IMO.



Posted by Stephen Howe on February 10th, 2006


I had that. But on rebooting it was gone.

Stephen Howe



Posted by Stephen Howe on February 10th, 2006


How many wretched versions of Java are there?

I see

J2EE 1.4 SDK
JDK 5.0 Update 6 with NetBeans 5.0
JDK 5.0 Update 6 with NetBeans 4.1
JDK 5.0 Update 6
JRE 5.0 Update 6

very confusing. I think it is the last that I want.

Yet I already have
jre-1_5_0_06-windows-i586-p.exe
downloaded which claims
J2SE Runtime Environment 5.0 Update 6 inside

I think I have just uninstalled the latest.

Yet elsewhere on the Internet I see "b09" suffix (I assume build 9).

Stephen Howe



Posted by David H. Lipman on February 10th, 2006


From: "Stephen Howe" <sjhoweATdialDOTpipexDOTcom>

| How many wretched versions of Java are there?
|
| I see
|
| J2EE 1.4 SDK
| JDK 5.0 Update 6 with NetBeans 5.0
| JDK 5.0 Update 6 with NetBeans 4.1
| JDK 5.0 Update 6
| JRE 5.0 Update 6
|
| very confusing. I think it is the last that I want.
|
| Yet I already have
| jre-1_5_0_06-windows-i586-p.exe
| downloaded which claims
| J2SE Runtime Environment 5.0 Update 6 inside
|
| I think I have just uninstalled the latest.
|
| Yet elsewhere on the Internet I see "b09" suffix (I assume build 9).
|
| Stephen Howe
|

From what I see the current version is JRE 5 Update 6.

http://www.java.com/en/download/manual.jsp

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
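The same release appears in this exchange under three spellings ("1.5.0_06", "jre-1_5_0_06-windows-i586-p.exe", "JRE 5.0 Update 6"), which is what makes an inventory check awkward. As an added example, not code from anyone in the thread, the Python helper below normalises the three spellings into one comparable tuple and flags every installed version below a chosen floor; the floor is a parameter because David points to JRE 5 Update 6 while Jim's post names 1.5.0_05-b06, and the inventory list is constructed from version strings mentioned above.

```python
"""Normalise Sun JRE version strings and check them against a minimum release.

Added example for this thread; the sample inventory below is constructed.
"""
from __future__ import annotations

import re
from typing import NamedTuple


class JreVersion(NamedTuple):
    family: int  # "1.5.0_06", "jre-1_5_0_06-..." and "JRE 5.0 Update 6" all have family 5
    minor: int
    update: int
    build: int   # the "-bNN" suffix; 0 when it is absent (compares lowest)


# The three spellings of one release that appear in the thread.
_DOTTED = re.compile(r"^1\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?$")        # 1.5.0_05-b05
_INSTALLER = re.compile(r"^jre-1_(\d+)_(\d+)_(\d+)-")                    # jre-1_5_0_06-windows-i586-p.exe
_MARKETING = re.compile(                                                 # JRE 5.0 Update 6
    r"^(?:JRE|JDK|J2SE Runtime Environment)?\s*(\d+)\.(\d+)(?:\s+Update\s+(\d+))?$", re.I)


def parse_version(text: str) -> JreVersion:
    """Turn any of the three spellings into a comparable (family, minor, update, build) tuple."""
    s = text.strip()
    if m := _DOTTED.match(s):
        fam, minor, upd, build = m.groups()
        return JreVersion(int(fam), int(minor), int(upd or 0), int(build or 0))
    if m := _INSTALLER.match(s):
        fam, minor, upd = m.groups()
        return JreVersion(int(fam), int(minor), int(upd), 0)
    if m := _MARKETING.match(s):
        fam, minor, upd = m.groups()
        return JreVersion(int(fam), int(minor), int(upd or 0), 0)
    raise ValueError(f"unrecognised Java version string: {text!r}")


def audit(installed: list[str], minimum: str) -> dict[str, bool]:
    """Map each installed version string to True when it is at or above the minimum."""
    floor = parse_version(minimum)
    return {v: parse_version(v) >= floor for v in installed}


if __name__ == "__main__":
    # Constructed inventory built from version strings mentioned in the thread.
    inventory = ["1.3.1", "1.5.0_05-b05", "1.5.0_05-b06",
                 "jre-1_5_0_06-windows-i586-p.exe", "JRE 5.0 Update 6", "1.5.0_06-b09"]
    for version, ok in audit(inventory, "1.5.0_06").items():  # floor: David's "JRE 5 update 6"
        print(f"{'OK    ' if ok else 'REMOVE'} {version}")
```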



Posted by kurt wismer on February 10th, 2006


Art wrote:
you've made this comment before and it's just as disingenuous now as then...

java is more than just a silly little web toy... asking why people would
have java installed is like asking why people would have .net installed,
or gecko, or ms office... it's an application development platform -
security conscious users could have it installed because they use an
application based on that platform...

it's not a web technology, it's a technology that happens to be useful
on the web... it also happens to be useful in completely unrelated
contexts... some of open office's features require java, for example...
open office happens to be one of the best alternatives to microsoft
office (and therefore good for mitigating the risk of the technological
mono-culture) and is the reference implementation for the open document
format...

there are security risks with java just like there are with windows -
you can mitigate those risks by avoiding the platform entirely or by
keeping it up to date... to each his/her own...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

Posted by Art on February 10th, 2006


On Fri, 10 Feb 2006 00:24:58 -0500, kurt wismer <kurtw@sympatico.ca>
wrote:

Disingenuous? Bullshit! I was asking a very genuine and honest
question. The fact that you interpret my question in any other way
is disgusting and uncalled for. I consider it to be a personal attack
and an insult.

Art
http://home.epix.net/~artnpeg

Posted by kurt wismer on February 11th, 2006


Art wrote:
uncalled for except for the fact that your genuine and honest question
has been asked and answered already and you were a party to that...

my contribution (since it would be rude of me to post anyone else's) to
an email discussion with you dated july 11 2005:

"since msjvm has expired, anyone providing a java based service or
application will have to support sun's java at some point (some point
real soon)...

in my own experience (i do use some java applications) some people who
are actively developing java tools for use are not only not using msjvm,
they are forcing their users to install ever increasingly up to date
versions of the sun jvm as a prerequisite to using the latest version of
their own software (not necessarily as some sort of thought out policy
but simply by virtue of utilizing features from the latest-and-greatest jvm
release in their software - which is actually not the slightest bit
unusual come to think of it, since passionate developers are always
trying to squeeze the best performance/feature-set/etc into their apps)...

as for getting rid of java entirely, it might be worth noting that some
parts of open office 2.0 will require java in order to operate... i
realize that java is an additional operating platform that could be used
in an attack, but so is .net, and frankly so is ms office... i think it
should be more of a case of recognizing what these things are and
removing those things you don't need (which has benefits outside of
security also)..."

come to think of it, it was remarkably similar to the response i gave
you this time too.. touched on many of the same ideas...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

Posted by Art on February 11th, 2006


On Sat, 11 Feb 2006 00:33:43 -0500, kurt wismer <kurtw@sympatico.ca>
wrote:

So polling with the same or a similar question is in your opinion
disingenuous. What bullshit.

What's rude (and stupid and arrogant) is calling someone disingenuous
who isn't, and redundantly repeating your previous response.

Average users should be made aware of the fact that they may not have
any need for Java, and that it's a security risk when enabled in a
browser. That's why I ask users if they know whether or not they have
a use for it. If not, it should either be disabled in the browser or
uninstalled to mitigate risk.

That's my concern and interest as always. So go crawl back in your
hole.

Art
http://home.epix.net/~artnpeg

Posted by Mr. Uh Clem on February 11th, 2006


shawn wrote:
....
I'm aware of some software packages written in Java which
come packaged with a JRE (not sure which release, but I'm
sure it is older) to run on Windows. The JRE is only used
with that application and the application is a dedicated
client, used with only a specific server app on dedicated
hosts the customers own. The reason for including a
dedicated JRE is that successive JRE releases were breaking
things.

Q: Is this exploitable, given it is not being used for
general web browsing?

--
Clem
"If you push something hard enough, it will fall over."
- Fudd's first law of opposition

Posted by David H. Lipman on February 11th, 2006


From: "Mr. Uh Clem" <uhclem@DutchElmSt.invalid>

| shawn wrote:
| ...
| come packaged with a JRE (not sure which release, but I'm
| sure it is older) to run on Windows. The JRE is only used
| with that application and the application is a dedicated
| client, used with only a specific server app on dedicated
| hosts the customers own. The reason for including a
| dedicated JRE is that successive JRE releases were breaking
| things.
|
| Q: Is this exploitable, given it is not being used for
| general web browsing?
|

That's a good question. I too have used specific Java apps that come with Java embedded
within the application.

I think it would be best to contact the vendor of that software application and point to the
Sun Java bulletin.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



