Nomen Posted January 12, 2013 Posted January 12, 2013 There are new warnings out right now advising everyone to disable or uninstall their JAVA jre (for those running Windoze or OSX).All I can figure out right now is that JAVA version 7 is being fingered, and there is proof-of-concept code out there (somewhere) that I'd love to get my hands on just to see if JAVA 6 running on Win-98 is vulnerable to this exploit (I'm betting it's not).Is anyone here looking into this?
vinifera Posted January 12, 2013 Posted January 12, 2013 all I know that whole java 6 version was so **** exploitable that I got infected by rouge that planted itself to SYSTEM accountand then naturally used good old internet explorer to screw things upall NT's were vulnerable to this, probably 9x line too
Nomen Posted January 12, 2013 Author Posted January 12, 2013 The last version of Java that I've managed to get working on this win-98 system is version 6 update 30 (which is a full year old at this point). The most recent is update 38. Has anyone here been able to get any of the more recent updates working under win-98? If so - how exactly did you do it?
schwups Posted January 12, 2013 Posted January 12, 2013 The last version of Java that I've managed to get working on this win-98 system is version 6 update 30 (which is a full year old at this point). The most recent is update 38. Has anyone here been able to get any of the more recent updates working under win-98? If so - how exactly did you do it?You must install KernelEX and Kext. Read the Wiki and the Kext: DIY KernelEx extensions topic.
submix8c Posted January 12, 2013 Posted January 12, 2013 (edited) Nope, the Version 7.x series and RUMORS of the 6.x series. This news is several days old with the same dire warning of "disable it".If you research it, it is a "hole" in a specific part of Java that most users don't install (search for "MBEANS") BUT may be affected by accessing a... SERVER that has it AND is "infected".edit - Here is the specific US-CERT KB just so you know that this "dire warning" is going viral and the "news" websites are misleading. The KB says absolutely nothing of anything other than Java 7.x.JMX docs (Java Management Extensions) also Netbeans (MBEANS-related). Here is a fairly clear definition of JMX and what its purpose is and who might have it installed.Bottom line - This has to do with the JDK on a Server Machine and Untrusted Applets downloaded and run on a Client Machine. Edited January 12, 2013 by submix8c
Nomen Posted January 12, 2013 Author Posted January 12, 2013 Of course I already have Kex (there's no way to install any version of JAVA version 6 without it).I'm asking if anyone has something more recent than Java version 6 update 30 installed. If so, are there EASY, EXPLICIT instructions for it. The threads for the DIY kex extensions ARE NOT EASY TO FOLLOW - they are very disorganized. In the past, I've tried to install update 31 or 32 but it didin't seem to work. Are you saying that a custom DIY Kex extension *is necessary* to install a more recent JAVA update?
submix8c Posted January 12, 2013 Posted January 12, 2013 (heh-heh...) Looks like installing that will open the exploit as well. Guess I should disable my version-38 too?Yep, the "sky is falling".
schwups Posted January 12, 2013 Posted January 12, 2013 (edited) Of course I already have Kex (there's no way to install any version of JAVA version 6 without it).I'm asking if anyone has something more recent than Java version 6 update 30 installed. If so, are there EASY, EXPLICIT instructions for it. The threads for the DIY kex extensions ARE NOT EASY TO FOLLOW - they are very disorganized. In the past, I've tried to install update 31 or 32 but it didin't seem to work. Are you saying that a custom DIY Kex extension *is necessary* to install a more recent JAVA update?Installing Kext is a little off topic. But yes, GetSystemWow64DirectoryA=z2e120 must added to the .ini file. 1. Paste the downloaded Kstubxxx.ini and Kstubxxx.dll in your KernelEX folder. It doesn't matter which version you use 626, 730 or 822 it should work.2. Add GetSystemWow64DirectoryA=z2e120 to the ini file under [Kernel32.dll].3. Add Kstubxxx to the core.ini in the kernelEX folder: contents=Kstub626,std,kexbases,kexbasen4. reboot=> msi or silent and check out the vulnerability on 98 Edited January 12, 2013 by schwups
submix8c Posted January 12, 2013 Posted January 12, 2013 (edited) You missed the part about Mozilla and JRE6 u37/u38, didn't you? PLEASE read the links I gave - "Erring on the side of caution"...What is a Java Applet. Also here and hereDefinition of: Java appletA Java program that is downloaded from the server and run from the browser. The Java Virtual Machine built into the browser is interpreting the instructions. Contrast with Java application.If you RUN an infected one, THEN you "get bit". I thought I made that clear. AND if you look in the LINKS I gave there is ALSO something called "Click To Play" which can be Enabled in Firefox Configuration.Again, go ahead and disable - have fun playing Runescape. edit - and this will explain how this exploit "could" happen.edit2 - does this help a thirst for more information (re - settings and the Applet executions)?This whole "dire warning" thing is about simple common sense. Edited January 12, 2013 by submix8c
LoneCrusader Posted January 12, 2013 Posted January 12, 2013 (edited) Of course I already have Kex (there's no way to install any version of JAVA version 6 without it).No. Java 6u7 works without Kex.OLD Java SE 6.0 (a.k.a. 1.6.0) Update 7 (6u7):Direct download [15.1 MB, right-click to save!]is the LAST Update compatible with Windows 95/OSR1/OSR2/98/98 SP1/98 SE/NT4 SP6a/ME, but you MUST ignore "Warning: This is not a supported Operating System!" error message! Edited January 12, 2013 by LoneCrusader
Fredledingue Posted January 13, 2013 Posted January 13, 2013 I confirm Java 6u7 works without Kex. I have it on my PC without Kex installed. But it's the last version to do so.
schwups Posted January 14, 2013 Posted January 14, 2013 (edited) Java 7 Update 11 released - Bug Fixes Release Notes CVE-2013-0422 and see link of submix8c (post 5) revised: 14 Jan 2013 Edited January 14, 2013 by schwups
Nomen Posted January 14, 2013 Author Posted January 14, 2013 (edited) Within the past 2 days, I've performed some maintainence on a handful of PC's (some running XP, some running 7) where I've discovered that Firefox's JAVA plugin had been disabled - and NOT by the owner of the system. (I've not seen this on any win-98 systems).Is anyone else seeing this?Is Mozilla doing this - or Oracle? (or Microsoft?)And how? Edited January 14, 2013 by Nomen
submix8c Posted January 14, 2013 Posted January 14, 2013 (edited) ??? Post #7 and Post#9...YES, Mozilla is disabling!Did I mention "Click To Play" ? See this -https://blog.mozilla.org/security/2013/01/11/protecting-users-against-java-vulnerability/edit - forgot to mention -Java Platform SE U38 6.0.380.5 (IOW 1.6.0.38)on Firefox 11.0.0.4454 and NOT disabled!From Post #5The KB says absolutely nothing of anything other than Java 7.x.Everyone in a Tizzy (latest EPA-approved automobile). Edited January 14, 2013 by submix8c
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now