Dire warnings about new JAVA vulnerability


Nomen


There are new warnings out right now advising everyone to disable or uninstall their JAVA jre (for those running Windoze or OSX).

All I can figure out right now is that JAVA version 7 is being fingered, and there is proof-of-concept code out there (somewhere) that I'd love to get my hands on just to see if JAVA 6 running on Win-98 is vulnerable to this exploit (I'm betting it's not).

Is anyone here looking into this?



All I know is that the whole Java 6 version was so **** exploitable that I got infected by a rogue that planted itself in the SYSTEM account

and then naturally used good old internet explorer to screw things up

All NTs were vulnerable to this, probably the 9x line too.


The last version of Java that I've managed to get working on this win-98 system is version 6 update 30 (which is a full year old at this point). The most recent is update 38. Has anyone here been able to get any of the more recent updates working under win-98? If so - how exactly did you do it?


The last version of Java that I've managed to get working on this win-98 system is version 6 update 30 (which is a full year old at this point).  The most recent is update 38.  Has anyone here been able to get any of the more recent updates working under win-98?  If so - how exactly did you do it?

You must install KernelEX and Kext. Read the Wiki and the Kext: DIY KernelEx extensions topic.


Nope, the Version 7.x series and RUMORS of the 6.x series. This news is several days old with the same dire warning of "disable it".

If you research it, it is a "hole" in a specific part of Java that most users don't install (search for "MBEANS") BUT may be affected by accessing a... SERVER that has it AND is "infected".

edit - Here is the specific US-CERT KB just so you know that this "dire warning" is going viral and the "news" websites are misleading. The KB says absolutely nothing of anything other than Java 7.x.

JMX docs (Java Management Extensions) also Netbeans (MBEANS-related). Here is a fairly clear definition of JMX and what its purpose is and who might have it installed.

Bottom line - This has to do with the JDK on a Server Machine and Untrusted Applets downloaded and run on a Client Machine.

Edited by submix8c

Of course I already have Kex (there's no way to install any version of JAVA version 6 without it).

I'm asking if anyone has something more recent than Java version 6 update 30 installed. If so, are there EASY, EXPLICIT instructions for it? The threads for the DIY Kex extensions ARE NOT EASY TO FOLLOW - they are very disorganized. In the past, I've tried to install update 31 or 32 but it didn't seem to work.

Are you saying that a custom DIY Kex extension *is necessary* to install a more recent JAVA update?


Of course I already have Kex (there's no way to install any version of JAVA version 6 without it).

I'm asking if anyone has something more recent than Java version 6 update 30 installed. If so, are there EASY, EXPLICIT instructions for it? The threads for the DIY Kex extensions ARE NOT EASY TO FOLLOW - they are very disorganized. In the past, I've tried to install update 31 or 32 but it didn't seem to work.

Are you saying that a custom DIY Kex extension *is necessary* to install a more recent JAVA update?

Installing Kext is a little off topic. But yes, GetSystemWow64DirectoryA=z2e120 must be added to the .ini file.

1. Paste the downloaded Kstubxxx.ini and Kstubxxx.dll into your KernelEx folder. It doesn't matter which version you use (626, 730 or 822); it should work.

2. Add GetSystemWow64DirectoryA=z2e120 to the ini file under [Kernel32.dll].

3. Add Kstubxxx to the core.ini in the KernelEx folder: contents=Kstub626,std,kexbases,kexbasen

4. Reboot.

=> msi or silent and check out the vulnerability on 98

Edited by schwups
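Steps 2 and 3 above are hand edits to two KernelEx .ini files, and a slip there (a duplicate line, the export added under the wrong section, Kstub appended instead of placed first in the contents list) is easy to make and hard to spot. The script below is an added illustration of doing those two edits idempotently; it is not code from this thread or from the KernelEx project. Only the entry GetSystemWow64DirectoryA=z2e120 and the resulting line contents=Kstub626,std,kexbases,kexbasen come from the post; the sample file contents, the [BASE] section name in core.ini and the file names are constructed assumptions, so check them against your own copies before pointing it at real files.

```python
"""Idempotent edits for the KernelEx Kstub procedure (added example).

Assumptions (not from the thread): core.ini keeps its 'contents=' line in a
section called [BASE]; the sample texts below are constructed stand-ins for
the real Kstub626.ini and core.ini. Existing lines are never reformatted, so
KernelEx's own parser sees exactly the file it had, plus the one new line.
"""
import re
import sys

SECTION_RE = re.compile(r"\s*\[(.+?)\]\s*$")

# From the post: the export that must exist under [Kernel32.dll].
ENTRY = "GetSystemWow64DirectoryA=z2e120"

# Constructed sample contents (NOT the real files).
SAMPLE_KSTUB = "[Kernel32.dll]\nGetVersionExW=z2e100\n\n[User32.dll]\nFoo=z2e101\n"
SAMPLE_CORE = "[BASE]\ndesc=Base enhancements\ncontents=std,kexbases,kexbasen\n"


def add_entry(ini_text: str, section: str, entry: str) -> str:
    """Append `entry` ('Name=value') to [section] unless that Name is already
    there; create the section at the end if it does not exist. The new line
    goes right after the section's last non-blank line, so blank separators
    between sections stay where they were. Running it twice is a no-op."""
    key = entry.split("=", 1)[0].strip()          # export names are case-sensitive
    out, in_section, found, present, insert_at = [], False, False, False, 0
    for line in ini_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            if in_section and not present:        # leaving target section: add now
                out.insert(insert_at, entry)
                present = True
            in_section = m.group(1).lower() == section.lower()
            found = found or in_section
            out.append(line)
            insert_at = len(out)
            continue
        if in_section and line.split("=", 1)[0].strip() == key:
            present = True                        # already configured
        out.append(line)
        if in_section and line.strip():
            insert_at = len(out)
    if in_section and not present:                # target section was the last one
        out.insert(insert_at, entry)
    if not found:                                 # no such section: create it
        if out and out[-1].strip():
            out.append("")
        out += [f"[{section}]", entry]
    return "\n".join(out) + ("\n" if ini_text.endswith("\n") else "")


def prepend_module(core_text: str, section: str, module: str) -> str:
    """Put `module` first in the 'contents=' list of [section] (the post shows
    Kstub626 leading the list). Leaves the line alone if it is already listed;
    raises if the section or its contents= line cannot be found, rather than
    silently writing an unchanged file."""
    out, in_section, changed = [], False, False
    for line in core_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            in_section = m.group(1).lower() == section.lower()
        elif in_section and re.match(r"\s*contents\s*=", line, re.I):
            name, _, value = line.partition("=")
            mods = [x.strip() for x in value.split(",") if x.strip()]
            if module.lower() not in (x.lower() for x in mods):
                mods.insert(0, module)
                line = f"{name}={','.join(mods)}"
            changed = True
        out.append(line)
    if not changed:
        raise ValueError(f"no contents= line found in [{section}]")
    return "\n".join(out) + ("\n" if core_text.endswith("\n") else "")


def patch_file(path: str, func, *args) -> bool:
    """Apply `func` to the file at `path`; return True if it was rewritten."""
    with open(path, "r", encoding="latin-1", newline="") as f:
        before = f.read()
    after = func(before, *args)
    if after != before:
        with open(path, "w", encoding="latin-1", newline="") as f:
            f.write(after)
    return after != before


if __name__ == "__main__":
    # Dry run on the constructed samples; pass a KernelEx folder to edit for real.
    if len(sys.argv) == 2:
        folder = sys.argv[1].rstrip("\\/")
        print("Kstub626.ini changed:", patch_file(f"{folder}/Kstub626.ini", add_entry, "Kernel32.dll", ENTRY))
        print("core.ini changed:", patch_file(f"{folder}/core.ini", prepend_module, "BASE", "Kstub626"))
    else:
        print(add_entry(SAMPLE_KSTUB, "Kernel32.dll", ENTRY))
        print(prepend_module(SAMPLE_CORE, "BASE", "Kstub626"))
```

Run without arguments it only prints what it would do to the constructed samples; given a folder it rewrites the two files in place, and a second run changes nothing, which is the property that makes it safe to rerun after a failed boot.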

You missed the part about Mozilla and JRE6 u37/u38, didn't you? PLEASE read the links I gave - "Erring on the side of caution"...

What is a Java Applet. Also here and here

Definition of: Java applet

A Java program that is downloaded from the server and run from the browser. The Java Virtual Machine built into the browser is interpreting the instructions. Contrast with Java application.

If you RUN an infected one, THEN you "get bit". I thought I made that clear. AND if you look in the LINKS I gave there is ALSO something called "Click To Play" which can be Enabled in Firefox Configuration.

Again, go ahead and disable - have fun playing Runescape. ;)

edit - and this will explain how this exploit "could" happen.

edit2 - does this help a thirst for more information (re - settings and the Applet executions)?

This whole "dire warning" thing is about simple common sense.

Edited by submix8c

Of course I already have Kex (there's no way to install any version of JAVA version 6 without it).

No. Java 6u7 works without Kex.

OLD Java SE 6.0 (a.k.a. 1.6.0) Update 7 (6u7):

Direct download [15.1 MB, right-click to save!]

is the LAST Update compatible with Windows 95/OSR1/OSR2/98/98 SP1/98 SE/NT4 SP6a/ME, but you MUST ignore "Warning: This is not a supported Operating System!" error message!

Edited by LoneCrusader

Within the past 2 days, I've performed some maintenance on a handful of PCs (some running XP, some running 7) where I've discovered that Firefox's JAVA plugin had been disabled - and NOT by the owner of the system. (I've not seen this on any win-98 systems.)

Is anyone else seeing this?

Is Mozilla doing this - or Oracle? (or Microsoft?)

And how?

Edited by Nomen

??? Post #7 and Post #9...

YES, Mozilla is disabling!

Did I mention "Click To Play" :yes: ? See this -

https://blog.mozilla.org/security/2013/01/11/protecting-users-against-java-vulnerability/

edit - forgot to mention -

Java Platform SE U38 6.0.380.5 (IOW 1.6.0.38)

on Firefox 11.0.0.4454 and NOT disabled!

From Post #5

The KB says absolutely nothing of anything other than Java 7.x.
Everyone in a Tizzy (latest EPA-approved automobile).

Edited by submix8c