Dire warnings about new JAVA vulnerability


Nomen

edit - forgot to mention -

Java Platform SE U38 6.0.380.5 (IOW 1.6.0.38)

on Firefox 11.0.0.4454 and NOT disabled!

So guess they are NOT patching java 6 atm. :(

UPDATE: On Jan. 13, 2013 Oracle released Java 7 Update 11 to fix the latest security flaw. Java 6 was not updated as the latest problem was limited to Java 7.

Source: This post at "Defensive Computing"



Installing Kext is a little off topic. But yes, GetSystemWow64DirectoryA=z2e120 must be added to the .ini file.

Ok, I did all that, ran the MSI, and version 6 update 38 appeared to install without errors. Restarted. Java is missing from control panel. Found javacpl.cpl in CAB file. Ran it, turned off "Next generation plugin" setting. Restarted.

Using FF 2.0.0.20, went to javatester.org/version, and got these errors:

"The new java plug-in requires a recent version of the firefox browser (firefox 3 or later)"

Click Ok, then get this error:

"The plug-in performed an illegal operation. You are strongly advised to restart firefox."

JRE 6 update 30 previously was working fine on FF 2.0.0.20. Any ideas to get this new update 38 working?

Edit: Ok, I forgot to rename the "plugin" directory. It works fine now.

Edited by Nomen

  • 3 weeks later...
??? I got mine via FF - both of them (JRE6U39).

Just checked Firefox too, same as Opera. After hitting all the 64-bit links it bounces back to 32-bit download.

What's funny is that right there on the main page is Linux 32 and 64, Solaris 32 and 64. They browser sniff for Windows naturally and this system here is 32-bit.

Anyone saved the direct download links? They are unfortunately compound URLs with session strings so they might not work though. Looking for both JRE 6 and 7 64-bit offline installers.


Problem Solved: ( while using 32-bit Windows ) the latest JRE 6 and 7 offline 32-bit ( -i586 ) installers can be downloaded with no problem.

But trying to grab the 64-bit ( -x64 ) cannot and no amount of clicking around the Sun links in Opera or Firefox would work because of their stupid browser sniffing.

Here is how I got them. First, note that these two 32-bit offline installers can be downloaded just fine ...

jre-6u39-windows-i586.exe

jre-7u13-windows-i586.exe

From memory I knew that you can just replace the -i586 with -x64, resulting in the filenames we are looking for ...

jre-6u39-windows-x64.exe

jre-7u13-windows-x64.exe

However, simply altering the download URLs used for the first two above cannot work due to their complex ( and ridiculous ) URL scheme with sessionid and more.

Furthermore, dropping these filenames into the Oracle/Sun webpage search field of course also does not work ( seriously Oracle? *** )

But drop them into Google as is and it returns a perfectly valid webpage with the file listed. Here are the pages ...

jre-6u39-windows-x64.exe ... webpage

jre-7u13-windows-x64.exe ... webpage

So if you are running 32-bit Windows and just want the offline installers for 64-bit JRE you can click those links and select the file ... for now.

*** ... Dear Oracle, how ironic is it that the King Kong of databases fails to locate a simple string submitted into your search box? How come Google can index your site better than you can? :whistle:

EDIT: typos

Edited by CharlotteTheHarlot

On this system (win-98se), using FF 2.0.0.20, with no modification to the user-agent string, I am easily able to download the file "jre-6u39-windows-x64.exe" with no issues.

When I change the user-agent to Firefox 12/Win 7 32-bit, I keep getting an error when trying to download the file:

===========

Sorry!

In order to download products from Oracle Technology Network you must agree to the OTN license terms.

Be sure that...

Your browser has "cookies" and JavaScript enabled.

You clicked on "Accept License" for the product you wish to download.

You attempt the download within 30 minutes of accepting the license.

===========

I met all of the above 3 conditions, but I still get that error. I then changed my user-agent to Firefox 15.0a1 Windows 7 64-bit (verified by external web-site "whatsmyos.com") and still get the above error (yes, I re-load the web page after changing the user-agent).

But then I go back to my default user-agent (Firefox 2, Windows 98) and have no problems downloading the file.


Firefox 11.0.0.4454 + NoScript 2.6.3 (JRE6U39 - NOT the JRE7) .... No problem... Of course, I WILL note (didn't mention before) that the FIRST time it downloaded "badly" (went too quick even though "claimed" full size downloaded) - didn't trust so did the i586, then RE-did the x64. Got them both sitting right here...


x64=17,281,456 bytes

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......

i586=17,021,360 bytes

Not really interested in bothering with unpack. No x64 OS installed ATM to "extract" it anyway. HOWEVER I got this when trying to "run" it...

The image file <path>jre-6u39-windows-x64.exe is valid, but is for a machine type other than the current machine.
It appears good... (note: x64 box sitting next to me "disassembled")

Maybe I just got "lucky". :unsure:

Nope - just did it AGAIN!!! Downloaded fine -

http://java.com/en/download/manual.jsp

http://javadl.sun.com/webapps/download/AutoDL?BundleId=73859

err - above is JRE7U13 (may as well DL them too)

THIS is JRE6U39 -

http://java.com/en/download/manual_v6.jsp

http://javadl.sun.com/webapps/download/AutoDL?BundleId=73923

And it downloaded...

Edited by submix8c

You're right, those are binaries. While experimenting I received a bunch of ASCII PHP and HTML in place of binaries from the server.

Here is what I successfully downloaded from the Sun website with results shown from NirSoft HashMyFiles ...

-------- FILENAME -------------- SIZE -------------------- MD5 ---------------------------------- SHA1 ------------------------ CRC32 ----

jre-6u39-windows-i586.exe ... 17,021,360 ... 94352006bf3c732c989e070a6c438967 ... d3700efc154a0acc5944f60f8652178487bc9894 ... 79d71166

jre-6u39-windows-x64.exe .... 17,281,456 ... 0328d48b4a6d63a0ac10df0d4f38ccda ... 85264d267e97f77b942ec6215bdaabf0422ee3ce ... 72cc5f73

jre-7u13-windows-i586.exe ... 31,512,992 ... fd6a76916408345e57b28c6afa5b9cfc ... 72ad271c6c7e7d1893a9661aad2854a75e87cd5f ... f915bac9

jre-7u13-windows-x64.exe .... 32,997,280 ... 96dd162939e0c84cdbaadbc0deeca996 ... 0acc9b9d6a7f4ebd255c0cc720a6f452797c487f ... 0e2f6735

Note: I haven't run them yet ( 32-bit or 64-bit ), so I am assuming I have valid files. It looks like the file sizes match yours. Maybe you should see what HashMyFiles has to say.

P.S. oh crap, I just noticed that NirSoft HashMyFiles page says Win2k and above, yet he has both Unicode and Non-Unicode versions on that page for download. I don't remember if I ever tried the Non-Unicode version on Win9x before, has anyone?
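
An added example, not part of any post in this thread: a Python check for the two problems described above, a server returning HTML in place of the installer and an installer built for the wrong architecture, alongside the same size/MD5/SHA1/CRC32 fingerprint that HashMyFiles reports. The function names and the sample bytes are constructed for illustration.

```python
import hashlib
import struct
import zlib

# COFF "Machine" field values for the two installer flavours in the thread.
MACHINES = {0x014C: "i586", 0x8664: "x64"}

def inspect_download(data: bytes) -> dict:
    """Fingerprint a downloaded blob and say what it really is."""
    info = {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "crc32": format(zlib.crc32(data) & 0xFFFFFFFF, "08x"),
        "kind": "unknown",
        "machine": None,
    }
    # A Windows executable starts with the DOS "MZ" stub; the 32-bit value
    # at offset 0x3C points at the "PE\0\0" signature, and the 16-bit
    # Machine field follows that signature.
    if len(data) >= 0x40 and data[:2] == b"MZ":
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_off:pe_off + 4] == b"PE\0\0" and len(data) >= pe_off + 6:
            code = struct.unpack_from("<H", data, pe_off + 4)[0]
            info["kind"] = "pe"
            info["machine"] = MACHINES.get(code, hex(code))
    elif data.lstrip()[:1] == b"<":
        # Markup where a binary was expected: the server sent a page instead.
        info["kind"] = "html"
    return info

def verify(info: dict, size: int, sha1: str, machine: str) -> bool:
    """True only if type, architecture, size and SHA-1 all match."""
    return (info["kind"] == "pe" and info["machine"] == machine
            and info["size"] == size and info["sha1"] == sha1.lower())

def fake_pe(machine: int) -> bytes:
    """Constructed 88-byte stand-in for an installer header (not a real JRE)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18

# Constructed stand-in for the licence error page described in the thread.
ERROR_PAGE = b"<html><body>Sorry! In order to download products ...</body></html>"
```

For a real file, pass `open(path, "rb").read()` to `inspect_download` and give `verify` the size and SHA1 from the table above. A match against a hash posted by another forum member shows that the two downloads are identical, not that either is authentic; the installer's digital signature is the check for that.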


jre-6u39-windows-i586.exe 17,021,360 94352006bf3c732c989e070a6c438967 d3700efc154a0acc5944f60f8652178487bc9894 79d71166

jre-6u39-windows-x64.exe 17,281,456 0328d48b4a6d63a0ac10df0d4f38ccda 85264d267e97f77b942ec6215bdaabf0422ee3ce 72cc5f73

jre-7u13-windows-i586.exe 31,512,992 fd6a76916408345e57b28c6afa5b9cfc 72ad271c6c7e7d1893a9661aad2854a75e87cd5f f915bac9

jre-7u13-windows-x64.exe 32,997,280 96dd162939e0c84cdbaadbc0deeca996 0acc9b9d6a7f4ebd255c0cc720a6f452797c487f 0e2f6735

???

Using Flashget 1.73 Build 128

http://sdlc-esd.sun.com/ESD6/JSCDL/jdk/6u39-b04/jre-6u39-windows-x64.exe?AuthParam=1359930932_335dde157aa64636e823ff1c72657f31&GroupName=JSC&FilePath=/ESD6/JSCDL/jdk/6u39-b04/jre-6u39-windows-x64.exe&File=jre-6u39-windows-x64.exe&BHost=javadl.sun.com

Bear in mind that you have to have the AUTH to actually get it (been there, done that). IOW, you MUST right-click in the Download Page to get it. I always right-click and "open in new tab". ;)

Edited by submix8c

  • 2 weeks later...

I'm asking if anyone has something more recent than Java version 6 update 30 installed. If so, are there EASY, EXPLICIT instructions for it. The threads for the DIY kex extensions ARE NOT EASY TO FOLLOW - they are very disorganized. In the past, I've tried to install update 31 or 32 but it didn't seem to work.

Are you saying that a custom DIY Kex extension *is necessary* to install a more recent JAVA update?

Installing Kext is a little off topic. But yes, GetSystemWow64DirectoryA=z2e120 must be added to the .ini file.

1. Paste the downloaded Kstubxxx.ini and Kstubxxx.dll in your KernelEX folder. It doesn't matter which version you use 626, 730 or 822 it should work.

2. Add GetSystemWow64DirectoryA=z2e120 to the ini file under [Kernel32.dll].

3. Add Kstubxxx to the core.ini in the kernelEX folder: contents=Kstub626,std,kexbases,kexbasen

4. reboot

=> msi or silent  and check out the vulnerability on 98 

Hmmm ... I've tried installing recent versions of Java 1.6, following the Wiki instructions (mostly the MSI method, but also the silent method) but without success. I have KexStubs installed with the "GetSystemWow64DirectoryA=z2e120" setting, etc. However, I can't even get 6u30 to install, let alone 6u39.

Here's a typical attempt :

1. Run 'jre-6u30-windows-i586.exe', let it crash and die.

2. Navigate to the "%windir%\Application Data\Sun\Java\jre1.6.0_30" directory.

3. Start 'jre1.6.0_30.msi' ...

4. Installation proceeds to about 75% then fails and does a "roll back".

5. The end.

Running the 6u39 installer version is similar, except that the MSI gives an Error 26011 (Unpacking rt failed), whereas 6u30 gives no explanation. According to the Sun/Oracle information, this means I don't have enough free disk space and to allow for at least 100M - rubbish, I have about 300M free on drive C: (which should not be relevant) and about 2G free on drive E: (which in my case is the installation drive, also where temporary files live and die).

Running the installation executable with the "silent" option is, well, just a more "silent" version of failure.

Anyone have some idea on this? Does the newer Java stuff need a P4+ processor with SSE2 or some such (I'm running a P3)?

Joe.


The error should be logged in your temp folder. 

