Jump to content

Welcome to MSFN Forum
Register now to gain access to all of our features. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more. This message will be removed once you have signed in.
Login to Account Create an Account


Photo

Dire warnings about new JAVA vulnerability

- - - - -

  • Please log in to reply
78 replies to this topic

#1
Nomen

Nomen

    Member

  • Member
  • PipPip
  • 191 posts
  • OS:98SE
  • Country: Country Flag
There are new warnings out right now advising everyone to disable or uninstall their JAVA jre (for those running Windoze or OSX).

All I can figure out right now is that JAVA version 7 is being fingered, and there is proof-of-concept code out there (somewhere) that I'd love to get my hands on just to see if JAVA 6 running on Win-98 is vulnerable to this exploit (I'm betting it's not).

Is anyone here looking into this?


How to remove advertisement from MSFN

#2
vinifera

vinifera

    <°)))><

  • Member
  • PipPipPipPipPip
  • 963 posts
  • OS:Windows 7 x86
  • Country: Country Flag
all I know that whole java 6 version was so **** exploitable that I got infected by rouge that planted itself to SYSTEM account
and then naturally used good old internet explorer to screw things up

all NT's were vulnerable to this, probably 9x line too
If you want true Windows user experience
try Longhorn builds: 3718, 4029, 4066

#3
Nomen

Nomen

    Member

  • Member
  • PipPip
  • 191 posts
  • OS:98SE
  • Country: Country Flag
The last version of Java that I've managed to get working on this win-98 system is version 6 update 30 (which is a full year old at this point). The most recent is update 38. Has anyone here been able to get any of the more recent updates working under win-98? If so - how exactly did you do it?

#4
schwups

schwups

    schwups

  • Member
  • PipPipPip
  • 414 posts
  • OS:ME
  • Country: Country Flag

The last version of Java that I've managed to get working on this win-98 system is version 6 update 30 (which is a full year old at this point).  The most recent is update 38.  Has anyone here been able to get any of the more recent updates working under win-98?  If so - how exactly did you do it?

You must install KernelEX and Kext. Read the Wiki and the Kext: DIY KernelEx extensions topic.




#5
submix8c

submix8c

    Inconceivable!

  • Patrons
  • 4,263 posts
  • OS:none specified
  • Country: Country Flag
Nope, the Version 7.x series and RUMORS of the 6.x series. This news is several days old with the same dire warning of "disable it".

If you research it, it is a "hole" in a specific part of Java that most users don't install (search for "MBEANS") BUT may be affected by accessing a... SERVER that has it AND is "infected".

edit - Here is the specific US-CERT KB just so you know that this "dire warning" is going viral and the "news" websites are misleading. The KB says absolutely nothing of anything other than Java 7.x.

JMX docs (Java Management Extensions) also Netbeans (MBEANS-related). Here is a fairly clear definition of JMX and what its purpose is and who might have it installed.

Bottom line - This has to do with the JDK on a Server Machine and Untrusted Applets downloaded and run on a Client Machine.

Edited by submix8c, 12 January 2013 - 09:56 AM.

Someday the tyrants will be unthroned... Jason "Jay" Chasteen; RIP, bro!

Posted Image


#6
Nomen

Nomen

    Member

  • Member
  • PipPip
  • 191 posts
  • OS:98SE
  • Country: Country Flag
Of course I already have Kex (there's no way to install any version of JAVA version 6 without it).

I'm asking if anyone has something more recent than Java version 6 update 30 installed. If so, are there EASY, EXPLICIT instructions for it. The threads for the DIY kex extensions ARE NOT EASY TO FOLLOW - they are very disorganized. In the past, I've tried to install update 31 or 32 but it didin't seem to work.

Are you saying that a custom DIY Kex extension *is necessary* to install a more recent JAVA update?

#7
submix8c

submix8c

    Inconceivable!

  • Patrons
  • 4,263 posts
  • OS:none specified
  • Country: Country Flag
(heh-heh...) Looks like installing that will open the exploit as well. Guess I should disable my version-38 too?

Yep, the "sky is falling". :w00t:

Someday the tyrants will be unthroned... Jason "Jay" Chasteen; RIP, bro!

Posted Image


#8
schwups

schwups

    schwups

  • Member
  • PipPipPip
  • 414 posts
  • OS:ME
  • Country: Country Flag

Of course I already have Kex (there's no way to install any version of JAVA version 6 without it).

I'm asking if anyone has something more recent than Java version 6 update 30 installed.  If so, are there EASY, EXPLICIT instructions for it.  The threads for the DIY kex extensions ARE NOT EASY TO FOLLOW - they are very disorganized.  In the past, I've tried to install update 31 or 32 but it didin't seem to work.

Are you saying that a custom DIY Kex extension *is necessary* to install a more recent JAVA update?


Installing Kext is a little off topic. But yes, GetSystemWow64DirectoryA=z2e120 must added to the .ini file. 

1. Paste the downloaded Kstubxxx.ini and Kstubxxx.dll in your KernelEX folder. It doesn't matter which version you use 626, 730 or 822 it should work.

2. Add GetSystemWow64DirectoryA=z2e120 to the ini file under [Kernel32.dll].

3. Add Kstubxxx to the core.ini in the kernelEX folder: contents=Kstub626,std,kexbases,kexbasen

4. reboot

=> msi or silent  and check out the vulnerability on 98 

Edited by schwups, 12 January 2013 - 10:32 AM.


#9
submix8c

submix8c

    Inconceivable!

  • Patrons
  • 4,263 posts
  • OS:none specified
  • Country: Country Flag
You missed the part about Mozilla and JRE6 u37/u38, didn't you? PLEASE read the links I gave - "Erring on the side of caution"...

What is a Java Applet. Also here and here

Definition of: Java applet

A Java program that is downloaded from the server and run from the browser. The Java Virtual Machine built into the browser is interpreting the instructions. Contrast with Java application.


If you RUN an infected one, THEN you "get bit". I thought I made that clear. AND if you look in the LINKS I gave there is ALSO something called "Click To Play" which can be Enabled in Firefox Configuration.

Again, go ahead and disable - have fun playing Runescape. ;)

edit - and this will explain how this exploit "could" happen.

edit2 - does this help a thirst for more information (re - settings and the Applet executions)?

This whole "dire warning" thing is about simple common sense.

Edited by submix8c, 12 January 2013 - 11:24 AM.

Someday the tyrants will be unthroned... Jason "Jay" Chasteen; RIP, bro!

Posted Image


#10
LoneCrusader

LoneCrusader

    Resistere pro causa resistentiam.

  • MSFN Sponsor
  • 809 posts
  • OS:98SE
  • Country: Country Flag

Donator

Of course I already have Kex (there's no way to install any version of JAVA version 6 without it).

No. Java 6u7 works without Kex.

OLD Java SE 6.0 (a.k.a. 1.6.0) Update 7 (6u7):
Direct download [15.1 MB, right-click to save!]
is the LAST Update compatible with Windows 95/OSR1/OSR2/98/98 SP1/98 SE/NT4 SP6a/ME, but you MUST ignore "Warning: This is not a supported Operating System!" error message!


Edited by LoneCrusader, 12 January 2013 - 03:44 PM.


#11
Fredledingue

Fredledingue

    MSFN Expert

  • Member
  • PipPipPipPipPipPip
  • 1,267 posts
  • OS:98SE
  • Country: Country Flag
I confirm Java 6u7 works without Kex. I have it on my PC without Kex installed. But it's the last version to do so.

HTASoft.com

superchargedwindows9xig1.png
Still Using W98SE+++ ...Daily.

#12
schwups

schwups

    schwups

  • Member
  • PipPipPip
  • 414 posts
  • OS:ME
  • Country: Country Flag
Java 7 Update 11 released - Bug Fixes Release Notes  CVE-2013-0422 and see link of submix8c (post 5) revised: 14 Jan 2013

Edited by schwups, 14 January 2013 - 08:04 AM.


#13
Nomen

Nomen

    Member

  • Member
  • PipPip
  • 191 posts
  • OS:98SE
  • Country: Country Flag
Within the past 2 days, I've performed some maintainence on a handful of PC's (some running XP, some running 7) where I've discovered that Firefox's JAVA plugin had been disabled - and NOT by the owner of the system. (I've not seen this on any win-98 systems).

Is anyone else seeing this?

Is Mozilla doing this - or Oracle? (or Microsoft?)

And how?

Edited by Nomen, 14 January 2013 - 10:21 AM.


#14
submix8c

submix8c

    Inconceivable!

  • Patrons
  • 4,263 posts
  • OS:none specified
  • Country: Country Flag
??? Post #7 and Post#9...

YES, Mozilla is disabling!

Did I mention "Click To Play" :yes: ? See this -
https://blog.mozilla...-vulnerability/

edit - forgot to mention -
Java™ Platform SE U38 6.0.380.5 (IOW 1.6.0.38)
on Firefox 11.0.0.4454 and NOT disabled!
From Post #5

The KB says absolutely nothing of anything other than Java 7.x.

Everyone in a Tizzy (latest EPA-approved automobile).

Edited by submix8c, 14 January 2013 - 10:48 AM.

Someday the tyrants will be unthroned... Jason "Jay" Chasteen; RIP, bro!

Posted Image


#15
war59312

war59312

    Will's Blog

  • Member
  • PipPipPipPipPip
  • 932 posts
So guess they are NOT patching java 6 atm. :(
Ad Muncher Usage Statistics for v4.73 Beta Build 30552/2275
Adverts removed by Ad Muncher: 2,200,586
Approximate bandwidth saved: 17,192 MB
Counter started: April 2, 2003

#16
dencorso

dencorso

    Adiuvat plus qui nihil obstat

  • Supervisor
  • 5,850 posts
  • OS:98SE
  • Country: Country Flag

Donator

edit - forgot to mention -
Java™ Platform SE U38 6.0.380.5 (IOW 1.6.0.38)
on Firefox 11.0.0.4454 and NOT disabled!

So guess they are NOT patching java 6 atm. :(

UPDATE: On Jan. 13, 2013 Oracle released Java 7 Update 11 to fix the latest security flaw. Java 6 was not updated as the latest problem was limited to Java 7.

Source:This post at "Defensive Computing"

#17
Nomen

Nomen

    Member

  • Member
  • PipPip
  • 191 posts
  • OS:98SE
  • Country: Country Flag

Installing Kext is a little off topic. But yes, GetSystemWow64DirectoryA=z2e120 must added to the .ini file.

Ok, I did all that, ran the MSI, and version 6 update 38 appeared to install without errors. Restarted. Java is missing from control panel. Found javacpl.cpl in CAB file. Ran it, turned off "Next generation plugin" setting. Restarted.

Using FF 2.0.0.20, went to javatester.org/version, and got these errors:

"The new java plug-in requires a recent version of the firefox browser (firefox 3 or later)"

Click Ok, then get this error:

"The plug-in performed an illegal operation. You are strongly advised to restart firefox."

JRE 6 update 30 previously was working fine on FF 2.0.0.20. Any ideas to get this new update 38 working?

Edit: Ok, I forgot to rename the "plugin" directory. It works fine now.

Edited by Nomen, 16 January 2013 - 09:49 PM.


#18
egrabrych

egrabrych

    Junior

  • Member
  • Pip
  • 84 posts
  • OS:98SE
  • Country: Country Flag

Donator

JRE Version 6 Update 39: http://java.com/en/d...d/manual_v6.jsp

#19
CharlotteTheHarlot

CharlotteTheHarlot

    MSFN Master

  • Member
  • PipPipPipPipPipPipPipPip
  • 2,054 posts
  • OS:none specified
  • Country: Country Flag

JRE Version 6 Update 39: http://java.com/en/d...d/manual_v6.jsp

Thanks for the link.

Has anyone using 32-bit Windows been able to download the 64-bit offline installers? They are using browser sniffing and even the "manual" download for JRE 6 or 7 64-bit installs are blocked. Arrrggh! :realmad:

... Let him who hath understanding reckon the Number Of The Beast ...


#20
submix8c

submix8c

    Inconceivable!

  • Patrons
  • 4,263 posts
  • OS:none specified
  • Country: Country Flag
??? I got mine via FF - both of them (JRE6U39).

Someday the tyrants will be unthroned... Jason "Jay" Chasteen; RIP, bro!

Posted Image


#21
CharlotteTheHarlot

CharlotteTheHarlot

    MSFN Master

  • Member
  • PipPipPipPipPipPipPipPip
  • 2,054 posts
  • OS:none specified
  • Country: Country Flag

??? I got mine via FF - both of them (JRE6U39).

Just checked Firefox too, same as Opera. After hitting all the 64-bit links it bounces back to 32-bit download.

What's funny is that right there on the main page is Linux 32 and 64, Solaris 32 and 64. They browser sniff for Windows naturally and this system here is 32-bit.

Anyone saved the direct download links? They are unfortunately compund URLs with session strings so they might not work though. Looking for both JRE 6 and 7 64-bit offline installers.

... Let him who hath understanding reckon the Number Of The Beast ...


#22
CharlotteTheHarlot

CharlotteTheHarlot

    MSFN Master

  • Member
  • PipPipPipPipPipPipPipPip
  • 2,054 posts
  • OS:none specified
  • Country: Country Flag
Problem Solved: ( while using 32-bit Windows ) the latest JRE 6 and 7 offline 32-bit ( -i586 ) installers can be downloaded with no problem.
But trying to grab the 64-bit ( -x64 ) cannot and no amount of clicking around the Sun links in Opera or Firefox would work because of their stupid browser sniffing.

Here is how I got them. First, note that these two 32-bit offline installers can be downloaded just fine ...

jre-6u39-windows-i586.exe
jre-7u13-windows-i586.exe


From memory I knew that you can just replace the -i586 with -x64, resulting in the filenames we are looking for ...

jre-6u39-windows-x64.exe
jre-7u13-windows-x64.exe


However, simply altering the download URLs used for the first two above cannot work due to their complex ( and ridiculous ) URL scheme with sessionid and more.
Furthermore, dropping these filenames into the Oracle/Sun webpage search field of course also does not work ( seriously Oracle? *** )
But drop them into Google as is and it returns a perfectly valid webpage with the file listed. Here are the pages ...

jre-6u39-windows-x64.exe ... webpage
jre-7u13-windows-x64.exe ... webpage

So if you are running 32-bit Windows and just want the offline installers for 64-bit JRE you can click those links and select the file ... for now.

*** ... Dear Oracle, how ironic is it that the King Kong of databases fails to locate a simple string submitted into your search box? How come Google can index your site better than you can? :whistle:

EDIT: typos

Edited by CharlotteTheHarlot, 03 February 2013 - 02:36 PM.

... Let him who hath understanding reckon the Number Of The Beast ...


#23
Nomen

Nomen

    Member

  • Member
  • PipPip
  • 191 posts
  • OS:98SE
  • Country: Country Flag
On this system (win-98se), using FF 2.0.0.20, with no modification to the user-agent string, I am easily able to download the file "jre-6u39-windows-x64.exe" with no issues.

When I change the user-agent to Firefox 12/Win 7 32-bit, I keep getting an error when trying to download the file:

===========
Sorry!
In order to download products from Oracle Technology Network you must agree to the OTN license terms.
Be sure that...
Your browser has "cookies" and JavaScript enabled.
You clicked on "Accept License" for the product you wish to download.
You attempt the download within 30 minutes of accepting the license.
===========

I met all of the above 3 conditions, but it still get that error. I then changed my user-agent to Firefox 15.0a1 Windows 7 64-bit (verified by external web-site "whatsmyos.com") and still get the above error (yes, I re-load the web page after changing the user-agent).

But then I go back to my default user-agent (Firefox 2, Windows 98) and have no problems downloading the file.

#24
submix8c

submix8c

    Inconceivable!

  • Patrons
  • 4,263 posts
  • OS:none specified
  • Country: Country Flag
Firefox 11.0.0.4454 + NoScript 2.6.3 (JRE6U39 - NOT the JRE7) .... No problem... Of course, I WILL note (didn't mention before) that the FIRST time it downloaded "badly" (went too quick even though "claimed" full size downloaded) - didn't trust so did the i586, then RE-did the x64. Got them both sitting right here...

Someday the tyrants will be unthroned... Jason "Jay" Chasteen; RIP, bro!

Posted Image


#25
CharlotteTheHarlot

CharlotteTheHarlot

    MSFN Master

  • Member
  • PipPipPipPipPipPipPipPip
  • 2,054 posts
  • OS:none specified
  • Country: Country Flag

I WILL note (didn't mention before) that the FIRST time it downloaded "badly" (went too quick even though "claimed" full size downloaded)

Look at the alleged EXE file, it will be a PHP script or an HTML page. Got more than a few of those while experimenting!

... Let him who hath understanding reckon the Number Of The Beast ...





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users



How to remove advertisement from MSFN