[Nomen]

There are new warnings out right now advising everyone to disable or uninstall their JAVA jre (for those running Windoze or OSX).

All I can figure out right now is that JAVA version 7 is being fingered, and there is proof-of-concept code out there (somewhere) that I'd love to get my hands on just to see if JAVA 6 running on Win-98 is vulnerable to this exploit (I'm betting it's not).

Is anyone here looking into this?

[vinifera]

all I know that whole java 6 version was so **** exploitable that I got infected by rouge that planted itself to SYSTEM account
and then naturally used good old internet explorer to screw things up

all NT's were vulnerable to this, probably 9x line too

[Nomen]

The last version of Java that I've managed to get working on this win-98 system is version 6 update 30 (which is a full year old at this point). The most recent is update 38. Has anyone here been able to get any of the more recent updates working under win-98? If so - how exactly did you do it?

[schwups]

Nomen, on 12 January 2013 - 08:43 AM, said:

The last version of Java that I've managed to get working on this win-98 system is version 6 update 30 (which is a full year old at this point).  The most recent is update 38.  Has anyone here been able to get any of the more recent updates working under win-98?  If so - how exactly did you do it?

You must install KernelEX and Kext. Read the Wiki and the Kext: DIY KernelEx extensions topic.

[submix8c]

Nope, the Version 7.x series and RUMORS of the 6.x series. This news is several days old with the same dire warning of "disable it".

If you research it, it is a "hole" in a specific part of Java that most users don't install (search for "MBEANS") BUT may be affected by accessing a... SERVER that has it AND is "infected".

edit - Here is the specific US-CERT KB just so you know that this "dire warning" is going viral and the "news" websites are misleading. The KB says absolutely nothing of anything other than Java 7.x.

JMX docs (Java Management Extensions) also Netbeans (MBEANS-related). Here is a fairly clear definition of JMX and what its purpose is and who might have it installed.

Bottom line - This has to do with the JDK on a Server Machine and Untrusted Applets downloaded and run on a Client Machine.

This post has been edited by submix8c: 12 January 2013 - 09:56 AM

[Nomen]

Of course I already have Kex (there's no way to install any version of JAVA version 6 without it).

I'm asking if anyone has something more recent than Java version 6 update 30 installed. If so, are there EASY, EXPLICIT instructions for it. The threads for the DIY kex extensions ARE NOT EASY TO FOLLOW - they are very disorganized. In the past, I've tried to install update 31 or 32 but it didin't seem to work.

Are you saying that a custom DIY Kex extension *is necessary* to install a more recent JAVA update?

[submix8c]

(heh-heh...) Looks like installing that will open the exploit as well. Guess I should disable my version-38 too?

Yep, the "sky is falling".

[schwups]

Nomen, on 12 January 2013 - 09:40 AM, said:

Of course I already have Kex (there's no way to install any version of JAVA version 6 without it).

I'm asking if anyone has something more recent than Java version 6 update 30 installed.  If so, are there EASY, EXPLICIT instructions for it.  The threads for the DIY kex extensions ARE NOT EASY TO FOLLOW - they are very disorganized.  In the past, I've tried to install update 31 or 32 but it didin't seem to work.

Are you saying that a custom DIY Kex extension *is necessary* to install a more recent JAVA update?

Installing Kext is a little off topic. But yes, GetSystemWow64DirectoryA=z2e120 must added to the .ini file. 

1. Paste the downloaded Kstubxxx.ini and Kstubxxx.dll in your KernelEX folder. It doesn't matter which version you use 626, 730 or 822 it should work.

2. Add GetSystemWow64DirectoryA=z2e120 to the ini file under [Kernel32.dll].

3. Add Kstubxxx to the core.ini in the kernelEX folder: contents=Kstub626,std,kexbases,kexbasen

4. reboot

=> msi or silent  and check out the vulnerability on 98 

This post has been edited by schwups: 12 January 2013 - 10:32 AM

[submix8c]

You missed the part about Mozilla and JRE6 u37/u38, didn't you? PLEASE read the links I gave - "Erring on the side of caution"...

What is a Java Applet. Also here and here

Quote

Definition of: Java applet

A Java program that is downloaded from the server and run from the browser. The Java Virtual Machine built into the browser is interpreting the instructions. Contrast with Java application.

If you RUN an infected one, THEN you "get bit". I thought I made that clear. AND if you look in the LINKS I gave there is ALSO something called "Click To Play" which can be Enabled in Firefox Configuration.

Again, go ahead and disable - have fun playing Runescape.

edit - and this will explain how this exploit "could" happen.

edit2 - does this help a thirst for more information (re - settings and the Applet executions)?

This whole "dire warning" thing is about simple common sense.

This post has been edited by submix8c: 12 January 2013 - 11:24 AM

[LoneCrusader]

Nomen, on 12 January 2013 - 09:40 AM, said:

Of course I already have Kex (there's no way to install any version of JAVA version 6 without it).

No. Java 6u7 works without Kex.

MDGx.com said:

OLD Java SE 6.0 (a.k.a. 1.6.0) Update 7 (6u7):
Direct download [15.1 MB, right-click to save!]
is the LAST Update compatible with Windows 95/OSR1/OSR2/98/98 SP1/98 SE/NT4 SP6a/ME, but you MUST ignore "Warning: This is not a supported Operating System!" error message!

This post has been edited by LoneCrusader: 12 January 2013 - 03:44 PM

[Fredledingue]

I confirm Java 6u7 works without Kex. I have it on my PC without Kex installed. But it's the last version to do so.

[schwups]

Java 7 Update 11 released - Bug Fixes Release Notes  CVE-2013-0422 and see link of submix8c (post 5) revised: 14 Jan 2013

This post has been edited by schwups: 14 January 2013 - 08:04 AM

[Nomen]

Within the past 2 days, I've performed some maintainence on a handful of PC's (some running XP, some running 7) where I've discovered that Firefox's JAVA plugin had been disabled - and NOT by the owner of the system. (I've not seen this on any win-98 systems).

Is anyone else seeing this?

Is Mozilla doing this - or Oracle? (or Microsoft?)

And how?

This post has been edited by Nomen: 14 January 2013 - 10:21 AM

[submix8c]

??? Post #7 and Post#9...

YES, Mozilla is disabling!

Did I mention "Click To Play" ? See this -
https://blog.mozilla...-vulnerability/

edit - forgot to mention -
Java™ Platform SE U38 6.0.380.5 (IOW 1.6.0.38)
on Firefox 11.0.0.4454 and NOT disabled!
From Post #5

Quote

The KB says absolutely nothing of anything other than Java 7.x.

Everyone in a Tizzy (latest EPA-approved automobile).

This post has been edited by submix8c: 14 January 2013 - 10:48 AM

[war59312]

So guess they are NOT patching java 6 atm.

[dencorso]

submix8c, on 14 January 2013 - 10:39 AM, said:

edit - forgot to mention -
Java™ Platform SE U38 6.0.380.5 (IOW 1.6.0.38)
on Firefox 11.0.0.4454 and NOT disabled!

war59312, on 14 January 2013 - 01:12 PM, said:

So guess they are NOT patching java 6 atm.

Michael Horowitz (of"Defensive Computing") said:

UPDATE: On Jan. 13, 2013 Oracle released Java 7 Update 11 to fix the latest security flaw. Java 6 was not updated as the latest problem was limited to Java 7.

Source:This post at "Defensive Computing"

[Nomen]

schwups, on 12 January 2013 - 10:15 AM, said:

Installing Kext is a little off topic. But yes, GetSystemWow64DirectoryA=z2e120 must added to the .ini file.

Ok, I did all that, ran the MSI, and version 6 update 38 appeared to install without errors. Restarted. Java is missing from control panel. Found javacpl.cpl in CAB file. Ran it, turned off "Next generation plugin" setting. Restarted.

Using FF 2.0.0.20, went to javatester.org/version, and got these errors:

"The new java plug-in requires a recent version of the firefox browser (firefox 3 or later)"

Click Ok, then get this error:

"The plug-in performed an illegal operation. You are strongly advised to restart firefox."

JRE 6 update 30 previously was working fine on FF 2.0.0.20. Any ideas to get this new update 38 working?

Edit: Ok, I forgot to rename the "plugin" directory. It works fine now.

This post has been edited by Nomen: 16 January 2013 - 09:49 PM

[egrabrych]

JRE Version 6 Update 39: http://java.com/en/d...d/manual_v6.jsp

[CharlotteTheHarlot]

egrabrych, on 02 February 2013 - 01:55 PM, said:

JRE Version 6 Update 39: http://java.com/en/d...d/manual_v6.jsp

Thanks for the link.

Has anyone using 32-bit Windows been able to download the 64-bit offline installers? They are using browser sniffing and even the "manual" download for JRE 6 or 7 64-bit installs are blocked. Arrrggh!

[submix8c]

??? I got mine via FF - both of them (JRE6U39).