Vulnerability Development mailing list archives
Re: Java - JRE, SDK Java Web Start
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Wed, 18 Jul 2007 23:19:58 +0400
Dear jfvanmeter () comcast net,

Vulnerability in JRE itself can not be exploited directly. It can only be exploited through some JAVA-enabled application, browser in most cases. In case of e.g. JAVA-based Cisco VoIP software, vulnerability in JRE can only be exploited in case vulnerability is in some function used with remote user-supplied arguments. It's a rare enough case for Java. In this case, I believe, Cisco (or write any different vendor here) should issue an update for its software. It's not necessary for Cisco to update software every time JRE is updated, if vulnerability doesn't affect Cisco product installation.

--Monday, July 16, 2007, 7:18:37 PM, you wrote to vuln-dev () securityfocus com:

jcn> How does everyone feel about java being installed by vendors
jcn> in a proprietary path i.e. program files\mysoftware\bin\jre\1.4.0\
jcn> and never patching it.

jcn> I ran an enterprise scan looking for javaws.exe and found
jcn> it in 175 unique paths. Should they be held accountable for the
jcn> patching of java when they install it?

jcn> I had one vendor who installed java 1.3 and 1.4, and when I
jcn> asked them about it. Their statement was “you don’t have the modules
jcn> that require those versions you can just delete them”

jcn> How does everyone patch Java that is not installed in its default location?

--
~/ZARAZA
http://securityvulns.com/