Re: Java - JRE, SDK Java Web Start

[3APA3A <3APA3A () SECURITY NNOV RU>]

Dear jfvanmeter () comcast net,

 Vulnerability  in JRE itself can not be exploited directly. It can only
 be  exploited  through  some  JAVA-enabled application, browser in most
 cases. In case of e.g. JAVA-based Cisco VoIP software, vulnerability in
 JRE  can only be exploited in case vulnerability is in in some function
 used  with  remote  user-supplied  arguments. It's rare enough case for
 Java.  In  this  case,  I believe, Cisco (or write any different vendor
 here)  should issue an update for it's software. It's not necessary for
 Cisco  to  update  software every time JRE is updated, if vulnerability
 doesn't affect Cisco product installation.

--Monday, July 16, 2007, 7:18:37 PM, you wrote to vuln-dev () securityfocus com:

jcn> How does everyone feel about java being installed by vendors
jcn> in a propriety path i.e. program files\mysoftware\bin\jre\1.4.0\
jcn> and never patching it. 

jcn> I ran an enterprise scan to looking for javaws.exe and found
jcn> it in 175 unique paths. Should they be held accountable for the
jcn> patching of java when they install it?

jcn> I had one vendor who installed java 1.3 and 1.4, and when I
jcn> ask them about it. There statement was “you don’t have the modules
jcn> that require those versions you can just delete them”

jcn> How does everyone patch Java that is not installed in its default location?


-- 
~/ZARAZA http://securityvulns.com/