Vuln Dev
Java - JRE, SDK Java Web Start Jul 16 2007 03:18PM
jfvanmeter comcast net (3 replies)
Re: Java - JRE, SDK Java Web Start Jul 18 2007 07:19PM
Dear jfvanmeter (at) comcast (dot) net,

A vulnerability in the JRE itself cannot be exploited directly. It can only
be exploited through some Java-enabled application, a browser in most
cases. In the case of e.g. Java-based Cisco VoIP software, a vulnerability in
the JRE can only be exploited if the vulnerability is in some function
used with remote user-supplied arguments. It's a rare enough case for
Java. In this case, I believe, Cisco (or write any different vendor
here) should issue an update for its software. It's not necessary for
Cisco to update software every time the JRE is updated, if the vulnerability
doesn't affect the Cisco product installation.

--Monday, July 16, 2007, 7:18:37 PM, you wrote to vuln-dev (at) securityfocus (dot) com:

jcn> How does everyone feel about java being installed by vendors
jcn> in a proprietary path i.e. program files\mysoftware\bin\jre\1.4.0
jcn> and never patching it.

jcn> I ran an enterprise scan looking for javaws.exe and found
jcn> it in 175 unique paths. Should they be held accountable for the
jcn> patching of java when they install it?

jcn> I had one vendor who installed java 1.3 and 1.4, and when I
jcn> asked them about it, their statement was "you don't have the modules
jcn> that require those versions you can just delete them"

jcn> How does everyone patch Java that is not installed in its default location?


Re: Java - JRE, SDK Java Web Start Jul 17 2007 06:56PM
Blue Boar (BlueBoar thievco com)
Re: Java - JRE, SDK Java Web Start Jul 17 2007 05:57PM
Kish Pent (kish_pent yahoo com)
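
An inventory pass of the kind the original poster describes (locating javaws.exe outside the default install location), as an added example that is not part of the thread. The default root, the two directory layouts, the version-in-path heuristic and the sample tree are assumptions made for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumptions: default root is "Program Files\Java"; versions show up in paths as 1.4.0 / 1.5.0_11.
DEFAULT_ROOT = re.compile(r"[\\/]program files(?: \(x86\))?[\\/]java(?:[\\/]|$)", re.I)
VERSION_IN_PATH = re.compile(r"\d+\.\d+\.\d+(?:_\d+)?")

def release_version(jre_home):
    """Return JAVA_VERSION from a 'release' file, if this runtime ships one."""
    try:
        text = Path(jre_home, "release").read_text(errors="replace")
    except OSError:
        return None
    m = re.search(r'^\s*JAVA_VERSION\s*=\s*"?([^"\s]+)', text, re.M)
    return m.group(1) if m else None

def inventory_javaws(scan_root):
    """List every runtime directory under scan_root that carries javaws.exe."""
    findings = []
    for dirpath, _dirs, files in os.walk(scan_root):
        if not any(name.lower() == "javaws.exe" for name in files):
            continue
        # Assumed layouts: <home>/bin/javaws.exe or <home>/javaws/javaws.exe.
        nested = os.path.basename(dirpath).lower() in ("bin", "javaws")
        jre_home = os.path.dirname(dirpath) if nested else dirpath
        # Old runtimes have no 'release' file: fall back to the path heuristic.
        hits = VERSION_IN_PATH.findall(os.path.relpath(jre_home, scan_root))
        version = release_version(jre_home) or (hits[-1] if hits else "unknown")
        findings.append({"jre_home": jre_home, "version": version,
                         "vendor_bundled": DEFAULT_ROOT.search(jre_home) is None})
    return sorted(findings, key=lambda f: f["jre_home"])

def build_sample_tree(root):
    """Constructed sample layout for the demo; not real scan data."""
    layout = {"Program Files/Java/jre1.5.0_11": "",
              "Program Files/mysoftware/bin/jre/1.4.0": "",
              "Program Files/othervendor/runtime": 'JAVA_VERSION="1.6.0_02"\n'}
    for rel, release in layout.items():
        home = Path(root, rel)
        (home / "bin").mkdir(parents=True)
        (home / "bin" / "JavaWS.exe").touch()
        if release:
            (home / "release").write_text(release)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(*inventory_javaws(tmp), sep="\n")
```

Entries with `vendor_bundled` set are the copies a central Java update would not reach, so each one maps to a vendor that has to ship the fix or confirm the runtime can be removed.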


Copyright 2010, SecurityFocus