Re: Java - JRE, SDK Java Web Start



Dear jfvanmeter@xxxxxxxxxxx,

Vulnerability in JRE itself can not be exploited directly. It can only
be exploited through some JAVA-enabled application, browser in most
cases. In case of e.g. JAVA-based Cisco VoIP software, vulnerability in
JRE can only be exploited in case vulnerability is in in some function
used with remote user-supplied arguments. It's rare enough case for
Java. In this case, I believe, Cisco (or write any different vendor
here) should issue an update for it's software. It's not necessary for
Cisco to update software every time JRE is updated, if vulnerability
doesn't affect Cisco product installation.

--Monday, July 16, 2007, 7:18:37 PM, you wrote to vuln-dev@xxxxxxxxxxxxxxxxx:

jcn> How does everyone feel about java being installed by vendors
jcn> in a propriety path i.e. program files\mysoftware\bin\jre\1.4.0\
jcn> and never patching it.

jcn> I ran an enterprise scan to looking for javaws.exe and found
jcn> it in 175 unique paths. Should they be held accountable for the
jcn> patching of java when they install it?

jcn> I had one vendor who installed java 1.3 and 1.4, and when I
jcn> ask them about it. There statement was “you don’t have the modules
jcn> that require those versions you can just delete them”

jcn> How does everyone patch Java that is not installed in its default location?


--
~/ZARAZA http://securityvulns.com/