From: 3APA3A (3APA3ASECURITY.NNOV.RU)
Date: Wed Jul 18 2007 - 14:19:58 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Dear jfvanmetercomcast.net,

 Vulnerability in JRE itself can not be exploited directly. It can only
 be exploited through some JAVA-enabled application, browser in most
 cases. In case of e.g. JAVA-based Cisco VoIP software, vulnerability in
 JRE can only be exploited in case vulnerability is in in some function
 used with remote user-supplied arguments. It's rare enough case for
 Java. In this case, I believe, Cisco (or write any different vendor
 here) should issue an update for it's software. It's not necessary for
 Cisco to update software every time JRE is updated, if vulnerability
 doesn't affect Cisco product installation.

--Monday, July 16, 2007, 7:18:37 PM, you wrote to vuln-devsecurityfocus.com:

jcn> How does everyone feel about java being installed by vendors
jcn> in a propriety path i.e. program files\mysoftware\bin\jre\1.4.0\
jcn> and never patching it.

jcn> I ran an enterprise scan to looking for javaws.exe and found
jcn> it in 175 unique paths. Should they be held accountable for the
jcn> patching of java when they install it?

jcn> I had one vendor who installed java 1.3 and 1.4, and when I
jcn> ask them about it. There statement was “you don’t have the modules
jcn> that require those versions you can just delete them”

jcn> How does everyone patch Java that is not installed in its default location?

--
~/ZARAZA http://securityvulns.com/

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]