Sun Java JRE Vulnerabilities [Archive] - FreeConservatives


Rhino
02-08-2006, 07:24 AM
Secunia Advisory: SA18760
Release Date: 2006-02-08

Critical: Highly critical
Impact: System access

Where: From remote

Solution Status: Vendor Patch


Software: Sun Java JDK 1.5.x
Sun Java JRE 1.3.x
Sun Java JRE 1.4.x
Sun Java JRE 1.5.x / 5.x
Sun Java SDK 1.3.x
Sun Java SDK 1.4.x



Description:
Seven vulnerabilities have been reported in Sun Java JRE (Java Runtime Environment), which potentially can be exploited by malicious people to compromise a user's system.

The vulnerabilities are caused due to various unspecified errors in the "reflection" APIs. This may be exploited by a malicious, untrusted applet to read and write local files or execute local applications.

The following releases are affected by one or more of the seven vulnerabilities on Windows, Solaris, and Linux platforms:
* JDK and JRE 5.0 Update 5 and prior
* SDK and JRE 1.4.2_09 and prior
* SDK and JRE 1.3.1_16 and prior

http://secunia.com/advisories/18760/

DoctorDoom
02-08-2006, 09:25 AM
The latest version for Windows is jre-1_5_0_06-windows-i586-p.exe, available here (http://www.java.com/en/download/manual.jsp). For dial-up users, it's 16,779,392 bytes, so plug in a movie.

Rhino
02-08-2006, 09:44 AM
That link is only if you have JDK or JRE version 5. It's update 6 to version 5. If you have JRE 1.3 or 1.4, go here (http://java.sun.com/j2se/1.4.2/download.html). This version is 15.37 MB for the full install. You can install it online for a smaller file size download of 1.35 MB, but many of the other files will still be accessed via the internet, so it will still take quite some time to install.

Realistically though, they're both probably full installs, so it may not really matter. However, Sun recommends you install the correct update based on your currently installed version.

To determine which version you have, open a command prompt. Click Start-Run, type in "cmd" (without the quotes) and click OK. A DOS type window will open. At the prompt, type in "java -fullversion" (again without the quotes, but with the space after "java") and press Enter. It should show your version, such as java full version "1.5.0_02-b09".

Rhino
02-08-2006, 09:58 AM
I wasn't complete in what I said. The version 5 link above for the JDK (which you probably don't have) is 59.8 MB. OUCH!!!

You'd likely only need the JRE anyway, 16 MB as Doc said (assuming you have version 5 now).

DoctorDoom
02-08-2006, 03:13 PM
I DLd the latest version and it installed flawlessly (although I went from 1_5_0_02 to 1_5_0_06, so it wasn't a big change). I did change from 1_4_2_? last year, and had no problem with the upgrade.

The JDK (Java Developer Kit) is definitely overkill for the average user. The JRE (Java Runtime Environment) is all that Jane and John Computeruser will need.

Rhino
02-08-2006, 03:16 PM
Yeah, I suspected it may not matter.

Rhino
02-09-2006, 02:41 PM
Working with these updates at my company, I have discovered two interesting facts.

1. When installing an update or new install, the older versions are not uninstalled. Although Sun "recommends" leaving the old versions on the computer, I have found no valid reason for doing that, and the older versions take up disk space. So, I recommend you go into Control Panel and uninstall the old versions before installing the new ones.

2. The method Sun gives on their web site for checking the installed version, using a DOS command prompt, does not work. It consistently returns the wrong version number in many instances. If you dig deep enough into their support site, you'll discover a page stating that there is a bug in some versions causing this, and they don't know why. However, they have an online version checker that so far seems to work pretty well here. It can be accessed at: http://java.com/en/download/installed.jsp?detect=jre&try=2
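
An added example, not part of the original thread and not Sun's or Secunia's tooling: it checks version strings in the `java -fullversion` format quoted above against the affected releases listed in the advisory, and flags a host if any runtime left installed on it is affected. The function names and the sample strings are constructed for illustration; the strings can come from any inventory source.

```python
import re

# Newest affected (micro, update) per release line, from the advisory text:
# 5.0 Update 5, 1.4.2_09 and 1.3.1_16 "and prior".
# Assumption: "and prior" covers earlier releases of the same 1.x line.
LAST_AFFECTED = {(1, 5): (0, 5), (1, 4): (2, 9), (1, 3): (1, 16)}

# Accepts a bare "1.4.2_09" or the full line: java full version "1.5.0_02-b09"
VERSION_RE = re.compile(r'"?(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-[\w.]+)?"?\s*$')


def parse_version(text):
    """Return (major, minor, micro, update), or None if unparseable."""
    m = VERSION_RE.search(text.strip())
    if not m:
        return None
    return tuple(int(part or 0) for part in m.groups())


def classify(text):
    """Return 'affected', 'not_affected' or 'unknown' per the advisory's list."""
    parsed = parse_version(text)
    if parsed is None or parsed[:2] not in LAST_AFFECTED:
        # No cut-off is given on the page for other release lines: do not guess.
        return "unknown"
    return "affected" if parsed[2:] <= LAST_AFFECTED[parsed[:2]] else "not_affected"


def host_status(version_strings):
    """A host is exposed if ANY runtime left installed on it is affected."""
    results = {v: classify(v) for v in version_strings}
    return "affected" in results.values(), results


# Constructed sample: a machine updated to 5.0 Update 6 with older runtimes
# still installed (build suffixes other than -b09 are made up).
SAMPLE = [
    'java full version "1.5.0_06-b05"',
    'java full version "1.5.0_02-b09"',
    "1.4.2_09",
]

if __name__ == "__main__":
    exposed, detail = host_status(SAMPLE)
    for version, status in detail.items():
        print(f"{status:13} {version}")
    print("host exposed:", exposed)
```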