Java install security issues?

Similar Messages

• Java IDE Security Issues

  I'm evaluating Java IDE's. My boss wants me to evaluate IDE security issues. I can't think of any issues, or how an IDE can have anything to do with security, but didn't want to sweep it under the rug without asking all of you security experts.
  Are there any security concerns when selecting a Java IDE?

  Yeah, you confirmed what I already knew I suppose.
  Unfortunately, I know nothing if this organization, as
  I'm only consulting. The management here INSISTS that
  security be addressed, but I think it's out of scope
  for Java IDE selection. Thanks!In that context, things like "supports HTTPS and ssh access for remote development" may be exactly what they're looking for. It lets managers say "Yes we considered security in making this purchase, and yes the developers of this tool take security seriously." Doesn't mean that security is ever going to impact the actual use of the product.
  Remember that a portion of any management decision goes to insuring you can show a good-faith effort to avoid problems, when/if they happen down the road and someone's looking for a fall guy...
  Good luck!
  Grant

• What should I do to limit my exposure to Java 7 security issue?

  I was just reading about the new malware exploiting Java 7 in Windows, Unix systems? SHould I be concerned about this malware in OS X?

  You could always revert to Java 6. Details in
  Java for OS X 2012-006: How to re-enable the Apple-provided Java SE 6 applet plug-in and Web Start functionality.

• HT1338 There is a lot of talk about the Java security issues and the ability to download a patch fix, do i need to do this or will software update pick this up for me?

  There is a lot of talk about the Java security issues and the ability to download an apple patch fix, do i need to do this or will software update pick this up for me?

  Thanks for that, how do I establish if I have Java installed as on Safari preferences it indicates the following
  Web content - Enable Java
                      - Enable JavaScript

• Script issue,Java install from script, push out to servers.

  this is a non standard install for Java that has to be installed from a script.  basically this script will run against a given amount of servers, stop the required services ( pertains to the application that requires Java on the server), uninstall
  java, install java, configure java with correct parameters and security permissions then lastly output a log file to the server that is running the script (folder) of each server .  each server will have thier own text file.   so two issues first
  java uninstalls but does not install due to a permissions error, and the other  issue that is occuring is there should be a log file for each server the
  log file will have the server name as the file namey, the script will look at the server list and run the code on that server so basically the script
  will run at the same time on all the servers, and create log file for each server and put in the folder i designate.  - this is not occuring based on the Powershell script below. what parameter is missing below. thanks
  $user = Read-Host 'Username:'
  $pass = Read-Host 'Password:'
  $result = "D:\Temp\" + $env:COMPUTERNAME +"_JavaUpdate.log"
  $copyfinal = "\\wsive005pap\d$\BatchFiles\Java_Update\"
  #Stop NCSB and Tomcat Services
  Stop-Service Tomcat7
  Stop-Service "NuanceCSB"
  #Uninstall Java
  Get-WmiObject -Class win32_product | ? {$_.Vendor -like "*Oracle*"} | % {msiexec /x "$($_.IdentifyingNumber)" /qn | Out-Null}
  Start-Sleep -s 120
  "Java 7 Uninstalled" | Out-File $result -append
  #Install Java
  $JRE = "D:\Installations\NVP 4.0 Install\jre-7u76-windows-i586.exe"
  & $JRE /s INSTALLDIR=D:\Apps\Progra~1\Java\jre7\ /l D:\Temp\javainstall.log | Out-Null
  Start-Sleep -s 240
  "Java 7 Installed" | Out-File $result -append
  #Configure Java
  $pattern = "security.provider.10=sun.security.mscapi.SunMSCAPI"
  $javasec = "D:\APPS\Program Files (x86)\Java\jre7\lib\security\java.security"
  $viecore = "security.provider.11=cryptix.provider.Cryptix"
  (Get-Content $javasec) |
      Foreach-Object{
          if($_ -match $pattern)
              $_ 
              $viecore
          } else {
              $_ 
       } | Set-Content $javasec
  "Java Configured" | Out-File $result -append
  #Start NCSB and Tomcat Services
  Start-Service Tomcat7
  Start-Service "NuanceCSB"
  #Updating log files and push to the central server
  $javaver = gci "D:\APPS\Program Files (x86)\Java\jre7\bin\java.exe"
  $tomcatver = "D:\APPS\Program Files (x86)\Apache Software Foundation\Tomcat 7.0_Tomcat7\lib\catalina.jar"
  "*****Check Java and Tomcat Version*****" | Out-File $result -append
  & $javaver -cp $tomcatver org.apache.catalina.util.ServerInfo | Out-File $result -append
  "*****Check Services Started*****" | Out-File $result -append
  Get-Service | Where-Object {$_.Name -eq "NuanceCSB"} | Out-File $result -append
  Get-Service | Where-Object {$_.Name -eq "Tomcat7"} | Out-File $result -append
  "*****Check Java Security File*****" | Out-File $result -append
  Select-String -Path $javasec -Pattern "cryptix" | Out-File $result -append
  "*****Print log file for CTI connections*****" | Out-File $result -append
  Get-Content "D:\APPS\NuanceCSB\logs\stdout.log" | Out-File $result -append
  "*****Print log file for connector*****" | Out-File $result -append
  Get-Content "D:\APPS\NuanceCSB\logs\CSB.log" | Out-File $result -append
  NET USE \\wsive005pap\d$ $pass /user:CORP\$user
  Copy-Item $result $copyfinal
  NET USE \\wsive005pap\d$ /delete

  Hi Gow,
  I would like to know how did you deploy the .ps1 script on remote computers like using task scheduler or something else, please make sure the user account you used to run this script on every server has enough permission.
  According to your script, it will produce a log file under "D:\Temp\" and this file will be copied to the destination
  \\wsive005pap\d$\BatchFiles\Java_Update\, please check the username and the password, and also make sure the folder exist before copy, then test the script below separately:
  $user = Read-Host 'Username:'
  $pass = Read-Host 'Password:'
  $result = "D:\Temp\" + $env:COMPUTERNAME +"_JavaUpdate.log"
  $copyfinal = "\\wsive005pap\d$\BatchFiles\Java_Update\"
  Get-Content "D:\APPS\NuanceCSB\logs\stdout.log" | Out-File $result -append
  Get-Content "D:\APPS\NuanceCSB\logs\CSB.log" | Out-File $result -append
  NET USE \\wsive005pap\d$ $pass /user:CORP\$user
  get-item \\wsive005pap\d$\BatchFiles\Java_Update\
  Copy-Item $result $copyfinal
  NET USE \\wsive005pap\d$ /delete
  If there is anything else regarding this issue, please feel free to post back.
  Best Regards,
  Anna Wang
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• HT5642 I need to update iOS 6.1.3 on my iPad2 to 6.1.6, due to security issue. Why is no update available? I do NOT want to install iOS 7, due to memory limitations.

  I need to update iOS 6.1.3 on my iPad2 to 6.1.6, due to security issue. Why is no update available? I do NOT want to install iOS 7, due to memory limitations.

  Any upgrade will be to the most recent, compatible version, in this case 7.0.6.

• I heard there was a security breach in Java installed in Macs and that there is a patch to fix it.  But that's all I know.  Is there more info available?

  I heard there was a security breach in Java installed in Macs and that there is a patch to fix it, but that's all I know.  Does anyone know how to fix it?

  There isn't a patch for a computer running Leopard .
  Leopard and earlier users see recommendations at: https://discussions.apple.com/thread/3872491

• Why is Java Deployment Toolkit (click-to-play) blocked, also the referenced bug is closed and there are no security issues known in Version 7 U51?

  I think it is important to block unsecure addons. But if you do so there should be an open bug assigened. The referenced bug for this add-on is allready resolved so I do not know why this plugin is disabled. https://bugzilla.mozilla.org/show_bug.cgi?id=636633
  I have the problem that I want to use Secure_Auth that is using the Java Deployment Kit in such a nasty way (via javascript) that firefox doesn't see that the deployment kit should be started. Therefore I will not be asked to allow this plugin always for this web site. Since there is no documentation available how to do this configuration in a config file I am stuck at the moment.
  I'm a liitle bit suprised that blocking all versions (even secure versions) is a way to get a good user experience.
  Regards
  Martin

  ''MG_DAU wrote:''
  The referenced bug for this add-on is allready resolved so I do not know why this plugin is disabled. https://bugzilla.mozilla.org/show_bug.cgi?id=636633
  That's a bug report in the Blocklisting component, meaning it's a request to add an add-on to the blocklist. The fact that it's marked as fixed means the add-on has been added to the blocklist.
  * https://addons.mozilla.org/firefox/blocked/p428
  * [[Add-ons that cause stability or security issues are put on a blocklist]]
  Given that there's no way to disable Click-to-Play for this plug-in (the only options are Ask to Activate or Never Activate), if Firefox doesn't trigger a Click-to-Play prompt, I see no way to use it apart from disabling the entire blocklist. This carries a considerable security risk, as no plug-ins will be blocked or set to Click-to-Play, including known malware. If you're sure you want to go through with it, set ''extensions.blocklist.enabled'' to '''false''' in [http://kb.mozillazine.org/About:config about:config].

• Security issue with a website and java

  I am having trouble getting Java to work on a website, the message tells me that I have a security issue  but I don't know how to fix it??

  The site may be sending Firefox for Android a page that is not correctly formed.
  We have a feature in Firefox 39 which will allow the request desktop site menu item to show the full desktop site.

• What to do about the recent Java security issue?

  I am reading about the Java security issue. Do I need to do something with Safari?

  Open Safari preferences, click on the Security icon in the toolbar. Uncheck the Enable Java option.

• How do i fix the message to update java deployment kit when I already have the lastest version of java installed?

  I keep getting a message that "An important update is available for Java Deployment Toolkit 7.0.400.43". I click on "Update Now" and I get taken to the Mozilla Plug-in check page. A brief message shows at the top of the page that tells me some plugins are out of date and then disappears. The plugin checks show all plugins are up to date. I have uninstalled/reinstalled Java more than once and run a registry cleaner, but once I install Java the same messages appear. I am on a Windows XP machine and I am running an older version of Firefox (9.0) because addons for some of my other software don't work with newer versions of firefox. Can I get rid of the message or do I have to live with it because I use an older version of firefox?

  Please update to Firefox 23.0.1 IMMEDIATELY. Old versions are extremely vulnerable to security issues, and all your add-ons should work if they work in Firefox 10 anyway.

• Other web browsers and security issues?

  Since even an Apple KB article recognizes the need for an additional browser and because of Safari's limitations and problems, I'm going to try switching to another browser (most likely OmniWeb and am looking at Firefox, Shira and Opera also though perhaps not as a primary browser) but I'm wondering about their ability to keep on top of any security issues for Mac? (and how do you keep up with security updates?)
  Though perhaps unfounded, at least with Safari, I feel that Apple has a vested interest in keeping on top of security issues (for Safari and Java) and I can readily find out about security updates via software updater.

  Most of the other Mac browsers have their adherents. They are all good browsers (I have 7 browsers installed to test various web sites and for change-of-pace usage). They all have their strengths and they all have their weaknesses. Only iCab and OmniWeb are still shareware, the rest are now or always have been free (Opera just recently stopped charging for its browser).
  I have settled on Firefox as my alternate browser and I use it maybe just a tad more than Safari, but I do switch back and forth between them. The Mozilla foundation is good at getting security updates out when needed. Firefox has a button on the toolbar to check for updates. One nice thing about Firefox is that you can install free extensions which enhance the features available. I have one to supplement tab features, one to control iTunes from Firefox's status bar, one to help me format messages in discussion forums, and one to block ads.
  I prefer OmniWeb for doing intensive research because of the way it handles tabs in its sidebar, showing me which ones I've looked at and which ones I haven't, and giving me great flexibility in rearranging tabs, which are viewable as thumbnails or text names (I have had up to a hundred or so tabs open in OmniWeb.
  Shiira is good and its fast. I have not checked for updates for a while, but the last time I updated there was still a problem with Shiira kicking you out of logged-in sites when you moved from page to page with in web site. This may have been fixed by now - they were aware of the problem back then.
  Camino is a native OS X cousin of Firefox and is also fast, but is not updated as often.
  I would stay away from Mozilla or Netscape unless you need all the additional modules they have and which take up hard disk space. Firefox and Camino represent the browser module of Mozilla/Netscape. Mozilla and Netscape have modules for email, irc chat, newsgroups, and for creating and editing web pages. Netscape is a branded and slightly customized version of Mozilla and is not updated as often.
  Opera is a nice browser and some use it as their main browser, but I have not seen anything that really stands out for me, but that does not mean it is not worth a look.
  I would stay away from abandonware Internet Explorer.
  As for checking for updates, several of them, as with many Mac programs, now have a menu item that allows you to check for updates. Most of them also announce their updates on both VersionTracker and MacUpdate.
  Happy Exploring.

• Java card confusing Issues!!!!!!! java card architecture, advantage!!!!!

  QUESTION -1
  As I know about architecture of any application is -
                  //normal java software                          java card                                  java card
                    //  1                                               2                                      3
  1-            application program                        host application                           host application
  2-                     JVM                                   Applets                                       Applets
  3-              operating system                JCRE(which contain all classes, JVM ....)                 JCRE(act as a O.S too)
  4                    hardware                              Operating system                                 H/W
  5                                                                        hardwareWhat do u think- case 2 is right? or 3 is!!!!!!!!!!!
  I think - case 3 is right!!!!
  As i study from several sources , JCRE is complete package - it behaves as a operation system and use the functionality of component it contain. I also think if i will purchase a java card from any vendor , it would have JCRE inside it (means everthing inside it,), i only need to develop the applet according to my requirement and install it by on card installer program
  QUESTION 2- what is the advantage of java card.?
  // I think.
  as i read out , i got the line that it is platform independent and support multiple application. applicaton point of
  view , I am agree but how it is platfrom independent. if we use java card for smart card development, then
  i will purchase Java card from differnt vendor , all will provide me card with supported jcre inside it, so why
  this is advantage here?
  // in case of window based application , it really make sense  because if i will make any window application with java
  // i can run it in windows , linux , unix and most of os flavours, here i can see the beauty of java language.
  Clear me this and add some other java card advantages, which make java card goodquestion 3-
  Now I am capaple to make simple applets, so I want to check the entire java card process atleast once before
  going in deep of something, I am thinking to implement prepaid card concept , i made it applet for it ,it will
  contain a page with 2 text box ( 1- for recharge 2- for money deduction ) and two button , with button click i
  want to select the applet and want to pass the apdu.
  ( a) how i can make host window application ? (i think awt will work for me? , *
  i never make any java window application yet) *
  ( b) still i dont have any java card , i want to make it by using simulator, is it possible?
    (c) in this scenario what framework i need to study Ex. Import javacard.framework.* for making
  applet or from where i need to start.Regards:
  rohit pathak
  Edited by: rohit pathak on Feb 9, 2012 10:10 PM

  Hi,
  QUESTION -1
  As I know about architecture of any application is -
  //normal java software                          java card                                  java card
  //  1                                               2                                      3
  1-            application program                        host application                           host application
  2-                     JVM                                   Applets                                       Applets
  3-              operating system                JCRE(which contain all classes, JVM ....)                 JCRE(act as a O.S too)
  4                    hardware                              Operating system                                 H/W
  5                                                                        hardwareWhat do u think- case 2 is right? or 3 is!!!!!!!!!!! If you are using Java Card then JCRE+JVM = OS and if you put this on ein package 3 then 3 is correct according to me.
  As i study from several sources , JCRE is complete package - it behaves as a operation system and use the functionality of component it contain. I also think if i will purchase a java card from any vendor , it would have JCRE inside it (means everthing inside it,), i only need to develop the applet according to my requirement and install it by on card installer program Actually it depends. There can be following models in this regards:
  1. Buy a empty smart card, Install your own OS and then write your applets for it.
  2. As you said, Buy a card with preloaded OS and then write applets for it.
  QUESTION 2- what is the advantage of java card.?
  * Interoperable: Applets developed with Java Card technology will run on any Java Card technology-enabled smart card, independently of the card vendor and underlying hardware.
  * Secure: Java Card technology relies on the inherent security of the Java programming language to provide a secure execution environment. Designed through an open process, the platform's proven industry deployments and security evaluations ensure that card issuers benefit from the most capable and secure technology available today.
  * Multi-Application-Capable: Java Card technology enables multiple applications to co-exist securely on a single smart card.
  * Dynamic: New applications can be installed securely after a card has been issued, enabling card issuers to respond to their customer's changing needs dynamically.
  * Compatible with Existing Standards: The Java Card API is compatible with international standards for smart cards such as ISO7816, or EMV. Major industry-specific standards such as Global Platform and ETSI refer to it.
  * Developers creating Java Card applications enjoy all the advantages of working in the Java programming language:
  Object-oriented programming yields greater code modularity and reusability, leading to higher programmer productivity.
  Protection features characteristic of the Java programming language apply to Java Card applets, enforcing strong typing and protection attributes.
  Powerful off-the-shelf development tools are readily available.
  source: http://java.sun.com/javacard/overview.jsp
  And also, in case of SIM card if you are using java card then RAM is possible and native cards don't have this ability.
  question 3
  Now I am capaple to make simple applets, so I want to check the entire java card process atleast once before
  going in deep of something, I am thinking to implement prepaid card concept , i made it applet for it ,it will
  contain a page with 2 text box ( 1- for recharge 2- for money deduction ) and two button , with button click i
  want to select the applet and want to pass the apdu.
  ( a) how i can make host window application ? (i think awt will work for me? , *You can use swing for this to make interface and use smartcardIO http://docs.oracle.com/javase/6/docs/jre/api/security/smartcardio/spec/javax/smartcardio/package-summary.html for sending APDUs.
  i never make any java window application yet) * It is easy you can look here and start: http://www.roseindia.net/java/example/java/swing/
  ( b) still i dont have any java card , i want to make it by using simulator, is it possible?Actually, smartcardIO will only interact with actuall card and for simulator you will have to use console for sending APDUs.
  (c) in this scenario what framework i need to study Ex. Import javacard.framework.* for making
  applet or from where i need to start.For your current case it is enough and for host app you should study smartcardio as i mentioned above.
  Hope it helps.
  Regards
  Umer

• Spoof dialog Boxes security issue

  Hi all
  Any one out there aware of this security issue with Safari
  "Secunia Research has discovered a vulnerability in various browser's, which can be exploited by malicious web sites to spoof dialog boxes.
  The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open e.g. a prompt dialog box, which appears to be from a trusted site."
  I found the above by accident as i was looking up something else.
  If you go to Secunia site and try the test you may find that you are also vulnerable.
  http://secunia.com/multiple_browser'sdialog_origin_vulnerabilitytest/
  The only way i found to stop the spoof dialog box was to turn off enable plug-ins in preferences. However i don't have any plug-ins in my Safari plug-in folder.
  I'am running safari 1.3(v312) however it would appear that it also effects version 2.2 of Safari too. Also i have installed the latest update but to no effect. Other browser effect are:-
  _ Internet Explorer for Mac
  - Internet Explorer
  - Opera
  - iCab
  - Mozilla / FireFox / Camino
  My question is, is this vulnerability true, or just a setup
  Any comments welcome.
  ~Tim

  Hi,
  The issue is resolved, but I don't know what caused this error.
  I uninstalled the java components and BO then I deleted the BO folder under program files, then I deleted all BO entries in the registry.
  Finally I reinstalled everything except the service pack and that finally worked. I don't know the cause of this error.
  Regards,
  Marcela

• Security issues with Lion

  Anyone know what the real deal is with OS X Lion security.  I've heard lots of things about how the recent Blackhat conference in Las Vegas said that Apple's security was not as good as Windows 7's.  Anyone know anything about this?  Thanks in advance for any feedback or input.

  JB2909 wrote:
  I've downloaded Java for OS X Lion 2012-001 to fix the security issues with Java but when I open it to install it gives me an error message saying don't open it as it has a disk image issue (?) and may make my computer less secure or cause other issues? I don't understand why it would cause security risks when it is supposed to be a patch to fix them?!  Is it safe to go ahead and open/install?
  Could that be why Apple has released Java for OS X Lion 2012-002 here: http://support.apple.com/kb/DL1515 ?