Java Web Start vulnerability question


Hello,

I am very new to the Java world and am trying to determine a couple of things I hope you might help me with.

We were recently advised of a security issue with Java Web Start (http://sunsolve.sun.com/search/document.do?assetkey=1-26-102957-1). I ran a query for installations of javaws.exe, which produced a wide range of results. Our default here is JRE 6 but there are certain applications which install older versions of the javaws.exe file for various functions (that is, most all systems have JRE 6 but some have older versions of javaws.exe as well).

My two questions are:

1. Does the presence of older javaws.exe files on a system that is up-to-date with JRE 6 (which includes its own version of javaws.exe) mean a system is vulnerable? My thought is that if the javaws file is present it can be used to execute untrusted apps.

2. Can those older individual javaws.exe files be updated in some fashion (without installing the full older JRE) to prevent exploitation? Granted, we'd need to contact the vendors of the apps which installed those older versions to ensure no product functionality problems occur.

I hope I haven't confused the issues/terms too much - just trying to get a handle on what the Java Web Start does and how we can mitigate the vulnerability with those older file versions.

Thanks very much for your help!

cheers
/td

> 1. Does the presence of older javaws.exe files on a system that is up-to-date with JRE 6 (which includes its own version of javaws.exe) mean a system is vulnerable? My thought is that if the javaws file is present it can be used to execute untrusted apps.

Only if the older javaws.exe is used to run said untrusted apps. Generally, once you've installed the newer version, that is the one registered to be used when launching a webstart app. However, the question is, is the flaw in the JRE or javaws.exe itself? Cuz in WebStart apps, I believe you can say the app should run in version x.y.z. But I'm not sure of the practical effect of this.

> 2. Can those older individual javaws.exe files be updated in some fashion (without installing the full older JRE) to prevent exploitation? Granted, we'd need to contact the vendors of the apps which installed those older versions to ensure no product functionality problems occur.

No, you can't update those. But do these apps you mention having their own older JREs use javaws.exe? Cuz most apps that install a JRE with themselves are not running as WebStart apps; they run as regular apps, typically with javaw.exe, which doesn't have any of those security restrictions and can delete whatever files it wants to anyway.

> I hope I haven't confused the issues/terms too much - just trying to get a handle on what the Java Web Start does and how we can mitigate the vulnerability with those older file versions.

With the newer version installed as the default JRE for the system, you should not have a problem.
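The two checks discussed in this thread (which javaws.exe copies exist, and which one is registered to launch Web Start apps) can be combined in one inventory pass. This is an added example, not part of the original posts; the search roots are assumptions, and the handler lookup reads only the machine/user class registration for `.jnlp`.

```powershell
# Added example: list every javaws.exe under common install roots and flag
# the copy registered as the .jnlp handler.
# Assumption: these roots cover where JREs are installed in your environment.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ -and (Test-Path $_) } |
    Select-Object -Unique

function Get-JnlpHandlerPath {
    # Resolve .jnlp -> ProgID -> shell\open\command instead of hardcoding a ProgID.
    $ext = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.jnlp' -ErrorAction SilentlyContinue
    if (-not $ext) { return $null }
    $progId = $ext.'(default)'
    if (-not $progId) { return $null }

    $key = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if (-not $cmd) { return $null }

    # The command is either  "C:\path\javaws.exe" "%1"  or  C:\path\javaws.exe %1
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($cmd.Trim() -split '\s+')[0]
}

$handler = Get-JnlpHandlerPath
Write-Output "Registered .jnlp handler: $handler"

Get-ChildItem -Path $roots -Filter javaws.exe -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Path           = $_.FullName
            FileVersion    = $_.VersionInfo.FileVersion
            ProductVersion = $_.VersionInfo.ProductVersion
            LastWriteTime  = $_.LastWriteTime
            # Case-insensitive full-path match; an 8.3 short path in the
            # registry will not match and needs a manual look.
            IsJnlpHandler  = [bool]($handler -and ($_.FullName -ieq $handler))
        }
    } |
    Sort-Object Path |
    Format-Table -AutoSize
```

Copies that are not the registered handler are only started when something invokes them by path, so the rows with `IsJnlpHandler` set to `False` are the ones to review with the owning application's vendor.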

