Java Runtime Environment (JRE) 6 Update 20

PSI is showing my Java as patched/secure in IE, FF, & Opera

Hello,

I was trying to update to the newest/latest (Java 6 Update 20), but received the following "Error 20599 unzipping core files failed".  The workaround also did not worked.  Maybe, I did it wrong.  Any help would be great. 

PSI is showing my Java as patched/secure in IE, FF, & Opera

ky:

Interesting.

I'm still seeing PSI saying that JRE 6.0.200.2 is vulnerable and unpatched in all 3 browsers tonight, even after re-booting/re-scanning.

 A (thorough) system inspection by OSI still detects my JRE 6.0.200.2 as up-to-date, and secure.

My method of updating was to uninstall the JRE update 19 in Add/Remove, then install the update 20 (which is the only JRE listed now in Add/Remove). And the Java verification link confirms I have this latest version, working correctly. Add/Remove lists only this latest version.

Frankly, I was not convinced this latest JRE update patched the latest critical vulnerability when I first posted; I'm still not.

And I remained unconvinced of the need to have JRE at all. Brian Krebs has asked the same question:

"If you don’t have Java, then you probably don’t need it. My personal philosophy is that if I don’t need it, I don’t install it or keep it. Java vulnerabilities increasingly are being targeted in automated exploit kits that are sewn into hacked and malicious sites, so by all means if you don’t have a use for it, I say get rid of it. Eliminating unnecessary programs helps reduce what security wonks call the “attack surface” of a system: You’re basically bricking up potential windows and doors into your computer. At any rate, if it turns out you do in fact need Java for some reason, you can always reinstall it."
- http://krebsonsecurity.com/2010/04/java-patch-plugs-27-security-holes/

Good advice!

Hi control_tps.

There is not really a "workaround" for error 20599. What they are trying to tell you is to be sure you do not have any remains of and old java version installed, and then try again. If you already uninstalled Java6U19 or other old version through Add & Remove, go to Documents and settings/User/Application data/Sun/Java and delete. Also any folder in Program files. Download Java from here to your desktop and try again. You could also try JavaRa to get rid of any old java files in your sys. Be aware that I am not sure if JavaRa can work for W7 64bit.

Good luck.

http://www.theregister.co.uk/2010/04/15/emergency_java_patch/

"Oracle on Thursday released an emergency update [6u20] that eliminates the zero-day threat....

There are unconfirmed reports that the patch doesn't completely eliminate the threat... A researcher who asked not to be named said there may be upgrade problems with the npapi plugin used by Firefox that may leave a stale version behind. Internet Explorer should be safe, however."

Joe,

something weird is definitely going on.

Like you, tonight the PSI is again telling me that my 3 browsers are INsecure, by virtue of Java 6u20.

Additionally, the Secunia advisory appears to have been modified... when I posted earlier , "Solution Status" in the upper part of the SA definitely said "vendor patch" (or words to that effect) .... Now it says "unpatched" .    hmm.

You could also try JavaRa  to get rid of any old java files in your sys. Be aware that I am not sure if JavaRa can work for W7 64bit.

I think in Vista/W7, you may need to right-click JavaRa and select 'Run as Administrator'.

I think in Vista/W7, you may need to right-click JavaRa and select 'Run as Administrator'.

Thank you RD.

As a matter of fact JavaRa works with Vista without UAC. According to its web page.

Regards.

PS: The weirdest thing is happening. When I sign in the Forums, an e-mail with the name of Christopher shows up in the e-mail user box. It should be blank. Who is Christopher? Really weird.

I don't know about others, but I am embarking on a "scorched earth"policy  as far as JRE goes. That means uninstalling all JREs,  related ActiveX controls, browser add-ons, kill-bits (enabled or disbled), plug-ins, registry entries, and whatever else I can find, wherever I can find them. My "grief/benefit" ratio has been exceeded.

Hi Joe.

Does that mean that you are reverting to Microsoft VM? or are you disconnecting MVM too?

Just a thought.

Regards

PS: The weirdest thing is happening. When I sign in the Forums, an e-mail with the name of Christopher shows up in the e-mail user box. It should be blank. Who is Christopher? Really weird.

Hernan:

You are not the only one seeing that "Christopher" sign-in. (Whoever he is).

My log-in cookies are history, and signing on takes forever.

I don't know about others, but I am embarking on a "scorched earth"policy  as far as JRE goes.

That means uninstalling all JREs,  related ActiveX controls, browser add-ons, kill-bits (enabled or disbled), plug-ins, registry entries, and whatever else I can find, wherever I can find them.

My "grief/benefit" ratio has been exceeded.

Hernan:

I have no Microsoft VM.

Based on my several days without Java, I don't need it either.

I'm responding to several posts here:

1) No one should be using MVM - Microsoft's Virtual Machine --- at this point.    If you can even find it anymore, it is ancient, and unsupported.   as best as I can recall, Microsoft and Sun came to a legal understanding years ago, in their dispute between MVM and Java, that Microsoft was "giving up" on MVM, and that Sun would have total rights to Java.   So either use an updated (Oracle/Sun) Java... or no java at all... but don't consider finding or reverting to MVM.

2) Joe, I can't fault you with your decision to excise Java from your system.   As I've noted (here or elsewhere), my recent testing has found that the only webpage that I regularly visit that requires Java is the Secunia Online Scanner.

But I also noted that Java can be used by OpenOffice --- in particular, by its (data)Base module.   I have OpenOffice on my systems, but have not done any testing for Java dependence.  

For the time being, I will be keeping Java on one PC, but removing it from another....

3) I have also experienced the "Christopher" e-mail thingy... twice... and will be reporting it elsewhere, unless someone else has beaten me to it.

4) the Secunia advisory for Java... http://secunia.com/advisories/39260/ as of this morning is now showing that the "flaw" in JRE 6u19 has been patched by the release of JRE 6u20.   I am trying to run the Secunia PSI to see what it's claiming... but it hasn't "connected" yet...   EDIT:   This PSI is again showing Java to be secure in my 3 browsers...

EDIT:   I have confirmed that OpenOffice's (data)BASE module... and it's "wizards" (i believe in any module)... will  not  run without Java.   On the other hand, my primary usage of OO is for its CALC (spreadsheet) or occasionally WRITER (word processor) modules, which seem to run (at least in part) without java.

RD,

having tried that on one of my PC's

a) in FF, under tools/add-ons/plugins, i was left with the java development toolkit enabled.

b) winpatrol shows me that the IE activeX control for development toolkit was still enabled.

I don't know about others, but I am embarking on a "scorched earth"policy  as far as JRE goes. That means uninstalling all JREs,  related ActiveX controls, browser add-ons, kill-bits (enabled or disbled), plug-ins, registry entries, and whatever else I can find, wherever I can find them. My "grief/benefit" ratio has been exceeded.

Joe,

After uninstalling your Java, were you still left with the Java Deployment Toolkit ActiveX/Plugin entries in your browsers (IE,FF) ?