• Insecure Java JRE in Adobe CS5

    #469828

    Originally, I had a 100% secure ‘bill of health’ from Secunia. I then installed the full version of Adobe Design Premium CS5 (no prior version of the software existed) on Win7 Pro 32-bit; prior to installing CS5, I already had the latest Java Standard Edition Ver.6 Update 20 (build 1.6.0_20-b02) installed. After updating everything using Adobe Application Manager, I ran Secunia PSI 1.5.0.2 and was notified that the following 4 programs are insecure:
    Sun Java JRE 1.6.x / 6.x 6.0.180.7
    Sun Java JRE 1.6.x / 6.x (Requires uninstall) 6.0.180.7
    Sun Java JRE 1.6.x / 6.x (Requires uninstall) 6.0.160.1
    Sun Java JRE 1.6.x / 6.x (Requires uninstall) 6.0.160.1
    The locations are under Users…, ProgramData\Adobe… and Program Files… (for two separate components of the Adobe suite), whereas the secure Java SE Ver.6 Update 20 resides at Program Files\Mozilla Firefox\extensions…

    So I uninstalled Java (update 20) from Control Panel>Programs and Features>Uninstall Or Change A Program and ran PSI… no change.
    I reinstalled Java (Update 20) twice and ran PSI… no change.
    The problem is that the above 4 JRE installations do not appear independently in Control Panel>Programs and Features>Uninstall Or Change A Program. They are included in the single entry for CS5 with no ability to remove individual Java components. So I know of no way of removing them using Windows.

    I contacted Adobe Support. They told me since this is a 3rd party software issue, I need to contact java.com directly and referred me to online chat support. Adobe said online chat support would be free. However, the page the Adobe support person gave me calls it “fee-for-service” and most problems cost about $75 to fix.

    Java’s support site suggested using Windows Install Cleanup utility from Microsoft. I downloaded the new version that reportedly works with Win7 but the 4 old Java entries do not appear (only the Update 20).

    A Secunia forum suggested a tool (JavaRa) to remove all the old dross except for the version just installed, but it doesn’t seem to be able to remove anything other than previous versions of Java in the same location. Also, there seems to be a question whether it even removes anything from the Registry. Its official site does not claim that it works with Win7.

    So my questions are:
    1) Does anyone out there know how I can update the 4 java.exe files (both now and in the future) to make my computer secure?
    OR
    2) Does anyone know whether simply renaming or deleting the 4 java.exe files will make my computer secure without disabling any CS5 functionality (until Adobe comes up with a fix)?

    • #1230514
      • #1230583

        Thank you Roderunner for the hyperlink you sent, but I mentioned in my original post that the 4 files in question do not appear in the Add and Remove Programs window (Uninstall Or Change A Program in Win7). And I earlier mentioned also that neither do they appear in the Microsoft Windows Installer Cleanup Utility as well. But thanks for your effort anyway.

    • #1230516

      You can simply delete the directories containing the offending Java JRE installations. Most likely they start with a directory named “jre” that has subdirectories such as “bin”, “lib”, etc. with java.exe appearing in the bin directory.

      Based on your location of the Java SE 6u20, I suspect that you installed the Java support within Firefox, and not within Windows as a whole. You might want to do that also. Go to http://java.sun.com and download and install the JRE from there. After installing, add a JAVA_HOME entry to your system properties (Computer | Properties | Advanced System Settings | Environment Variables) with the value being the installation directory (it’s C:\Program Files\Java\jre6 on my system).

      Most likely the above steps should work, but not having Adobe Creative Suite I cannot verify that. Usually, Java applications are started via a BAT file, and that BAT file sets the Java environment. Usually, the BAT file will let you override the built-in environment (which is most likely the JRE directories under Adobe that you deleted) by setting JAVA_HOME to point to a different environment. If the Adobe engineers were reasonably intelligent, that is what they would have done (I would never release any Java products without this capability) and everything will go OK. If that is not the case, you can usually go into the BAT file and modify it to use the JRE in Program Files. One other possibility is that there is an Adobe configuration file that identifies the location of the JRE; in that case you can just edit that file to point to the new location. Fortunately all this stuff is usually in text files and can be edited with any decent text editor (I prefer Notepad++ from http://notepad-plus-plus.org/).

      • #1230691

        Well Peter, first, thank you very much for taking the time to respond. Your explanation was very helpful.

        As you suggested, I had already installed the latest Java from their download site. In my initial post, I accidentally listed the Mozilla Firefox\extensions… as the file location because that was the location of the “Java Console 6.x (extension for Firefox)”. But I did not notice that further down the list Secunia ALSO lists “Sun Java JRE…” at the same path as yours: C:\Program Files\Java\jre6\bin (please note that the java.exe appears on my machine in the bin folder). I also have the latest version of java.exe installed at C:\Windows\System32.

        If I can please trouble you, I still have 3 remaining questions:

        1) You suggested deleting the “jre” directories. Would there be any advantage in simply renaming the java.exe files instead? The reason I ask is that Secunia made a distinction that uninstall is required for some of the files (see secuniascreenshot.jpg).

        2) If deleting IS best, should I also delete another file that Secunia did not identify as insecure but is nonetheless an older version 5 of java.exe (5.0.110.3)? I think it might be part of Acrobat 9 Pro, which is installed from a separate DVD in the CS5 package. I found this older version when it appeared along with the others when I did a search using “java.exe” (quotations included, see screenshot.jpg attachment). The location is D:\Program Files\Adobe\Designer 8.2\jre\bin

        3) When making the JAVA_HOME entry, should I use “C:\Program Files\Java\jre6\bin” or “C:\Program Files\Java\jre6” (see note above)?

    • #1230519

      Thanks so much Roderunner and Peter! I live on the other side of the world and will try your suggestions in the morning when I wake up. I’ll let you know the results in a later post. Thanks again

    • #1230723

      If you’re still having issues, try uninstalling all versions of Java, then install the newest version.
      Do some mild OS cleanup and a fresh boot after the uninstallation and prior to its reinstallation.

      Old and non-secure versions should be uninstalled completely before newer ones are added, otherwise
      Secunia will continue to flag them.

      • #1230855

        Thank you Clint. However, you said “uninstall”. That is my dilemma.

        In my original post you will note that I am unable to uninstall them using Windows. It has been proposed to delete the entire folder where the version 6 java.exes reside. My question is whether or not doing so, without doing anything in the registry, will cause problems when running CS5.

        Also, the version 5 java.exe does not show up as flagged in Secunia. Is there a need to get rid of that too?

    • #1230920

      1) Deleting is sufficient – I suspect that the directions given by Secunia are canned – in other words it has no idea what it is talking about, it just sees the JRE and any time it sees it it posts that message. You obviously cannot uninstall since the JREs in question were installed as part of Adobe CS, so unless you want to uninstall Adobe CS the only option you have is to delete the files. My guess is that the Adobe CS installer simply copied the jre directory from the installation media. Note that it is not necessary to install Java in order to use it – the older versions I have on my desktop I copied from an older system on which I did originally install them. There is a little magic that happens during installation (an entry is made under HKLM\Software\JavaSoft in the registry), but that is easily worked around. Of course, you can just rename the exe files, but that renders the jre useless but leaves the files on disk taking up space.

      2) Yes, go ahead and delete that too.

      3) Use “C:\Program Files\Java\jre6” – the exe file should always be at %JAVA_HOME%\bin\java.exe

      Finally, since I don’t have Adobe CS (it’s too much $$$ for what I need) and cannot verify any of this, you should first hide the jre directory (I suggest zipping it up into a ZIP file and deleting the jre directory) and see if removing the jre directory causes any issues. If it doesn’t, you can then delete the ZIP files. If you run into problems, you can simply unzip the ZIP files to restore the jre directory. And in that case let me know, I have one other idea.

      • #1231009

        Peter,
        May I say… OUTSTANDING!!! Thank you so much. Great idea about zipping the jres in case something goes wrong later. I opened all applications in question and they seemed to work just fine. Secunia is rewarding me with a secure 100% and you now have a very grateful friend. Please keep up the excellent contributions to this wonderful site. Thanks again,
        Brady

      • #1231454

        Peter, in a previous post you mentioned having one more idea. I re-installed everything VERY CAREFULLY but when starting Adobe Flash Professional CS5 I get the warning below (attachment)… Curious that neither Dreamweaver, Flash Catalyst nor Acrobat Pro 9 produce any errors, since those were the ones whose JRE/JVM folders we deleted… any thoughts?

    • #1230926

      Are we talking about accumulated versions of Java within the Adobe CS5 program itself?

      • #1231080

        Are we talking about accumulated versions of Java within the Adobe CS5 program itself?

        Yes.

    • #1231081

      Brady, I’m glad that things are working for you. Hang on to the ZIP files as long as you can – it is hard to tell what the JREs that came with Adobe CS are used for so it could be some time before you stumble upon something that just does not work because the JREs were removed.

      • #1231308

        Thanks Peter, Good advice. I do not now have any lack of disk space. Actually, today I plan to try un/re-installing to test a few things. Because I earlier read a resource that mentioned the problems of activation if the suite has any hardware changes, I decided to skip activation until I was sure my system was ‘up to snuff’. However, during installation it was mentioned that activation may occur automatically. So, I unplugged my Internet connection during install with the result that now I am unable to access online help directly from any of the applications. I also had a message box appear during installation that asked whether I wanted my Sandboxie utility to work with CS5. I can’t remember what I clicked (…I know, really dumb…). I also have none of the suite icons appear after installation. Online help did not help. So, needless to say, I will try to clean up everything and start over. Anyway thanks again for all your help. Your Fix worked great! SINCERELY, Brady

    • #1231488

      I was afraid something like this would happen – as soon as you ran something that required a web server you would run into issues since Java was not there. One possibility is to dig through the CS installation to find where this server is being started and fix it up to use the JRE you installed. But that is a lot of work, especially if you are not sure what to look for. The other possibility is easier: recreate the jre directories that you zipped up and removed. Don’t unzip the zip file; instead copy the c:\Program Files\Java\jre6 directory as, for example, c:\Program Files\Adobe\Adobe Flash Catalyst CS5\JRE. Check that java.exe is at c:\Program Files\Adobe\Adobe Flash Catalyst CS5\JRE\bin\java.exe, that is where the software expects it (within a bin directory under the jre directory). Do this for all the locations listed in the image you posted previously. Then try working with Flash again. The end result is that the “bad” JREs that Secunia complained about will have been replaced by the “good” JRE that you installed yourself. Hopefully, then Secunia, Adobe, and more importantly, you, will be happy.

      • #1231498

        Peter, again, thank you for taking the time to write. If you are online now, I have a quick question before I start: The one java.exe resides at D:\Program Files\Adobe\Adobe Dreamweaver CS5\JVM\bin\java.exe. Obviously, I need to make the path match what Flash will be looking for but might the contents of a JRE folder be different from the contents of a JVM folder?

    • #1231546

      I used only one of the entries from the screen shots you posted earlier, guessing at which one Flash might be using. You should use my instructions as a template, substituting the paths as appropriate. So, yes, since that earlier screen shot had the path D:\Program Files\Adobe\Adobe Dreamweaver CS5\JVM, then the location of java.exe would be d:\Program Files\Adobe\Adobe Dreamweaver CS5\JVM\bin\java.exe. (Just now saw that in your screen shot the Adobe is on D: but I used C: in my example; sorry, that is an oversight on my part.)

      At least, that is my guess. I am hoping that the JVM directory did not contain a JDK, in which case the locations are a little bit different. Tell me, in the ZIP file you created from the JVM directory, what are the top level directories? For a JRE they would be bin and lib, for a JDK they would be bin, lib, jre and possibly a few others.

      • #1231626

        Yes, you seem to be correct about JVM. It does not seem to include JDK.

        I checked all the folders inside bin and lib and only came up with one PNG file that said jdk_header (in the lib folder)

        And Dreamweaver has no errors. Neither does Flash Catalyst. Only Flash Professional (by the way, all three were installed on a separate physical drive D:).

        I reinstalled Flash Pro from the installation disk and updated. Afterward, C:\ProgramData\Adobe\CS5\jre\bin\java.exe changed to version 6.0.180.7 (however, Java’s latest version is 6.0.200.2). I fired up Flash Pro… no errors. When I zipped and deleted the jre folder though, the error returned on opening Flash Pro. So this is the culprit!

        When I pasted the latest C:\Program Files\Java\jre6 folder (CONTENTS) into the CS5 jre folder (since, obviously the folder name is different) everything works fine now when opening Flash Pro. So, it seems that Acrobat 9, Dreamweaver and Flash Catalyst can live (or at least open) without the jre contents OR they are smart enough to follow the JAVA_HOME system properties entry… but Flash Pro is the exception. I will just have to remember to patch it manually when future Java updates are released. That’s live-able. But I sure wish that Adobe Support was more willing to listen to this glitch, so that they can update it themselves.

        Thanks again Peter for all your help!

    • #1232124

      Glad you are up and running. If you have more issues, let me know!

      • #1233920

        Well Peter, when trying to update to Dreamweaver’s version 11.0.2, the update failed. It may have something to do with zipping the JVM folder. I will keep you posted.

      • #1235654

        Yes Peter, FYI in the end Adobe’s updater would not work due to removing the jre folder contents. The only fix was to restore by unzipping the contents and then re-install Dreamweaver from the original DVD, then apply the update; then everything worked. Although I have still been unable to get anything definitive from either Adobe or Sun, from a previous thread at Secunia’s forum, it seems that it is ‘plausible’ that the JAVA used at CS5’s scattered locations are purely for the installer/updater. The fix (if you can call it that) with the least impact offered was to rename the java.exe files and leave the rest of the folder in place. I just need to remember to take off and then put back on the disguise again each time new updates are released. Time will tell if this works any better than unzipping. Too bad Adobe hasn’t indicated that they want to take time to make their customers’ lives simpler. There are many complaints about this issue on their forum.
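
The inventory this thread does by hand (a search for java.exe plus a Secunia PSI scan), as an added PowerShell example that is not part of any post above: it lists every java.exe under the given roots, reads its file version, flags copies older than a baseline, and applies the bin/lib versus bin/lib/jre layout rule described in the replies. The default roots are assumptions loosely based on the locations mentioned in the thread; the baseline 6.0.200.2 is the version quoted above as the latest at the time.

```powershell
# Added example (not from the thread): find bundled Java runtimes and compare
# each java.exe file version with a baseline.
param(
    # Assumed search roots; adjust to the drives where the suite is installed.
    [string[]]$Roots = @('C:\Program Files', 'C:\ProgramData', 'D:\Program Files'),
    # Latest java.exe file version quoted in the thread; raise it after each Java update.
    [version]$Baseline = '6.0.200.2'
)

function Get-JavaLayout {
    param([string]$JavaHome)
    # Layout rule from the thread: a JRE has bin and lib at the top level,
    # a JDK has bin, lib and a nested jre directory.
    $hasLib = Test-Path -LiteralPath (Join-Path $JavaHome 'lib')
    $hasJre = Test-Path -LiteralPath (Join-Path $JavaHome 'jre')
    if ($hasLib -and $hasJre) { 'JDK' } elseif ($hasLib) { 'JRE' } else { 'unknown' }
}

$found = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Filter 'java.exe' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = $_.VersionInfo
            # Build the version from the numeric parts; the FileVersion string
            # is free-form text and does not always parse as a version.
            $ver = New-Object System.Version -ArgumentList `
                $info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart
            # ...\jre\bin\java.exe -> ...\jre (the value JAVA_HOME would take)
            $javaHome = Split-Path -Parent $_.DirectoryName
            [pscustomobject]@{
                Version  = $ver
                Outdated = $ver -lt $Baseline
                Layout   = Get-JavaLayout $javaHome
                JavaHome = $javaHome
            }
        }
}

# Oldest copies first; Outdated = True marks the ones a scanner would flag.
$found | Sort-Object Version | Format-Table -AutoSize
```

Running it again after each Java or Adobe update shows whether a reinstall or updater has put an older bundled copy back, as happened with Flash Pro above.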
