Security sw alerts Java as risk in FS Indexing

Support and Announcements for the LDS Tech Java Web Application Platform (setup, configuration, bugs, feedback).
barrowsr
New Member
Posts: 2
Joined: Mon Dec 05, 2011 9:34 am

Security sw alerts Java as risk in FS Indexing

Postby barrowsr » Mon Dec 05, 2011 9:55 am

Security software on my PC has alerted me to a threat because of a Java .exe (v. 6.0.200.2) when using FamilySearch Indexing program. Version 6.0.290.11 has been released for fix to critical vulnerabilities. Is there a timetable for incorporation of the new Java sw in the Indexing program?

russellhltn
Community Administrator
Posts: 20781
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Mon Dec 05, 2011 10:30 am

Last time I checked, Java.exe wasn't packaged as part of the FamilySearch Indexing program, but a separate module that's used by FS. I'd suggest going ahead and updating your Java. You can do that by going into Control Panel > Java. At the same time you can change the settings to automatically update, as it needs to be updated rather frequently.
Have you searched the Wiki?
Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.

barrowsr
New Member
Posts: 2
Joined: Mon Dec 05, 2011 9:34 am

Postby barrowsr » Tue Dec 06, 2011 9:49 pm

I should explain how this alert came about and the actions I took. The security software flagged this path in FamilySearch (C:\Program Files\FamilySearch Indexing\indexing.familysearch.org\jre\bin\java.exe, version 6.0.200.2). I started to look around for information on Java since I normally don't run it. KrebsonSecurity.com reported version 6.0.200.2 had been updated to version 6.0.290.11 (http://krebsonsecurity.com/2011/11/public-java-exploit-amps-up-threat-level/) to address in excess of 19 threats . I downloaded the newest FamilySearch and installed it. Again my security sw flagged the path as noted above. Next I downloaded the latest Java to see if that would help since that had been a fix a few years ago for a version of Sun's OpenOffice where Sun had updated everything but the Java component. Loading the newest Java did not fix the java.exe in FamilySearch so I removed Java and FamilySearch from my PC. I did not get any security alert at that point. So I installed FamilySearch again, ran the security sw and there was the alert once more. Having said all this how can I be sure that the module you mentioned has been updated? Please pardon the long-winded explanation.

russellhltn
Community Administrator
Posts: 20781
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Tue Dec 06, 2011 9:53 pm

barrowsr wrote:The security software flagged this path in FamilySearch (C:\Program Files\FamilySearch Indexing\indexing.familysearch.org\jre\bin\java.exe, version 6.0.200.2).


It appears then I was wrong and that FS does package a copy of Java within itself.

Not being a developer, I'm not sure how big a problem it is. A malicious website would have to somehow get a hold that that install of Java to take advantage of the vulnerabilities.

Note that few if any of the FS developers come to these forums. You might try over at forums.familysearch.org.
Have you searched the Wiki?

Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.

User avatar
aebrown
Community Administrator
Posts: 14693
Joined: Tue Nov 27, 2007 8:48 pm
Location: Sandy, Utah

Postby aebrown » Tue Dec 06, 2011 10:09 pm

barrowsr wrote:how can I be sure that the module you mentioned has been updated?


You can manually update the java version used by FamilySearch Indexing if you would like to, as follows:

  1. Download the latest version of Java (currently version 6, update 29) from java.com -- but don't do the basic install; instead go to the manual installation page. Find the version corresponding to your operating system and download it.
  2. Run the Java installer you just downloaded.
  3. On the opening screen of the Java installer, notice that there is a checkbox for "Change destination folder"; make sure that box is checked before you click the Install button.
  4. Navigate to the folder where the FSI version of Java is installed (C:\Program Files\FamilySearch Indexing\indexing.familysearch.org\jre).
  5. Complete the installation.
  6. When the installation is complete, your security software should no longer complain about Java being out of date.
I ran through this process myself, and FSI still works fine with update 29 of Java 6.
Questions that can benefit the larger community should be asked in a public forum, not a private message.


Return to “Java Web Project Support (Stack)”

Who is online

Users browsing this forum: No registered users and 1 guest