Brian Krebs on Computer Security
Java Update Promises to Remove Older Versions
Sun Microsystems has released another version of its Java client software. The update, JRE 6 Update 10, contains no security fixes beyond those already in the previous release, JRE 6 Update 7, but it does appear to fulfill a promise the company made long ago to stop littering users' PCs with outdated, insecure versions of the software.
Readers of this blog know I am no fan of Java. It's a huge, extremely powerful program that frequently needs updating to protect users from evil sites that might wish to leverage the program's interactivity and power to do bad things. Another reason I've railed against Java is that Sun's updates don't remove old versions. As a result, if you've been keeping up with the Java security updates, chances are you have at least three or four previous versions of Java on your system, each taking up more than 100MB of disk space.
While there's no sign Java users will need to update less frequently, Update 10 does introduce a "patch in place" capability: later updates will overwrite the existing Update 10 installation in its own directory instead of installing a second copy alongside it, so the older copy no longer lingers on disk.
It's nice that Sun has finally heeded the calls from its user base, but since we don't have an Update 11 yet, it's hard to tell how well this patch-in-place process will work. What's more, while Update 10 will be replaced in place when Sun ships the next post-Update 10 release, the installer leaves untouched any pre-Update 10 versions already on the system; those still have to be uninstalled by hand.
Who cares about a few older versions of Java hanging around in this age of 500GB hard drives, you ask? With previous updates, Sun acknowledged that Web sites could invoke older, insecure versions of the software still present on the user's machine, even if the latest, patched version was installed and set as the default for both the operating system and the user's Web browser. The reason is that the applet and object tags let a page request a specific JRE version, and the plug-in would hand the page the version it asked for if that version was still installed.
Sun subsequently implemented a mechanism (Secure Static Versioning) to block sites from invoking older, insecure versions of Java by routing such requests to the latest installed release. But then in July 2008, security researcher John Heasman outlined a method by which attackers could bypass that protection.
One final note: When I went to test this new version, I realized that I hadn't had Java installed on my Windows Vista machine since I bought it several months ago. Apparently, I haven't needed the program since then either.
By Brian Krebs | October 27, 2008; 7:05 AM ET | Categories: New Patches, From the Bunker, Misc., Safety Tips
Filed under: Patch Management, Internet Applications, Security, Enterprise Applications, Software Vulnerabilities