Sun Java Vulnerabilities continue
I'm wondering just how long, and how loud, we have to yell before Sun wake up to themselves.
I was prompted to update to Sun Java VM version 5.0 Update 4, so I downloaded and installed it. Once more, the Sun Java installer did NOT remove or overwrite older, vulnerable versions of Sun Java on my system.
I posted about this problem MONTHS ago; other MVPs have posted about the problem - we have all written to Sun warning them that they are leaving computers at risk by not removing vulnerable versions of their product during an update. Their reaction? "We'll pass on your feedback."
Well, that ain't good enough!!
When we install a newer version of software that has been patched to lock out vulnerabilities, we expect to be safe, yes?
When it comes to Sun's Java Runtime Environment, the answer is NO!!!!
I strongly recommend that you go to Add/Remove Programs and see how many versions you have installed (at 100+ MB per version!).
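A scripted version of that Add/Remove Programs check, added here as an example and not part of the original post: it reads the same Uninstall registry data the Control Panel applet shows and lists every Java runtime entry, oldest first. The name pattern used to spot Sun's entries is an assumption about how they are labelled, so adjust it if your entries look different.

```powershell
# Added example (not from the original post): list installed Java Runtime
# Environment entries from the Add/Remove Programs registry data so that
# leftover older versions are easy to spot. Assumes a Windows host; the
# DisplayName pattern below is an assumption about how Sun labels its entries.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

$jreEntries = foreach ($key in $uninstallKeys) {
    if (Test-Path $key) {
        Get-ChildItem $key |
            ForEach-Object { Get-ItemProperty $_.PSPath } |
            Where-Object { $_.DisplayName -match '^(Java|J2SE|JRE)' }
    }
}

# Sort by DisplayVersion so the newest runtime is listed last; every entry
# above it is an older runtime that the update left behind. Entries whose
# version string is not parseable sort to the top rather than breaking the run.
$sorted = @($jreEntries | Sort-Object {
    try { [version]$_.DisplayVersion } catch { [version]'0.0' }
})

$sorted |
    Select-Object DisplayName, DisplayVersion, UninstallString |
    Format-Table -AutoSize

if ($sorted.Count -gt 1) {
    Write-Warning ("{0} Java runtime entries found; only the newest should remain." -f $sorted.Count)
} elseif ($sorted.Count -eq 0) {
    Write-Output 'No Java runtime entries matched the name pattern.'
}
```

The UninstallString column gives the command Add/Remove Programs itself runs for each entry, so the older ones can be removed from the same listing.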
Did you know that old versions of Java's runtime are not overwritten when you update, and that malware designed to take advantage of Java vulnerabilities can access those vulnerable older versions? I ask you, what is the use of updating if the bad guys can come along and keep using the old stuff anyway? I can almost hear them laughing.
Sun Java recommend in their FAQ that older versions of their JRE be kept on computers - BAD ADVICE!!!
Those of us who are lucky enough to have heard of http://sunsolve.sun.com, and know that Sun release Alert Notifications, and know how to find them, also know that Sun recommends that affected versions of the JRE be removed from a computer (see Docs 57707, 57740, 57708 and 57591)!
Bad advice - advice that is directly contradicted in the Alert Notifications - is being given to new users, who are the primary audience and users of FAQs. The FAQ needs to be rewritten to advise users to remove older versions of the JRE, unless there is a mission-critical application that only runs on an older version. If there is such a mission-critical application, Sun should strongly recommend that said mission-critical application be updated to be compatible with the latest version of the JRE.
Uninstall all those older versions of the Sun Java Runtime - go on, go and do it now.