Sun Java Vulnerabilities... again

Check this out:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102171-1

"Seven (7) vulnerabilities with the use of "reflection" APIs in the Java Runtime Environment may independently allow an untrusted applet to elevate its privileges. For example an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet....

... It is recommended that affected versions be removed from your system. For more information, please see the installation notes on the respective java.sun.com download pages."

Ok, so why the hell does Sun Java leave vulnerable versions of their software installed when we update?  You have to go in and manually remove the exploitable stuff via add/remove programs.
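Since the updater leaves earlier runtimes in Add/Remove Programs, the first step on any Windows box is to find out which Java entries are still registered. The following PowerShell script is an added example, not code from the original post or from Sun; it reads the standard uninstall registry keys, lists every Java runtime entry sorted by version, and reports the ones older than the newest as candidates for manual removal. It only reports and never uninstalls anything; the DisplayName pattern and the version-parsing fallback are assumptions that may need adjusting for your estate.

```powershell
# Added example (not from the original post): inventory Sun/Oracle Java
# runtimes left in Add/Remove Programs so older copies can be reviewed
# and removed. Run from an elevated PowerShell prompt. Report-only.

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Entry names vary between releases ("J2SE Runtime Environment 5.0 Update 6",
# "Java(TM) 6 Update 31", "Java 8 Update 201"); this pattern is an assumption
# and may need widening for your environment.
$namePattern = '^(Java|J2SE)'

$javaEntries = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem $root | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.DisplayName -match $namePattern) {
            # DisplayVersion is not always a clean dotted version; fall back
            # to 0.0 so the entry is still listed rather than silently dropped.
            $ver = [version]'0.0'
            [void][version]::TryParse([string]$p.DisplayVersion, [ref]$ver)
            [pscustomobject]@{
                Name            = $p.DisplayName
                DisplayVersion  = $p.DisplayVersion
                Version         = $ver
                UninstallString = $p.UninstallString
            }
        }
    }
}

if (-not $javaEntries) { Write-Output 'No Java runtime entries found.'; return }

$sorted = @($javaEntries | Sort-Object Version -Descending)
Write-Output "Newest installed: $($sorted[0].Name) ($($sorted[0].DisplayVersion))"

$older = @($sorted | Select-Object -Skip 1)
if ($older.Count -gt 0) {
    Write-Output 'Older copies still installed (review and remove via Add/Remove Programs):'
    $older | Format-Table Name, DisplayVersion, UninstallString -AutoSize
} else {
    Write-Output 'No older Java copies remain.'
}
```

The UninstallString column gives the exact command Add/Remove Programs would run for each leftover entry, which is useful when scripting removal across a fleet after a compatibility check.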

Historical blog posts:
http://msmvps.com/blogs/spywaresucks/archive/2005/08/22/63670.aspx
http://msmvps.com/blogs/spywaresucks/archive/2005/03/25/39584.aspx

My understanding of Sun's attitude to this problem is that there are some applications out there (invariably business applications) that will only work with a particular version of Java, therefore they will not automatically remove old versions of their product to avoid breaking said applications.

Sun have got things back to front.

The internet community as a whole should not be exposed to risk because of the needs of a minority.

Applications that break with later versions of Java should be updated so that users are not exposed to risk. 

It is the responsibility of any business that depends on applications that may be broken by a Java update to ensure that they don't download incompatible updates, and to lock down their network so that their users are not put at risk by the use of vulnerable versions of Java.

It is not the responsibility of the Internet Community as a whole to be left at risk just because there is an old programme that may be in use somewhere in the world that will break if Java is updated.

There is some real nasty malware/spyware out there that targets vulnerable versions of Sun Java, and the protection of the Internet Community as a whole should take priority.

Let the applications that may be broken by newer versions of Java, and the businesses that use them, look after themselves by not updating.  Don't leave the rest of us exposed to risk.

Published Wed, Feb 8 2006 22:05 by sandi