Sun Java finally addresses a serious security issue
Some of us have been complaining for a long time (more than a year and a half) about Sun's refusal to ensure that old versions of Sun Java are uninstalled when a user updates to the latest version of the Sun Java product. Why was it so important that Sun uninstall old versions? Because:
- Hostile applications were able to access old versions of Sun Java. Yes, that's right, if you updated to a 'patched' version of Sun Java the bad guys could still get to the old stuff and use it to compromise your system.
- It takes up a slew of unnecessary disk space.
What was really scary was that, as Sun finally admits, "there are no reliable symptoms that would indicate that a specific release of the JRE is being used if that specified release of the JRE is already installed on the system and accessible by the Java Plug-in or Java Web Start."
The primary reason given for Sun's refusal to remove old versions of their client as part of installing the new was that removing an old version may break an application that only works with it. Not our problem. Sun should not expose *ALL* users to risk because some unknown application run by some unknown person may break. Let 'em avoid updates and let the rest of us get safe.
Sun have *finally* done something about the problem:
The change means that applications can only use the latest version of the Sun Java Plugin that has been installed. BUT (there is always a but), applications can still call an older version of Web Start. Sure, users will see a security warning if this occurs and will have to grant the application permission to access the older version but as we all know, too many people are click happy, and may not understand the implication of allowing this to occur.
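A practical check that follows from the point above (an added example, not code from the original post or from Sun): given an inventory of installed JRE versions, identify the superseded ones the updater left behind, and work out which JRE a Web Start launch with a given j2se version request would land on. The inventory is constructed sample data, and the JNLP matching rules (`X+` for X or newer, `X*` for any X.y, bare version for an exact match, highest match wins) are a simplified model assumed here, not a full implementation of the spec.

```python
import re
from typing import List, Optional, Tuple

# Constructed inventory, in the shape a software-inventory tool might report
# for one Windows host. Not data from any real system.
INSTALLED_JRES = [
    "1.4.2_08",
    "1.5.0_06",
    "1.4.2_03",
    "1.5.0_10",
]

# Sun JRE version strings look like 1.5.0_06; the update field after '_' is optional.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_java_version(text: str) -> Tuple[int, int, int, int]:
    """Parse '1.5.0_06' into (1, 5, 0, 6) so versions compare numerically.
    String comparison would put '1.5.0_10' before '1.5.0_06', which is wrong."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised JRE version string: {text!r}")
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def latest_jre(installed: List[str]) -> str:
    """The newest installed JRE, which is the only one an updater should leave behind."""
    return max(installed, key=parse_java_version)


def stale_jres(installed: List[str]) -> List[str]:
    """Every installed version except the newest, oldest first.
    Each entry is a superseded JRE still present on the host."""
    if not installed:
        return []
    ordered = sorted(installed, key=parse_java_version)
    return ordered[:-1]


def _fields(text: str) -> List[int]:
    """Split '1.4.2_08' into [1, 4, 2, 8]; a short spec like '1.4' gives [1, 4]."""
    return [int(x) for x in re.split(r"[._]", text.strip())]


def _pad(text: str) -> Tuple[int, ...]:
    """Pad a short spec to four fields so '1.5' compares as (1, 5, 0, 0)."""
    f = _fields(text)
    return tuple(f + [0] * (4 - len(f)))


def jnlp_spec_candidates(spec: str, installed: List[str]) -> List[str]:
    """Installed JREs that satisfy a j2se version request (simplified model, assumed):
    'X+' accepts X or newer, 'X*' accepts any version whose leading fields equal X,
    and a bare version string is an exact match."""
    spec = spec.strip()
    if spec.endswith("+"):
        floor = _pad(spec[:-1])
        return [v for v in installed if parse_java_version(v) >= floor]
    if spec.endswith("*"):
        prefix = _fields(spec[:-1])
        return [v for v in installed if _fields(v)[: len(prefix)] == prefix]
    wanted = parse_java_version(spec)
    return [v for v in installed if parse_java_version(v) == wanted]


def web_start_risk(spec: str, installed: List[str]) -> Tuple[Optional[str], bool]:
    """Return (selected JRE, is_superseded) for a Web Start launch with this spec.
    The selected JRE is the highest candidate (assumed rule); is_superseded is True
    when that JRE is not the newest one installed, i.e. the launch reaches an old
    runtime and is the case the post says now triggers a user prompt."""
    candidates = jnlp_spec_candidates(spec, installed)
    if not candidates:
        return None, False
    chosen = max(candidates, key=parse_java_version)
    return chosen, chosen != latest_jre(installed)


if __name__ == "__main__":
    print("latest:", latest_jre(INSTALLED_JRES))
    print("stale :", stale_jres(INSTALLED_JRES))
    for spec in ("1.4*", "1.5+", "1.4.2_03", "1.6+"):
        print(f"j2se version={spec!r} ->", web_start_risk(spec, INSTALLED_JRES))
```

Running it against the constructed inventory reports three stale runtimes and shows that a request for `1.4*` resolves to 1.4.2_08 rather than the newest JRE, which is exactly the reachable-old-version condition the post is concerned about.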
Previous commentaries on Sun Java:
- Sun Java Vulnerabilities continue - August 2005
- Sun Java Vulnerabilities - March 2005
- Sun Java Vulnerabilities... again - February 2006