Important Updates for Adobe Flash, Sun's Java


ronjor
July 17th, 2007, 08:07 AM
-{ Quote: "Windows users should remove any older versions still installed on their machines, as Sun's installer does not eradicate older versions of the software, which can occupy hundreds of megabytes of disk space. Worse yet, older versions of Java hanging around on systems have in the past left even fully patched Java installations vulnerable to attack." }-Brian Krebs (http://blog.washingtonpost.com/securityfix/2007/07/important_updates_for_adobe_fl.html)

ccsito
July 17th, 2007, 06:16 PM
This is one of those cases where newer updates coexist with rather than replace older versions. Imagine if the Windows Operating System since 1985 was updated on your PC like that. :o ::) :wacko:

Jomsviking
July 18th, 2007, 06:53 AM
Hi

However, quoting one of the FAQs from Java's official site:

" Can I remove older versions of the JRE after installing a newer version?

The latest version of the Java Runtime Environment (JRE) contains updates to previous versions. There might be some applications or applets written and tested against a specific version of the JRE.

It is recommended that you keep older versions of the JRE on your system. If you are running low on disk space, you can uninstall older versions of the JRE. "


(http://www.java.com/en/download/faq/5000070400.xml)

In this quote no mention is made of possible security risks of keeping older versions.
If the latest Java version is installed, any system info tool (or just checking the advanced properties in IE or about:plugins in Firefox) will show that the browsers will be using the newer version and not the older ones (assuming correct installation/update).
So, how can older Java installations that are no longer in use through the browser plugin system compromise security?
Maybe some other applications and/or downloaded/executed code can take advantage of the older versions?

I'm not saying that there is no security risk. I would just like to understand better how this is possible if the browsers and other applications are using the more recent, patched version ...

Any ideas?

Have a fine wednesday.

Jomsviking
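The question above is really an inventory question: which JRE builds are registered on the machine, which one Windows considers current, and which leftovers still have files on disk. The script below is an added example written for this thread, not something posted by any participant or taken from Sun's documentation. It assumes the registry layout the Sun JRE installer of that era used: a subkey per version under HKLM\SOFTWARE\JavaSoft\Java Runtime Environment (mirrored under Wow6432Node for 32-bit JREs on 64-bit Windows), each with a JavaHome value, plus a CurrentVersion value at the root. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): enumerate every JRE registered in the Windows
# registry and flag the ones that are not the version Windows currently points at.
# Assumption: Sun JRE registry layout under HKLM\SOFTWARE\JavaSoft\Java Runtime Environment.

$roots = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'
)

$found = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }

    # CurrentVersion is the family (e.g. "1.6") the JavaSoft launcher resolves to.
    $current = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).CurrentVersion

    Get-ChildItem -Path $root | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($props.JavaHome) {
            [pscustomobject]@{
                Version   = $_.PSChildName
                JavaHome  = $props.JavaHome
                Bitness   = if ($root -like '*Wow6432Node*') { '32-bit' } else { 'native' }
                # Matches both the family key ("1.6") and its full-version child ("1.6.0_02").
                IsCurrent = ($_.PSChildName -eq $current) -or ($_.PSChildName -like "$current.*")
                # A key whose JavaHome folder is gone is a stale registration worth cleaning up.
                FilesOnDisk = Test-Path $props.JavaHome
            }
        }
    }
}

$found | Sort-Object Version | Format-Table -AutoSize

# Versions that are registered but not current are the Add/Remove Programs candidates;
# their Uninstall entries show the exact product names Windows lists there.
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
              'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { $_.DisplayName -like 'Java*' -or $_.DisplayName -like 'J2SE*' } |
    Select-Object DisplayName, DisplayVersion, Publisher, UninstallString |
    Format-Table -AutoSize
```

The first table answers which build the JavaSoft launcher and the browser plugins resolve to (IsCurrent) and whether any older registration still has a directory behind it (FilesOnDisk). The second table lists the matching Add/Remove Programs entries, so an administrator can see at a glance how many JRE builds are actually installed side by side rather than trusting that the newest installer replaced the rest.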

ronjor
July 18th, 2007, 06:59 AM
A reply on Brian Krebs's blog page. -{ Quote: "Hey Brian - thank you for speaking with me the other day. Just wanted to clarify the point that once folks have the latest release of Java on their system (downloaded from java.com) older versions no longer pose a security threat b/c the Web browsers (IE, Firefox etc.) will only use the newest version to interact with web pages. Also thanks to you who have reported challenges to this thread, we appreciate your feedback and will look into these issues.

Posted by: Bill Curci - Sun Microsystems | July 17, 2007 05:36 PM " }-

Jomsviking
July 19th, 2007, 05:31 AM
Aaaahh, that's what I thought.

Thanks for the link, ronjor, much appreciated.

Jomsviking

MikeBCda
July 19th, 2007, 01:04 PM
I don't know if Sun has "cleaned up their act", but at one time if you didn't uninstall the older RTE(s) first, Add-Remove would show all versions of Sun Java you had on your system.

And I'm more than a little surprised by the comments quoted from Bill Curci. At one time (including, I thought, right up to the present) there was almost universal agreement that you retained security holes associated with older versions if you didn't totally uninstall (and manually clean out related folders) before installing the new one.

(Edit) Unrelated to the above, does 12 megs download for the latest offline-install version sound about right?? I thought I remembered previous offline-installs as being more like 30-odd megs.

ccsito
July 19th, 2007, 07:47 PM
-{ Quote: "I don't know if Sun has "cleaned up their act", but at one time if you didn't uninstall the older RTE(s) first, Add-Remove would show all versions of Sun Java you had on your system.

And I'm more than a little surprised by the comments quoted from Bill Curci. At one time (including, I thought, right up to the present) there was almost universal agreement that you retained security holes associated with older versions if you didn't totally uninstall (and manually clean out related folders) before installing the new one.

(Edit) Unrelated to the above, does 12 megs download for the latest offline-install version sound about right?? I thought I remembered previous offline-installs as being more like 30-odd megs." }-

I got the same information from some help forums that you need to remove old versions because your system could still be compromised if they were not removed.

As for the download file sizes, I searched the Java.com site and version 1.5.12 was 15.88 MB in size. The most current 1.6.2 version is 13.89 MB in size. I don't see 12 MB or 30 MB anywhere. My results are based on the JRE software for Windows.

MikeBCda
July 19th, 2007, 08:26 PM
Thanks, ccsito. That 12 megs I referred to was based on 2 or 3 day old recollection, but I guess I was in the right ballpark. Funny, thought I remembered the offline versions as much bigger than that.

The online version is much smaller, a few hundred K, but of course that's because it in turn downloads the rest of what's needed.

ccsito
July 20th, 2007, 07:40 PM
I did do a search and the Java 1.4.2_15 was 14.92 MB in size, so it looks like the older versions were more bloated. Guess they were removing a lot of coding in the later updates. Maybe poor programming? ??? :-X