Important Updates for Adobe Flash, Sun's Java

Discussion in 'other security issues & news' started by ronjor, Jul 17, 2007.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,727
    Location:
    Texas
    Brian Krebs
     
  2. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    This is one of those cases where newer updates coexist with rather than replace older versions. Imagine if the Windows Operating System since 1985 was updated on your PC like that. :eek: :rolleyes: o_O
     
  3. Jomsviking

    Jomsviking Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    55
    Hei

    However, quoting one of the FAQs from Java's official site:

    " Can I remove older versions of the JRE after installing a newer version?

    The latest version of the Java Runtime Environment (JRE) contains updates to previous versions. There might be some applications or applets written and tested against a specific version of the JRE.

    It is recommended that you keep older versions of the JRE on your system. If you are running low on disk space, you can uninstall older versions of the JRE. "


    (http://www.java.com/en/download/faq/5000070400.xml)

    In this quote no mention is made of possible security risks of keeping older versions.
    If the latest java version is installed, any system info tool (or just checking the advanced properties in IE or the about:plugins in Firefox) will show that the browsers will be using the newer version and not the older ones. (assuming correct installation/update)
    So, how can older Java installations that are no longer in use through the browser plugin system compromise security?
    Maybe some other applications and/or downloaded/executed code can take advantage of the older versions?

    I'm not saying that there is no security risk. I would just like to understand better how this is possible if the browsers and other applications are using the more recent, patched version ...

    Any ideas?

    Have a fine Wednesday.

    Jomsviking
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,727
    Location:
    Texas
    A reply on Brian Krebs's blog page.
     
  5. Jomsviking

    Jomsviking Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    55
    Aaaahh, that's what I thought.

    Thanks for the link, ronjor, much appreciated.

    Jomsviking
     
  6. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    I don't know if Sun has "cleaned up their act", but at one time if you didn't uninstall the older RTE(s) first, Add-Remove would show all versions of Sun Java you had on your system.

    And I'm more than a little surprised by the comments quoted from Bill Curci. At one time (including, I thought, right up to the present) there was almost universal agreement that you retained security holes associated with older versions if you didn't totally uninstall (and manually clean out related folders) before installing the new one.

    (Edit) Unrelated to the above, does 12 megs download for the latest offline-install version sound about right?? I thought I remembered previous offline-installs as being more like 30-odd megs.
     
  7. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    I got the same information from some help forums that you need to remove old versions because your system could still be compromised if they were not removed.

    As for the download file sizes, I searched the Java.com site and version 1.5.12 was 15.88 MB in size. The most current 1.6.2 version is 13.89 MB in size. I don't see 12 MB or 30 MB anywhere. My results are based on the JRE software for Windows.
     
  8. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    Thanks, ccsito. That 12 megs I referred to was based on 2 or 3 day old recollection, but I guess I was in the right ballpark. Funny, thought I remembered the offline versions as much bigger than that.

    The online version is much smaller, a few hundred K, but of course that's because it in turn downloads the rest of what's needed.
     
  9. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    I did do a search and the Java 1.4.2_15 was 14.92 MB in size, so it looks like the older versions were more bloated. Guess they were removing a lot of coding in the later updates. Maybe poor programming? o_O :blink:
     