Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

Sun Java finally addresses a serious security issue

August 26th 2006 in Uncategorized

Some of us have been complaining for a long time (more than a year and a half) about Sun’s refusal to ensure that old versions of Sun Java are uninstalled when a user updates to the latest version of the Sun Java product.  Why was it so important that Sun uninstall old versions? Because:



  1. Hostile applications were able to access old versions of Sun Java.  Yes, that’s right, if you updated to a ‘patched’ version of Sun Java the bad guys could still get to the old stuff and use it to compromise your system.

  2. It takes up a slew of unnecessary disk space.

What was really scary was that, as Sun finally admits, “there are no reliable symptoms that would indicate that a specific release of the JRE is being used if that specified release of the JRE is already installed on the system and accessible by the Java Plug-in or Java Web Start.”


The primary reason given for Sun’s refusal to remove old versions of their client as part of installing the new was that removing an old version may break an application that only works with it.  Not our problem.  Sun should not expose *ALL* users to risk because some unknown application run by some unknown person may break.  Let ’em avoid updates and let the rest of us get safe.


Sun have *finally* done something about the problem:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102557-1


The change means that applications can only use the latest version of the Sun Java Plugin that has been installed.  BUT (there is always a but), applications can still call an older version of Web Start.  Sure, users will see a security warning if this occurs and will have to grant the application permission to access the older version, but as we all know, too many people are click-happy and may not understand the implication of allowing this to occur.
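Because old releases stay on disk after an update, it is worth checking what is actually still installed. The sketch below is an added example, not part of the original post or anything from Sun: it takes a list of JRE folder names and reports every release older than the newest one. The folder naming pattern (`jre1.5.0_06`, `j2re1.4.2_08`) is an assumption and the sample names are constructed.

```python
import re
import sys
from pathlib import Path

# Assumption: JRE install folders are named like "jre1.5.0_06" or "j2re1.4.2_08".
_JRE_DIR = re.compile(r"^j(?:2)?re(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$", re.IGNORECASE)


def parse_jre_version(name):
    """Return (major, minor, micro, update) for a JRE folder name, else None."""
    m = _JRE_DIR.match(name.strip())
    if not m:
        return None
    # A folder without an "_NN" update suffix counts as update 0.
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def stale_jres(names):
    """Return (newest, stale): the newest JRE folder and all older ones, oldest first."""
    found = {}
    for n in names:
        v = parse_jre_version(n)
        if v is not None:
            found[n] = v
    if not found:
        return None, []
    newest = max(found, key=found.get)
    stale = sorted((n for n in found if found[n] < found[newest]), key=found.get)
    return newest, stale


# Constructed sample: what a machine updated several times might still hold.
SAMPLE = ["j2re1.4.2_08", "jre1.5.0_04", "jre1.5.0_06", "jre1.5.0_08", "jdk-docs"]

if __name__ == "__main__":
    # With a path argument, scan that directory; otherwise use the sample.
    if len(sys.argv) > 1:
        names = [p.name for p in Path(sys.argv[1]).iterdir() if p.is_dir()]
    else:
        names = SAMPLE
    newest, stale = stale_jres(names)
    print("newest:", newest)
    for n in stale:
        print("still installed, should be removed:", n)
```

Run it with the Java install directory as the only argument to check a real machine; with no argument it reports on the constructed sample.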


Previous commentaries on Sun Java:


Sun Java Vulnerabilities continue – August 2005:
http://msmvps.com/blogs/spywaresucks/archive/2005/08/22/63670.aspx


Sun Java Vulnerabilities – March 2005:
http://msmvps.com/blogs/spywaresucks/archive/2005/03/25/39584.aspx


Sun Java Vulnerabilities… again – February 2006:
http://msmvps.com/blogs/spywaresucks/archive/2006/02/08/82919.aspx

