Standards & Guidelines - Java

Think you are safe from Java exploits because you updated to the latest version? You may not be. Did you remove the old version after you upgraded?
As new versions of the Sun Java JRE keep coming out to address security vulnerabilities, the installer does NOT remove the old versions. This is because you may be running Java code in your applications that absolutely requires a specific version of the JRE, so Sun does not want to automate the removal. Every time you update, the installer simply adds the new version alongside the old ones; it does not remove anything.
The best practice for Java is to:
- Update the applications if required
- Update the JRE
- REMOVE the old JRE versions
Go to Add/Remove Programs and check whether you have more than one version of Java installed.
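The same check, scripted, as an added example that is not part of the original page: it reads the same registry Uninstall keys that populate Add/Remove Programs (both the 64-bit hive and WOW6432Node for 32-bit installs), lists every Sun/Oracle Java entry, and flags the ones older than the newest. It assumes Windows with PowerShell 3.0 or later; the `-Remove` switch is a hypothetical name chosen here and needs an elevated prompt. By default it only reports, because, as noted above, an application on the machine may genuinely depend on an older JRE.

```powershell
# Added example (not from the original page): audit installed Sun/Oracle JREs/JDKs
# and report the stale ones. Dry run by default; -Remove actually uninstalls.
param(
    [switch]$Remove   # hypothetical switch name: uninstall the stale versions
)

# Add/Remove Programs is built from these keys; the second covers 32-bit Java on 64-bit Windows.
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# DisplayVersion is dotted (e.g. 6.0.210, 8.0.2310.11), so it sorts correctly as [version].
$javaInstalls = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
    Where-Object {
        $_.DisplayName -match '^Java' -and
        $_.Publisher -match 'Oracle|Sun Microsystems' -and
        $_.DisplayVersion
    } |
    Select-Object DisplayName, Publisher, DisplayVersion, UninstallString, PSChildName |
    Sort-Object { [version]$_.DisplayVersion } -Descending

if (-not $javaInstalls) {
    Write-Host 'No Sun/Oracle Java installations found.'
    return
}

$newest = $javaInstalls | Select-Object -First 1
Write-Host "Newest Java: $($newest.DisplayName) ($($newest.DisplayVersion))"

# Anything older than the newest version is a target an applet can still ask for.
# Entries with the same version (e.g. 32- and 64-bit of the current release) are not flagged.
$stale = $javaInstalls | Where-Object { [version]$_.DisplayVersion -lt [version]$newest.DisplayVersion }
if (-not $stale) {
    Write-Host 'No older Java versions installed - nothing to remove.'
    return
}

Write-Host 'Older versions still installed:'
$stale | Format-Table DisplayName, DisplayVersion, PSChildName -AutoSize

foreach ($old in $stale) {
    # Sun/Oracle Java ships as an MSI, so the key name is the MSI product code GUID.
    if ($old.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$') {
        $args = "/x $($old.PSChildName) /qn /norestart"
        if ($Remove) {
            Write-Host "Removing $($old.DisplayName): msiexec.exe $args"
            Start-Process -FilePath 'msiexec.exe' -ArgumentList $args -Wait
        } else {
            Write-Host "Would run: msiexec.exe $args   (re-run with -Remove to uninstall)"
        }
    } else {
        Write-Host "Non-MSI entry, remove by hand: $($old.UninstallString)"
    }
}
```

Run it once without `-Remove` to see what would go, confirm none of the listed releases is required by an in-house application, then run it elevated with `-Remove`. A JDK and a JRE of the same release share a DisplayVersion and so are kept together; the script does not distinguish them.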
Why? Because a Java applet can request which version of the JRE it wishes to run under.
An attacker can write an applet that requests a vulnerable version. Even if you have updated your Java client, if you did not uninstall the old version you are still vulnerable.
We would like to thank the Handlers at the SANS Internet Storm Center for this information.