What are the security repercussions if I remove older Java updates on client systems? They seem to take up quite...
a bit of memory.
The Sun Java Runtime Environment (JRE) allows users to run Java applications in a browser or as standalone programs. Java is a great technology, but what a pain the updates can be! People rail against Microsoft's constant flow of patches, but Java security updates are getting pretty frequent, too. What many people find irritating is the fact that new versions of Java don't automatically uninstall the older versions, which results in each previous version of Java often taking up over 100 MB of disk space. Perhaps an even greater concern is that these older, superfluous versions can pose a security problem.
It has been acknowledged by Sun Microsystems Inc. that malicious websites could possibly invoke these outdated versions of the software still present on a user's machine, even if the latest, patched version has been installed and set as the authoritative version to be used by both the user's default Web browser and the operating system.
Sun did try to prevent sites from invoking these older, insecure versions of Java, but in July of last year, security researcher John Heasman of Next Generation Security Software Ltd. outlined a method by which attackers could bypass that protection. Sun has since released JRE6 Update 10, which includes "patch in place" capability, meaning future updates will remove older versions upon installation. Having just updated my own PC to Version 6 Update 12, I can confirm this feature works. However, it doesn't remove any pre-Update 10 versions you may have on your machine.
Unless you are running older Java applications that were version-specific, you should uninstall all older versions of Java from your system. You can safely remove older Java updates manually from your PC by following the instructions on the Windows Java instructions page. If you do have any version-specific Java applications, contact the provider or developer as it is their responsibility to rectify their applet code in order to ensure compatibility with all Java versions.
Dig Deeper on Web Application Security
Related Q&A from Michael Cobb
Amazon disabled native encryption capabilities in the latest Fire OS version. Expert Michael Cobb explains what this means for security, and if ...continue reading
A pirated app called Happy Daily English beat Apple's App Store security review. Expert Michael Cobb explains how it works and what security teams ...continue reading
The Lenovo SHAREit file-sharing app has a hardcoded password vulnerability, among other issues. Expert Michael Cobb explains these flaws and how to ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.