What are the security repercussions if I remove older Java updates on client systems? They seem to take up quite a bit of memory.
The Sun Java Runtime Environment (JRE) lets users run Java applets in a browser and Java applications as standalone programs. Java is a great technology, but what a pain the updates can be! People rail against Microsoft's constant flow of patches, but Java security updates are getting pretty frequent, too. What many people find irritating is that a new version of Java does not automatically uninstall the older ones, so each superseded version stays on disk, often taking up more than 100 MB apiece. An even greater concern is that these older, superfluous versions pose a security problem.
Sun Microsystems Inc. has acknowledged that a malicious website could invoke one of these outdated versions still present on a user's machine, and so reach flaws the newer version already fixed, even when the latest, patched version has been installed and set as the default for both the user's Web browser and the operating system.
Sun did try to prevent sites from invoking these older, insecure versions of Java, but in July of last year, security researcher John Heasman of Next Generation Security Software Ltd. outlined a method by which attackers could bypass that protection. Sun has since released JRE 6 Update 10, which includes a "patch in place" capability, meaning future updates replace the previous version on installation rather than installing alongside it. Having just updated my own PC to Version 6 Update 12, I can confirm this feature works. However, it doesn't remove any pre-Update 10 versions you may have on your machine.
Unless you are running older Java applications that are tied to a specific version, you should uninstall all older versions of Java from your system. You can safely remove older Java updates manually from your PC by following the instructions on the Windows Java instructions page. If you do have a version-specific Java application, contact its provider or developer: it is their responsibility to fix their applet code so it works with current Java versions, not yours to keep a vulnerable runtime around for it.
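The manual removal described above scales poorly across a fleet of client systems. The following PowerShell script is an added example, not code from the original answer or from Sun: it reads the Windows uninstall database, finds every registered JRE, keeps the newest of each architecture (32-bit and 64-bit), and removes the rest with msiexec. It assumes the runtimes were installed with the standard Sun/Oracle MSI package, so each appears under the Uninstall key with a GUID product code and a DisplayName such as "Java(TM) 6 Update 7" or "J2SE Runtime Environment 5.0 Update 22"; the DisplayName pattern, the two registry paths and the exit-code handling are assumptions about that installer, not facts from the page.

```powershell
# Added example (not part of the original answer): remove superseded Java
# Runtime Environments from a Windows client, keeping only the newest JRE
# of each architecture. Run from an elevated PowerShell; use -WhatIf first
# to see what would be removed without removing anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# Uninstall database for 64-bit and (under WOW6432Node) 32-bit packages.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Assumed DisplayName forms of the Sun/Oracle JRE installer:
#   "Java(TM) 6 Update 12", "Java 8 Update 202 (64-bit)",
#   "J2SE Runtime Environment 5.0 Update 22".
# JDK entries ("Java(TM) SE Development Kit ...") and "Java Auto Updater"
# do not match this pattern and are left alone.
$jrePattern = '^(Java(\(TM\))?\s+\d+|J2SE Runtime Environment)'

$jres = foreach ($key in $uninstallKeys) {
    if (-not (Test-Path $key)) { continue }
    Get-ChildItem $key | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.DisplayName -notmatch $jrePattern) { return }
        if (-not $p.DisplayVersion) { return }      # skip entries we cannot rank
        [pscustomobject]@{
            Name        = $p.DisplayName
            Version     = [version]$p.DisplayVersion # e.g. 6.0.120 for 6 Update 12
            ProductCode = $_.PSChildName             # MSI GUID used by msiexec /x
            Is64Bit     = ($key -notmatch 'WOW6432Node')
        }
    }
}

if (-not $jres) {
    Write-Host 'No Java Runtime Environment found in the uninstall database.'
    return
}

# Within each architecture, sort newest first and mark everything after the
# first entry for removal. Keeping both a 32-bit and a 64-bit JRE matters
# because a browser can only load the runtime that matches its own bitness.
$toRemove = $jres |
    Group-Object Is64Bit |
    ForEach-Object { $_.Group | Sort-Object Version -Descending | Select-Object -Skip 1 }

foreach ($jre in $toRemove) {
    if ($PSCmdlet.ShouldProcess($jre.Name, 'Uninstall')) {
        # /x = uninstall by product code, /qn = no UI, /norestart = never reboot mid-run
        $args = "/x $($jre.ProductCode) /qn /norestart"
        $proc = Start-Process -FilePath msiexec.exe -ArgumentList $args -Wait -PassThru
        if ($proc.ExitCode -notin 0, 3010) {     # 3010 = success, reboot required
            Write-Warning "$($jre.Name) ($($jre.ProductCode)) returned msiexec exit code $($proc.ExitCode)"
        } else {
            Write-Host "Removed $($jre.Name)"
        }
    }
}

# Report what is left so the result can be checked against the newest release.
$jres | Where-Object { $toRemove -notcontains $_ } |
    Sort-Object Is64Bit, Version -Descending |
    Format-Table Name, Version, Is64Bit, ProductCode -AutoSize
```

Run it as `.\Remove-OldJre.ps1 -WhatIf` first and compare the listed entries with the machine's Java Control Panel before running it for real. Pre-Update 10 installs and JRE 5 are exactly the entries the newer installer's patch-in-place logic leaves behind, so this is where such a script earns its keep; on a machine that still needs a version-specific applet, exclude that entry by name before deploying the script.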