Java Update Promises to Remove Older Versions

Sun Microsystems has released another version of its Java software client. The update, JRE6 Update 10, contains no new security fixes to the most recent version, JRE6 Update 7, but it does appear to fulfill a promise the company made long ago to stop littering users' PCs with outdated, insecure versions of the software.

Readers of this blog know I am no fan of Java. It's a huge, extremely powerful program that frequently needs updating to protect users from evil sites that might wish to leverage the program's interactivity and power to do bad things. Another reason I've railed against Java is that Sun's updates don't remove old versions. As a result, if you've been keeping up with the Java security updates, chances are you have at least three or four previous versions of Java on your system -- each taking up more than 100MB worth of disk space.

While there's no sign Java users will need to update less frequently, Update 10 now claims to include "patch in place" capability, meaning future updates will remove older versions upon install.

It's nice that Sun has finally heeded the calls from its user base, but since we don't have an Update 11 yet, it's hard to tell how well this patch in place process will work. What's more, while Update 10 promises to remove itself whenever Sun ships the next post-Update 10 release, it doesn't remove any pre-Update 10 versions hanging around the user's system.

Who cares about a few older versions of Java hanging around in this age of 500GB hard drives, you ask? In previous updates, Sun has acknowledged that it would be possible for Web sites to invoke older, insecure versions of the software still present on the user's machine, even if the latest, patched version was installed and set as the authoritative version to be used by both the operating system and the user's default Web browser.

Sun subsequently implemented technology to block sites from invoking older, insecure versions of Java. But then in July, security researcher John Heasman outlined a method by which attackers could bypass that protection.

One final note: When I went to test this new version, I realized that I haven't had Java installed on my Windows Vista machine since I bought it several months ago. Apparently, I haven't needed the program since then either.

By Brian Krebs  |  October 27, 2008; 7:05 AM ET
Categories:  From the Bunker , New Patches , Safety Tips  

Comments

When tried, not only did it not uninstall Update 7, but it also installed a "Java Quick Starter" addon to Firefox which can be disabled but cannot be uninstalled. Yuck.

Posted by: Jenny6 | October 27, 2008 9:14 AM | Report abuse

@Jenny6 - Are you using Vista by chance?

Posted by: Brian Krebs | October 27, 2008 9:26 AM | Report abuse

Hmmm ... this could be a problem in some instances. For example, Blackboard and WebCT, popular course management systems, specify particular versions of Java, and if you don't have them, the system doesn't work properly.

Posted by: kcbrady | October 27, 2008 10:38 AM | Report abuse

Wow, my XP Pro laptop, about a year since last system build, had 5 'lumps' of Java in the add-remove panel. Ridiculous.

Posted by: Late2Bass | October 27, 2008 10:40 AM | Report abuse

Still using XP.

Posted by: Jenny6 | October 27, 2008 11:28 AM | Report abuse

I got the Java Quickstart for Firefox as well. Not too sure I see a downside? If it gets in the way, it appears simple to disable.

Posted by: Late2Bass | October 27, 2008 11:36 AM | Report abuse

Well, it looks like a promising start. Let's see how it turns out.

"Hmmm ... this could be a problem in some instances. For example, Blackboard and WebCT, popular course management systems, specify particular versions of Java, and if you don't have them, the system doesn't work properly."

I agree, I've seen a few programs that required specific versions of Java. Hopefully they will become more agile and change with the updates.

Posted by: BidenPC | October 27, 2008 11:58 AM | Report abuse

Java Quick Starter is also added as a service on Windows XP. Task Manager shows it as jqs.exe and the description is "Prefetches JRE files for faster startup of Java applets and applications." My system shows approximately 1 MB of memory in use with a peak memory usage of 16 MB.

Posted by: Hoku1 | October 28, 2008 1:21 AM | Report abuse

Can I remove the older versions of Java from the machines myself? Would there be a problem with that, i.e., other issues popping up? If there is no problem, what would be the procedure for removal of these outdated, memory-hog programs?

Posted by: bubbad | October 28, 2008 3:57 AM | Report abuse

Bubbad -- You can remove them from the Windows Add/Remove feature in the Windows Control Panel. And there is no reason home users need to keep old versions of Java on their systems.

Posted by: Brian Krebs | October 28, 2008 9:49 AM | Report abuse

One of the pleasing aspects of this JRE update is that at 96.8 MB, it is nearly 40 MB leaner than the update it replaces. In this era of constantly increasing bloat, I can only applaud Sun's work....

Henri

Posted by: mhenriday | October 28, 2008 1:13 PM | Report abuse

I currently have Windows XP SP3 on my laptop. Can I go to my control panel & remove the old Java Updates without harming the system?

Posted by: pmeehan1 | October 28, 2008 2:17 PM | Report abuse

pmeehan1, sometimes you'll have problems loading a Java update if you delete the update it's replacing first. Otherwise, you should be able to delete older versions without a problem.

Posted by: Heron | October 28, 2008 3:13 PM | Report abuse

BKrebs,

Thanks for the response for how to remove the unnecessary Java programs. I'm going to do this.

Posted by: bubbad | October 28, 2008 4:36 PM | Report abuse

I loaded the update but didn't know what the Java Quickstart plugin was on Firefox so I disabled it. After that, I could not get Firefox to run. It crashed every time on both admin and limited accounts on Win XP. I decided to uninstall Firefox altogether and reinstalled it, then left the Quickstart thing alone. I'm no expert, maybe there was an easier way, but it shouldn't be this complicated.

Posted by: jbdc | October 28, 2008 10:04 PM | Report abuse

Update 10 did not remove 7 on my XP machine. Also, make sure you read and uncheck the box if you don't want quickstart.

Posted by: Marusa | October 29, 2008 4:59 PM | Report abuse

There can be local information stored in earlier versions that would need to be retained. One example is the file fontconfig.properties, which one may need to edit in order to use the right fonts in certain Java apps (in my case, to define a Bengali script font). This file is stored in C:\Program Files\Java\jre1.6.0_07\lib, i.e. in the directory occupied by the current release. Every time I update Java, I have to copy this file over to the new version's lib directory. This is a Very Bad design; it ought to be stored in some localization directory (like C:\Documents and Settings\All Users\Application Data), so it doesn't need to be copied with each update. Perhaps it is fixed with this new update?

(BTW, the instructions for editing fontconfig.properties are at http://java.sun.com/j2se/1.5.0/docs/guide/intl/fontconfig.html.)

Posted by: mcswell | November 1, 2008 3:20 PM | Report abuse

The comments to this entry are closed.

 
 

© 2010 The Washington Post Company