JAVA updates

There is some interesting info in the latest updates to the ISC diary entry on SUN JAVA.
In the original entry, the writer notes that the latest version of SUN JAVA attempts to solve a long-standing problem: installing an updated version of JAVA does not remove earlier versions, and the bad guys can specifically request those earlier versions. That’s right, it's like installing a patch but letting the bad guy ignore it if they choose to. That problem is rather old, but SUN is addressing it by having the latest version of JAVA prompt the user if an older, potentially vulnerable version is requested.
So why not just remove the earlier vulnerable version, you might ask? Many bad web applications specifically require a bad version of JAVA, so you can't uninstall the bad version if you want to use that website. You are forced to wait for the original developer to provide an update. Ciscoworks VMS is one example of such a site.
So here is what is new: a reader of the ISC wrote in to suggest that you create a CLSID pointing requests for the older vulnerable version to the newer version (stay within the same 1.42, 1.5 family). It may not work for every site, but it's worth a shot. I thought that was the best tip so far on the ISC site this month and it wasn’t even part of their tip of the day segment. 🙂