The Internet Storm Center (ISC)/SANS Diary published a warning that members of the security community have been giving users for a long time: either permanently disable Sun Microsystems Java and JScript in your browser(s), or “keep as close an eye on JRE versions as you do Microsoft Windows patches!”

The ISC/SANS Diary advisory:

Remove old JRE!
Published: 2007-01-22,
Last Updated: 2007-01-23 00:53:25 UTC
by Adrien de Beaupre (Version: 1)
As new versions of the Sun Java JRE keep coming out to address security vulnerabilities, do NOT forget to remove the old versions. It is possible that you may be running Java code in your applications that absolutely requires a specific version of the JRE to run; update the applications, then update the JRE, and then remove the old JRE versions. Why? A Java applet can request which version of the JRE it wishes to use, that’s why.

ISC/SANS was not the only recognized authority issuing a warning. US-CERT issued Technical Cyber Security Alert TA07-022A, stating:

“The Sun Java Runtime Environment contains multiple vulnerabilities that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.”

US-CERT substantiates the ISC/SANS recommendation to uninstall the affected versions and disable Java in your browser(s).

The affected versions of Sun Java Runtime Environment (JRE) are listed below.

  • JDK and JRE 5.0 Update 9 and earlier
  • SDK and JRE 1.4.2_12 and earlier
  • SDK and JRE 1.3.1_18 and earlier
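An added audit helper (example code, not part of the original post or of either advisory) that applies the three affected-version thresholds listed above to a list of installed JRE version strings. It relies on the fact that Java 5.0 Update N reports itself as 1.5.0_NN; the installed-version list is constructed for illustration.

```python
"""Flag installed Sun JRE/JDK versions that fall in the US-CERT TA07-022A ranges.

Added example, not part of the original post. The thresholds are the three
families listed above (5.0 Update 9, 1.4.2_12, 1.3.1_18); SAMPLE_INSTALLED is
a constructed list of version strings, not data from any real machine.
"""
import re

# Highest affected update per family. Java 5.0 identifies itself as "1.5.0_NN";
# the older families use "1.4.2_NN" and "1.3.1_NN".
AFFECTED_THRESHOLDS = {
    "1.5.0": 9,    # JDK/JRE 5.0 Update 9 and earlier
    "1.4.2": 12,   # SDK/JRE 1.4.2_12 and earlier
    "1.3.1": 18,   # SDK/JRE 1.3.1_18 and earlier
}

_VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+)(?:_(\d+))?")


def parse_java_version(text):
    """Return (family, update) from strings such as '1.5.0_09' or '1.4.2'.

    A missing update number (the initial release of a family) counts as 0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Java version string: %r" % text)
    return m.group(1), int(m.group(2) or 0)


def is_affected(text):
    """True if the version lies within a TA07-022A affected range.

    Families the advisory does not list (e.g. 1.6.0) are reported as not affected.
    """
    family, update = parse_java_version(text)
    limit = AFFECTED_THRESHOLDS.get(family)
    return limit is not None and update <= limit


def audit(installed):
    """Return the subset of installed version strings that should be removed."""
    return [v for v in installed if is_affected(v)]


# Constructed sample: what a box with several leftover JREs might report.
SAMPLE_INSTALLED = ["1.5.0_10", "1.5.0_09", "1.4.2_12", "1.4.2_13", "1.3.1", "1.6.0"]

if __name__ == "__main__":
    for v in SAMPLE_INSTALLED:
        print(v, "REMOVE" if is_affected(v) else "ok")
```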

Illustrated instructions for updating and removing vulnerable versions are provided in “SunFlowers and SunJava Update.”

Security Garden