In my blog entry last Friday, I mentioned some confusion over the Java update. This centers around three points, 1) Sun’s version nomenclature, 2) Conflicting info from Sun on what is the current version, and 3) Whether you need to uninstall your current JRE before installing the newer version.
The first item isn’t too difficult, and is more annoying than anything else, but I still wish Sun would just make up its mind and use one consistent versioning system. Basically, you’ll see the same version called two different things, depending on where you’re at. Version 1.6.0_04 is also referred to as Java Version 6,Update 4, etc.
Item number 2 is a little more annoying. If you go to www.java.com, it will tell you that the “recommended” version is Version 6 Update 3; however, go to java.sun.com, and you’ll be offered Version 6 Update 4, which is the update that contains the latest round of security patches. Also, if you are relying on the “auto update” feature of the Java control panel, it will tell you that you are currently up to date, even if you only have Update 3. Finally, Sun still supports Version 5 (or 1.5.x) and is still releasing security patches for it as well. If for some reason you have to run 5 instead of 6, the current version for it is Version 5 Update 14.
My recommendation: go to http://java.sun.com/javase/downloads and manually download JRE 6 Update 4, and install it yourself.
The third item is by far the most complicated, and I haven’t been able to find an authoritative answer. The original problem is that installing new versions of the JRE would still leave the old versions in place and callable. Sun did this for compatibility reasons. However, the downside was that if there was a serious security hole, simply installing the new version did not prevent you from being exploited. At some point along the way, Sun realized the error of their ways, and addressed this. BUT, the way they did it was NOT to remove the old version, but to make the older versions uncallable (One has to wonder why they did it that way, but I’m sure they have their reasons). This has obviously led to a lot of conflicting opinions about whether one should completely uninstall the existing JRE before installing the new version, and some folks still claim that despite what Sun says, these older versions are still exploitable (however those are all just opinions, I didn’t see anyone offering proofs). I’ve personally decided that I’m OK with just installing the new version, but if you want to be absolutely sure, you can always do the uninstall, but you’ll have to do it manually, and the scope of that is beyond this blog. However, google “uninstall Sun Java” and you’ll find lots of opinions on the best way to do this.
