Security vulnerabilities in older versions of the Java Plug-in
843811 — Dec 13 2004, edited Jan 5 2005

If I have an old version of the Java Plug-in installed and it has a known security vulnerability, is there any way to prevent that vulnerability from being exploited?
In the past, certain releases of the Java Plug-in have been identified with security vulnerabilities. Although it is possible to download a newer version of the Java Plug-in, the vulnerable version of the Plug-in remains on the Windows workstation unless it is deliberately removed. Furthermore, it is possible to write HTML that requires that a specific version of the Java Plug-in be used, even if it is not the newest version on the machine.
Some users have a good reason for keeping a vulnerable version of the Java Plug-in installed; it may be the only version that a particular application runs on. How do users in this situation protect themselves from attacks that seek to exploit the vulnerabilities of an older Java Plug-in?
Is it possible to configure Internet Explorer and other browsers to only use older Plug-ins for certain applications? IE 6 has a security zone setting for "Run ActiveX controls and plug-ins" where the value can be set to "Administrator approved". Is this a good way to protect against this form of attack? Are there other ways to do this?
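As an added example (not part of the original post or any reply to it), the following PowerShell script audits the per-zone "Run ActiveX controls and plug-ins" action that the question refers to and switches it to "Administrator approved" for the Internet and Restricted sites zones. It assumes the documented registry layout of IE security zones (action value `1200` under `Internet Settings\Zones\<n>`, with `0` = Enable, `1` = Prompt, `3` = Disable and `0x10000` = Administrator approved) and the standard zone numbering (0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites); the function names are my own.

```powershell
# Added example, not from the original post. Audits and tightens the IE
# "Run ActiveX controls and plug-ins" action (registry value 1200) per zone.
# Value meanings assumed from Microsoft's documented zone settings:
#   0 = Enable, 1 = Prompt, 3 = Disable, 0x10000 = Administrator approved.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$RunActiveX    = '1200'
$AdminApproved = 0x10000

function Get-ZoneKey {
    param([int]$Zone, [string]$Hive)
    # Zone settings live under HKCU by default; they move to HKLM when the
    # "Security Zones: Use only machine settings" policy is in effect.
    return "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
}

function Get-ActiveXZonePolicy {
    # Report the current action for every zone so the gap is visible before changing anything.
    param([string]$Hive = 'HKCU')
    foreach ($zone in 0..4) {
        $key   = Get-ZoneKey -Zone $zone -Hive $Hive
        $value = (Get-ItemProperty -Path $key -Name $RunActiveX -ErrorAction SilentlyContinue).$RunActiveX
        $state = if ($null -eq $value) { 'not set (zone default)' }
                 else {
                     switch ($value) {
                         0       { 'Enable' }
                         1       { 'Prompt' }
                         3       { 'Disable' }
                         65536   { 'Administrator approved' }
                         default { "unknown ($value)" }
                     }
                 }
        [pscustomobject]@{ Zone = $zone; Name = $ZoneNames[$zone]; RunActiveX = $state }
    }
}

function Set-ActiveXAdminApproved {
    # Restrict the zones where untrusted pages arrive; leave Trusted sites alone so the
    # legacy application that needs the old Plug-in can be reached from a trusted host.
    param([int[]]$Zones = @(3, 4), [string]$Hive = 'HKCU')
    foreach ($zone in $Zones) {
        $key = Get-ZoneKey -Zone $zone -Hive $Hive
        Set-ItemProperty -Path $key -Name $RunActiveX -Value $AdminApproved -Type DWord
    }
}

# Usage: show the state, tighten Internet + Restricted sites, show it again.
Get-ActiveXZonePolicy | Format-Table -AutoSize
Set-ActiveXAdminApproved
Get-ActiveXZonePolicy | Format-Table -AutoSize
```

Two caveats worth keeping in mind when using this. First, "Administrator approved" only blocks controls that are not on the approved-controls list, which is maintained separately through Group Policy; an empty list means no control runs from those zones, so the legacy application's host should be added to Trusted sites rather than approving the old Plug-in control itself. Second, the setting changes which pages may load a control, not which versions are installed: the vulnerable Plug-in is still present and reachable from any zone left at "Enable", so uninstalling the old version where an application does not truly require it remains the stronger fix.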