Remove Old Versions of Java and Flash

by on November 4, 2007 in Security

Part of a holistic approach to workstation security includes keeping your applications up-to-date. I’ve long recommended using Secunia’s Software Inspector to determine if you are using insecure versions of software. If it detects an insecure version of software it will provide you with a direct link to the updated package, unfortunately this may not be enough.

For some reasons to major software vendors, Sun Microsystems and Adobe, don’t see the need to remove old versions of their software through the updated package. This is as unbelievable as it is unacceptable. Specifically I’m speaking of the Sun Java and Adobe Flash applications.

Java – You can install the latest version of Java and it will not remove the old version. Not only does this lead to a false sense of security since older versions of Java can be specficially called it is also a waste of disk space. Each version of Java is 100Mb+ and I routinely see 3 versions on a system. So prior to installing the updated Java package make sure you remove the old version via “Add or Remove Programs”.

Flash – Same song second verse. Flash is a program found on almost every computer but may not be listed as a standalone application, this can make removing Adobe Flash can be a bit trickier. If Flash does show up in Add/Remove then simple uninstall prior to installing the new version. If it doesn’t you can download Adobe’s Flash Uninstaller to do the job for you. Make sure you close all web browsers, chat clients, etc… prior to running the Uninstaller. If you are extra paranoid Go to C:\WINDOWS\System32\Macromedia\Flash\ (or equivalent path for your Windows installation) and delete all .ocx files.

The goal is to ensure that Secunia’s Software Inspector detects only the latest patched versions of applications.

Adobe… Sun… Fix this please.

Tagged as: Utilities

  • Randallrocks

    thanks. i wondered if you could. (comp’s way faster now)

    ~Randallrocks
    http://randallrocksblog.blogspot.com/

  • Smiling Carcass

    Sometimes Secunia detects multiple versions of flash, some out of date because applications have .ocx and .dll files associated with flash in their own program folders. Neither the flash installer nor the uninstaller will replace or delete these, and we would probably complain if they did mess with files in independent program folders. Either update the software and if this fails replace the old .ocx and .dll’s with the latest versions. I did this by searching my own machine for newer versions of the files and fixed it that way. Be aware, though, that this can be intuitive and not for the faint hearted since some of the newer files will have exactly the same file names, the .dll’s in particular, but the .ocx’s tend to have slightly different names such as Flash9b.ocx being replaced with Flash9d.ocx.
    So it isn’t all Adobe’s fault!

  • Tsu Doh Nimh

    Thanks for the info, I’ll update the post. I appreciate the comment.

  • Smiling Carcass

    Glad to help. It can be a very frustrating experience to follow advice that others have found useful and have it not work for you, particularly if you don’t know why. This will explain to others a possible ‘why’ if your otherwise excellent advice doesn’t work for them.
    And I do agree, Java and Flash do have a nasty habit of leaving traces around your machine. Just it’s not always their fault.

  • Smiling Carcass

    Just another little tip- Secunia will tell you where the outdated files are. If you click the button next to the flash files that passed Secunia’s scan, it will tell you where these files are located and you can copy the files that passed into the directory where they are old files and ok the replacement. While this has always worked for me, don’t shout at me if it soesn’t work for you- set a restore point, at least!

  • MikeVirtual

    Have done the same thing Smiling Carcass suggests (overwriting flash files) for ages with no problems. I tried doing similar for Java but with problems:

    Installed Adobe CS3 Web Premium, which installs Java local to Version Cue and also Flash, so despite installing latest version of Java and removing old versions from Add/Remove programs, I am still left with 2 insecure versions.

    First, I tried overwriting entire java/bin directory in Flash CS3 with files from latest java install – broke Flash CS3 – hung if you tried to import video (which uses java).

  • MikeVirtual

    Next, reverted to original java/bin directory in Flash CS3, then overwritten just the java.exe file. This stops secunia psi reporting the software is insecure.

    I presume this is merely fooling secunia psi into thinking the software is updated.

    Any one know if this is the case?

Previous post:

Next post: