Only two days ago I wrote how browser plugins are the biggest security risk today. And yesterday I experienced first-hand how one would get outdated and insecure plugins installed. I installed Lexware Steuer 2009 (for the German readers: yes, that’s the one you get at Aldi and that always gets good marks in software tests). And then Secunia PSI went berserk warning me about various security threats on my computer. Turned out, this application installed without even telling me: Java Runtime Environment 1.6.0 Update 2 (released July 2007, current version is 1.6.0 Update 18), Flash Player ActiveX (released April 2008, current version is, MSXML 4.0 SP2 (released June 2003, current version is 4.0 SP3).

Uninstalling the first two (luckily unnecessary for the core functionality) and updating the last one (required, the application won’t work with MSXML 6.0) solved the problem for me. However, I wonder how many people didn’t notice the security holes being installed on their computer. Also, somebody who isn’t aware of ever installing Java won’t be inclined to update it either. I wonder whether packaging up applications with outdated libraries is common for software you buy on CD (obviously, I don’t do that very often). While I understand that this software is supposed to be installable/usable without an internet connection (you cannot simply download the latest Java version), is packaging up the most recent versions really too much to ask?
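As an added illustration (not code from the post or from any tool it mentions), here is a small Python check that scans an installed-programs listing and flags runtimes older than the versions the post names as current. The inventory lines are constructed for the example, and Flash Player is left out of the baseline because the post does not state its current version.

```python
import re

# Baseline "current" versions as the post states them (early 2010).
# Flash Player is omitted: the post gives no current version for it.
BASELINE = {
    "jre": (1, 6, 0, 18),   # Java Runtime Environment 1.6.0 Update 18
    "msxml4": (4, 0, 3),    # MSXML 4.0 SP3
}

# Constructed sample of display names in the shape of an Add/Remove
# Programs listing; not taken from any real machine.
SAMPLE_INVENTORY = [
    "Java(TM) SE Runtime Environment 6 Update 2",   # bundled by the installer
    "Java(TM) 6 Update 18",                         # current at the time
    "J2SE Runtime Environment 5.0 Update 6",        # leftover side-by-side copy
    "MSXML 4.0 SP2 (English)",
    "MSXML 6.0 Parser",                             # separate product line, ignored
]

def parse_version(name):
    """Map a display name to (product, comparable version tuple), or None."""
    m = re.search(r"(?:Java|J2SE).*?(\d+)(?:\.(\d+))?\D+Update (\d+)", name)
    if m:
        # "6 Update 2" and "5.0 Update 6" both follow the 1.<major>.0_<update> scheme
        return "jre", (1, int(m.group(1)), 0, int(m.group(3)))
    m = re.search(r"MSXML (\d+)\.(\d+)(?: SP(\d+))?", name)
    if m and m.group(1) == "4":
        return "msxml4", (4, int(m.group(2)), int(m.group(3) or 0))
    return None

def find_outdated(inventory, baseline=BASELINE):
    """Return (name, installed, required) for every entry below its baseline.
    Old side-by-side copies are reported too, since they stay exploitable."""
    findings = []
    for name in inventory:
        parsed = parse_version(name)
        if parsed is None:
            continue
        product, installed = parsed
        if installed < baseline[product]:
            findings.append((name, installed, baseline[product]))
    return findings

if __name__ == "__main__":
    for name, have, need in find_outdated(SAMPLE_INVENTORY):
        print(f"OUTDATED: {name}: installed {have}, baseline {need}")
```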

  1. Anthony Hughes

    I couldn’t agree more. Plugins are a huge problem in today’s landscape. I recently noticed, on my parents’ computer, they had 4 different versions of the JRE Plugin installed (oldest being 1.6u4). This was a direct result of the Java Updater service not being given the functionality to either update the local files or to just uninstall the old files and install the new ones. Removing the old plugins from Add/Remove Programs cleaned this up.

    However, it is unnerving that a company like Sun has a particularly low bar when it comes to garbage collection.

    Reply from Wladimir Palant:

    Newer JRE versions no longer leave the old version on disk – but that only works starting with 1.6.0u10. If some application installed an older version then the updater will not be able to remove it. And recently it has been demonstrated that these left-overs are still a security risk even if a newer version has been installed next to them. Ouch… But at least now the blame is shifted from Sun to vendors who still package these old Java versions (not that Sun is out of the woods, Java update experience is still horrible).

  2. johnjbarton

    “I wonder whether packaging up applications with outdated libraries is common for software you buy on CD (obviously, I don’t do that very often).”

    In today’s world, the average user always installs out-of-date software. That is because the average user is installing (on average) a very popular program. Intense competitors chase popular programs, so they all must add new features rapidly. Thus all popular programs are out of date upon install these days.

  3. Robert Kaiser

    On Windows, this has been common practice for years, if not decades: Some installation package, disk or CD installs all libraries and apps it depends on in the versions that were just available to the one creating the package, that he has tested his software to work with and that he has licensed to put on the installation media.
    Very often this ends up being outdated Adobe/Macromedia and Microsoft apps and libs, or Java. In earlier times, when Windows didn’t allow installing several different, possibly incompatible versions of the same library on the system (another hole to look at, btw), you could easily end up overwriting a newer library version with an older one and breaking some other application in the process.

    The only decent way I saw that can solve that is when one single entity compiles and packages almost every application and library of software you have installed, be it yourself or an external entity, and that one cares about consistency and being up-to-date in terms of security. For obvious reasons, that only works reasonably with FOSS and is one of the nicest advantages of Linux distros.

  4. LorenzoC

    Firefox can tell you if plugins are outdated.
    Problem is in some situations you can’t update the plugin for some reason, like in my case I am using Win2K on a computer and you don’t have Quicktime or Windows Media Player updates for it. Yes, you can disable/remove the outdated plugins.

  5. Daniel Howard

    Wow. The OS should support basic management of software dependencies and keeping things up to date. When I run Windows, Windows wants to update itself, and Internet Explorer, then Java wants to update itself, then Firefox wants to update itself, then when you launch Firefox it wants to update its plugins . . . this isn’t how we do things in Unix land.

    Admittedly, managing software dependencies, especially when software breaks backward compatibility and requires multiple versions available, is a tricky business, but then Microsoft is charging $200 for a copy of Windows 7, so you really should get something out of that . . .

    PS Your web site’s comment system is a tad frustrating: load page, take a shower, read, write a comment, hit “Preview”, told “403 timeout” error, copy comments, reload, paste, handle phone call, time out, copy, reload, paste . . . BLAH! Make it better, please. Thanks!


    Reply from Wladimir Palant:

    Checked the logs – apparently, your comment got rejected by the anti-spam system twice. It won’t let you post if the comment form is more than one hour old. I didn’t really expect this to be an issue for somebody, will increase the timeout to six hours. That should be enough to take a shower?

  6. Robert Dell

    The time to wait until the net times out is adjustable. It’s a standard of 5 minutes but you can drop it down to 30 seconds if you like but you’ll be getting dropped pages once in a while, sometimes when you really NEED them like clicking purchase if you do.

