When it comes to security, Sun tends to be subject to much less criticism than some other system software vendors we could mention. But one reader thinks that a little more scrutiny of Sun would be a good thing, particularly in terms of how it handles Java security updates.

The reader first wrote me in early July about his frustration with keeping up with Sun’s oversized and numerous Java updates, and also with keeping the old updates from piling up. “Sun continues patching the JVM every few months, and gets in streaks where they patch every few weeks,” the reader wrote. “Although I run the jusched.exe process on several PCs that supposedly monitors the Sun site for updates and takes up cycles and memory, I still had no idea that Java 1.5.0.7X came out several weeks ago, until I read it in an enthusiast’s posting. Sure enough, there it was on the Sun Web site. So I installed it and as usual, 1.5.0.6X was still installed. I uninstalled it and sure enough, some folders for it (and 1.5.0.5X!) were still around … From Sun’s explanation, it would seem the Java architecture is so flawed that removing files and folders from older versions breaks stuff, since it can’t rely on something like the Registry for versioning. So instead it leaves the old versions on the disk — which, by the way, could allow the exploits the update is guarding against to be executed anyway. What kind of security is that?”

In September, the reader wrote again.
“Just so you know, 1.5.0.7X was withdrawn, replaced with 1.5.0.6X for several weeks, then replaced with 1.5.0.8X, then that was in turn withdrawn and the Java site reverted — ONCE AGAIN — to 1.5.0.6X. Last time I checked, 1.5.0.8X was not available. Pitiful – doesn’t Sun do any quality control before they release their bloatware to the world?”

Last week the reader wrote in again to say the beat still goes on, this time with the now-released Java Runtime Environment 1.5.0.9X. “If you go to the Java.com site that is what you will get,” the reader wrote. “In the meantime, update .6X was the last ‘official’ release. According to some channels, update .8X was issued for Vista compatibility, so that the Aero UI was not disabled while the JVM was loaded. However, until the other day, if you visited the site with Vista RC 1 the Java version you were presented to download was Update 6. Since I last wrote, if you used the Java verification applet on the Java site, you were told: ‘Congratulations! You Have the Latest Version of Java!’ whether you had .6X, .7X, or .8X. Confused yet? And note that .9X also was patched immediately on release from b01 to b03 — really nice regression testing, huh? And they are still continuing in the grand Sun tradition of not automatically removing the older version when the update is installed.”

Why, the reader wonders, isn’t Sun getting the same kind of heat over its less-than-secure security updates that Microsoft is? “Unlike Microsoft’s security issues, Sun gets a free ride on security patches for Java. No flames, no editorial comment. I suspect that this is due to the concept that Java runs in a ‘sandbox’ so it can’t harm a PC like an ActiveX component. I know I have been asked to give those permissions to a Java app, so I guess I miss the distinction. For me, Sun’s cross-platform promises for Java have just turned into cross-platform insecurity.”