Sun finally admits that previous JRE's WERE vulnerable
Java Plug-in and Java Web Start May Allow Applets and Applications to Run With Unpatched JRE
At the very bottom of the above page it clearly states
Note: It is recommended that affected versions be removed from your system. For more information, see the installation notes on the respective java.sun.com download pages.Note this bulletin, issued August 21st, refers to the 1.5.0_05 JRE and prior. This caught my eye:
The Java Plug-in and Java Web Start both allow applets and applications to specify the version of the Java Runtime Environment (JRE) to run with. However, the versions of Java Web Start and the Java Plug-in listed in Section 2 below may allow applets or applications to run with a specified version of the JRE that does not have the latest security fixes.2. Contributing Factors
* Java Plug-in included with J2SE 5.0 Update 5 and earlier, 1.4.x,
1.3.1, and 1.3.0_02 and later
* Java Web Start included with J2SE 5.0 Update 5 and earlier, and
1.4.2
* Java Web Start 1.2, 1.0.2, 1.0.1, and 1.0
Now they state that
Notes:Which is exactly what I've been complaining about since Feb, 2005.
1. Prior to 5.0 Update 6, an applet could specify the version of the JRE on which it would run. With 5.0 Update 6 and later installed on the Windows platform, all applets are executed with the latest version of the JRE.
So, in effect, removing any JRE prior to 1.5_06 will mitigate any malware running prior, vulnerable versions.
The only reason one would remove 1.5.0_06, or v.07 would be to conserve disk space, according to Sun.
I may be a tad "crazy", but I ain't dumb, Sun. ( Or is that dim sum ;)