Only two days ago I wrote about how browser plugins are the biggest security risk today, and yesterday I experienced first-hand how outdated and insecure plugins end up installed. I installed Lexware Steuer 2009 (for the German readers: yes, that’s the one you get at Aldi and that always gets good marks in software tests). Then Secunia PSI went berserk, warning me about various security threats on my computer. It turned out that this application had installed, without even telling me: Java Runtime Environment 1.6.0 Update 2 (released July 2007; current version is 1.6.0 Update 18), Flash Player ActiveX 220.127.116.11 (released April 2008; current version is 10.0.42.34), and MSXML 4.0 SP2 (released June 2003; current version is 4.0 SP3).
Uninstalling the first two (luckily not needed for the core functionality) and updating the last one (required; the application won’t work with MSXML 6.0) solved the problem for me. However, I wonder how many people didn’t notice the security holes being installed on their computers. And somebody who isn’t aware of ever having installed Java won’t be inclined to update it either. I wonder whether bundling applications with outdated libraries is common for software you buy on CD (obviously, I don’t do that very often). While I understand that this software is supposed to be installable and usable without an internet connection (the installer cannot simply download the latest Java version), is bundling the most recent versions really too much to ask?
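The check Secunia PSI performed here is, at its core, a comparison of installed component versions against the current releases, followed by a decision to remove or update. The following Python script is an added example (not part of the original post and not Lexware's or Secunia's code) that does this over a small inventory built from the three components named above. The version strings and the "required" flags come from the post; the inventory itself is constructed, and because the post's Flash Player version string did not survive extraction, that entry uses an obviously fake placeholder version.

```python
"""Flag bundled runtimes that are behind the current release.

Added example, not code from the original post. The inventory below is
constructed from the figures in the post; the Flash entry uses a
placeholder version because the post's string for it is unreadable.
"""
import re
from dataclasses import dataclass


def parse_version(text: str) -> tuple:
    """Turn a vendor version string into a comparable tuple of integers.

    Handles the formats that appear in the post:
      '1.6.0 Update 2' -> (1, 6, 0, 2)
      '1.6.0_18'       -> (1, 6, 0, 18)
      '10.0.42.34'     -> (10, 0, 42, 34)
      '4.0 SP2'        -> (4, 0, 2)
    Update and service-pack numbers become the trailing component, so a
    plain '4.0' sorts below '4.0 SP2'. Caveat: only strings from the same
    naming scheme are comparable (e.g. '1.6.0_18' vs 'Java 6 Update 18'
    are not), so normalise vendor names before comparing.
    """
    numbers = [int(n) for n in re.findall(r"\d+", text)]
    if not numbers:
        raise ValueError(f"no version digits in {text!r}")
    return tuple(numbers)


@dataclass(frozen=True)
class Component:
    name: str
    installed: str
    current: str
    required: bool  # does the application actually need it?

    @property
    def outdated(self) -> bool:
        return parse_version(self.installed) < parse_version(self.current)


# Constructed inventory, mirroring what the Lexware installer dropped.
INVENTORY = [
    Component("Java Runtime Environment", "1.6.0 Update 2",
              "1.6.0 Update 18", required=False),
    # Placeholder installed version: the post's value is garbled.
    Component("Flash Player ActiveX", "0.0.0.0",
              "10.0.42.34", required=False),
    Component("MSXML 4.0", "4.0 SP2", "4.0 SP3", required=True),
]


def report(inventory) -> dict:
    """Map each component to the action the post took by hand:
    'remove' for an outdated component the application does not need,
    'update' for an outdated one it does need, 'ok' when it is current."""
    actions = {}
    for c in inventory:
        if not c.outdated:
            actions[c.name] = "ok"
        elif c.required:
            actions[c.name] = "update"
        else:
            actions[c.name] = "remove"
    return actions


if __name__ == "__main__":
    for name, action in report(INVENTORY).items():
        print(f"{action:7} {name}")
```

In practice the installed versions would be read from the machine (the Windows registry or the DLL file versions) rather than typed in, and the "current" column would come from a vendor feed; the point of the example is the decision logic: an outdated component the application does not need is attack surface with no upside and should simply go.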