Middleware Software

There are many software packages out there that when you update or upgrade it to a newer version the old version is not removed. Middleware software such as .Net Framework, Oracle WebLogic, Java Runtime Engine, etc., are especially bad about this. Things like .Net Framework from Microsoft are often overlooked as it is assumed that it is updated by Windows Update and that there is only one version installed.

When a software update doesn't remove old versions they leave the vulnerabilities in them on the computer. Thinking that you are safe from a vulnerability in old software because you have the new version is dangerous mindset, you need to remove the old versions as well.  For some software, removing the old version isn't simple or easy as there might be dependencies on that exact version. Java Runtime Engine (JRE) is a perfect example of this as things written on top of JRE is usually written to a very specific version, and you simple can't remove that version of JRE without breaking stuff. Careful analysis need to be performed as what is dependent on that version and if that specific version has an update.  Another example is .Net Framework. There are a lot of things still depending on .Net Framework 3.5, while others are using version 4.8. If a vulnerability is discovered in version 3.5, installing version 6 is not the best solution. The proper solution is to find the latest update to version 3.5, at the time of this writing that is 3.5 SP1. If you have confirmed that a vulnerable version is in fact not in use anymore, then you need to remove it according to manufacturer instructions. Sometimes that is done via add/remove software, sometimes there is a standalone uninstaller and sometimes you need to manually remove it.