For the past 15 years or so, IT administrators have been under the misperception that updating Java would address its security issues. They have been told that to improve security, they should continuously and aggressively deploy Java updates on all of their endpoints. Unfortunately, updating is not the same as upgrading. Until very recently, those updates have failed to deliver the promised security upgrade because they have not removed older, highly vulnerable versions of Java they were intended to replace. As a result, most organizations have multiple versions of Java on their endpoints, including some that were released at the same time as Windows 95.