The U.S. Department of Homeland Security issued a warning on Thursday about a security vulnerability in Oracle's Java software and recommended that users disable Java on their computers. It has kept that recommendation even after Oracle released an update with a fix on Sunday: Java 7 Update 11, which patches the vulnerability being exploited in Update 10 and earlier versions.
It is rare for a vulnerability to warrant a statement from the government, or to receive as much press coverage as this one has. Various reports claim that attackers have been exploiting the flaw in Java 7 Update 10 to install malware that lets them take control of computers remotely and demand payment to return control to the user (so-called "ransomware"), as well as to commit identity theft and the many other crimes that stolen credentials make possible. This is especially worrying for law firms, whose sensitive data may be at the mercy of such attackers.
There are two courses of action (or three, if you count doing nothing, which is not recommended):
1. Patch Java
This is the approach that Kraft Kennedy is taking with its own internal systems.
- If you are currently running Java 6 on your workstation, make sure that you are on the latest version, Java 6 Update 38.
- If you are on Java 7, update to the latest version, which is currently Java 7 Update 11.
Go to this page to check your current version of Java and upgrade if required.
Many of our clients do not permit users to update software themselves. If that applies to you, contact your IT team if they have not already communicated with you about this issue.
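One way for an IT team to check a fleet against the minimum versions named in step 1, as an added example that is not part of the original post: the script parses `java -version` output and reports whether the installed release is at or above Java 6 Update 38 or Java 7 Update 11. The thresholds come from the post; treating any other release line as unpatched is an assumption made here.

```python
import re
import subprocess

# Minimum patched releases named in the post. Assumption: any other release line,
# or anything that cannot be parsed, is reported as unpatched.
PATCHED_MIN = {6: 38, 7: 11}


def parse_java_version(version_output):
    """Turn the first line of `java -version` output, e.g.
    java version "1.7.0_10", into (major, update), e.g. (7, 10)."""
    m = re.search(r'(?:java|openjdk) version "1\.(\d+)\.\d+_(\d+)"', version_output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_patched(version_output):
    """True only when the release line is 6 or 7 and the update number
    meets the minimum from PATCHED_MIN."""
    parsed = parse_java_version(version_output)
    if parsed is None:
        return False
    major, update = parsed
    minimum = PATCHED_MIN.get(major)
    return minimum is not None and update >= minimum


def check_local_java():
    """Run the installed java (it prints its version to stderr) and classify it."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "Java not found on PATH (nothing to patch on this machine)"
    text = (proc.stderr or proc.stdout).strip()
    first_line = text.splitlines()[0] if text else "(no version output)"
    return ("patched: " if is_patched(text) else "UNPATCHED: ") + first_line


# Constructed sample outputs in the format `java -version` uses (not captured from a real machine).
SAMPLES = [
    'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)',
    'java version "1.7.0_11"',
    'java version "1.6.0_37"',
    'java version "1.6.0_38"',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.splitlines()[0], "->", "patched" if is_patched(sample) else "UNPATCHED")
    print(check_local_java())
```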
2. Disable Java
This is still the Department of Homeland Security’s official recommendation.
If you don't need Java for any of your critical line-of-business applications, disable Java completely on your workstations, or enable it only for those people whose job functions require it. This option eliminates the threat completely, but many websites and online services that rely on Java will stop working.
Follow these directions to disable the software.
According to Reuters, Java was to blame for about half of all cyber attacks in the last year, an exceedingly high share. Many believe Java remains unsafe even after the update, and some estimate that it may take up to two years for this single flaw to be fully fixed. Deployed on as many as 850 million computers, Java is widespread and puts a great many users at risk.
Java's future as a browser applet platform may be uncertain, given the frequent security risks it poses and its declining prevalence and necessity for browsing the web. The software faces a lot of competition from the major browsers' support for JavaScript.
We encourage all our clients to continue to be proactive about patching their systems. Problems of this type occur frequently and usually do not receive this much attention.