IT personnel, and anyone who reads the news, woke up on January 12th to find an unprecedented announcement in newspapers, on TV, across the blogosphere; everywhere, really. The Department of Homeland Security had issued a warning to ALL computer users to immediately disable Java plugins for their browser due to a vulnerability that could expose untold numbers of computer users to attacks. Here are five things everyone should know about the Java security flaw:
2) Users who rarely upgrade Java were actually safer than those who religiously patch and update their software. That’s because this flaw was strictly limited to Java 7, update 10. Those running older versions were unaffected by the attack, which could allow malicious code to escape the “sandbox” in which Java runs and execute on your PC.
3) From the time the DHS sent out its warning, it took Oracle just about 2 days to release an update that fixed the security flaw. While two days does not sound like much, for many companies that run applications through Java, that period meant they were either open to attack or unable to perform their jobs. Still, in the grand scheme of bug patches, two days is much better than the track record of companies like Microsoft and Apple, which often take weeks to fix obvious and known security problems.
4) Java users still aren’t safe. The very nature of Java means that exploits against it remain very likely. Even after updating to the latest version, many experts suggest that users take caution when running any Java applets through the web. While the update raises the security settings and forces users to authorize any code that gets run or downloaded, it does nothing to stop malicious code from executing once a user clicks “OK”.
5) A strong internet security policy can greatly reduce the inherent risks of Java. Limiting which websites your employees can visit and which applets and programs they can use on machines connected to your company network means that malicious code won’t even get a chance to exploit these kinds of opportunities. Set and enforce browsing policies.