I’ve lost track of how many times I’ve asked security experts about Java’s security problems. I don’t know why I bother anymore because the answer is always the same: Uninstall it from your computer.
However, I suspect most people don’t do that. I know I almost never think about Java until I see a pop-up telling me I need Java when I visit a website on a computer without Java installed, or I get a Java update alert on a computer I rarely use.
A Java zero-day surfaced Sunday night. There is currently no patch, and Rapid7 is recommending that users take the vulnerability seriously and disable Java completely until a fix is available.
The Rapid7 alert was followed up by FireEye, which reported:
A new Java zero-day vulnerability has been spotted in the wild. We have seen this unpatched exploit being used in limited targeted attacks. Most of the recent Java runtime environments, i.e., JRE 1.7x, are vulnerable. In my lab environment, I was able to successfully exploit my test machine against the latest version of Firefox with JRE version 1.7 update 6 installed.
An infected computer could be used as a drone for a malware botnet, according to ZDNet.
No one knows when Oracle will release a patch for this new vulnerability in Java, which is why Rapid7 suggests disabling Java for the time being (or maybe for good?). Since the exploit reported so far is delivered through the browser, the minimum step is disabling the Java browser plug-in; standalone Java applications do not depend on it. But is that a course IT pros will want to take? On the other hand, can a company afford the risk of leaving Java enabled on its computers?
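As an added example (not code from the original post, Rapid7 or FireEye), here is a small POSIX shell check that parses `java -version` output and flags the JRE 1.7 family that FireEye reports as affected. It assumes the standard `java version "1.7.0_06"` output format; the two sample outputs embedded below are constructed for illustration, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not from the original post: flag a JRE 1.7.x install,
# the family FireEye reports as affected by the unpatched zero-day.
# Assumes `java -version` prints a line of the form: java version "1.7.0_06"

# Extract the quoted version string from `java -version` output.
jre_version() {
    printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# Return 0 (true) when the version belongs to the JRE 1.7 family.
jre_affected() {
    v=$(jre_version "$1")
    case "$v" in
        1.7.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_17='java version "1.7.0_06"
Java(TM) SE Runtime Environment (build 1.7.0_06-b24)'
SAMPLE_16='java version "1.6.0_33"
Java(TM) SE Runtime Environment (build 1.6.0_33-b03)'

# Check the JRE on PATH of the machine this runs on, if any.
# `java -version` writes to stderr, hence the 2>&1.
check_local_jre() {
    if command -v java >/dev/null 2>&1; then
        out=$(java -version 2>&1)
        if jre_affected "$out"; then
            echo "AFFECTED: JRE $(jre_version "$out") is in the 1.7 family"
        else
            echo "not in the 1.7 family: JRE $(jre_version "$out")"
        fi
    else
        echo "java not found on PATH"
    fi
}

check_local_jre
```

This checks the JRE on PATH, which is only a proxy for the exposed surface: the attack reported so far arrives through the browser plug-in, so a host can have no `java` on PATH and still carry a vulnerable plug-in, or the reverse. Treat an "AFFECTED" result as a reason to disable the plug-in now, and a clean result as a reason to check the browser's plug-in list rather than as a clean bill of health.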
As I said earlier, this new zero-day vulnerability may be the one that triggers a discussion about whether Java is worth the hassle and the security risk.