Mozilla has also shut off auto-loading of plug-ins like Java for its Firefox users. While this is less disruptive than the Apple blacklisting technique, it would still be best for patches to be automatically applied through the application. Java isn’t necessarily an enterprise software concern; it’s primarily a desktop-level one, and for concerns at that level, automatic patching is definitely best.
Many organizations, including the Department of Homeland Security, have recommended that users disable Java completely. While this is certainly a good way to prevent issues on your machine, it may not be a realistic option for some people. Many applications run on Java, and users will quickly become frustrated when these don’t work and will re-enable Java as a result. It’s difficult to just walk away. So while we wait for a realistic option like HTML5 to gain steam, remember to always apply the latest patches as they become available to ensure your machine is as secure as possible. If you have to install Java, install the latest version. When you install the newest version, Oracle will allow you to uninstall all previous versions, which ensures that you are only running the latest, most secure version of the software. It also offers a single check box to disable Java.
According to Paul Henry, security and forensic analyst at Lumension, it’s going to be a rough Valentine’s Day for many IT admins this month. With ongoing issues with Java and 12 bulletins from Microsoft, including five critical issues and many restarts, it’s going to be a very disruptive Patch Tuesday.
It’s disturbing to note how many different Microsoft platforms are critically affected this month. Everything from Windows XP to the new Windows RT is critically impacted. It’s never a good sign when your current code base is impacted. There are also many more bulletins this month than we’ve seen in the last few months. Henry noted in December that 2012 brought more consistency and stability to Patch Tuesday than we saw in 2011. He hopes that this month is a one-time spike and not a return to the yo-yo pattern of 2011.