It’s easy for news to be missed in the days leading up to a holiday weekend when everyone’s in a hurry for some relaxation time. Cybersecurity, of course, never goes on vacation. In fact, it isn’t unusual for there to be a major breach or other incident during holiday lulls because it’s less likely to be noticed.
Some important news at the end of last week that may have been overlooked involves Java. If you haven’t updated from Java 6, you are vulnerable to a zero-day attack. As ZDNet explains:
The vulnerability ‘can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets,’ according to Oracle’s Java SE Critical Patch Update Advisory in June. The bug was assigned a score of ten out of ten in Oracle’s Common Vulnerability Scoring System—rating the flaw of extreme importance.
Java 6 is an older version of Java, and as Qualys CTO Wolfgang Kandek said, if you can, you should upgrade to Java 7 as soon as possible. But as with IE6, many companies are still using Java 6. Kandek explained why:
We see still very high rates of Java 6 installed, approximately 50%, which we attribute to the lock-in that organizations experience when they run software applications that require the use of Java 6. I have talked to organizations that have pointed out that they cannot update or disable Java because it would affect business critical applications. So in essence, they accept the risk of outdated Java in order to be able to continue to do business. Some of the organizations have moved to contain Java, but that seems to be a rather rare effort.
The issue was also found in Java 7, but it has been patched. An update for Java 6 is available only for paying clients because Java 6 has been retired. The last publicly available update was in February.
If you continue to use Java 6, Kandek suggested that you may want to try whitelisting Java applets. Internet Explorer supports this out of the box through its concept of “Zones.” While this is not a perfect solution, it should deal with the most common attack vector—an applet embedded in a Web page.
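To make the zone-based whitelisting concrete, here is an added PowerShell sketch (not from the article, Kandek, or Oracle) that disables Java in IE's Internet zone and allows it only for hosts placed in the Trusted sites zone. It assumes the per-zone `1C00` "Java permissions" DWORD and the `ZoneMap\Domains` layout documented in Microsoft's IE security-zone registry reference, zone numbers 3 = Internet and 2 = Trusted sites, and uses a placeholder host name.

```powershell
# Added example, not the article's or Oracle's code. Assumed registry layout (from
# Microsoft's IE security-zone registry documentation): each zone key holds a DWORD
# named 1C00 ("Java permissions"); ZoneMap\Domains maps hosts to a zone number.
$ZonesRoot   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$DomainsRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Java permission levels as stored in the 1C00 value (assumed encoding)
$JavaPermission = @{ Disable = 0x0; HighSafety = 0x10000; MediumSafety = 0x20000; LowSafety = 0x30000 }

function Set-IEZoneJavaPermission {
    param(
        [Parameter(Mandatory)][ValidateRange(0, 4)][int]$Zone,
        [Parameter(Mandatory)][ValidateSet('Disable', 'HighSafety', 'MediumSafety', 'LowSafety')][string]$Level
    )
    $key = Join-Path $ZonesRoot $Zone
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name '1C00' -Value $JavaPermission[$Level] -Type DWord
}

function Get-IEZoneJavaPermission {
    # Read back the current level so the change can be verified after it is applied
    param([Parameter(Mandatory)][int]$Zone)
    $raw = (Get-ItemProperty -Path (Join-Path $ZonesRoot $Zone) -Name '1C00' -ErrorAction SilentlyContinue).'1C00'
    if ($null -eq $raw) { return 'NotSet' }
    $name = $JavaPermission.GetEnumerator() | Where-Object { $_.Value -eq $raw } | Select-Object -First 1
    if ($name) { $name.Key } else { 'Custom(0x{0:X})' -f $raw }
}

function Add-IETrustedSite {
    # Map one host to zone 2 (Trusted sites). IE stores "app.example.com" as
    # Domains\example.com\app with a DWORD named after the scheme.
    param([Parameter(Mandatory)][string]$HostName, [ValidateSet('http', 'https')][string]$Scheme = 'https')
    $labels = $HostName.ToLower().Split('.')
    if ($labels.Count -lt 2) { throw "Expected a fully qualified host name: $HostName" }
    $key = Join-Path $DomainsRoot (($labels[-2..-1]) -join '.')
    if ($labels.Count -gt 2) { $key = Join-Path $key (($labels[0..($labels.Count - 3)]) -join '.') }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Scheme -Value 2 -Type DWord
}

# Policy: no applets from the open Internet; applets only from an explicitly trusted host.
Set-IEZoneJavaPermission -Zone 3 -Level Disable
Set-IEZoneJavaPermission -Zone 2 -Level HighSafety
Add-IETrustedSite -HostName 'legacyapp.corp.example' -Scheme 'https'   # placeholder host name
'Internet zone Java: {0}; Trusted sites Java: {1}' -f (Get-IEZoneJavaPermission 3), (Get-IEZoneJavaPermission 2)
```

These HKCU values are ignored where Group Policy manages the zones (machine-only zone settings or a policy-defined site-to-zone list), so in a managed environment express the same policy through Group Policy instead. Confirm on a test machine that the zone setting actually blocks the Oracle plugin in the IE version you run before relying on it.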
It is frustrating to see that Java continues to have so many security problems, but it is equally exasperating to see how slowly organizations move to upgraded and supposedly more secure versions. Oracle announced that it will delay next year’s release of Java 8 to make sure it gets the security kinks worked out. But I have to wonder whether it will matter. If folks haven’t upgraded to Java 7 yet, how long will it take for them to upgrade to Java 8?