Oracle has released its Critical Patch Update, which is focused on fixing a major Java exploit. Java vulnerabilities are clearly on the rise. Currently, they represent more than 10 percent of all reported vulnerabilities this year (see Nist.gov) and are reported to be the root cause of some of the high-profile insider-compromise incidents.
What can I do to protect my organization?
In a perfect world, we would advise administrators to disable Java in all browsers, but generally speaking, having IT administratively disable ANY software component on “all user machines” is nearly impossible, especially in today’s bring your own device (BYOD) IT environment. The current case of disabling Java components is no different.
The lesson the world should have already learned from incidents such as the Stuxnet attacks is that protection should be around data rather than around devices. Closely monitoring and controlling data at the source is one part of the solution. Another solution is to look for abusive access patterns to data or patterns that reflect the behavior of an outsider within our perimeter. Coupled with data encapsulation, organizations can achieve true mitigation of such risks.
Additionally, individual users should turn off Java 7 browser plug-ins and only enable them specifically for trusted sites (such as the mentioned “Java-powered line of business applications”). See the following link for instructions on how to do so in Google’s Chrome browser.


There is a secondary issue with Java patches - they are largely not installed by end users.
While OS patches are (or should/can be) automated, Java patches are significantly harder to roll out.
End users, if following good practice, are not local administrators on their machines; this means that when you get the "there is an update" message for Java, if you click it, it normally fails to install. At that point end users ignore it.
Few smaller businesses have patch management systems to control this (other priorities to focus on).
Adobe suffers the same issue, but at least it asks for an admin password.
So, until the patch is easier to deploy in a typical scenario, the advice to uninstall still seems to be prudent.
(Comments refer to a Windows platform; not sure how they translate to other OSes.)