Oracle has released its Critical Patch Update, which is focused on fixing a major Java exploit. Java vulnerabilities are clearly on the rise. Currently, they represent more than 10 percent of all reported vulnerabilities this year (see Nist.gov) and are reported to be the root cause of some of the high-profile insider compromise incidents.
What can I do to protect my organization?
In a perfect world, we would advise administrators to disable Java on all browsers, but generally speaking, having IT administratively disable ANY software component on “all user machines” is nearly impossible, especially in today’s bring your own device (BYOD) IT environment. The current case of disabling Java components is no different.
The lesson the world should have already learned from incidents such as the Stuxnet attacks is that protection should be around data rather than around devices. Closely monitoring and controlling data at the source is one part of the solution. Another solution is to look for abusive access patterns to data or patterns that reflect the behavior of an outsider within our perimeter. Coupled with data encapsulation, organizations can achieve true mitigation of such risks.
Additionally, individual users should turn off Java 7 browser plug-ins and enable them only for specific trusted sites (such as the mentioned “Java-powered line of business applications”). Instructions on how to do so in Google’s Chrome browser are linked here.