“Going on a Java binge”

By John

No, this isn’t about coffee and how much is too much for someone. Rather an attempt to let everyone know there’s another important piece of software that needs updating. It’s just as important as updating your operating system, browser software, and anti-virus program. It’s called Java, and shouldn’t be confused with JavaScript. They share some similar names but the two languages are otherwise unrelated and have very different semantics.

Java is a programming and computing platform widely used for stand-alone and web-based applications/applets, including utilities, games, and business applications. The platform was first released by Sun Microsystems in 1995. Many applications and websites require end-users to have Java installed, and the software is used extensively because of its flexibility.  Once a program has been created and compiled in Java, it will run on a variety of software and operating system platforms (such as Windows and Macs).

What are the potential cyber security concerns?

There has been a rapid increase in the amount of malware that attempts to exploit vulnerabilities in Java.  In the second quarter of 2010, there were an estimated 500,000 exploits, up from virtually zero a year before. Between Q2 2010 and the middle of Q3, that figure had increased to more than six million.[1]

The attacks are based in part on older versions of Java.  When a newer version of Java is released and installed on a machine, the older version does not automatically get uninstalled.  This behavior was intended to provide an easy way to roll back to an older version in case of compatibility issues. However, there is an exploit code publically available on the Internet that hackers are using which detects whether previous versions of Java are installed on a user’s machine and exploits the vulnerabilities that exist in those versions.

What can I do to be safe?

It’s important that we are installing the latest version of Java released by Oracle.  To confirm the correct version, visit Java’s web site (www.java.com) and click on the “Do I have Java?” link underneath the “Free Java Download” button. Then click on the “Verify Java version” button.  Read the information after the page refreshes and follow the instructions.

Because older versions of Java are not automatically removed when newer versions are installed, it is recommended that users take the extra step of uninstalling the older versions if they are not needed. Home users typically do not need the older versions of Java installed once they have upgraded their Java software.

Keeping old and unsupported versions of Java on your system presents a serious security risk. Removing older versions of Java from your system ensures that Java applications will run with the most up-to-date security and performance improvements on your system. You can safely remove older versions of Java from your system by following the instructions on Java uninstallation instructions for Windows page.

It’s a good idea to get into a routine of checking the version of your Java at least once a month.  And remember, always keep your operating system, browser software, and anti-virus software up to date.

For more information on the Java exploit take look at these articles:

Microsoft:

http://blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-java.aspx

ZDNet:

http://www.zdnet.co.uk/blogs/security-bullet-in-10000166/microsoft-warns-of-java-exploit-rise-10020826/

Techworld:

http://news.techworld.com/security/3246147/mac-users-hit-with-windows-style-koobface-trojan/

Cisco:

 

http://blogs.cisco.com/security/java-exploits-another-example-of-tomorrows-threat-landscape-today-2/

SANS Internet Storm Center:

http://isc.sans.edu/diary.html?storyid=9916

---

[1] http://www.zdnet.co.uk/blogs/security-bullet-in-10000166/microsoft-warns-of-java-exploit-rise-10020826/