Got Java? Even if you’ve applied the urgent out-of-band patch from Oracle, you may want to disable or uninstall Java itself. It turns out that the patch has its own flaws that make Java vulnerable to new attacks.
According to security experts, Oracle's Java patch resolves the multiple “zero-day” vulnerabilities currently being exploited by attacks in the wild. However, it also leaves open a vulnerability—which was discovered and reported to Oracle earlier this year—that could allow an attacker to bypass the Java sandbox protection and execute malicious code on the target system.
Oracle’s Java has become the new low-hanging fruit. Attackers used to target Adobe products as the weak link in the security chain, but Adobe has worked diligently to improve the security of its products, and—more importantly—the speed and predictability of its patches and updates. As a result, the focus has shifted to Oracle, and Oracle seems ill prepared to respond.
The alleged zero-day flaws exploited by attackers aren’t truly “zero-day.” The vulnerabilities were discovered and reported to Oracle in April. Oracle ostensibly planned to address them at some point—hopefully in the routine update scheduled for this fall. It seems evident that leaving critical flaws open for months gives attackers too much time and leaves customers at a distinct disadvantage.
Security Explorations—the Polish security researchers who raised the alarm over the flaw contained in the new Java patch—says that Oracle has quite a few more unpatched vulnerabilities on its plate. Out of 29 issues reported to Oracle this year, 25 of them are yet to be addressed.
You should definitely have some sort of anti-malware or general security tool in place across all of your devices—Windows and Mac PCs, smartphones, and tablets. Security tools can often detect unknown threats by identifying certain malicious behaviors, and security vendors are generally much faster at responding to detect and block new threats to protect you while you wait for a patch for the affected products.
Even with security software in place, though, there’s no need to leave your devices open to undue risk. If you use Java frequently, or rely on it for specific tasks, you’ll need to apply the patches from Oracle, and just keep your guard up for the next threat. However, if you don’t really use Java on a regular basis, by all means go ahead and disable or remove it.
When Apple finally got around to patching its version of Java to address the Flashback malware plaguing Mac OS X systems, it also took proactive steps that others should learn from. Apple implemented a system that automatically disables Java if it’s not being used. If Java is inactive for 35 days, Apple simply turns it off to remove it as a potential attack vector.
Until or unless Oracle cleans up its act and comes up with a much more streamlined and effective way of dealing with known vulnerabilities, it makes sense to take a hint from Apple.