If you don't really need Java, get rid of it

Oracle patched Java to defend against attacks in the wild, but the patch contains flaws that open Java up to different threats.

Got Java? Even if you've applied the urgent out-of-band patch from Oracle, you may want to disable or uninstall Java itself. It turns out that the patch does not close every known hole: a separately reported sandbox-bypass flaw remains exploitable on a patched system.

According to security experts, Oracle's Java patch resolves the multiple "zero-day" vulnerabilities currently being exploited by attacks in the wild. However, it leaves open another vulnerability--discovered and reported to Oracle earlier this year--that could allow an attacker to bypass the Java sandbox and execute malicious code on the target system. A patched Java is therefore safer than an unpatched one, but not safe.

Oracle's Java has become the new low-hanging fruit. Attackers used to target Adobe products as the weak link in the security chain, but Adobe has worked diligently to improve the security of its products and--more importantly--the speed and predictability of its patches and updates. As a result, the focus has shifted to Oracle, and Oracle seems ill-prepared to respond.

The flaws exploited by attackers aren't truly "zero-day." The vulnerabilities were discovered and reported to Oracle in April. Oracle evidently planned to address them at some point--presumably in the routine update scheduled for this fall. Leaving critical flaws open for months gives attackers too much time and leaves customers at a distinct disadvantage.

Security Explorations--the Polish security research firm that raised the alarm over the flaw left open by the new Java patch--says that Oracle has quite a few more unpatched vulnerabilities on its plate. Of 29 issues the firm reported to Oracle this year, 25 have yet to be addressed.

You should definitely have some sort of anti-malware or general security tool in place across all of your devices--Windows and Mac PCs, smartphones, and tablets. Security tools can often detect unknown threats by identifying certain malicious behaviors, and security vendors are generally much faster at detecting and blocking new threats than software vendors are at shipping a patch. That buys you time while you wait for a fix for the affected product; it does not make the flaw go away.

Even with security software in place, though, there's no need to leave your devices open to undue risk. If you use Java frequently, or rely on it for specific tasks, you'll need to apply the patches from Oracle, and just keep your guard up for the next threat. However, if you don't really use Java on a regular basis, by all means go ahead and disable or remove it.

When Apple finally got around to patching its version of Java to address the Flashback malware plaguing Mac OS X systems, it also took a proactive step that others should learn from. Apple's update disables the Java web plug-in automatically if it isn't being used: if no applet has run for 35 days, the plug-in is simply switched off, removing it as an attack vector until the user deliberately turns it back on.
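The idle-timeout idea above is easy to apply on any platform, not just Apple's. The script below is an added example (it is not code from the article, from Apple or from Oracle) of the same policy as a POSIX shell script: if a browser's Java plugin file has not been read for 35 days, it is moved aside so the browser can no longer load it. The plugin directories and the filename libnpjp2.so are assumptions for illustration; the "last used" signal is the file's access time, which is the main caveat the comments call out.

```shell
#!/bin/sh
# Added example: idle-timeout disable policy for a browser Java plugin,
# modelled on the 35-day rule the article attributes to Apple.
# Not from the article and not vendor code. Assumed placeholders:
# PLUGIN_NAME (libnpjp2.so) and the directories scanned under --run.

IDLE_DAYS=${IDLE_DAYS:-35}
PLUGIN_NAME=${PLUGIN_NAME:-libnpjp2.so}   # assumed plugin filename

# atime_of FILE -> last access time as epoch seconds.
# Tries GNU stat first, then BSD/macOS stat.
atime_of() {
    stat -c %X "$1" 2>/dev/null || stat -f %a "$1"
}

# days_idle LAST_USED_EPOCH NOW_EPOCH -> whole days between the two instants
days_idle() {
    echo $(( ($2 - $1) / 86400 ))
}

# is_idle LAST_USED_EPOCH NOW_EPOCH -> true when idle for IDLE_DAYS or more
is_idle() {
    [ "$(days_idle "$1" "$2")" -ge "$IDLE_DAYS" ]
}

# disable_plugin FILE -> rename it so the browser's plugin scan skips it.
# Re-enabling is the reverse rename; nothing is deleted.
disable_plugin() {
    mv "$1" "$1.disabled"
}

# enforce_idle_policy DIR NOW_EPOCH -> prints "disabled", "active" or "absent".
# Caveat: access time is the "last used" signal. relatime (the Linux default)
# still refreshes atime once it is more than a day old, so a 35-day threshold
# works; on a filesystem mounted noatime every plugin older than 35 days will
# look idle, so check mount options before trusting the result.
enforce_idle_policy() {
    f="$1/$PLUGIN_NAME"
    if [ ! -e "$f" ]; then
        echo absent
        return 0
    fi
    if is_idle "$(atime_of "$f")" "$2"; then
        disable_plugin "$f" && echo disabled
    else
        echo active
    fi
}

# Stand-alone run: scan the assumed plugin directories.
if [ "${1:-}" = "--run" ]; then
    now=$(date +%s)
    for d in /usr/lib/mozilla/plugins "$HOME/.mozilla/plugins"; do
        [ -d "$d" ] && echo "$d: $(enforce_idle_policy "$d" "$now")"
    done
fi
```

Run it from cron as the user who owns the browser profile (`sh java-idle.sh --run`); a plugin that gets renamed to `.disabled` stays on disk, so a user who genuinely needs Java again only has to rename it back, which is the same trade-off Apple made.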

Until or unless Oracle cleans up its act and comes up with a much more streamlined and effective way of dealing with known vulnerabilities, it makes sense to take a hint from Apple.

Join the CSO newsletter!
Stories by Charles Ripley