Start your year off right by staying up to date with your security. The first quarterly Critical Patch Update (CPU) patch from Oracle is now available for download, and constitutes nearly 250 updates spread across its range of over 50 offerings.
Whilst this number is a little higher than usual, one likely explanation is the increased scrutiny that security researchers have been giving Oracle's and SAP's business applications. With reams of sensitive data sitting in enterprise systems, specialists predict attackers will increasingly turn their attention to this segment of the market.
Among the identified threats are several issues with the potential to cause mischief for Java on both client-side and server-side implementations of the platform. Of the eight Java SE patches, seven address vulnerabilities that are remotely exploitable without authentication. Three of those also carry the maximum score of 10.0 on the Common Vulnerability Scoring System (CVSS), meaning an unauthenticated attacker on the network can fully compromise the host, and they demand urgent attention.
Whilst it's always advisable to keep as up to date as you can, when you're dealing with a technology as ubiquitous as Java, it pays to be paranoid. Wolfgang Kandek, CTO of cloud security vendor Qualys, comments:
“Java has been a technology that has been attacked frequently. Attackers like the applet vector, serving a Java application through a web page and taking control of the targeted machine. Oracle has been working over the last year to close down that vector by enabling it only selectively through Deployment Rulesets. The browser vendors have also spent considerable amounts of time to make Java only execute when fully updated or when whitelisted with click-to-play. Microsoft has added Java whitelisting into its EMET tool to add another layer of control.
A complete inventory of your servers and installed software comes in handy to augment a manual application registry that many companies have made mandatory already. Scanning all of your machines will find applications that you were not aware of, plus versions of programs that are outdated and potentially even end-of-life.”
You can bring yourself bang up to date by visiting the official Oracle page. As ever, Oracle also urges home users to head to the java.com web site to make sure they are using the most up to date version of Java, and to bin any obsolete Java SE versions if they can. Given that the latest Java release (JDK 8u72) only dropped yesterday, that might apply to a fair few readers.
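Kandek's advice to scan every machine for outdated or end-of-life Java builds, and the closing reminder to bin obsolete Java SE versions, boil down to a small inventory job: find every `java` binary, read its `java -version` banner, and compare the update number against the level that this CPU ships. The script below is an added example written for this article, not Oracle's or Qualys's code. The 8u72 figure comes from the article; the 7u95 and 6u111 baselines for the older release lines, the sample version banners, and the directory roots are assumptions made for illustration.

```python
"""Added example: inventory installed Java runtimes and flag those that
predate the January 2016 Critical Patch Update. Not code from the article."""
import os
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Lowest update number per major release line that carries the January 2016
# CPU fixes. 8u72 is from the article; 7u95 and 6u111 are assumed baselines.
CPU_BASELINE: Dict[int, int] = {8: 72, 7: 95, 6: 111}

# Matches the "1.<major>.0_<update>" scheme Oracle and OpenJDK used at the time,
# for both "java version" and "openjdk version" banners. Build or "-ea"
# suffixes after the update number are ignored.
_VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.\d+_(\d+)')


@dataclass(frozen=True)
class JavaVersion:
    major: int
    update: int


def parse_java_version(banner: str) -> Optional[JavaVersion]:
    """Extract major and update numbers from `java -version` output."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return JavaVersion(int(m.group(1)), int(m.group(2)))


def classify(v: Optional[JavaVersion]) -> str:
    """Rate a runtime against the CPU baseline for its release line."""
    if v is None:
        return "unparsed"        # banner did not match; inspect by hand
    if v.major not in CPU_BASELINE:
        return "end-of-life"     # no fix shipped for this line: remove it
    return "current" if v.update >= CPU_BASELINE[v.major] else "outdated"


def find_java_binaries(roots: Iterable[str]) -> List[str]:
    """Walk the given directories for executables named java or java.exe."""
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name in ("java", "java.exe"):
                    path = os.path.join(dirpath, name)
                    if os.access(path, os.X_OK):
                        found.append(path)
    return found


def probe(java_path: str) -> str:
    """Run a discovered binary; `java -version` writes its banner to stderr."""
    proc = subprocess.run([java_path, "-version"], capture_output=True, text=True)
    return classify(parse_java_version(proc.stderr + proc.stdout))


def inventory(banners: Dict[str, str]) -> Dict[str, str]:
    """Map each binary path to its rating, given the banner it printed."""
    return {path: classify(parse_java_version(text)) for path, text in banners.items()}


# Constructed sample banners standing in for the output of real binaries.
SAMPLE_BANNERS: Dict[str, str] = {
    "/usr/lib/jvm/jdk1.8.0_72/bin/java":
        'java version "1.8.0_72"\nJava(TM) SE Runtime Environment (build 1.8.0_72-b15)\n',
    "/opt/app/jre/bin/java":
        'java version "1.8.0_66"\nJava(TM) SE Runtime Environment (build 1.8.0_66-b17)\n',
    "/usr/lib/jvm/java-7-openjdk/bin/java":
        'openjdk version "1.7.0_95"\nOpenJDK Runtime Environment (IcedTea 2.6.4)\n',
    "/opt/legacy/jdk1.5.0_22/bin/java":
        'java version "1.5.0_22"\nJava(TM) 2 Runtime Environment, Standard Edition\n',
    "/tmp/not-really-java":
        "bash: not a java binary\n",
}

if __name__ == "__main__":
    # Live scan of the assumed roots, followed by the constructed samples.
    for path in find_java_binaries(["/usr/lib/jvm", "/opt", "/usr/java"]):
        print(f"{probe(path):12} {path}")
    for path, status in inventory(SAMPLE_BANNERS).items():
        print(f"{status:12} {path}")
```

Anything rated "outdated" needs the CPU applied; anything rated "end-of-life" should be removed rather than patched, since no fix exists for it. Banners that fail to parse should be looked at by hand rather than silently assumed current.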