Life's too Short for Bad Java
If you use a computer, you've probably heard of Java. It is a technology that allows active content to run in your browser while you surf the internet. Sadly, it is also one of the most exploited tools around, often used by hackers to install malware on your computer without you even knowing it. Over one hundred vulnerabilities are found in Java every year, forcing users to upgrade seemingly weekly. Just last week, Oracle released an out-of-band patch for Java for a vulnerability in the installer, which allowed attackers to attach whatever they wanted to the install process. I suspect hackers must already be taking advantage of the flaw for Oracle to release an emergency patch. Oracle normally releases patches 4 times a year, and this particular vulnerability only scores 7 out of 10 on the vulnerability index, so there must be some attacks already using this hole – a zero-day exploit.
The constant stream of Java security issues has prompted Google and Microsoft to remove support for Java, with Mozilla (makers of Firefox) following by the end of 2016. Microsoft's Silverlight and Adobe's Flash are also in the firing line. Think of your internet browser as a pane of glass: the bigger its surface area, the more likely it is to be hit by a stray ball or stone. Adding Java, Silverlight and Flash greatly enlarges the attack surface of your browser. Newer technologies, like HTML5, provide a similar active experience without making the attack surface bigger, so sites that still use Java should migrate now.
Larger businesses are typically protected by good patching regimes and Intrusion Prevention Systems (IPS). Small and mid-sized businesses should look at technologies like Unified Threat Management (UTM), which provide many added benefits, such as URL filtering and protection from ransomware, as well as IPS. Home users should ensure they keep Java up to date and only download updates from java.com. Finally, it is always good to have up-to-date antivirus software.