Why Today Is a Very Good Day to Update Java on Your Computer
Consider yourself warned: Today is a very good day to update the version of Java running on your computer. This applies to you whether you run Windows, Mac OS X or Linux. If you’ve noticed your machine suggesting that you update Java, do it right away.
The reason? A scary vulnerability in Java that was detected over the summer, and which Oracle has subsequently fixed, is being exploited by people who create the malware and crimeware that causes so many headaches for home users and corporate IT departments.
The risk is especially acute at large companies with big fleets of desktops and notebooks to manage. If you’re a home user, the patch is easy to install. But most employees don’t have administrative privileges on their work desktops or notebooks, so someone from the IT department has to come and install the patch for them.
That’s a big, time-consuming process, says HD Moore, chief security officer at Rapid7, a Cambridge, Mass-based company that specializes in helping companies stay ahead of new computer security vulnerabilities. He’s also the chief architect of Metasploit, which Rapid7 owns.
One of the reasons this particular vulnerability is so bad is that even after it was detected and fixed, it wasn’t fully understood how dangerous it is, Moore says. Crimeware creators somehow figured it out ahead of most security researchers, and started adding code to Web sites designed to take advantage of it. And that’s especially dangerous at this time of the year, when people are shopping online both at home and the office. “It’s kind of like a perfect storm,” Moore told me yesterday. Add to that the fact that many companies have IT staff taking vacation during the holiday season, and the timing couldn’t be worse.
Enterprise is historically bad at patching Java vulnerabilities anyway, because it doesn’t have the same automatic update tools that Windows or Adobe Flash does. “The tools for patching Java aren’t that great,” Moore told me. “A Java update just isn’t treated with the same fervor as a Windows update.”
So how bad is this one? The National Vulnerability Database rates it a 10 out of 10 on the severity scale, and also rates it as “low” on the access complexity scale — meaning it’s really easy for the bad guys to carry out an attack using it.
Security blogger Brian Krebs discovered the vulnerability being “weaponized,” that is, built into the software that computer criminals buy on the black market. For instance, those who have bought something called the Blackhole Exploit Kit, a $4,000 software toolkit used to target Windows machines, are getting automatic updates that include tools to take advantage of the Java vulnerability.
What to do until you can get all your machines updated with the latest version of Java? Simple, really: Disable it and block it at the firewall, until all the machines on the network that need the update have it, Moore says.
Rapid7, incidentally, is a security company on the rise. Just last month it raised a $50 million series C round of funding, led by Technology Crossover Ventures and joined by previous investors Bain Capital Ventures; Tim McAdam, a TCV partner, joined Rapid7′s board.