On Friday Google's Tavis Ormandy posted on Full Disclosure about a Java vulnerability that is easily exploited on all versions of Windows. This issue cannot be addressed simply by disabling the Java plug-ins; by my reading of the vulnerability, the only way to protect your computer is to stick to browsing only sites that you know are safe, or to uninstall Java in its entirety.
According to CNet, Oracle (who owns Sun, who makes Java) does not consider this threat important enough to release an out-of-band patch to address the issue.
To me, this illustrates two important issues:
1) In an enterprise environment it is critical to be aware of what is installed on your network, so that you have visibility into your exposure when these types of issues arise. I'd also make a case for "less is more" here: you don't need to install Java on every machine in your network, and it's better to install programs like this only on machines that actually require them to do their job, so that you limit your risk when a problem like this occurs.
2) You can have the best practices in the world; have your computer fully patched, have anti-virus and anti-malware installed, run a firewall on your network, etc., and still be exposed to critical vulnerabilities because a vendor decides that something like this isn't important enough to require an emergency patch.
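As an added example that is not part of the original post, here is one way to get the visibility point 1) asks for: a PowerShell script that reads the Windows Uninstall registry keys on a list of hosts and reports every Java (JRE/JDK) entry it finds. The host names are placeholders, and remote registry access assumes the Remote Registry service is running and you have admin rights on each target.

```powershell
# Added example (not from the original post): inventory Java installs on Windows hosts
# by reading the Uninstall registry keys over the remote registry API.
$Hosts = @('WKS-PLACEHOLDER-01', 'WKS-PLACEHOLDER-02')  # assumption: replace with your hosts

# 64-bit Windows keeps 32-bit installers (the common JRE build) under Wow6432Node
$UninstallKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

$Results = foreach ($Computer in $Hosts) {
    try {
        $Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    } catch {
        # Unreachable hosts are reported, not silently skipped: an unknown host is unknown exposure
        Write-Warning "Could not reach $Computer : $($_.Exception.Message)"
        continue
    }
    foreach ($KeyPath in $UninstallKeys) {
        $Key = $Reg.OpenSubKey($KeyPath)
        if (-not $Key) { continue }
        foreach ($SubName in $Key.GetSubKeyNames()) {
            $Sub  = $Key.OpenSubKey($SubName)
            $Name = $Sub.GetValue('DisplayName')
            # Match the product names Sun/Oracle installers use for the JRE and JDK
            if ($Name -match '^(Java|J2SE|JDK)') {
                [PSCustomObject]@{
                    Computer  = $Computer
                    Product   = $Name
                    Version   = $Sub.GetValue('DisplayVersion')
                    Publisher = $Sub.GetValue('Publisher')
                }
            }
        }
    }
    $Reg.Close()
}

# Every machine listed is exposed until the vendor ships a patch; the list also shows
# where Java can simply be uninstalled because the machine has no business need for it.
$Results | Sort-Object Computer, Product | Format-Table -AutoSize
```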
In this case the only advice I can give you is to raise the "Internet Security Alert" system to orange, and to exercise extreme caution when using your browser until a patch is released. Then again, that's the advice I give every day...