I’ve written here several times before (most recently last October) about some of the security issues with Oracle’s Java software. Java has been in the news again lately because of a new and serious vulnerability in the current release, Java 7 Update 10, which lets a malicious web page escape the Java sandbox and run code on the visitor’s machine by way of the browser plugin.
Java has proved to be, over the years, a rich source of security vulnerabilities, at least in part because it is installed on so many machines across so many platforms (Windows, Mac OS X, and Linux among them), which makes it an attractive target. Also, unlike a typical application, installing a new version of the Java environment did not necessarily remove older versions that were already present. (This was done, I think, because the definition of the language was evolving, and a new version was not guaranteed to be 100% compatible with an older one.) The consequence is that, although the update might fix security flaws, the old version, flaws and all, was still on the system for an attacker to exploit.
I won’t take the time and space here to relate the history of the latest vulnerability. (If you are interested, Brian Krebs has a good summary at his Krebs on Security blog.) Oracle issued a Security Alert for the problem (CVE-2013-0422), together with a new version of the Java Runtime Environment [JRE], version 7 update 11. (You can download the new version, for all platforms, here.) The update also raises the default Java security level to “High”, so that unsigned applets now prompt before running; that is a mitigation, not a fix. And subsequent to the release, testers found that the new version closed only part of the hole, so that a working exploit was still possible.
US-CERT has issued a Vulnerability Note (VU#625617) on the situation as it stands. Their recommendation, which I endorse, is that users who require Java should update to version 7 update 11 immediately, and should also disable the Java browser plugin(s). The point of the second step is that the exploit is delivered through the plugin: with the plugin off, a malicious page cannot reach the JRE at all, whatever bugs remain in it. Instructions for doing this are available at the Java site; in Java 7 Update 10 and later it is a single checkbox, “Enable Java content in the browser”, on the Security tab of the Java Control Panel, while older versions require disabling the plugin in each browser separately. The Vulnerability Note also contains links to more technical information.
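Because an update does not necessarily clear out older JREs, checking the one java on your PATH tells you little. The shell script below is an example I have added to this post (it is not Oracle’s or US-CERT’s tooling): it parses the first line of java -version output, compares the version against 7 Update 11, and sweeps the usual install directories for stragglers. The directories it looks in (/usr/lib/jvm, /usr/java, /Library/Java/JavaVirtualMachines) are my assumptions about typical layouts, and it checks command-line JREs only; it does not tell you whether the browser plugin is enabled.

```shell
#!/bin/sh
# Added example (not Oracle's or US-CERT's code): find every installed JRE and
# flag any older than Java 7 Update 11, the first release carrying Oracle's fix.
# Version strings look like "1.7.0_11": major.minor.micro_update.

MIN_JAVA="1.7.0_11"

# Split a version string into four integers, e.g. "1.7.0_11" -> "1 7 0 11".
# Missing fields become 0; trailing junk such as "-b21" or "-icedtea" is dropped.
java_version_fields() {
    printf '%s\n' "$1" | awk -F'[._]' '{
        for (i = 1; i <= 4; i++) {
            v = (i <= NF) ? $i + 0 : 0
            printf "%d%s", v, (i < 4 ? " " : "\n")
        }
    }'
}

# Exit 0 if version $1 is at least version $2, exit 1 otherwise.
java_version_at_least() {
    set -- $(java_version_fields "$1") $(java_version_fields "$2")
    n=4
    while [ "$n" -gt 0 ]; do
        [ "$1" -gt "$5" ] && return 0
        [ "$1" -lt "$5" ] && return 1
        shift
        n=$((n - 1))
    done
    return 0
}

# Pull the quoted version out of the first banner line of `java -version`,
# e.g. 'java version "1.7.0_10"' -> 1.7.0_10. Prints nothing if it cannot parse.
java_banner_version() {
    printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p'
}

# Exit 0 if the banner reports $MIN_JAVA or newer, 1 if older, 2 if unparsable.
java_is_patched() {
    v=$(java_banner_version "$1")
    [ -n "$v" ] || return 2
    java_version_at_least "$v" "$MIN_JAVA"
}

# Sweep the java binaries in the usual places (assumed typical install paths)
# rather than trusting the single `java` on PATH.
java_audit() {
    seen=" "
    for jvm in "$(command -v java 2>/dev/null)" \
               /usr/lib/jvm/*/bin/java /usr/java/*/bin/java \
               /Library/Java/JavaVirtualMachines/*/Contents/Home/bin/java; do
        [ -n "$jvm" ] && [ -x "$jvm" ] || continue
        case "$seen" in *" $jvm "*) continue ;; esac
        seen="$seen$jvm "
        banner=$("$jvm" -version 2>&1 | head -n 1)
        rc=0
        java_is_patched "$banner" || rc=$?
        case "$rc" in
            0) echo "OK        $jvm  ($banner)" ;;
            1) echo "OUTDATED  $jvm  ($banner)" ;;
            *) echo "UNKNOWN   $jvm  ($banner)" ;;
        esac
    done
}

java_audit
```

Run it with sh; every OUTDATED line is a JRE that the updater left behind and that should be uninstalled, and an UNKNOWN line is a binary whose banner did not parse and deserves a look by hand.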
As I wrote in last October’s post (and in another post a couple of years before that), there is a good case that the average individual user is better off without Java on his or her system at all. I won’t bore you by going through all of it again. If you do decide to install or keep Java, though, keep it up to date, uninstall any old versions the updater left behind, and leave the browser plugin disabled unless a site you trust actually needs it.
Update Monday, 21 January, 11:13 EST
The SANS Internet Storm Center has a diary post with links to some additional technical information on the latest vulnerability.