Hopefully you've either updated Java, or removed it from your computer

You've updated Java, right?

I mean, that's the right thing to have done if you still have Java on your computer - particularly if you have chosen to leave it enabled inside your browser.

Oracle issued a Godzilla-sized Critical Patch Update on Tuesday, fixing a stonking 193 new security vulnerabilities in its software.

Many of these fixes are for software which is used by enterprises, and are unlikely to be of interest to the typical computer user.

But amongst the updates are 25 fixes for software that many computer users do have installed: Java.

Included in the Java update is a patch for the recently-discovered zero-day vulnerability in Java (CVE-2015-2590) that has been actively exploited in the wild by the Pawn Storm hacking gang.

The security hole was particularly notable because it is thought to be the first new zero-day vulnerability to target Java in two years.

The Pawn Storm hacking gang, which some suspect to be backed by a nation state, has been running a sophisticated malware campaign for some time targeting government, media and military organisations in the United States, Pakistan, and across Europe.

Operation Pawn Storm was recently implicated in the attack which compromised parts of the White House computer system, for instance.

But even if you don't work for a government, the military, a media organisation... even if you aren't a political activist who has ruffled a few feathers... it makes sense to keep your systems protected and running the very latest versions of software. So, update Java (and make sure not to allow it to foist other software onto your computer while you do it).

Of course, the alternative is not to run Java at all. Running the software on your computer increases your attack surface, and opens up more opportunities for hackers to attack.

At the very least, consider disabling Java in your browsers.

If you really do have in-house websites or visit sites that require you to have Java enabled in your browser, perhaps consider having a secondary browser that you only use when visiting those sites - rather than leaving the technology turned on in your regular browser for all of your surfing.

For full details of Oracle's critical patch update, visit its website.


5 Responses

  1. Monicaxir

    July 16, 2015 at 12:33 pm #

    I use virtualization to protect myself from a lot of these exploits, Comodo's free antivirus has a great free virtualized desktop option that's great if you use multi monitor set ups. It really does hinder any zero day exploits from any number of unpatched weaknesses and can be selected at the touch of a button! Additionally I also use Oracle's VirtualBox with tiny Linux or if I'm doing banking I just boot my machine with an Ubuntu live disk with Firefox for real security on an operating system that is clean and fresh each time with nowhere for anything to hide! (P.S. Graham I actually know you through your other hidden interest of interactive fiction, small world!)

  2. Andy

    July 16, 2015 at 4:50 pm #

    "Of course, the alternative is not to run Java at all."

    That'll go down well with the kids when Minecraft stops working…

    Surely Minecraft players must be the biggest group of Java users at the moment – and most of them are kids who wouldn't know how to update and hopefully don't have the admin password anyway…

    *goes off to update the children's PC*

    • Techno in reply to Andy.

      July 17, 2015 at 6:59 am #

      Just looked into this and apparently Minecraft doesn't require a separate Java installation on your machine anymore as it is now bundled with the game:

      http://microsoft-news.com/its-time-to-uninstall-java-from-your-pc-minecraft-doesnt-need-java-installed-anymore/

      • Anonymous in reply to Techno.

        July 17, 2015 at 8:29 am #

        I wonder if that means that Minecraft will lag behind in updating its internal version of Java (akin to older versions of Flash being kept inside Shockwave).

      • Andy in reply to Techno.

        July 17, 2015 at 7:49 pm #

        @Techno – thanks, I wasn't aware of that. Looks like a good idea.
