Hopefully you’ve either updated Java, or removed it from your computer

Graham Cluley

You’ve updated Java, right?

I mean, that’s the right thing to have done if you still have Java on your computer – particularly if you have chosen to leave it enabled inside your browser.

Oracle issued a Godzilla-sized Critical Patch Update on Tuesday, fixing a stonking 193 new security vulnerabilities in its software.

Many of these fixes are for software which is used by enterprises, and are unlikely to be of interest to the typical computer user.

But amongst the updates are 25 fixes for software that many computer users do have installed: Java.

Included in the Java update is a patch for the recently-discovered zero-day vulnerability in Java (CVE-2015-2590) that has been actively exploited in the wild by the Pawn Storm hacking gang.

The security hole was particularly notable because it is thought to be the first new zero-day vulnerability that has targeted Java for two years.

The Pawn Storm hacking gang, which some suspect to be backed by a nation state, has been running a sophisticated malware campaign for some time targeting government, media and military organisations in the United States, Pakistan, and across Europe.

Operation Pawn Storm was recently implicated in the attack which compromised parts of the White House computer system, for instance.

But even if you don’t work for a government, the military, a media organisation… even if you aren’t a political activist who has ruffled a few feathers… it makes sense to keep your systems protected and running the very latest versions of software. So, update Java (and make sure not to allow it to foist other software onto your computer while you do it).

Of course, the alternative is not to run Java at all. Running the software on your computer increases your attack surface, and opens up more opportunities for hackers to attack.

At the very least, consider disabling Java in your browsers.

If you really do have in-house websites or visit sites that require you to have Java enabled in your browser, perhaps consider having a secondary browser that you only use when visiting those sites – rather than leaving the technology turned on in your regular browser for all of your surfing.
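The two pieces of advice above (run the latest Java, and keep it out of the browser) can be checked rather than taken on trust. The script below is an added example, not code from this post: it parses the output of `java -version` and the Java Control Panel's deployment.properties file (the `deployment.webjava.enabled` and `deployment.security.level` keys) and reports anything that still leaves the browser exposed. The minimum version is a placeholder; take the real one from Oracle's advisory.

```python
import re

# Placeholder only: substitute the version given in Oracle's Critical Patch Update.
MINIMUM_VERSION = (1, 8, 0, 51)

# Constructed sample inputs (java -version prints to stderr on a real machine).
SAMPLE_VERSION_OUTPUT = 'java version "1.8.0_45"\nJava(TM) SE Runtime Environment (build 1.8.0_45-b14)\n'
SAMPLE_PROPERTIES = """# constructed sample deployment.properties
deployment.webjava.enabled=true
deployment.security.level=MEDIUM
"""


def parse_java_version(version_output):
    """Return (major, minor, micro, update) from `java -version` text, or None.
    '1.8.0_45' -> (1, 8, 0, 45); a version without an update number gets 0."""
    m = re.search(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?', version_output)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def parse_deployment_properties(text):
    """Minimal key=value parser for deployment.properties (comments start with #)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit(version_output, properties_text, minimum_version=MINIMUM_VERSION):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    installed = parse_java_version(version_output)
    if installed is None:
        findings.append("could not determine the installed Java version")
    elif installed < minimum_version:
        findings.append("installed Java %s is older than the required %s" % (installed, minimum_version))
    props = parse_deployment_properties(properties_text)
    # Absent key means the default, which leaves Java enabled in the browser.
    if props.get("deployment.webjava.enabled", "true").lower() != "false":
        findings.append("Java content in the browser is enabled; disable it unless a site needs it")
    level = props.get("deployment.security.level")
    if level is not None and level.upper() not in ("HIGH", "VERY_HIGH"):
        findings.append("deployment.security.level is %s; set it to HIGH or VERY_HIGH" % level)
    return findings
```

Run `audit()` on the sample inputs and it reports all three problems; the same call on a patched install with the browser plugin disabled returns an empty list.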

For full details of Oracle’s critical patch update, visit its website.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

5 Replies to “Hopefully you’ve either updated Java, or removed it from your computer”

  1. I use virtualization to protect myself from a lot of these exploits. Comodo's free antivirus has a great free virtualized desktop option that's great if you use multi-monitor set-ups. It really does hinder any zero-day exploits from any number of unpatched weaknesses and can be selected at the touch of a button! Additionally I also use Oracle's VirtualBox with tiny Linux, or if I'm doing banking I just boot my machine with an Ubuntu live disk with Firefox for real security on an operating system that is clean and fresh each time with nowhere for anything to hide! (P.S. Graham, I actually know you through your other hidden interest of interactive fiction, small world!)

  2. "Of course, the alternative is not to run Java at all."

    That'll go down well with the kids when Minecraft stops working…

    Surely Minecraft players must be the biggest group of Java users at the moment – and most of them are kids who wouldn't know how to update and hopefully don't have the admin password anyway…

    *goes off to update the children's PC*

    1. Just looked into this and apparently Minecraft doesn't require a separate Java installation on your machine anymore as it is now bundled with the game:

      http://microsoft-news.com/its-time-to-uninstall-java-from-your-pc-minecraft-doesnt-need-java-installed-anymore/

      1. I wonder if that means that Minecraft will lag behind in updating its internal version of Java (akin to older versions of Flash being kept inside Shockwave).
