Another Critical Java Update
Oracle released its quarterly Critical Patch Update across its product lines (I must say that putting "quarterly" and "critical" next to each other still reads oddly), including fixes for 37 Java vulnerabilities, 4 of which carry a Common Vulnerability Scoring System (CVSS) score of 10.0, the worst the scale allows. A CVSS 10.0 means the flaw is exploitable over the network, without authentication and with low attack complexity, and gives the attacker complete control of the system's confidentiality, integrity and availability. 6 of the 37 vulnerabilities apply to both client and server deployments of Java.
Oracle recommends updating to the latest patch revision (Java 7 Update 55). If you are on a Windows desktop, the auto-updater should have started nagging you already. Take the update.
As Brian Krebs points out, this would be another good time to consider whether you really need Java on your workstation:
I’ve long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.
If you have an affirmative use or need for Java, unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.
This is not new advice from Krebs or from me. Do whatever you can to keep your business running while reducing your attack surface as much as possible.
As for the server side, updating Java on application servers is painful, but 6 of these vulnerabilities apply to server deployments too, and with flaws of this severity you should start regression testing the update now rather than waiting for the next one.
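As an added example (not code from this post, from Oracle or from Krebs), here is a small POSIX shell audit for the two things recommended above: that a host's `java -version` is at or beyond the patched update (7u55 on the Java 7 train, the one the post names; Java 6 and 8 have their own minimums in Oracle's advisory, and the script deliberately reports "different train" rather than guess them), and that Java content in the browser has been switched off. It assumes the `deployment.webjava.enabled` key and the `deployment.properties` locations given in the comments (from Oracle's deployment documentation as I recall it; verify against your JRE), and the sample `java -version` text is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not code from the post or from Oracle): audit one host for
# whether the JRE is at or past the patched update and whether Java content
# in the browser is off. File locations and sample output are assumptions.

# Extract "<major> <update>" from `java -version` text. Oracle's 7u55 prints
# 'java version "1.7.0_55"'; a GA build with no "_NN" (e.g. "1.8.0") counts as
# update 0. Returns 1 if no version line is present.
java_level() {
    vline=$(printf '%s\n' "$1" | grep -E '^(java|openjdk) version "' | head -n 1)
    [ -n "$vline" ] || return 1
    vstr=${vline#*\"}; vstr=${vstr%%\"*}            # text between the quotes
    case "$vstr" in
        1.[0-9]*.[0-9]*) ;;                         # 1.<major>.<minor>[_<update>]
        *) return 1 ;;
    esac
    vmajor=$(printf '%s\n' "$vstr" | cut -d. -f2)
    vupd=${vstr#*_}
    if [ "$vupd" = "$vstr" ]; then vupd=0; fi       # no "_NN" suffix at all
    vupd=$(printf '%s\n' "$vupd" | sed 's/[^0-9].*$//')
    printf '%s %s\n' "$vmajor" "$vupd"
}

# Compare `java -version` text ($1) against a required major ($2) / update ($3).
# Exit status: 0 patched, 1 behind, 2 no parseable version, 3 different release
# train (Java 6 or 8 need their own minimum from the advisory, not 7u55).
java_patched() {
    jl=$(java_level "$1") || return 2
    jmajor=${jl% *}; jupd=${jl#* }
    [ "$jmajor" -eq "$2" ] || return 3
    [ "$jupd" -ge "$3" ]
}

# Java 7u10 and later store the Java Control Panel's "Enable Java content in the
# browser" checkbox as deployment.webjava.enabled in deployment.properties
# (per user: %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment on Windows,
# ~/.java/deployment on Linux; an admin can put the same key in the system-wide
# file named by deployment.config and add deployment.webjava.enabled.locked so
# users cannot flip it back). Paths are from memory; verify for your JRE.

# 0 only when the key is explicitly false; no file means Java defaults to on.
# [[:space:]] also swallows a trailing CR from Windows-written files.
webjava_disabled() {
    [ -f "$1" ] || return 1
    grep -Eq '^[[:space:]]*deployment\.webjava\.enabled[[:space:]]*=[[:space:]]*false[[:space:]]*$' "$1"
}

# Set deployment.webjava.enabled=false in $1 (creating it if needed), replacing
# any existing setting so repeated runs do not pile up duplicates; "$2" = lock
# also writes the .locked marker.
disable_webjava() {
    dpfile=$1
    [ -f "$dpfile" ] || : > "$dpfile"
    dptmp=$(mktemp)
    grep -Ev '^[[:space:]]*deployment\.webjava\.enabled(\.locked)?[[:space:]]*(=.*)?$' "$dpfile" > "$dptmp" || true
    printf 'deployment.webjava.enabled=false\n' >> "$dptmp"
    if [ "${2:-}" = "lock" ]; then printf 'deployment.webjava.enabled.locked\n' >> "$dptmp"; fi
    mv "$dptmp" "$dpfile"
}

# Constructed samples in the shape Oracle's JRE prints (not captured from a host).
SAMPLE_7U55='java version "1.7.0_55"
Java(TM) SE Runtime Environment (build 1.7.0_55-b13)
Java HotSpot(TM) 64-Bit Server VM (build 24.55-b03, mixed mode)'
SAMPLE_7U51='java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)'
SAMPLE_6U45='java version "1.6.0_45"
Java(TM) SE Runtime Environment (build 1.6.0_45-b06)'

# Live check of this host: sh audit_java.sh --run /path/to/deployment.properties
audit_host() {
    jv=$(java -version 2>&1) || jv=""
    jrc=0; java_patched "$jv" 7 55 || jrc=$?
    case $jrc in
        0) echo "JRE: at or past 7u55" ;;
        1) echo "JRE: BEHIND 7u55: $jv" ;;
        2) echo "JRE: no Java found (or unparseable output): $jv" ;;
        *) echo "JRE: not the Java 7 train, check its own minimum: $jv" ;;
    esac
    if webjava_disabled "$1"; then
        echo "Browser Java: disabled in $1"
    else
        echo "Browser Java: ENABLED (or $1 missing); consider: disable_webjava '$1' lock"
    fi
}
if [ "${1:-}" = "--run" ]; then audit_host "${2:-$HOME/.java/deployment/deployment.properties}"; fi
```

The version comparison is deliberately strict about the release train: a Java 6 server reporting "1.6.0_45" is not "behind 7u55", it needs the Java 6 update from the same advisory, and the script says so instead of comparing across trains. The `disable_webjava` rewrite removes any earlier `deployment.webjava.enabled` and `.locked` lines before appending, so it can be run from a login script on every logon without growing the file.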
About Andy Sherman
Andy Sherman, Eden Technologies’ security practice lead has a PhD in physics from Rensselaer Polytechnic Institute and started his career in the academic world. He then went to AT&T Bell Laboratories where he discovered the power – and hazards – of large distributed computer networks. It was also at Bell Labs, during the early days of the Internet, that Andy became interested in the security problems associated with public networks. From Bell Labs Andy moved to the financial services industry. There he worked on a large range of infrastructure design, deployment, and management projects, but is best known for his 15+ years in information and technology security.