Java: Handle With Care

Software vulnerabilities are published every day, by the hundreds, and most users don’t think much about them, aside from the time it takes them to update their software. But when it comes to flaws like the latest pair of vulnerabilities in the Java platform, which is installed on hundreds of millions of PCs, users often are at risk for weeks or months without ever knowing it.

Many users may not even realize that they have Java installed on their PCs. It typically comes pre-installed on new machines and it’s one of the many applications and plug-ins that run in the background and escapes the notice of typical users. Java does not, however, escape the notice of attackers. It’s one of their favorite targets, for a variety of reasons, not the least of which is the fact that it’s installed on hundreds of millions of machines and has a slew of vulnerabilities.

Once upon a time, Java was ubiquitous online and users needed to have it installed in order to browse the Web. But that’s no longer the case, and users would do well to disable Java or uninstall it altogether. Security experts recommend that, unless you have a specific need for Java, you disable it, at a minimum.

“We’ve been telling folks to disable Java 10 times a year for the past couple of years now,” HD Moore, a well-known security researcher, said. “It’s really to the point where you should be telling people to keep it disabled all the time.”

Java vulnerabilities often are used in attacks known as “drive-by downloads” in which exploit code for a given flaw is loaded onto a Web site and then used to take advantage of the vulnerability present in a user’s browser. This happens in the background, without the user’s knowledge, and the result is that malware ends up on the victim’s machine and then can be used to steal information silently.

The good news is that users of Kaspersky Lab’s antivirus software and security software have been protected against exploits for the latest Java vulnerabilities for several weeks, thanks to the Automatic Exploit Prevention technology.

“The first appearance of the exploit’s prevention in our KSN community seemed to be January 6th. But as we dig back further, we find related samples from mid-December. So, we have been preventing this 0day in particular for quite some time,” Kurt Baumgartner, a Kaspersky Lab researcher, wrote in an analysis of the recent attacks.

If you’re still running Java, the best advice is to ensure that your security software is up-to-date and that you are conscientious about updating Java whenever a new version is available.
