More Java Warnings, More Java Worries

The attractiveness of unpatched Java as an attack entry-point continues to grow, as do calls for all users to patch Java <em>immediately</em>. But in order to do that, you need to know who's running which version of Java.

Keith Ferrell, Contributor

November 15, 2010

Unpatched Java seems poised to become the top attack platform, at least for the moment, prompting even louder warnings for users to get the latest Java updates, and get them now.

Leaving aside the universe of users who rarely if ever patch anything -- most of the recent Java exploits take advantage of vulnerabilities for which patches had long been available -- the challenge to businesses that do patch is the variety of Java installs that may be present throughout their business. Nor should you overlook the possibility of unpatched Java iterations on home and personal devices that employees may use occasionally for work.

Oracle itself posted this list of affected Java versions.

A thorough audit of Java versions in your business is more essential than ever.

But, frankly, Java is only the attack-opportunity of the moment. Once a large enough number of users wake up and patch their Java, the exploiters will move on to the next big vulnerability. You can bet that they're already looking for it.

Which imposes even more pain -- or at least effort -- on businesses seeking to establish and maintain up-to-date defenses.

A thorough audit and inventory of all the apps, gadgets, widgets and other possible entry points in your business may not seem practical -- but it sure seems necessary.

The inventory and audit should include not only what's installed, but what the patch status is, including a review, vendor by vendor, of patch availability and patch scheduling.
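As an added illustration (not code from the article), this is the check such an audit boils down to: parse the `java -version` output collected from each host and flag any install that falls below the patched baseline for its release family. The host names, the inventory and the baseline version numbers are constructed placeholders, not data from the article.

```python
import re

# Constructed sample inventory: host -> first line(s) of "java -version" output
# gathered from that host. Several entries per host mirror the "variety of
# Java installs" problem: one patched JRE does not make the old one go away.
SAMPLE_INVENTORY = {
    "ws-finance-01": ['java version "1.6.0_22"'],
    "ws-hr-07": ['java version "1.6.0_17"', 'java version "1.5.0_11"'],
    "laptop-sales-03": ['java version "1.6.0_22"', 'java version "1.6.0_20"'],
    "kiosk-lobby": [],  # no Java reported at all
}

# Assumed patched baseline per release family (placeholders, not from the
# article): anything older than this on the same family needs patching.
BASELINE = {"1.6": (1, 6, 0, 22), "1.5": (1, 5, 0, 26)}

VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')


def parse_version(line):
    """Turn a 'java version "1.6.0_22"' line into a comparable tuple,
    or None if the line is not a Java version banner."""
    m = VERSION_RE.search(line)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def audit(inventory, baseline):
    """Return {host: [(status, detail), ...]} for hosts needing attention.
    'outdated'    : install is below the baseline for its release family
    'unknown'     : release family has no baseline, so review it by hand
    'unparseable' : line could not be read; never silently pass it"""
    findings = {}
    for host, lines in inventory.items():
        for line in lines:
            v = parse_version(line)
            if v is None:
                findings.setdefault(host, []).append(("unparseable", line))
                continue
            family = f"{v[0]}.{v[1]}"
            required = baseline.get(family)
            if required is None:
                findings.setdefault(host, []).append(("unknown", v))
            elif v < required:
                findings.setdefault(host, []).append(("outdated", v))
    return findings
```

Feeding real collected banners into `audit` gives the per-host patch list the paragraph describes; the "unknown" and "unparseable" statuses exist so that a release family or a malformed line you did not anticipate ends up on the review list instead of being missed.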

Clearly a task worthy of Sisyphus, and possibly just as futile in a world where new apps, new exploitable bells and new vulnerable whistles are only a click away.

A simpler -- and I use the word advisedly -- solution might be to introduce a form of application whitelisting, establishing and making clear throughout your company which programs are allowed on company equipment, and restricting users only to those programs. At the very least, such an approach, if adhered to, reduces the number of programs you're monitoring for vulnerabilities and patches.

As long as we're talking about "the very least," you should certainly ask yourself how many of your employees actually use or even need Java on their devices, and eliminate installs accordingly.

Either approach -- audit/review/patch or whitelist/prohibit -- requires plenty of extra effort, diligence, and ongoing vigilance. But the alternative -- doing nothing or, nearly as bad, doing just enough and doing that haphazardly -- virtually guarantees that you'll be spending plenty of extra effort playing catchup, and possibly playing it too late.

Oracle's Critical Patch Updates are here.