Oracle recently released patches for several dozen Java vulnerabilities, but shortly afterward I saw that Java...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
was immediately compromised (again) by a sandbox-bypass exploit. As a policy, is Java generally secure when using the latest version, or has Java patching become an exercise in futility?
Ask the expert!
SearchSecurity expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)
Java patching is almost an exercise in futility at this point, but not quite. The large number of patches, the complexity of the Java patching process and the version dependence issues all make it more difficult for enterprises and end users alike to keep the Java Runtime Environment (JRE) updated.
The large number of security patches for Java are less concerning than the frequency and consistency of patching being required. The JRE contains functionality that checks for and installs updates, but this does not necessarily remove old, vulnerable versions or help enterprises that require patches to be tested before they are applied. Consumers might still be better protected by keeping the auto-update functionality enabled and having the JRE check regularly for updates, but if patches are not tested, an update could break critical enterprise applications. Depending on each individual enterprise's security stance, the potential risk of an application breaking might be more acceptable than users running compromised versions of Java on their desktops.
Enterprises should remember that not all reported Java vulnerabilities affect all versions or the JRE. For example, some Java vulnerabilities are found only in the Java server-side components. Sandbox escapes are particularly problematic; the JRE sandbox is intended to be a core security functionality for Java, protecting endpoints from complete compromise. To minimize the impact of such a JRE vulnerability being exploited, implement other endpoint security controls (e.g., not allowing end users to have administrative access) to prevent the complete compromise of the endpoint. If the JRE is required, the enterprise must either ensure the most current version is in use or disable the JRE in the browser.
Related Q&A from Nick Lewis
When NSA cyberweapons went public, attackers bundled them into the EternalRocks malware. Nick Lewis takes a closer look at this new threat and ...continue reading
A Google Docs phishing attack used OAuth tokens to affect more than a million Gmail users. Nick Lewis explains how it happened, and how to defend ...continue reading
A vulnerability in Microsoft's Windows Defender antivirus tool left users open to remote code exploitation. Expert Nick Lewis explains how it ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.