How to hone an effective vulnerability management program
Oracle recently released patches for several dozen Java vulnerabilities, but shortly afterward I saw that Java was immediately compromised (again) by a sandbox-bypass exploit. As a policy, is Java generally secure when using the latest version, or has Java patching become an exercise in futility?
Java patching is almost an exercise in futility at this point, but not quite. The large number of patches, the complexity of the Java patching process and the version dependence issues all make it more difficult for enterprises and end users alike to keep the Java Runtime Environment (JRE) updated.
The large number of security patches for Java is less concerning than the frequency and consistency of patching being required. The JRE contains functionality that checks for and installs updates, but this does not necessarily remove old, vulnerable versions or help enterprises that require patches to be tested before they are applied. Consumers might still be better protected by keeping the auto-update functionality enabled and having the JRE check regularly for updates, but if patches are not tested, an update could break critical enterprise applications. Depending on each individual enterprise's security stance, the potential risk of an application breaking might be more acceptable than users running compromised versions of Java on their desktops.
Enterprises should remember that not all reported Java vulnerabilities affect all versions or the JRE. For example, some Java vulnerabilities are found only in the Java server-side components. Sandbox escapes are particularly problematic; the JRE sandbox is intended to be a core security functionality for Java, protecting endpoints from complete compromise. To minimize the impact of such a JRE vulnerability being exploited, implement other endpoint security controls (e.g., not allowing end users to have administrative access) to prevent the complete compromise of the endpoint. If the JRE is required, the enterprise must either ensure the most current version is in use or disable the JRE in the browser.
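An added example, not from the question or from Nick Lewis's answer: because the JRE updater leaves older runtimes installed beside the new one, an inventory check has to recognise both Java version-string schemes (the legacy 1.x.0_update form and the major.minor.security form used from Java 9 onward, which reaches past the releases this Q&A discusses) and flag every runtime behind the enterprise's tested baseline. The host names, installed versions and baseline table below are constructed, not real patch levels.

```python
"""Flag installed Java runtimes that are behind the tested baseline.

Added example, not part of the original Q&A. Java version strings come in
two formats: the legacy "1.<major>.0_<update>" (Java 8 and earlier) and the
"<major>.<minor>.<security>" scheme used from Java 9 onward. The auto-updater
installs the new release beside the old one, so an inventory often shows
several runtimes per host; anything behind the current release for its major
line is still exposed and should be removed.
"""
import re
from typing import Dict, List, Tuple

# Constructed inventory (hypothetical hosts and versions), e.g. exported from
# a software-inventory tool as (host, version) pairs.
INSTALLED = [
    ("workstation-01", "1.7.0_21"),
    ("workstation-01", "1.8.0_131"),
    ("workstation-02", "1.8.0_291"),
    ("build-server-03", "11.0.2"),
    ("build-server-03", "17.0.9"),
]

# Constructed baseline: the newest release the enterprise has tested for each
# major line. Majors absent from this table are treated as unsupported.
CURRENT: Dict[int, str] = {8: "1.8.0_291", 11: "11.0.21", 17: "17.0.9"}

_LEGACY = re.compile(r"^1\.(\d+)\.0(?:_(\d+))?$")          # e.g. 1.8.0_131
_MODERN = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?$")  # e.g. 11.0.2, 17

def parse_java_version(s: str) -> Tuple[int, int]:
    """Normalise either scheme to (major, patch_level).

    Legacy strings yield the update number; modern strings yield the
    security (third) component, defaulting to 0 when it is omitted.
    """
    m = _LEGACY.match(s)
    if m:
        return int(m.group(1)), int(m.group(2) or 0)
    m = _MODERN.match(s)
    if m and int(m.group(1)) >= 9:
        return int(m.group(1)), int(m.group(3) or 0)
    raise ValueError(f"unrecognised Java version string: {s!r}")

def audit(installed, current=CURRENT) -> List[Tuple[str, str, str]]:
    """Return (host, version, reason) for every runtime that needs action."""
    findings = []
    for host, ver in installed:
        major, patch = parse_java_version(ver)
        if major not in current:
            findings.append((host, ver, "unsupported major version"))
        elif patch < parse_java_version(current[major])[1]:
            findings.append((host, ver, f"behind current {current[major]}"))
    return findings

if __name__ == "__main__":
    for host, ver, reason in audit(INSTALLED):
        print(f"{host}: Java {ver} -> {reason}")
```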