Oracle recently released patches for several dozen Java vulnerabilities, but shortly afterward I saw that Java was immediately compromised (again) by a sandbox-bypass exploit. As a policy, is Java generally secure when using the latest version, or has Java patching become an exercise in futility?
SearchSecurity expert Nick Lewis answers:
Java patching is almost an exercise in futility at this point, but not quite. The large number of patches, the complexity of the Java patching process and the version dependence issues all make it more difficult for enterprises and end users alike to keep the Java Runtime Environment (JRE) updated.
The large number of security patches for Java is less concerning than the frequency and consistency of patching being required. The JRE contains functionality that checks for and installs updates, but this does not necessarily remove old, vulnerable versions or help enterprises that require patches to be tested before they are applied. Consumers might still be better protected by keeping the auto-update functionality enabled and having the JRE check regularly for updates, but if patches are not tested, an update could break critical enterprise applications. Depending on each individual enterprise's security stance, the potential risk of an application breaking might be more acceptable than users running compromised versions of Java on their desktops.
Enterprises should remember that not all reported Java vulnerabilities affect all versions or the JRE. For example, some Java vulnerabilities are found only in the Java server-side components. Sandbox escapes are particularly problematic; the JRE sandbox is intended to be a core security functionality for Java, protecting endpoints from complete compromise. To minimize the impact of such a JRE vulnerability being exploited, implement other endpoint security controls (e.g., not allowing end users to have administrative access) to prevent the complete compromise of the endpoint. If the JRE is required, the enterprise must either ensure the most current version is in use or disable the JRE in the browser.
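As an added example (not part of the original answer), a small Python audit that normalises both Java version naming schemes and flags every installed JRE copy that is below a required baseline, including stale copies left behind beside an updated one; the inventory rows and the baseline value are constructed sample data.

```python
"""Audit installed JRE copies against a required baseline version.

Added example, not from the TechTarget answer; INVENTORY is constructed.
"""
import re
from typing import List, Optional, Tuple

# Java 8 and earlier report "1.8.0_151"; Java 9+ report "11.0.2" or "17".
_LEGACY = re.compile(r"^1\.(\d+)\.(\d+)_(\d+)$")
_MODERN = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def parse_java_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Normalise both naming schemes to a comparable (major, minor, update)."""
    core = re.split(r"[+-]", text.strip(), maxsplit=1)[0]  # drop "+9", "-b12"
    m = _LEGACY.match(core)
    if m:
        return (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    m = _MODERN.match(core)
    if m:
        return (int(m.group(1)), int(m.group(2) or 0), int(m.group(3) or 0))
    return None  # unrecognised: report it rather than assume it is current


def audit_installs(inventory, baseline: str) -> List[Tuple[str, str, str, str]]:
    """Return (host, path, version, reason) for each copy that needs action;
    an old copy left beside an updated JRE is still flagged (the leftover
    problem the answer describes)."""
    required = parse_java_version(baseline)
    if required is None:
        raise ValueError(f"unparseable baseline: {baseline!r}")
    findings = []
    for host, path, version in inventory:
        parsed = parse_java_version(version)
        if parsed is None:
            findings.append((host, path, version, "unparseable"))
        elif parsed < required:
            findings.append((host, path, version, "below baseline"))
    return findings


INVENTORY = [  # constructed: (host, install path, reported version)
    ("ws-01", r"C:\Program Files\Java\jre1.8.0_151", "1.8.0_151"),
    ("ws-01", r"C:\Program Files (x86)\Java\jre7", "1.7.0_45"),
    ("ws-02", "/usr/lib/jvm/java-11-openjdk", "11.0.2+9"),
    ("ws-03", r"C:\Program Files\Java\jre1.8.0_45", "1.8.0_45"),
    ("ws-04", "/opt/java", "unknown"),
]
```

Calling `audit_installs(INVENTORY, "1.8.0_151")` reports the leftover Java 7 copy on ws-01, the outdated 8u45 on ws-03 and the unreadable install on ws-04, while the current copies pass.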