Oracle recently released patches for several dozen Java vulnerabilities, but shortly afterward I saw that Java was immediately compromised (again) by a sandbox-bypass exploit. As a policy, is Java generally secure when using the latest version, or has Java patching become an exercise in futility?
Ask the expert!
SearchSecurity expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)
Java patching is almost an exercise in futility at this point, but not quite. The large number of patches, the complexity of the Java patching process and the version dependence issues all make it more difficult for enterprises and end users alike to keep the Java Runtime Environment (JRE) updated.
The large number of security patches for Java is less concerning than the frequency and consistency of patching being required. The JRE contains functionality that checks for and installs updates, but this does not necessarily remove old, vulnerable versions or help enterprises that require patches to be tested before they are applied. Consumers might still be better protected by keeping the auto-update functionality enabled and having the JRE check regularly for updates, but if patches are not tested, an update could break critical enterprise applications. Depending on each individual enterprise's security stance, the potential risk of an application breaking might be more acceptable than users running compromised versions of Java on their desktops.
Enterprises should remember that not all reported Java vulnerabilities affect all versions or the JRE. For example, some Java vulnerabilities are found only in the Java server-side components. Sandbox escapes are particularly problematic; the JRE sandbox is intended to be a core security functionality for Java, protecting endpoints from complete compromise. To minimize the impact of such a JRE vulnerability being exploited, implement other endpoint security controls (e.g., not allowing end users to have administrative access) to prevent the complete compromise of the endpoint. If the JRE is required, the enterprise must either ensure the most current version is in use or disable the JRE in the browser.
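The answer above makes two operational points that are easy to lose in a spreadsheet: the JRE updater leaves old versions installed side by side, and an enterprise that keeps the JRE must either prove the current version is in use or switch Java off in the browser. The script below is an added example written for this page, not code from the expert or from Oracle. It parses the three Java version-string forms an inventory tool will hand you (the pre-9 `1.7.0_45` form, the `8u202` marketing form, and the JEP 223 `11.0.2+9` form), flags hosts below a chosen baseline or carrying more than one JRE, and checks a system-level `deployment.properties` for the `deployment.webjava.enabled=false` switch (plus its `.locked` companion that stops users re-enabling it). The inventory rows, host names and the `8u231` baseline are constructed for the demo.

```python
"""Audit a software inventory for stale or side-by-side JREs and check the
browser-plugin switch in deployment.properties.

Added example for this page; not the expert's or Oracle's code. The inventory
below is constructed, and the baseline version is an arbitrary choice.
"""
import re
from collections import defaultdict

# Java version strings come in three shapes; all are mapped to (major, minor, update):
#   "1.7.0_45"  pre-9 internal form  -> (7, 0, 45)
#   "8u202"     marketing form       -> (8, 0, 202)
#   "11.0.2+9"  JEP 223 form         -> (11, 0, 2)   (build suffix ignored)
_LEGACY = re.compile(r"^1\.(\d+)\.\d+(?:_(\d+))?$")
_MARKETING = re.compile(r"^(\d+)u(\d+)$")
_MODERN = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def parse_java_version(text):
    """Return a comparable (major, minor, update) tuple, or None if unparseable."""
    core = re.split(r"[-+]", text.strip())[0]  # drop "-b11" / "+9" build suffixes
    m = _LEGACY.match(core)
    if m:
        return (int(m.group(1)), 0, int(m.group(2) or 0))
    m = _MARKETING.match(core)
    if m:
        return (int(m.group(1)), 0, int(m.group(2)))
    m = _MODERN.match(core)
    if m:
        return tuple(int(g or 0) for g in m.groups())
    return None


# Constructed inventory export: (host, product name, version string).
INVENTORY = [
    ("ws-101", "Java 8 Update 231", "1.8.0_231"),
    ("ws-101", "Java 7 Update 45", "1.7.0_45"),  # updater never removed this one
    ("ws-102", "Java 8 Update 202", "8u202"),
    ("ws-103", "Java 11", "11.0.2"),
    ("ws-104", "Java(TM) 6 Update 45", "1.6.0_45"),
    ("ws-105", "Java 8 Update 231", "1.8.0_231"),
]


def audit(inventory, baseline="8u231"):
    """Group versions per host and report stale, side-by-side and unparseable entries."""
    floor = parse_java_version(baseline)
    by_host = defaultdict(list)
    for host, _product, version in inventory:
        by_host[host].append(version)

    stale, side_by_side, unparseable = {}, {}, {}
    for host, versions in sorted(by_host.items()):
        old, bad = [], []
        for v in versions:
            parsed = parse_java_version(v)
            if parsed is None:
                bad.append(v)  # surface it rather than silently passing the host
            elif parsed < floor:
                old.append(v)
        if old:
            stale[host] = sorted(old)
        if bad:
            unparseable[host] = sorted(bad)
        if len(versions) > 1:
            side_by_side[host] = sorted(versions)
    return {"stale": stale, "side_by_side": side_by_side, "unparseable": unparseable}


def parse_properties(text):
    """Minimal Java .properties reader: key[=value] lines, '#' and '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        props[key.strip()] = value.strip() if sep else ""
    return props


def browser_java_policy(text):
    """Return (disabled, locked) for the web-plugin switch in deployment.properties."""
    props = parse_properties(text)
    disabled = props.get("deployment.webjava.enabled", "true").lower() == "false"
    locked = "deployment.webjava.enabled.locked" in props
    return disabled, locked


# Constructed system-level deployment.properties that turns Java off in the browser.
LOCKED_DOWN_PROPS = """\
# pushed by configuration management; users cannot re-enable the plugin
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
"""

if __name__ == "__main__":
    report = audit(INVENTORY)
    for kind, hosts in report.items():
        for host, versions in hosts.items():
            print(f"{kind:13s} {host}: {', '.join(versions)}")
    print("browser plugin disabled/locked:", browser_java_policy(LOCKED_DOWN_PROPS))
```

Feed `audit()` the rows from whatever agent or SCCM/Jamf export you already have; the point of parsing rather than string-comparing is that `1.8.0_202` and `8u202` are the same build and must sort below `1.8.0_231`. A host in `side_by_side` is exactly the case the answer warns about: the updater installed the new JRE but the old, exploitable one is still on disk and still launchable.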