How to hone an effective vulnerability management program
A comprehensive collection of articles, videos and more, hand-picked by our editors
Oracle recently released patches for several dozen Java vulnerabilities, but shortly afterward I saw that Java...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
was immediately compromised (again) by a sandbox-bypass exploit. As a policy, is Java generally secure when using the latest version, or has Java patching become an exercise in futility?
Ask the expert!
SearchSecurity expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)
Java patching is almost an exercise in futility at this point, but not quite. The large number of patches, the complexity of the Java patching process and the version dependence issues all make it more difficult for enterprises and end users alike to keep the Java Runtime Environment (JRE) updated.
The large number of security patches for Java are less concerning than the frequency and consistency of patching being required. The JRE contains functionality that checks for and installs updates, but this does not necessarily remove old, vulnerable versions or help enterprises that require patches to be tested before they are applied. Consumers might still be better protected by keeping the auto-update functionality enabled and having the JRE check regularly for updates, but if patches are not tested, an update could break critical enterprise applications. Depending on each individual enterprise's security stance, the potential risk of an application breaking might be more acceptable than users running compromised versions of Java on their desktops.
Enterprises should remember that not all reported Java vulnerabilities affect all versions or the JRE. For example, some Java vulnerabilities are found only in the Java server-side components. Sandbox escapes are particularly problematic; the JRE sandbox is intended to be a core security functionality for Java, protecting endpoints from complete compromise. To minimize the impact of such a JRE vulnerability being exploited, implement other endpoint security controls (e.g., not allowing end users to have administrative access) to prevent the complete compromise of the endpoint. If the JRE is required, the enterprise must either ensure the most current version is in use or disable the JRE in the browser.
Related Q&A from Nick Lewis
Locky ransomware has, again, changed tactics by moving to using LNK files for distribution. Expert Nick Lewis explains how enterprises can adjust ...continue reading
Hajime malware was discovered to have links to the Mirai botnet that launched powerful DDoS attacks last year. Expert Nick Lewis explains how Hajime ...continue reading
Drammer, or a deterministic Rowhammer attack, was found to be more effective on ARM-based mobile devices. Expert Nick Lewis explains the issue with ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.