Should a Java Runtime Environment (JRE) be kept up to date?
How important is it to keep a Java Runtime Environment (JRE) up to date? If my browser patches are up to date, am I still at risk?
It is vitally important for you to keep your Java Runtime Environment (JRE)
up to date. On a regular basis, Sun Microsystems Inc., as well as other JRE software creators and distributors like BEA Systems Inc., Red Hat Inc., and Avaya Inc., release patches for critical flaws in their JRE implementations. These vulnerabilities could allow an attacker to break out of the Java "sandbox" and take over the entire machine. If you surf to a site with an out-of-date JRE, that Web site could push back a Java applet that could bypass all of Java's security restrictions, letting the attacker take over your machine. Your question is very timely; critical security flaws are discovered in JRE implementations two or three times per year. Unfortunately, most users don't apply these patches, as they are unaware of the great security risks posed by a vulnerable JRE.
Simply patching your browser isn't enough to keep your JRE up to date, because the JRE is patched independently of the browser that launches it. Compounding the problem, most JREs don't remind the user to download security updates, unlike many other applications that often annoy users with frequent upgrade prompts. Thus, you need to devise a plan for distributing JRE patches regularly across your enterprise. Such patches are especially important for machines used to manage our critical infrastructures; many enterprise applications, security tools and network infrastructure devices and systems use Java-based GUIs. If an attacker compromises such systems, enterprise control could totally unravel. Patch these machines diligently, either manually (if there are a small number of them), or by using an automated patching tool, such as Microsoft's Systems Management Server (SMS) or Shavlik Technologies' NetChk Protect.
More informationEd Skoudis explains how to develop patch management policies for the third-party applications in your enterprise.
Is Java security getting worse? Joel Dubin weighs in on the debate.
This was first published in January 2008