Q

Should a Java Runtime Environment (JRE) be kept up to date?

Critical security flaws are often discovered in Java Runtime Environment implementations. Unfortunately, most users don't apply any appropriate patches. Ed Skoudis reveals the security risks posed by a vulnerable JRE.

How important is it to keep a Java Runtime Environment (JRE) up to date? If my browser patches are up to date, am I still at risk?
It is vitally important for you to keep your Java Runtime Environment (JRE) up to date. On a regular basis, Sun Microsystems Inc., as well as other JRE software creators and distributors like BEA Systems Inc., Red Hat Inc., and Avaya Inc., release patches for critical flaws in their JRE implementations. These vulnerabilities could allow an attacker to break out of the Java "sandbox" and take over the entire machine. If you surf to a site with an out-of-date JRE, that Web site could push back a Java applet that could bypass all of Java's security restrictions, letting the attacker take over your machine. Your question is very timely; critical security flaws are discovered in JRE implementations two or three times per year. Unfortunately, most users don't apply these patches, as they are unaware of the great security risks posed by a vulnerable JRE.

Simply patching your browser isn't enough to keep your JRE up to date, because the JRE is patched independently of the browser that launches it. Compounding the problem, most JREs don't remind the user to download security updates, unlike many other applications that often annoy users with frequent upgrade prompts. Thus, you need to devise a plan for distributing JRE patches regularly across your enterprise. Such patches are especially...

important for machines used to manage our critical infrastructures; many enterprise applications, security tools and network infrastructure devices and systems use Java-based GUIs. If an attacker compromises such systems, enterprise control could totally unravel. Patch these machines diligently, either manually (if there are a small number of them), or by using an automated patching tool, such as Microsoft's Systems Management Server (SMS) or Shavlik Technologies' NetChk Protect.

More information

  • Ed Skoudis explains how to develop patch management policies for the third-party applications in your enterprise.
  • Is Java security getting worse? Joel Dubin weighs in on the debate.
  • This was first published in January 2008

    Dig deeper on Securing Productivity Applications

    Pro+

    Features

    Enjoy the benefits of Pro+ membership, learn more and join.

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    0 comments

    Oldest 

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    -ADS BY GOOGLE

    SearchCloudSecurity

    SearchNetworking

    SearchCIO

    SearchConsumerization

    SearchEnterpriseDesktop

    SearchCloudComputing

    ComputerWeekly

    Close