Problem solve Get help with specific problems with your technologies, process and projects.

Should a Java Runtime Environment (JRE) be kept up to date?

Critical security flaws are often discovered in Java Runtime Environment implementations. Unfortunately, most users don't apply any appropriate patches. Ed Skoudis reveals the security risks posed by a vulnerable JRE.

How important is it to keep a Java Runtime Environment (JRE) up to date? If my browser patches are up to date, am I still at risk?
It is vitally important for you to keep your Java Runtime Environment (JRE) up to date. On a regular basis, Sun Microsystems Inc., as well as other JRE software creators and distributors like BEA Systems Inc., Red Hat Inc., and Avaya Inc., release patches for critical flaws in their JRE implementations. These vulnerabilities could allow an attacker to break out of the Java "sandbox" and take over the entire machine. If you surf to a site with an out-of-date JRE, that Web site could push back a Java applet that could bypass all of Java's security restrictions, letting the attacker take over your machine. Your question is very timely; critical security flaws are discovered in JRE implementations two or three times per year. Unfortunately, most users don't apply these patches, as they are unaware of the great security risks posed by a vulnerable JRE.

Simply patching your browser isn't enough to keep your JRE up to date, because the JRE is patched independently of the browser that launches it. Compounding the problem, most JREs don't remind the user to download security updates, unlike many other applications that often annoy users with frequent upgrade prompts. Thus, you need to devise a plan for distributing JRE patches regularly across your enterprise. Such patches are especially important for machines used to manage our critical infrastructures; many enterprise applications, security tools and network infrastructure devices and systems use Java-based GUIs. If an attacker compromises such systems, enterprise control could totally unravel. Patch these machines diligently, either manually (if there are a small number of them), or by using an automated patching tool, such as Microsoft's Systems Management Server (SMS) or Shavlik Technologies' NetChk Protect.

More information

This was last published in January 2008

Dig Deeper on Productivity apps and messaging security