Should a Java Runtime Environment (JRE) be kept up to date?

Critical security flaws are often discovered in Java Runtime Environment implementations. Unfortunately, most users don't apply any appropriate patches. Ed Skoudis reveals the security risks posed by a vulnerable JRE.

Ed Skoudis

Counter Hack

How important is it to keep a Java Runtime Environment (JRE) up to date? If my browser patches are up to date, am I still at risk?

It is vitally important for you to keep your Java Runtime Environment (JRE) up to date. On a regular basis, Sun Microsystems Inc., as well as other JRE software creators and distributors like BEA Systems Inc., Red Hat Inc., and Avaya Inc., release patches for critical flaws in their JRE implementations. These vulnerabilities could allow an attacker to break out of the Java "sandbox" and take over the entire machine. If you surf to a site with an out-of-date JRE, that Web site could push back a Java applet that could bypass all of Java's security restrictions, letting the attacker take over your machine. Your question is very timely; critical security flaws are discovered in JRE implementations two or three times per year. Unfortunately, most users don't apply these patches, as they are unaware of the great security risks posed by a vulnerable JRE.

Simply patching your browser isn't enough to keep your JRE up to date, because the JRE is patched independently...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

of the browser that launches it. Compounding the problem, most JREs don't remind the user to download security updates, unlike many other applications that often annoy users with frequent upgrade prompts. Thus, you need to devise a plan for distributing JRE patches regularly across your enterprise. Such patches are especially important for machines used to manage our critical infrastructures; many enterprise applications, security tools and network infrastructure devices and systems use Java-based GUIs. If an attacker compromises such systems, enterprise control could totally unravel. Patch these machines diligently, either manually (if there are a small number of them), or by using an automated patching tool, such as Microsoft's Systems Management Server (SMS) or Shavlik Technologies' NetChk Protect.

More information

Ed Skoudis explains how to develop patch management policies for the third-party applications in your enterprise.
Is Java security getting worse? Joel Dubin weighs in on the debate.

This was last published in January 2008

Dig Deeper on Productivity apps and messaging security

All
News
Get Started
Evaluate
Manage
Problem Solve

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our Information Security experts

View all Information Security questions and answers

Related Resources

Dig Deeper on Productivity apps and messaging security

Related Q&A from Ed Skoudis

Have a question for an expert?

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.