What the latest Java flaw really means

As the firestorm around the zero-day Java flaw swirls higher, here's what you need to know -- and do -- about this extraordinary threat

1 2 Page 2
Page 2 of 2

Most security exploits target specific JVM versions and may not work on Java running alone on a desktop. On the other hand, Java exploits may target Java beans or Java servlets -- but in general, server-side threats appear to be rarer. Not every Java exploit is equally threatening; it depends on which Java component is installed and what the exploit does.

In the latest case, Java exploit CVE-2013-0422 impacted Java's Runtime Engine (JRE), which means that most of those 1.1 billion desktops are vulnerable. Several sources (including Symantec) found that the zero-day exploit was included in several widely sold malicious hacker exploit kits.

If you need Java, keep it patched -- you'll be far ahead in the game and significantly reduce risk. I've yet to see Java appropriately patched in any environment. None -- not a single one, even those companies that think (and say) they have patching under control. If you want to patch Java correctly in the enterprise, it's probably going to take a specialized project team with the backing of senior management. Without those requirements, you're going to fail and the exploits (most of which would be blocked by patches) will continue to take down your computers.

How scared should you be?
Is this Java exploit the one we should really be afraid of? Will it go around the world and quickly infect everyone like MS.Blaster or SQL.Slammer?

The heightened global publicity this flaw has received will ensure many hackers will pursue exploits. Plus, serious white hat hackers, including H.D. Moore and Dave Aitel, have confirmed that additional bugs still exist after the latest Oracle patch -- and point to Java as a more reliable exploitation vector than the browser hosting it.

But the major obstacle that prevents Java exploits from becoming superfast-spreading worms is that they almost always require client-side user interaction to infect a computer. The world's fastest worms and viruses self-replicate; once launched by a single person, they could infect an entire network or a whole enterprise. Java exploits, on the other hand, usually work machine by machine, with each activation exploiting only one computer. This factor by itself almost guarantees that Java exploits will not tear across the world like the infamous worms of the past.

On the other hand, the sheer ubiquity of Java could result in very high infection rates at a more leisurely pace. Java is everywhere, and enterprises can't uninstall or disable it.

Ultimately, no one can predict which malware programs will go nuclear. Each year dozens have that potential. But for every Nimda, Codered, Iloveyou, or Conficker, there are millions of similar exploits you never heard of. Why one malware program takes off in popularity while its twin lies dormant has always been a mystery to me (and every other antimalware researcher). If we could predict which Trojan or worm would go nuclear out of the tens of millions of rogue programs released each month, our antivirus programs would be a lot faster and their definition databases a lot smaller.

Nonetheless, this latest zero-day exploit could be Java's tipping point. Already, every company I've talked to in the last few months wanted to remove Java because of its nearly constant exploitation. They may not be able to get rid of it, but they're talking about it. Oracle needs to do something dramatic or it could find Java washed away in a storm of protest.

This story, "What the latest Java flaw really means," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.

Copyright © 2013 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 hot cybersecurity trends (and 2 going cold)