Software companies seem to be losing their longstanding battle with the hacking community. In a recent blog post, Eric P. Maurice, who is the director of Software Security Assurance for Oracle, reported a devastating new software vulnerability that, while somewhat complex to execute, can result in the complete compromise of a user’s system.
Designated CVE-2016-0603, the vulnerability lies in the software’s installation routine: an installer that looks legitimate could actually be malware in disguise. To get around this problem, the company, through Mr. Maurice, recommends that you delete any old copies of Java or the installer from your machine, visit Java.com to confirm that all previous versions have been completely removed, and obtain a guaranteed clean copy of the installer from there. He underscored the point that getting the installer from any other source could result in the total compromise of the user’s system.
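As a practical way to act on that advice, the following PowerShell script is an added example, not code from the post or from Oracle. It lists leftover Java installer files under a folder (the user’s Downloads folder by default), checks each one’s Authenticode signature, and reports which ones do not carry a valid signature from the expected publisher. The search folder, the file-name pattern and the expected signer substring are all assumptions you should adjust to your environment.

```powershell
<#
  Added example, not from the original post or from Oracle.
  Finds stale Java installer files and verifies their Authenticode
  signature before you decide which, if any, to keep.
  Assumptions: installers are .exe files named like jre-*, jdk-* or
  JavaSetup*, and the legitimate signer's subject contains "Oracle".
#>
param(
    [string]$SearchRoot     = (Join-Path $env:USERPROFILE 'Downloads'),
    [string]$ExpectedSigner = 'Oracle'   # assumed substring of the signer's subject
)

# Assumed naming convention for Java installer binaries
$candidates = Get-ChildItem -Path $SearchRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^(jre|jdk|JavaSetup).*\.exe$' }

foreach ($file in $candidates) {
    $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # Trusted only if the signature chain validates and the signer matches
    $trusted = ($sig.Status -eq 'Valid') -and ($signer -like "*$ExpectedSigner*")

    [pscustomobject]@{
        File    = $file.FullName
        Status  = $sig.Status
        Signer  = $signer
        Trusted = $trusted
    }

    if (-not $trusted) {
        # -WhatIf only reports what would be deleted; remove it once you
        # have reviewed the list and want the stale copies gone.
        Remove-Item -LiteralPath $file.FullName -WhatIf
    }
}
```

A valid signature from the expected publisher only tells you the file is unaltered and came from that publisher; it does not replace the post’s advice to remove old installer copies and download a fresh one from Java.com before installing.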
This is a widespread, pervasive security flaw that impacts users of Java 6, 7 and 8. Users who currently have version 6 installed and do not wish to upgrade to version 9 should install 6.113, which is the patched version of the software. Users of version 7 should upgrade either to version 8.73, which is patched, or to version 9.
This revelation comes not long after Oracle announced that it was planning to drop its Java browser plug-in entirely, due to numerous security issues with it. Of course, the plug-in itself won’t magically disappear. It is used by literally millions of web developers around the world, but given that support for it is disappearing, those who choose to continue designing their sites around its capabilities are on notice, as are people who use the plug-in to view the content those developers create. In the absence of ongoing support, new security flaws won’t be patched when discovered, which makes surfing the web that much more dangerous.
The best course of action, if at all possible, is to steer clear of Java (including the plug-in) until the most pervasive of its security flaws have been patched. If that’s not possible, then at the very least you’ll want to be sure your IT staff is on guard and watching for potential threats from this direction. If you have any questions or concerns about your company’s network and its potential vulnerabilities, it never hurts to get an outside expert’s opinion. Contact a qualified independent network security consultant for a detailed analysis so you know where your weak points are and what to do about them.