Oracle issued a gargantuan security update that fixes 25 separate security flaws in Java, including one zero-day that has been actively exploited in the wild. Unless there is some sort of absolute business imperative that requires your use of Java, it’s time to just remove the software from your PC.
I wrote this blog post about the latest Java security concerns:
News of Adobe Flash zero-day exploits and calls for the execution of Adobe Flash dominated headlines over the past week or so in the wake of the Hacking Team hack. Meanwhile, Oracle pushed out a security update. The Oracle update fixed 193 security vulnerabilities—yes one, nine, three…just seven short of 200—including 25 just for Java. While we’re tossing Adobe Flash overboard, let’s send Java with it.
Java and Flash are like the twin harbingers of doom when it comes to computer security. They’re like a devastating tag-team attack. At any given point, if there isn’t a zero-day flaw to exploit in Adobe Flash there’s probably one in Java—and vice versa.
In a post imploring users to update or just remove Java completely, Graham Cluley points out, “The security hole was particularly notable because it is thought to be the first new zero-day vulnerability that has targeted Java for two years.”
I agree with Cluley, but I would emphasize the “thought to be” a little more. The Java zero-day is the first that has been publicly disclosed and patched in a couple years. However, the very nature of zero-days is that we don’t know about them until we know about them.
A couple of weeks ago you might have assumed Adobe Flash was relatively secure. Then the Hacking Team hack revealed that the company had kept three different Adobe Flash zero-day exploits in its arsenal to enable it to install software on target computers without the users’ knowledge. It seems likely that there are Java zero-day exploits out there we just don’t know about.
Read the full post on CSOOnline.com: Just get rid of Java finally.