You’ve updated Java, right?
I mean, that’s the right thing to have done if you still have Java on your computer – particularly if you have chosen to leave it enabled inside your browser.
Oracle issued a Godzilla-sized Critical Patch Update on Tuesday, fixing a stonking 193 new security vulnerabilities in its software.
Many of these fixes are for software which is used by enterprises, and are unlikely to be of interest to the typical computer user.
But amongst the updates are 25 fixes for software that many computer users do have installed: Java.
Included in the Java update is a patch for the recently-discovered zero-day vulnerability in Java (CVE-2015-2590) that has been actively exploited in the wild by the Pawn Storm hacking gang.
The security hole was particularly notable because it is thought to be the first new zero-day vulnerability that has targeted Java for two years.
The Pawn Storm hacking gang, which some suspect to be backed by a nation state, has been running a sophisticated malware campaign for some time targeting government, media and military organisations in the United States, Pakistan, and across Europe.
Operation Pawn Storm was recently implicated in the attack which compromised parts of the White House computer system, for instance.
But even if you don’t work for a government, the military, a media organisation… even if you aren’t a political activist who has ruffled a few feathers… it makes sense to keep your systems protected and running the very latest versions of software. So, update Java (and make sure not to allow it to foist other software onto your computer while you do it).
Of course, the alternative is not to run Java at all. Running the software on your computer increases your attack surface, and opens up more opportunities for hackers to attack.
At the very least, consider disabling Java in your browsers.
If you really do have in-house websites or visit sites that require you to have Java enabled in your browser, perhaps consider having a secondary browser that you only use when visiting those sites – rather than leaving the technology turned on in your regular browser for all of your surfing.
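The two checks that advice boils down to are "is the installed Java at or above the patched update level?" and "is the browser plugin actually switched off?". The script below is an added example, not code from the article or from Oracle: it parses the output of `java -version` (which Java prints to stderr, not stdout) into a comparable tuple for both the legacy `1.8.0_51` scheme and the newer `11.0.2` scheme, compares it against a per-family baseline, and inspects the text of a Java `deployment.properties` file for the `deployment.webjava.enabled=false` kill switch that the Java Control Panel writes when browser content is disabled. The baseline update numbers in `ASSUMED_MIN_PATCHED` are an assumption for illustration and are not stated by the article; confirm them against Oracle's Critical Patch Update advisory before relying on them.

```python
import re
import subprocess

# Minimum patched level per Java family. ASSUMPTION for illustration only:
# these numbers are not from the article; check them against Oracle's CPU advisory.
ASSUMED_MIN_PATCHED = {
    6: (6, 0, 0, 101),
    7: (7, 0, 0, 85),
    8: (8, 0, 0, 51),
}

# Matches the quoted token in both 'java version "1.8.0_51"' and
# 'openjdk version "11.0.2" 2019-01-15'; everything after the quote is ignored.
_VERSION_RE = re.compile(r'version\s+"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?')


def parse_java_version(output: str) -> tuple:
    """Normalise `java -version` output to a comparable (family, minor, security, update)."""
    m = _VERSION_RE.search(output)
    if not m:
        raise ValueError("no Java version string found in output")
    major, minor, patch, update = (int(g) if g else 0 for g in m.groups())
    if major == 1:
        # Legacy scheme 1.<family>.0_<update>, e.g. 1.8.0_51 -> family 8, update 51
        return (minor, 0, 0, update)
    # Java 9+ scheme <family>.<minor>.<security>, e.g. 11.0.2
    return (major, minor, patch, 0)


def is_patched(output: str, minimums=ASSUMED_MIN_PATCHED):
    """True/False when a baseline exists for the family; None when it is unknown.

    Returning None rather than False for an unknown family keeps a newer
    Java from being misreported as unpatched against an older baseline.
    """
    version = parse_java_version(output)
    baseline = minimums.get(version[0])
    if baseline is None:
        return None
    return version >= baseline


def browser_plugin_disabled(deployment_properties: str) -> bool:
    """Check deployment.properties text for deployment.webjava.enabled=false.

    Only an explicit 'false' counts as disabled; a missing key means the
    browser plugin is still enabled, so the default answer is False.
    """
    for line in deployment_properties.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "deployment.webjava.enabled":
            return value.strip().lower() == "false"
    return False


def local_java_version_output() -> str:
    """Run `java -version` and return its text (Java writes it to stderr)."""
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    # Constructed sample outputs, not captured from a real machine.
    samples = (
        'java version "1.8.0_45"',
        'java version "1.8.0_51"',
        'java version "1.7.0_85"',
        'openjdk version "11.0.2" 2019-01-15',
    )
    for sample in samples:
        print(sample, "->", parse_java_version(sample), "patched:", is_patched(sample))
    print("plugin disabled:", browser_plugin_disabled("deployment.webjava.enabled=false\n"))
    try:
        print("local java patched:", is_patched(local_java_version_output()))
    except FileNotFoundError:
        print("local: no java binary on PATH, nothing to patch")
```

On a machine with several JREs installed, the `java` on PATH is not necessarily the one the browser plugin loads, so run the version check against each installation (and check each user's `deployment.properties`) rather than trusting a single result.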
For full details of Oracle’s critical patch update, visit its website.
5 comments on “Hopefully you’ve either updated Java, or removed it from your computer”
I use virtualization to protect myself from a lot of these exploits. Comodo's free antivirus has a great free virtualized desktop option that's great if you use multi-monitor setups. It really does hinder any zero-day exploits from any number of unpatched weaknesses and can be selected at the touch of a button! Additionally I also use Oracle's VirtualBox with tiny Linux, or if I'm doing banking I just boot my machine with an Ubuntu live disk with Firefox for real security on an operating system that is clean and fresh each time with nowhere for anything to hide! (P.S. Graham, I actually know you through your other hidden interest of interactive fiction, small world!)
"Of course, the alternative is not to run Java at all."
That'll go down well with the kids when Minecraft stops working…
Surely Minecraft players must be the biggest group of Java users at the moment – and most of them are kids who wouldn't know how to update and hopefully don't have the admin password anyway…
*goes off to update the children's PC*
Just looked into this and apparently Minecraft doesn't require a separate Java installation on your machine anymore as it is now bundled with the game:
I wonder if that means that Minecraft will lag behind in updating its internal version of Java (akin to older versions of Flash being kept inside Shockwave).
@Techno – thanks, I wasn't aware of that. Looks like a good idea.