You’ve updated Java, right?
I mean, that’s the right thing to have done if you still have Java on your computer – particularly if you have chosen to leave it enabled inside your browser.
Oracle issued a Godzilla-sized Critical Patch Update on Tuesday, fixing a stonking 193 new security vulnerabilities in its software.
Many of these fixes are for software which is used by enterprises, and are unlikely to be of interest to the typical computer user.
But amongst the updates are 25 fixes for software that many computer users do have installed: Java.
Included in the Java update is a patch for the recently-discovered zero-day vulnerability in Java (CVE-2015-2590) that has been actively exploited in the wild by the Pawn Storm hacking gang.
The security hole was particularly notable because it is thought to be the first new zero-day vulnerability that has targeted Java for two years.
The Pawn Storm hacking gang, which some suspect to be backed by a nation state, has been running a sophisticated malware campaign for some time targeting government, media and military organisations in the United States, Pakistan, and across Europe.
Operation Pawn Storm was recently implicated in the attack which compromised parts of the White House computer system, for instance.
But even if you don’t work for a government, the military, a media organisation… even if you aren’t a political activist who has ruffled a few feathers… it makes sense to keep your systems protected and running the very latest versions of software. So, update Java (and make sure not to allow it to foist other software onto your computer while you do it).
Of course, the alternative is not to run Java at all. Running the software on your computer increases your attack surface, and opens up more opportunities for hackers to attack.
At the very least, consider disabling Java in your browsers.
If you really do have in-house websites or visit sites that require you to have Java enabled in your browser, perhaps consider having a secondary browser that you only use when visiting those sites – rather than leaving the technology turned on in your regular browser for all of your surfing.
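The three pieces of advice above (patch Java, check that the browser plugin is off, keep Java off your everyday browser) are easy to state and easy to forget to verify. The following script is an added example written for this post, not code from the article or from Oracle: it parses the version string that `java -version` prints, compares it per Java family against a table of minimum fixed versions, and checks whether a `deployment.properties` file explicitly disables Java content in the browser. The version numbers in `MINIMUM_PER_FAMILY` are constructed placeholders to be replaced with the fixed versions from Oracle's advisory; the property key `deployment.webjava.enabled` is assumed to be the one the Java Control Panel writes for "Enable Java content in the browser"; the sample `java -version` output and properties text are constructed so the script runs offline.

```python
import re
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# PLACEHOLDER minimum fixed versions per Java family, major -> (major, minor, update).
# Constructed for this example, not taken from the post: substitute the fixed
# versions listed in Oracle's Critical Patch Update advisory before relying on it.
MINIMUM_PER_FAMILY: Dict[int, Version] = {
    7: (7, 0, 85),
    8: (8, 0, 51),
}

# deployment.properties key written by the Java Control Panel when
# "Enable Java content in the browser" is unticked (assumed setting name).
WEBJAVA_KEY = "deployment.webjava.enabled"

# `java -version` prints e.g.: java version "1.8.0_45"  /  openjdk version "11.0.2"
_VERSION_RE = re.compile(r'version "(?P<ver>[^"]+)"')


def parse_java_version(version_string: str) -> Version:
    """Normalise a Java version string to (major, minor, update).

    Legacy scheme: "1.8.0_51" -> (8, 0, 51). Newer scheme: "11.0.2" -> (11, 0, 2).
    Build suffixes such as "-b16" or "+12" are ignored.
    """
    core = re.split(r"[-+ ]", version_string.strip(), maxsplit=1)[0]
    if core.startswith("1."):
        main, _, update = core[2:].partition("_")
        fields = main.split(".")
        major = int(fields[0])
        minor = int(fields[1]) if len(fields) > 1 and fields[1].isdigit() else 0
        return (major, minor, int(update) if update.isdigit() else 0)
    nums = [int(f) for f in core.split(".")[:3] if f.isdigit()]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def version_from_output(output: str) -> Optional[str]:
    """Pull the quoted version string out of `java -version` output."""
    match = _VERSION_RE.search(output)
    return match.group("ver") if match else None


def is_patched(version_string: str,
               minimums: Dict[int, Version] = MINIMUM_PER_FAMILY) -> Optional[bool]:
    """True if the installed build meets the minimum for its own family
    (a patched Java 7 is not flagged just because Java 8 exists),
    False if it is older, None if the family is not in the table."""
    installed = parse_java_version(version_string)
    required = minimums.get(installed[0])
    if required is None:
        return None
    return installed >= required


def browser_plugin_disabled(properties_text: str) -> bool:
    """True only if deployment.properties explicitly sets the web key to false;
    a missing key means Java content in the browser is still on by default."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == WEBJAVA_KEY:
            return value.strip().lower() == "false"
    return False


def audit(java_version_output: str, properties_text: str) -> Dict[str, object]:
    """Combine the two checks into one report for a host."""
    ver = version_from_output(java_version_output)
    return {
        "version": ver,
        "patched": is_patched(ver) if ver else None,
        "browser_plugin_disabled": browser_plugin_disabled(properties_text),
    }


def collect_java_version_output() -> Optional[str]:
    """Run `java -version` on this host (it writes to stderr); None if java is absent."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return proc.stderr or proc.stdout


# Constructed sample inputs standing in for a real host.
SAMPLE_JAVA_OUTPUT = (
    'java version "1.8.0_45"\n'
    "Java(TM) SE Runtime Environment (build 1.8.0_45-b14)\n"
)
SAMPLE_PROPERTIES = (
    "#deployment.properties\n"
    "deployment.webjava.enabled=false\n"
    "deployment.security.level=HIGH\n"
)

if __name__ == "__main__":
    live = collect_java_version_output()
    print(audit(live or SAMPLE_JAVA_OUTPUT, SAMPLE_PROPERTIES))
```

Run on a real machine it reports the live `java -version` output (falling back to the constructed sample if no `java` is on the PATH); the per-family comparison matters because a Java 7 installation on the patched update is fine, while a simple "is it the newest release" test would misreport it. A missing `deployment.webjava.enabled` key is deliberately treated as "enabled", since that is the default state the post is warning about.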
For full details of Oracle’s critical patch update, visit its website.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.