You may have heard via various news outlets about a security vulnerability in Oracle Java SE 7 that can potentially impact your systems. This is a serious vulnerability that does require your consideration. The security hole applies to Java applets and can affect all browsers (Internet Explorer, Mozilla, Chrome…). It does not apply to standalone Java applications or server-side Java installs.
The Risk
If you inadvertently click on a compromised Java applet, your system could become infected. This risk became more apparent when included in exploit packs, “crimeware” that hackers rent to use in attacks. However, you must click on the link to become infected—to be successfully exploited, the attacker must trick an unsuspecting user into clicking to a malicious site.
The Security Patch
Oracle has issued a security patch to address the issue. The update will also change the default Java Security Level setting from Medium to High. This will ensure that you are always prompted to confirm an action before running any unsigned Java applet. Although the patch will certainly help rectify the security risk, it remains undetermined if it completely solves it.
Regardless, Daystar advises all clients to install the Java patch immediately.
Additional Options
Disable Java
The simple answer to provide ultimate protection from this vulnerability is to disable Java on your devices. The downside is that it will render inoperable some of the Websites you use regularly and possibly rely on.
If you wish to disable Java, but find that you cannot load a critical Website you must access, consider using two browsers. Your main browser (e.g. Internet Explorer) would have Java disabled, while your secondary browser (e.g. Chrome) would have Java enabled and only be used for specific Websites.
*Should you disable Java, we still recommend issuing the patch.
Keep Java & Educate Users
If disabling Java is too disruptive, it may be advisable complete your security patch, keep Java enabled, and educate users to employ responsible browsing practices.
Some good reminders to communicate to users include:
- Do not visit sites that are questionable. If it doesn’t feel right, leave the site.
- Do not click on links sent to you unexpectedly, or validate that the user did purposely send them to you before clicking on them.
- Validate (below), that you have your Java settings on high. This will warn you that something is attempting to run. If you do not understand the warning message, do not click the “OK” button to download the program.
- If something isn’t acting right on your PC or laptop, let someone know immediately so it can be scanned and possibly cleaned.
- If you are leaving Java active, make sure you install the most current patch – released today.
If you have any questions regarding the Java risk, installing the security patch, disabling Java, or educating your users, please do not hesitate to contact Daystar’s Professional Services Group immediately. E-mail support@daystarinc.com, submit a ticket in your client portal, or call support at 603.766.5924 x3. Please note that standard service rates will apply.
