Over the weekend, US-CERT (Computer Emergency Readiness Team), the Department of Homeland Security’s cyber division, issued a warning to users of the popular Java programming language—a coding platform that has existed for decades—because of serious security holes it may create. The alert said that Java 7 Update 10 and earlier versions of the software contain a critical vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary commands on your system. The episode serves as a reminder (or warning!) that many of the software programs we run on a day-to-day basis could provide attackers with ample opportunity to enter our electronic devices—along with all the data within them—with little effort.
Java is a widely used computer language that allows computer programmers to write a variety of Internet applications and other software programs utilizing one set of code that can run on almost any computer. Java is designed to be portable and ubiquitous, and indeed its website advertises: “Java technology is everywhere!” Almost every electronic device conceivable uses some amount of Java programming. Computers and cell phones are the obvious users of Java, since they use it to accomplish essential functions when accessing the Internet. DVD players, lottery ticket machines, medical devices, parking payment stations, and automobile navigation systems are just a few examples of others.
Experts believe hackers have found a major security flaw in Java 7, the latest version for Web browsers, that creates an opening for criminal activity and other high-tech mischief. Even just browsing the web could be enough to allow hackers to use this latest security hole to steal credit-card numbers, banking credentials, and passwords, and to commit other types of computer crimes. Java is so widely used that the software has become a favorite target for hackers. According to security software maker Kaspersky Lab, last year alone Java was responsible for 50% of all cyber attacks in which hackers broke into computers by exploiting software bugs. And the instructions needed to exploit this security flaw are readily available on the Internet (don’t try this!). Anybody using a browser on a PC or Mac is at risk, though Apple is taking steps to block Java 7 and has prompted users to install the new update to its built-in XProtect system to disable all versions of Java.
Oracle, the maker of Java, released an emergency software update (available on Oracle’s Web site) last night, which is supposed to fix the security issue. Security experts, however, warn that the update from Oracle leaves several critical security flaws unfixed and that it could take them two years to fix all the security bugs that have currently been identified.
As pointed out in a recent article on Forbes,
“the reality is that the security flaw in the Java programming language will likely [continue to] find vulnerabilities in a wide range of industries. Perhaps a firm’s research and development system is hacked and that company’s trade secrets and intellectual property find their way to a low-cost competitor in another country. Perhaps a firm’s inventory system is hacked and knowledge of shortages in certain equipment is used to squeeze the company by a supplier. And then, there are the banks with all of our financial data. Let your imagination run.”
So, what can you do in the meantime to protect yourself?
First, check and see if you have Java software on your computer. If you do:
- Upgrade to Java SE 7 update 11. Oracle provides instructions on its website for installing the update.
- Even after updating, disable Java in web browsers unless it is absolutely necessary to run it there (recommended by Carnegie Mellon University’s CERT computer security site). Oracle offers detailed instructions on how to disable Java in your web browser.
- Take precautions when using the Internet.
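
One way to carry out the first check above, as an added example that is not part of the original article or anything published by Oracle: it parses the output of `java -version` and compares it with the Java SE 7 update 11 level recommended here. The function names and the sample lines are constructed for illustration, and the parser assumes the legacy `1.7.0_NN` version format.

```python
import re
import shutil
import subprocess

FIXED_UPDATE = 11  # the article's advice: upgrade to Java SE 7 update 11

# Quoted version in `java -version` output, e.g. "1.7.0_10" or "1.7.0".
# Only the legacy 1.x format is handled; anything else is "unrecognised".
_VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(text):
    """Return (major, update) from legacy-format output, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    # A release with no "_NN" suffix is the initial release: update 0.
    return int(m.group(1)), int(m.group(2) or 0)


def classify(text):
    """Classify `java -version` output against the update 11 advice."""
    parsed = parse_java_version(text)
    if parsed is None:
        return "unrecognised"
    major, update = parsed
    if major != 7:
        return "not-java-7"  # outside the scope of this check
    return "needs-update" if update < FIXED_UPDATE else "at-or-above-7u11"


def installed_java_output():
    """Run `java -version` if java is on PATH; it prints to stderr."""
    java = shutil.which("java")
    if java is None:
        return None
    proc = subprocess.run([java, "-version"], capture_output=True, text=True)
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    # Constructed sample lines in the format `java -version` prints.
    for sample in ('java version "1.7.0_10"',
                   'java version "1.7.0_11"',
                   'java version "1.7.0"'):
        print(sample, "->", classify(sample))
    out = installed_java_output()
    print("this machine:",
          "no java on PATH" if out is None else classify(out))
```

The `java` found on the command-line path is not necessarily the version the browser plug-in uses, so a clean result here does not replace checking and disabling Java in the browser itself.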