Featuring fresh takes and real-time analysis from HuffPost's signature lineup of contributors
David Emm

GET UPDATES FROM David Emm
 

Java Exploits - Do You Need to Be Worried?

Posted: 06/03/2013 11:59

After reading the recent headlines about 'Java exploits' or 'Java vulnerabilities', you may be worried about what's installed on your personal computers and laptops. The targeting of well-known and regularly used social networks such as Twitter and Facebook naturally make the headlines. But Java-based attacks are not solely aimed at large corporations - the issue of cybercrime can be much closer to home for all of us.

For those of you who don't know, Java is a programming language and computing platform. One of its big advantages is that it's platform-independent - in other words, programs written in Java will run regardless of the operating system installed on the computer. The Java Runtime Environment (JRE) and Java Plug-ins installed on a desktop or laptop enable utilities, games and business applications to run. Java is widely-used - it's often installed automatically when you buy a PC. However, since so many people are unaware of its presence, it often gets overlooked; and if it's not updated this leaves a gap that can be exploited by cybercriminals.

Targeting vulnerabilities in software installed on a computer is a key method used by cybercriminals to install malware on their victims' computers. This is only viable if weaknesses actually exist, and the risk can be easily reduced by keeping software up to date. Java vulnerabilities alone currently account for more than 50 per cent of cybercriminal attacks. This isn't surprising, since cybercriminals typically focus their attention on applications that are widely-used and are likely to not be updated for the longest time - giving them a sufficient window of opportunity to achieve their goals. Java is not only installed on many computers (1.1 billion, according to Oracle), but updates are installed on-demand - not automatically, meaning a lack of people actually bother to update it. As a result, there's a deep pool of potential victims.

There are several reasons why Java doesn't get updated. Java updates are typically made available every three months - so between updates, cybercriminals can make free use of any newly-discovered vulnerability. Sometimes, however, it's just a question of inertia - people are busy and simply put off doing the update 'for another time'. This is especially true if it's not clear that there's a security dimension to the update, in which case people don't feel a sense of urgency in applying the patch and believe they won't be victim to an attack. With all of these threats at bay, you may be thinking why not just delete Java?

The growth in the number of Java exploits during 2012 has led some to suggest that the best solution may be to remove Java from our computers altogether. I don't believe this is realistic. Java is still a very popular platform, a lot of software depends on it (e.g. web servers, content management systems, databases, development environments, as well as various desktop applications), so the truth is we need it. We can switch it off for better security, but then we won't be able to run any programme that uses the Java platform, minimising what we are able to use our computers for.

Additionally, disabling this, or any other application, is not a universal solution for security threats - we might as well suggest not switching on a computer to stay safe. New vulnerabilities will always be discovered in the software we use. If our best defence to a threat is to disable, in the long term this does no good for the industry. We need to be looking at better ways to defend our systems and data.

It is, of course, important for everyone to regularly review the software they use. If you no longer need it, remove it from your system. Java is often installed by default, even where it's not necessarily needed. If it then remains unpatched, it becomes a potential security risk. Some Internet security solutions also include the ability to check a computer for applications which need upgrading, and even to block attempts to exploit vulnerabilities - so-called 'zero-day exploits'. So, the answer is not to delete a program that you need, but to ensure you keep your computer updated and don't leave cracks for cybercriminals to infiltrate.

 

Follow David Emm on Twitter: www.twitter.com/@KasperskyUK

FOLLOW UK TECH