JRE flaw: How bad is it?
Posted by: Bill Brenner
I’ve seen several reports since Friday regarding the Java Runtime Environment (JRE) flaws Sun Microsystems recently patched. In one report, security expert Chris Gatford from penetration testing vendor Pure Hacking said of the vulnerabilities: “This is as bad as it gets.” The story also played up some ominous details in an AusCERT advisory.
The F-Secure blog warned that you can get hacked just by viewing a Web page containing malicious Java content.
I tend to be skeptical when security experts start saying things like “as bad as it gets,” or “potentially catastrophic” because in most instances the threat turns out to be much less serious in the minds of the IT professionals I interview.
At the same time, I’ve often found that people will ignore legitimate threats unless they are scared into action. And to be sure, the JRE flaws are to be taken seriously, since, as Gatford rightly noted: “Java runs on everything: cell phones, PDAs, and PCs.”
And the SANS Internet Storm Center Web site offered prudent advice when it said, “Because Java is browser independent it has potential to impact many, many devices. It is recommended that you patch all Java devices as soon as possible.”
But remember that this isn’t the first time Java security vulnerabilities have been found and fixed, and in previous cases it was never “as bad as it gets.” After all, the Internet didn’t collapse.
In the end, the advice for this and other flaws is always the same: Apply patches for these vulnerabilities whenever they are available, practice defense-in-depth (in other words, protect your IT assets with layers of security composed of a mix of security tools and user policies) and consistently remind users in the workplace to stay off Web sites that are not from trusted sources. If someone is visiting porn and gambling sites, favorite places for attackers to hide malicious exploits, then they’re asking for trouble anyway.
This isn’t the first Java flaw ever and it certainly won’t be the last. For those who heed the advice above — which IT security professionals have given me many times over — there is no reason to panic.
I’ve covered all kinds of cyber threats in the last few years, and most of the time when I ask IT pros if their operations were affected by a particular attack that garnered a mountain of headlines, they tell me they were unaffected because they practice defense-in-depth. I’ve gotten similar feedback when writing about warnings of up-and-coming threats, be it the risks of instant messaging and perpetually evolving malware or the challenges of intrusion defense.
I’ve also found when interviewing IT professionals that they tend to be unmoved when security vendors push the panic button. To many, it looks like nothing more than an attempt to drum up some business.
I’m interested in any feedback readers have on this topic. Is FUD necessary in the face of certain threats, or are you simply being told what you already know in hopes that you’ll purchase the latest and greatest security product?