Oracle has been under fire for days following attacks against a new zero day flaw in Java. Zero day vulnerabilities are certainly not unique to Oracle, or Java, but many security experts and IT admins are disgruntled with Oracle’s approach to security in general, and with its response to serious incidents like this one.
Andrew Storms, director of security operations for nCircle, shared some thoughts about the urgent updates. “Pushing the Java patch out ahead of their regular bulletin is a step in the right direction for Oracle, but it may be too little too late. There has already been some lost confidence in Java. Oracle really needs to step up their security game.”
Wolfgang Kandek, CTO of Qualys, says, “I still recommend disabling Java in the browser using the Java Control Panel for better security against future threats that tend to come down through the browser attack vector.” Kandek goes on to say that users who actually need to use Java should at least go into the Java Control Panel and uncheck the box labeled “Enable Java content in the browser”.
On the subject of Internet Explorer, Storms said, “The out-of-band IE bulletin should come as no surprise. Microsoft issued an advance notification this weekend announcing their intention to go out-of-band with a single CVE to address the zero-day bug currently being exploited in the wild,” adding, “I wouldn’t be at all surprised to see another IE bulletin in February in addition to today’s patch. Some people moan and complain about the volume of IE patches, but in my book regular browser patches are a good thing. Browsers are the primary window to the Internet for almost everyone so they are constantly under attack by cyber criminals.”
Kandek emphasizes some important information about the IE patch. “Please note that this update is a real patch and not a cumulative update, as we are used to for typical Internet Explorer updates. It is highly recommended to have MS12-077 (the last cumulative Internet Explorer update) installed before applying MS13-008.”
If you use Java and/or Internet Explorer 6, 7, or 8 you should immediately apply the appropriate updates. An alternate solution for Java would be to simply uninstall it if you aren’t actively using it. Windows Vista, Windows 7, and Windows 8 users can also avoid the zero day issue by updating to Internet Explorer 9, which is not affected by this vulnerability.
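The three checks above (IE version and patch order, whether Java is installed, and whether the “Enable Java content in the browser” box is unchecked) can be audited from one PowerShell script on a Windows host. This is an added example, not code from the article or from Oracle, Microsoft, nCircle or Qualys; the KB numbers are placeholders you must take from the two bulletins, and it assumes the checkbox is persisted in the per-user deployment.properties file as the deployment.webjava.enabled key.

```powershell
# Added example: audit one Windows host for the mitigations discussed in the article.
$kbMs12077 = 'KB<MS12-077 placeholder>'   # placeholder: KB number from the MS12-077 bulletin
$kbMs13008 = 'KB<MS13-008 placeholder>'   # placeholder: KB number from the MS13-008 bulletin

# 1. Internet Explorer: versions 6, 7 and 8 are affected; IE 9 is not.
#    svcVersion exists only on IE 10+, so fall back to Version for older releases.
$ie        = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
$ieVersion = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
$ieMajor   = [int]($ieVersion.Split('.')[0])
if ($ieMajor -le 8) {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    # MS12-077 (cumulative) must be present before MS13-008 (a single non-cumulative fix).
    if     ($installed -notcontains $kbMs12077) { "IE $ieMajor: MS12-077 missing; install it BEFORE MS13-008" }
    elseif ($installed -notcontains $kbMs13008) { "IE $ieMajor: MS13-008 missing; install it now" }
    else                                         { "IE $ieMajor: both IE patches present" }
} else {
    "IE $ieMajor: not affected by this bug"
}

# 2. Is Java installed at all? Check both the native and the WOW6432Node uninstall keys.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$java = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Java*' } |
        Select-Object DisplayName, DisplayVersion
if (-not $java) { 'Java: not installed (nothing further to check)'; return }
$java | ForEach-Object { "Java: $($_.DisplayName) $($_.DisplayVersion) installed" }

# 3. Browser plug-in state. Assumption: the Control Panel checkbox "Enable Java content
#    in the browser" is written to deployment.properties as deployment.webjava.enabled.
$props = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'
if (Test-Path $props) {
    $line = Select-String -Path $props -Pattern '^deployment\.webjava\.enabled=' |
            Select-Object -First 1
    if ($line -and $line.Line -match '=false\s*$') { 'Java in browser: disabled (good)' }
    else { 'Java in browser: ENABLED; uncheck the box, patch, or uninstall Java' }
} else {
    'Java in browser: no deployment.properties found, so the default (enabled) applies'
}
```

Run it in an elevated PowerShell session on each machine you manage; any line reporting a missing patch or an enabled browser plug-in is a host still exposed to the attacks the article describes.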