Java security attacks on the rise: How can IT limit the risk?

Attacks targeting Java vulnerabilities are common, including the most recent round of attacks that could affect users running any browser in any OS. What can IT do to limit Java security risks? 

Last week, a serious vulnerability was discovered in the latest version of Java, Java 7 Update 6. The bug could allow criminals to run malicious code on a computer without any interaction from the user, just by tricking the user to visit a malicious or compromised website.

The vulnerability can also be exploited through any web browser, and any operating system — Windows, Linux, or OS X.

To patch this and other vulnerabilities, Oracle published an emergency update — however, the update failed to fix some previously disclosed bugs and opened up at least one vulnerability to attack from hackers, security researchers said.

This isn’t the first time serious Java security vulnerabilities have been found. The last big security scare affecting Mac machines, the Flashback malware, also exploited a Java bug, and according to a 2010 study, nearly a third of PCs run a vulnerable version of Java.

Limit Java security risk

The prevalence of those threats has many IT managers looking for ways to improve Java security in their organizations.

Though it wasn’t the case in the this latest round of attacks, one way to avoid being vulnerable is to keep Java patched and up to date at all times. Of course, many users ignore software patch prompts, so IT will need to find ways to enforce updates and verify that they’ve been installed.

However, the best way to avoid being hit by an attack targeting a Java security vulnerability, according to many experts: Avoid using Java in the first place. In many cases, a browser’s Java plug-in can be disabled without the user noticing. For cases where Java is required, one option is using two browsers — one for normal use with Java disabled, and another that has Java turned on for when it’s needed.