Just as normal people are looking forward to a long weekend, and beleaguered, maligned and under-appreciated system administrators and engineers are licking their lips, not at chocolate but at a weekend of essential maintenance, new builds and upgrades, enter stage left Oracle with a brand new, super high, exploitable, nasty vulnerability in, you guessed it... JAVA.
We aren't sure why Java bugs don't get their own cool names (like Heartbleed, Shellshock, Ghost, Venom, etc.); this one goes by its CVE tag: CVE-2016-0636.
You can read the Oracle announcement here.
This particular vulnerability could be delivered via code on a compromised, or for that matter deliberately nasty, website; you know, something that you might land on when you mistype ashleymadison or even bbc.
It enables unauthorised access to your machine, which could then be compromised and used to extract your data, and then used as a launch pad for further exploitation on your company network. Joy oh joy.
Like Oracle, we recommend that you upgrade Java immediately and if you trust your life to auto-update please check that it has worked and advise your holidaying colleagues to do the same.
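"Check that it has worked" is the step people skip, so here is an added example (our illustration for this post, not code from Oracle or from the ITC product) of how to verify it rather than trust the tray icon. It runs `java -version`, parses the banner into a (major, update) pair, and compares the update level against a required minimum. The page does not state the fixed build, so `REQUIRED_UPDATE` is an obviously labelled placeholder you must fill in from Oracle's advisory for your Java major version; anything unparseable or of an unknown major version is treated as unverified rather than as safe.

```python
import re
import subprocess
from typing import Dict, Optional, Tuple

# PLACEHOLDER: the fixed update level is not given on this page. Replace the
# value with the update number from Oracle's advisory for your major version.
# 999 is deliberately unreachable so nothing passes until you set it.
REQUIRED_UPDATE: Dict[int, int] = {8: 999}

# Matches both the legacy form  java version "1.8.0_73"
# and the modern form           openjdk version "11.0.2"
VERSION_RE = re.compile(r'version "(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?')


def parse_java_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from a `java -version` banner, or None.

    Legacy banners encode Java 8 as 1.8.0_<update>; newer banners use
    <major>.<minor>.<security>, where the third field is the update level.
    """
    m = VERSION_RE.search(banner)
    if not m:
        return None
    first, second, third, update = m.groups()
    if int(first) == 1:                      # legacy 1.<major>.0_<update>
        return int(second or 0), int(update or 0)
    return int(first), int(third or 0)       # modern <major>.x.<update>


def is_patched(banner: str, required: Dict[int, int]) -> bool:
    """True only when the banner parses and meets the required update level.

    Unparseable output or an unlisted major version returns False, because
    "could not verify" must never be reported as "patched".
    """
    parsed = parse_java_version(banner)
    if parsed is None:
        return False
    major, update = parsed
    if major not in required:
        return False
    return update >= required[major]


def check_local_java(required: Dict[int, int] = REQUIRED_UPDATE) -> Optional[bool]:
    """Run `java -version` on this host and evaluate it.

    Returns None if no java binary is on PATH (nothing to patch, or a PATH
    problem worth investigating), otherwise the is_patched() verdict.
    """
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    banner = proc.stderr or proc.stdout      # java -version writes to stderr
    return is_patched(banner, required)


if __name__ == "__main__":
    # Constructed sample banners, not captured from a real host.
    for sample in ('java version "1.8.0_73"', 'openjdk version "11.0.2"'):
        print(sample, "->", parse_java_version(sample))
    verdict = check_local_java()
    print("local java patched:", "no java found" if verdict is None else verdict)
```

Run it on each host (or push it through your endpoint management tool) and treat anything other than `True` as a device that still needs attention. That is exactly the signal the quarantine logic described below wants as input.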
At ITC, we recommend that our customers have a good understanding of what is connected to their networks and have the capability to automatically remove devices that may have out of date software, like Java, OpenSSL or even antivirus or perhaps just move those devices to a locked down segment for treatment or punishment, or both. A virtual dungeon, so to speak.
This functionality forms a key part of our NetSure360 managed security service. We would love to discuss and demonstrate it to you. If you would like to know more, please contact us at: [email protected] or 020 7517 3900.
Have a happy Easter and if you are going to church, please say a prayer for the end of Java.