Java exploits account for 87% of total web exploits – Cisco 2013 Annual Security Report
This month’s release of the Oracle Java SE Critical Patch Update includes patches for 42 vulnerabilities. Vulnerabilities in the Oracle Java SE Java Runtime Environment (JRE) component have received widespread attention as of late because of the potential for an attacker to bypass security restrictions, access sensitive information, execute arbitrary code, or cause a denial of service condition. To make matters worse, Java vulnerabilities are often harnessed by exploit packs with tremendous success.
Many in the industry, as well as Cisco analysts, advise against having Java installed unless absolutely necessary. And if you must have Java installed, they advise using only the Java plug-in and Java Web Start provided with the latest JDK or JRE 7 release. But is there more to it than that?
In addition to the many Cisco alerts and Event Responses published on the topic of Java security, we recently released the Java Security Best Practices Guide, available on the Cisco Security Intelligence Operations (SIO) Portal. This guide discusses how Java operates in web browsers and the risk it presents, along with best practices and mitigation techniques for securing your network. This guide steps beyond the well-worn “keep Java up to date” to include more advanced guidance, such as using multiple browsers and even virtual machines.