Earlier this year, I wrote about how small businesses with no use for Java may want to consider disabling it. At the time I made that recommendation, new unpatched vulnerabilities threatened the security of computers that had Java installed.
Computers being compromised through Java bugs is not a new problem. Indeed, even large organizations such as Apple and Facebook have succumbed to “watering hole” attacks that targeted Java, in which attackers compromised popular websites and planted malicious code that attacked unsuspecting visitors through the Java runtime.
Take a Preventative Security Stance
Historically, Oracle has been lax about keeping Java security up-to-date. However, the company has since adopted a more aggressive and proactive stance in identifying and eliminating software bugs in its client-side Java runtime environment. Indeed, Oracle recently released a critical patch update that resolves at least 40 security flaws.
This more aggressive approach is crucial, given how Java’s cross-platform capability has ironically made it a highly economical, and therefore attractive, target: a single exploit against the Java runtime can work against every one of the most popular computer platforms it runs on, so attackers get the broadest reach for the least effort.
Slow-to-Update Companies at Risk
Unfortunately, a new report suggests that this increased emphasis on security may not, on its own, be enough to make a difference. According to Websense Security Labs, the majority of users are still vulnerable to Java exploits simply because they do not have the most recent version of Java installed.
Consider the facts: The average adoption of the latest version of Java stands at less than 3 percent a week after the release of the Version 7 Update 21 patch, rising to only about 7 percent a month after its release. This means that, a month on, more than 90 percent of systems with Java remain exposed to attacks that exploit flaws which are already publicly known and already fixed.
Moreover, it is also worth considering that the “busiest period of patch adoption” was identified as the second week after release. Attackers can compare the patched and unpatched runtimes to work out which bugs were fixed, so this gives them at least a week to identify those bugs, weaponize them, and use them against even security-conscious SMBs before the software update has been deployed.
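The adoption figures above only help if you can tell which side of the baseline a given machine is on. The following Python script is an added example written for this article, not code from the original page or from Websense: it parses the banner that `java -version` prints (the JRE writes it to stderr) and reports whether the installed runtime is at or above Java 7 Update 21, which Oracle’s legacy version scheme writes as 1.7.0_21. It assumes a `java` binary on PATH is the runtime of interest; the sample banners at the bottom are constructed, and as a generalization beyond the article it also understands the post-Java 9 scheme (for example 17.0.2) so that old and new installs can be compared with one rule.

```python
"""Check whether a machine's Java runtime meets a patch baseline.

Added example for this article; it is not code from the original page.
It parses the version line that `java -version` prints (to stderr), such
as   java version "1.7.0_21"   and compares it with a baseline such as
Java 7 Update 21, written 1.7.0_21 in the legacy version scheme. The
sample banners at the bottom are constructed for the demonstration.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Java 7 Update 21 in the legacy "1.<family>.<minor>_<update>" scheme.
BASELINE = "1.7.0_21"

# Both Oracle ("java version") and OpenJDK ("openjdk version") banners.
_VERSION_LINE = re.compile(r'(?:java|openjdk) version "([^"]+)"')


def parse_version_string(raw: str) -> Tuple[int, int, int]:
    """Turn a Java version string into a comparable (family, minor, update).

    Legacy scheme: 1.7.0_21 -> (7, 0, 21); 1.7.0 (no update) -> (7, 0, 0).
    Post-Java 9 scheme (beyond the article): 17.0.2 -> (17, 0, 2); 11 -> (11, 0, 0).
    Build suffixes such as -b11 or +8 are ignored.
    """
    core = re.split(r"[-+]", raw, maxsplit=1)[0]
    if core.startswith("1."):
        numbers, _, update = core[2:].partition("_")
        family, minor = (numbers.split(".") + ["0"])[:2]
        return int(family), int(minor), int(update or "0")
    family, minor, update = (core.split(".") + ["0", "0"])[:3]
    return int(family), int(minor), int(update)


def extract_version(java_version_output: str) -> Optional[str]:
    """Pull the quoted version out of `java -version` output, or None."""
    match = _VERSION_LINE.search(java_version_output)
    return match.group(1) if match else None


def assess(java_version_output: str, baseline: str = BASELINE) -> str:
    """Classify a runtime as 'current', 'outdated' or 'unknown' against baseline.

    'unknown' (no parsable version line) is a finding in its own right: a
    runtime you cannot identify cannot be confirmed as patched.
    """
    raw = extract_version(java_version_output)
    if raw is None:
        return "unknown"
    installed = parse_version_string(raw)
    return "current" if installed >= parse_version_string(baseline) else "outdated"


def local_java_version_output() -> Optional[str]:
    """Run `java -version` on this machine if a java binary is on PATH.

    Assumption: the first `java` on PATH is the runtime being audited.
    The JRE writes the banner to stderr, so both streams are captured.
    """
    java = shutil.which("java")
    if java is None:
        return None
    proc = subprocess.run([java, "-version"], capture_output=True, text=True)
    return proc.stderr + proc.stdout


# Constructed sample banners, as different runtimes print them.
SAMPLE_OUTPUTS = {
    "patched-7u21": 'java version "1.7.0_21"\nJava(TM) SE Runtime Environment (build 1.7.0_21-b11)\n',
    "older-7u17": 'java version "1.7.0_17"\nJava(TM) SE Runtime Environment (build 1.7.0_17-b02)\n',
    "java6": 'java version "1.6.0_45"\n',
    "no-update-number": 'java version "1.7.0"\n',
    "not-java": "bash: java: command not found\n",
}

if __name__ == "__main__":
    for label, banner in SAMPLE_OUTPUTS.items():
        print(f"{label:18} {assess(banner)}")
    live = local_java_version_output()
    print("this machine:", "no java on PATH" if live is None else assess(live))
```

Run it on each workstation (or push it out with whatever management tool you already use) and anything reported as “outdated” or “unknown” is a machine in the 90-plus percent the report describes. Raise `BASELINE` each time Oracle ships a new update so the check keeps pace with the patch cycle.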
Removing Java is One Solution
One possible solution would be to remove the Java runtime environment entirely for users who do not require it. While doing so may seem like succumbing to fear and uncertainty, the fact remains that many smaller businesses simply do not have the resources or time to constantly ensure that every software update is properly downloaded and correctly installed. Where Java is needed only by a desktop application and not by the browser, a middle path is to keep the runtime but disable the Java browser plugin, since the watering-hole attacks described above reach the machine through the browser; Java 7 Update 10 and later offer this as a setting in the Java Control Panel.
Moreover, the stagnation and declining popularity of Java on websites mean that businesses face a disproportionate level of risk for minimal benefit, and they may well be better off without Java. Finally, while the attacks on Apple and Facebook were quickly discovered and isolated, those enterprises have far more comprehensive security measures in place than most small businesses; a smaller business hit the same way would likely take much longer to notice.
Do you have the Java runtime environment installed in your small business? What steps do you take to ensure that Java and other applications are properly updated?
Paul Mah covers technology for SMBs for Small Business Computing and for IT Business Edge. He also shares his passion for and knowledge of everything from networking to operating systems as an instructor at Republic Polytechnic in Singapore, and is a contributor to a number of tech sites, including Ars Technica and TechRepublic.