Update on Java security issue

Java security issue update

I spent the morning reading about this vulnerability: the products affected, the options to defend against it, and when we might see a fix.

The first option for defense at this point is to disable the Java plug-in in all browsers. For anyone on our monitoring, I can accomplish that in one fell swoop with a simple script. The issue there is how many websites need Java to function, which is especially an issue for our independent insurance agencies. The next option is to find your Java 7 installs and downgrade them to Java 6. I have seen a few articles with conflicting information, saying Java 6 can be affected as well. The last defense is to limit web browsing to essential sites, and that is what I am going to recommend.
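For the "find your Java 7 installs" step, a read-only inventory like the following can be run on each Windows machine. It is an added example, not the script mentioned in this post, and it assumes PowerShell 3.0 or later and runtimes installed with the standard Oracle/Sun installer, which registers them under the JavaSoft registry keys.

```powershell
# Added example: read-only inventory of installed Java runtimes.
# Assumption: runtimes were installed by the Oracle/Sun installer, which
# records them under the JavaSoft keys below. A JRE that was simply copied
# onto disk or bundled inside an application will not appear here.
$roots = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',             # native-bitness JREs
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'  # 32-bit JREs on 64-bit Windows
)

$found = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root) {
        $version = $key.PSChildName
        # Each install has a full-version key (e.g. 1.7.0_10) and a family
        # alias (e.g. 1.7). Keep only the full-version keys to avoid duplicates.
        if ($version -notmatch '^\d+\.\d+\.\d+') { continue }

        $javaHome = (Get-ItemProperty -Path $key.PSPath -Name JavaHome `
                        -ErrorAction SilentlyContinue).JavaHome

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Version  = $version
            IsJava7  = $version -like '1.7.*'
            JavaHome = $javaHome
            # A stale registry key can outlive an uninstall, so confirm the binary exists.
            OnDisk   = [bool]($javaHome -and (Test-Path (Join-Path $javaHome 'bin\java.exe')))
            Registry = $root
        }
    }
}

if (-not $found) {
    Write-Output ('{0}: no JavaSoft runtime keys found' -f $env:COMPUTERNAME)
} else {
    # Emits objects, so the result can be piped to Export-Csv for a fleet-wide list.
    $found | Sort-Object Version
}
```

Machines that report `IsJava7 = True` and `OnDisk = True` are the ones to prioritize for the plug-in change or the downgrade discussed above.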

Oracle, who bought Java in 2010, is saying they will have a patch out by Tuesday at the latest. The two solutions above involve a bit of effort at a larger business. Of course my official recommendation has to be to disable Java, but I understand that might not be feasible.

If you are unable to follow through with disabling Java, I would send out an email to all your users: no non-essential web sites, and limit visits to any web sites that have advertisements, which could carry malicious code, until we have a patch.

Sites include:

News sites (yes, even reputable ones; they all have ads).
Social media sites, especially Facebook.
Web searches that involve visiting sites you are not familiar with or that contain advertisements.

If you need to visit these sites, perhaps use Firefox with no scripts allowed and Java disabled.

Remember, this is a zero-day vulnerability. As we found out the other day, a fully patched Windows 7 machine with antivirus and a powerful firewall didn't stop an infection.
Your only real defense is user training and enforcing business-only browsing.

Written by Bret Erickson of Passkey Computer Services
http://www.passkeyinc.com @passkeycs
