By Thomas Scott
Last Tuesday, ITS sent out a mass e-mail regarding the pressing security risks of the Java Plug-in.
This notification came in the wake of a similar warning from the Computer Emergency Readiness Team, an arm of Department of Homeland Security (DHS), on Jan. 10.
According to DHS, Java 7’s 10th patch, released back in December has “a vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.”
Yet despite a recent update from Oracle, Java’s proprietor, to remedy what is referred to as a zero-day vulnerability, DHS has not withdrawn its advisory assessment.
A zero-day vulnerability “is usually something that has been found by the…hacking community…that hasn’t been patched necessarily,” explains Shawn Shopmyer, a systems administrator for ITS.
The DHS press release suggests that users disable the plug-in, except when “it is absolutely necessary to run Java in web browsers,” even after updating to the most recent software patch, which Oracle released on Jan. 13.
The California based software giant purchased Sun Microsystems in 2009 and acquired Java’s patents as a result.
Java was first devised at Sun Microsystems in December of 1990 and rose to prominence in the mid-‘90s because it allowed developers to create applications and implement them across different platforms such as Macs or PCs.
DHS claims that such measures “will help mitigate other Java vulnerabilities that may be discovered in the future.”
According to Shopmyer, often “some part of Java is vulnerable such that…[access] privileges could get escalated,” which would permit a hacker to “install something on a user’s system.” This could allow an attacker to run code as an administrator, which could have disastrous consequences. Administrative permissions are often required to modify crucial elements like security settings. ITS has also created a new Security Alerts page to make the Union community more aware of important cyber threats.
According to ITS Chief Information Officer Ellen Yu Borkowski, the new help desk service “is a new focus for [ITS], to look more at IT security…in terms of raising awareness.”
Borkowski continued, “Part of what we’re trying to do is figure out what makes the most sense… to [circulate] in an e-mail [and] which information about patches…should we put just on the webpage so people can just go there and check. So there’s levels we’re obviously going to have to determine and then figure out which ones [merit] notification.”
Campus Internet users can read about a security risk “in the press and come to our website” in order to better determine how crucial that item is. If ITS deems a hazard to be noteworthy, the new page will explain “what [the threat] is and how to fix it.”
ITS has notified students and faculty of “e-mail phishing scams” in the past, but the immense volume of e-mails that were dispatched persuaded ITS to create the new webpage to prevent them from “barraging everybody with…tons of e-mail everyday,” Burkowski claims.
Shopmyer advises campus Internet users that keeping Antimalware and Antivirus programs “up-to-date is…important,” since such software can spot potentially harmful software “even if there isn’t an exact exploit out yet.”
“We’re trying to be a little more proactive,” said Burkowski.
ITS’s security updates and any other helpful information on the Union network or on your computer can be found at its.union.edu/help-desk.