Given the severity of the recent Java Vulnerability as noted by US-CERT on Thursday, HumanIPO sought the advice of a Java expert in South Africa to understand whether the threat is as severe as suspected.
Mark Clarke, Founder and Chief Technology Officer at Johannesburg-based Jumping Bean, believes the bulk of the negative reaction to the “Java 7 Update 10” vulnerability is due mainly to “Oracle paying the price for not considering the larger developer and user community”.
Clarke is well placed to comment on Oracle’s supposed neglect of the wider developer and user community, as his company, Jumping Bean, is a training and certification provider for Java, PHP and Linux. He is also actively involved in the Java community across the continent.
Jumping Bean is at the “coal face” of Java application development with notable clients across the African continent including First National Bank and Eskom in South Africa and the Revenue Authority in Malawi.
Clarke elaborated on the systems affected: “According to reports on CERT and the US government’s National Vulnerability Database, the latest exploit only affects Java 7 standard edition, the latest release of the Java platform from Oracle.
“The exploit relates to Java running in a browser and not Java running on servers or on embedded systems such as TVs, phones, Blu-ray players and automotive systems.”
Clarke also echoed the USA’s Department of Homeland Security, which issued a warning advising citizens to disable Java in their web browsers.
He explained that the people most at risk of being “exploited” through this vulnerability are “users browsing the web, with the Java browser plugin enabled, and visiting a site that has pages crafted to take advantage of the exploit. Care should be taken as it is not necessarily a dodgy site that may host the exploit, as any compromised site may be used to attack a user’s machine.”
Despite Oracle having released “an out-of-band patch” over the weekend to fix the problem, Clarke believes the best solution for now is to disable Java in your browser except in cases where you require Java for a “trusted site which requires Java, such as a banking site”.
In such a case he suggests using Google Chrome or Firefox, which both allow you to select which sites to enable Java for and disable it for the rest.
As far as developers are concerned, Clarke states that they are not affected much, given that not many websites run Java these days.
He explains: “From a developer’s perspective there is not much to worry about, unless of course your website uses Java. If it does, then the worry is more that, due to security concerns, users will disable Java and your site won’t work. But it is an exploit from a compromised site that infects user machines; it doesn’t attack the server itself but the client machine.
“People should also be aware that any plugin that allows execution of code is a threat; this includes scripting languages like the ubiquitous JavaScript.”