Skip navigation

Duo Security is now a part of Cisco

About Cisco

Industry News

Update Java Now to Protect Against Critical Security Vulnerabilities

Oracle recently issued 248 patches in total, affecting over 50 different product lines. About 71 percent of the latest vulnerabilities allow an attacker to exploit them remotely without authentication, according to an analysis from ERPScan.com.

Critical Java SE Vulnerabilities

The most critical vulnerabilities relate to Oracle’s Java Standard Edition (SE), the platform used to develop and deploy Java applications on desktops and servers in order to deliver multimedia content. An attacker can easily exploit a few of the most critical Java vulnerabilities, such as CVE-2016-0494 and CVE-2015-8126 to launch successful attacks, resulting in unauthenticated Operating System takeover including arbitrary code execution.

Other vulnerabilities patched by Oracle (76 deemed critical of the 78 total) affect their E-Business Suite, which include business applications for supply chain, human capital, financial, customer relationship management and many others.

These type of applications are critical to business operations, as they also contain valuable employee and corporate data, such as HR, financial, supplier, customer and other lists. Protecting access to the applications that store this type of data is key to keeping your business safe and secured.

Oracle PeopleSoft is another application suite of business solutions that is often used by the higher education industry. The recent patch update fixes PeopleSoft vulnerabilities that could allow an attacker to steal or manipulate business information.

Exploiting Java Vulnerabilities

Java vulnerabilities are often leveraged as a way to infect machines with malicious code and steal data. They’re packaged into exploit kits, which is a toolkit that hackers use to identify software vulnerabilities on a device.

If a user is running an old, vulnerable version of Java, then the exploit kit will upload and execute malicious code in order to steal their data or control the machine.

Exploit kits can be deployed in drive-by download attacks, which can deploy an exploit kit to anyone that visits an infected website. Or, users may be targeted by clicking on malvertising, that is, ads that have been hacked to serve up a redirect to the exploit kit.

However, Java has been getting better in terms of security, as Oracle and browser providers have implemented some Java applet security changes, as well as denying the execution of unsigned applets.

Update and Patch to Protect Your Users

While Oracle has released patches for legacy Java versions 7 and 6, it’s highly recommended to update to Java 8 if you don’t have a good reason to stay on those older versions. Security downloads for Java SE can be found here.

To detect if your users are running outdated versions of the Java plugin, Duo provides Device Insight and Device Analysis as part of our Duo Access. We distill data on your users’ devices (without the use of agents) into easy-to-read graphs, available in our administrative dashboard. Learn more about Duo's Endpoint Visibility features.

Outdated Java and Flash on Duo's Dashboard

Our Self-Remediation feature lets you enable security notifications to your users. We’ll detect if they’re running an out-of-date version of Java whenever they log in using Duo’s two-factor authentication, and then we’ll provide a link to update their own software.

Protecting access to the applications that store sensitive company data, such as employee and company HR, financial, supplier and other information is one way to strengthen your security posture. Deploy a two-factor authentication solution to add another layer of security to your user logins without slowing them down. Learn more about different solutions in our Two-Factor Authentication Evaluation Guide.