After online hackers discovered a security hole in the popular software platform Java, UTPA’s Information Securities department disabled the Java plug-in for Internet Explorer on UTPA computers Jan. 12. An alert was also sent to students and faculty on the same day regarding Java’s vulnerability.
Java, a programming language and computing platform created by Sun Microsystems in 1995, powers programs such as games and business applications. It runs on more than 850 million personal computers worldwide, according to the website of Java’s parent company, Oracle Corporation.
The nationwide online threat was reportedly caused by attackers with a high-end crimeware toolkit known as Blackhole. Dubbed a “New Year’s gift” by its creator, who goes by the nickname “Paunch” in an underground forum, the attack on Java 7 update 10 was reported Jan. 10 by an independent malware researcher online. The threat was confirmed by researchers from security firm AlienVault that same day.
In response to Java’s zero-day exploit, Joe Voje, UTPA chief information security officer, said the first step taken was to disable the Java plug-in on UTPA centrally managed computers for non-trusted zones (browsers attempting to access a non-UTPA owned or contracted website).
“People usually install software they don’t always need,” Voje said. “Not all websites require Java nowadays. We recommend that students keep track of software they use and need.”
The term zero-day refers to an attack that exploits a previously unknown vulnerability before the owner of the software knows about it.
“In a ‘zero-day’, the software vulnerability has been identified but does not have a direct path,” Voje explained. “It’s basically in the wild.”
Voje said a zero-day attack gives someone the ability to put malicious code on a website. An individual using the vulnerable Java version would then browse to that website and the malicious code would be pushed to the computer. Potentially a backdoor can be installed on the computer, and the hacker could then have access to the individual’s personal information.
He said it was confirmed that the current version of Java used by UTPA was not affected by the exploit. UTPA’s computer systems did not experience any malicious activity and no confidential information from the University was compromised as a result of Java’s vulnerability.
Java’s zero-day, which can potentially be found in operating systems such as Microsoft Windows, Mac, and Linux, can result in electronic crimes, such as identity theft, spear phishing (which is an email fraud attempt that targets organizations’ confidential data) and malware, which is software that damages computer systems.
Java also experienced a similar zero-day exploit back in August 2012. In an article in Computerworld, Patrik Runald, security research director at Websense, said his team found more than 100 unique domains with the Java exploit. Due to Java’s many security issues in the past, Voje said Information Securities will continue to monitor the situation.
In response to the recent exploit, representatives of Oracle issued a new and safer update for Java with a patch Jan. 13 in which its security settings are set higher. Another update was made Feb. 1 to address 50 security vulnerabilities. Voje said Java’s patches explain why there haven’t been many exploits.
“Oracle is a very large and successful software company,” UTPA’s Voje expressed. “I am confident that they will eventually address these particular security issues and continue to provide useful software to the Internet community.”
However, UTPA’s Information Securities still suggests that computer users disable or uninstall Java from their web browsers at home.
For people who still need Java to access certain websites, Voje suggests doing so with safety precautions. Blackboard, for example, might require Java. Students can continue to use the software safely by adding Blackboard as a “trusted site” in the settings section of the web browser, he explained.
Another alternative for users who need Java for certain applications is to activate Java in one browser and disable it in another browser used for everyday browsing.
This is not the first time UTPA’s Information Securities has experienced similar risks.
“It’s an ongoing battle,” Voje said. “But zero days are not all common. Patches usually fix flaws before they are known by the public.”
To avoid becoming a victim of an online exploit, Voje urges computer users to patch and update their systems when updates are available. He said people should use a personal firewall, disable features they don’t need on the computer and enable them only when they do. He also recommended people keep track of their online activity.
“We encourage people to remain alert while online and be careful with what you keep on your computer and share,” Voje said. “Always be mindful of what you do on the Internet.”
Jerald Hughes, a computer information systems professor at UTPA, believes it’s OK to trust Java as long as students stay current and update by downloading its latest version. He said all software ages and becomes vulnerable over time.
“Basically, don’t trust any software, until you have good reason to think it’s OK,” Hughes said. “You know where it came from, the software company has a good reputation, you’ve looked at the reviews, you got it from a trustworthy place and your protection software has scanned it for safety.”
According to Hughes, the hardest part about staying safe online is keeping up to date.
“When Java, Firefox, Adobe, or any of your software wants to update, do it,” Hughes said. “All the antivirus software suites now come with a piece which scans the websites you’re going to and warns you if they look dangerous—use it.”