On January 10, the U.S. Computer Emergency Readiness Team of the U.S. Department of Homeland Security subjected Oracle Corp.'s Java security problems to the public eye when it issued a rare alert concerning a vulnerability in Java software, warning that "web browsers using the Java 7 plug-in are at high risk." The browser add-on, which facilitates online activities such as playing interactive games and chatting with friends, warrants close scrutiny from those responsible for security at law firms.
On January 11, Reuters reported that "hackers have figured out how to exploit Java to install malicious software [to] commit crimes ranging from identity theft to making an infected computer part of an ad-hoc network of computers that can be used to attack websites."
The government advised users to disable the add-on on their computers, reiterating the warning even after Oracle released an update three days later purporting to patch the breach. The alert states, "This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered." Indeed, although it has garnered a great deal of media coverage, this is only the latest in a continuous line of threats from the Java software, a preferred target for hackers. The burgeoning awareness surrounding Java's flaws may change the way law firms regard patching and online security.
The glitch that prompted an official statement from Homeland Security was a "zero-day" vulnerability, a gap that hackers can take advantage of as soon as they are aware of its existence, forcing responding developers to create a fix for it after users have already been exposed. This particular hole, present in Java 7 Update 10 and earlier versions, lets hackers install malicious applications to steal credentials and hijack control of computers, after which they may demand payment to return the hostage machine. The ease with which a computer may become infected is disturbing: clicking on spam messages and links on pornography sites can lead users to infect their computers, but, more worryingly, reputable sites running advertisements that use Java pose a veritable risk as well.
Nor does it take particular skill to hack a computer via Java. The exploit code (with which hackers can "exploit" the hole in Java's security) is readily available for cybercriminals to download. A study from Sophos, a U.K.-based company that offers data security services, found that using the Blackhole exploit kit, the most popular hacking kit, hackers were able to use Java successfully 77 percent of the time to infiltrate systems. That is a disconcertingly high statistic considering the software's ubiquity. Knowing this, and that law firms are becoming more and more frequently the targets of hacking, it is not hard to imagine a cyberthief intent on gaining insider information about a merger or patent using Java as a gateway to the confidential data.
January's highly publicized bug was only the latest in a pattern of vulnerabilities in Java and patches from its developer, Oracle. A similar scare occurred in August; Oracle likewise responded with an emergency patch. These patches, however, are increasingly met with skepticism. The Next Web reports that Oracle has known about the latest issue since October, having been informed of it by Security Explorations, a Poland-based security research company. Oracle subsequently released a fix, but it failed to address the problem in its entirety. This oversight left gaps that would eventually lead to the vulnerability exposed in January. Many experts opine (and Homeland Security seems to agree) that Java continues to be a weak spot in internet browsing and that it should be disabled. Apple apparently concurs, and blocks the Java plug-in up to the current version on its operating system, OS X.
Benjamin Edelman, associate professor of business administration at Harvard, is among those who are criticizing Java's updates for surreptitiously bundling other software installations along with the updates. For example, a user updating or installing Java may find themselves with an Ask.com toolbar in their browser after clicking "next" when prompted. Edelman writes on his blog, "It is troubling to see Oracle profit from this security flaw by using a security update as an opportunity to push users to install extra advertising software."
According to Oracle, Java is deployed on an estimated 850 million computers worldwide. Considering how often new security flaws are discovered in the software, and the possibility that work can continue as usual without Java, should law firms continue running the add-on?
Law firms should take a granular approach and evaluate Java as it applies to the business functions of each role. No longer should it be considered standard-issue for each individual. Can lawyers perform at the same level without using Java? If the answer is yes, then the added security of disabling Java would certainly be worth it. Disabling Java may cause inconveniences while surfing the web, but it most likely won't interfere with an attorney's or other law firm professional's work.
These types of breaches happen often, though they usually receive much less attention than the Java incident. In January, Reuters reported that "Java was responsible for 50 percent of all cyberattacks last year in which hackers broke into computers by exploiting software bugs," citing security provider Kaspersky Lab. "That was followed by Adobe Reader, which was involved in 28 percent of all incidents. Microsoft Windows and Internet Explorer were involved in about 3 percent of incidents," Reuters noted.
In light of the emerging information concerning Java, the security conversation seems to be shifting. It is no longer enough to passively accept updates from manufacturers in order to feel at ease about their applications. A broader range of perspectives, including those of security researchers and official government opinion, should be considered as well.
Marcus Bluestein is CTO, and Nina Lukina is a business analyst, at the New York offices of Kraft & Kennedy Inc.