Last week security experts identified a serious vulnerability in Java. The vulnerability allows criminals to silently install malware when a user visits a hacked site while using the insecure browser plugin.
Users are advised to upgrade to the latest version of Java (currently Version 7 Update 11) immediately, and to allow Java code to run only when it comes from a known safe source and is properly digitally signed.
MSU system recommendations
Over the weekend, Oracle, which produces Java, issued a critical update patch for all users regardless of operating system.
Numerous university systems require the use of Java, so it is critical for our users to immediately remove old version(s) of Java and install the most current version, which reflects Oracle’s current strategy for addressing the vulnerability.
The following is a non-exhaustive list of services at MSU that require that Java be active in the browser:
- Document Viewer (DocView)
- Non-Credit Registration System Administration
- CommVault Administration
- EMC SAN Administration
- JBoss Administration
Please note: Java Version 7 Update 10 and earlier versions of Java 7 running on desktop computers contain a vulnerability that can allow a remote, unauthenticated attacker to execute code on a vulnerable system. EBS applications are run from application servers and are therefore not directly affected by this vulnerability.
Individuals accessing EBS applications using the MSU VPN must install Java Version 7 Update 11 and must uncheck the box for the Ask.com toolbar included in the installer. (Toolbars can affect the operation of EBS applications.)
The newer versions of Java allow users to enable and disable Java from a browser as needed. Additionally, the current version increases the security setting of Java on your machine to a high setting, requiring more user intervention before Java-based code runs.
Windows users can follow installation instructions on Java to remove older versions of Java and install the new version.
Mac Operating System updates have already removed older versions of Java. No additional action is required. Visit Java to download the latest version for your system.
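For support staff checking several desktops against the version note above, the following is an added example, not part of the original advisory or an MSU or Oracle tool. It classifies captured `java -version` output as vulnerable (Java 7 Update 10 or earlier) or updated (Update 11 or later); the hostnames, sample outputs and status labels are constructed for illustration.

```python
import re

# Java 7 reports itself as "1.7.0_NN"; a bare "1.7.0" means no update is installed.
VERSION_RE = re.compile(r'\b1\.(\d+)\.\d+(?:_(\d+))?')
FIXED_UPDATE = 11  # Java 7 Update 11, the version the advisory says to install

def parse_java_version(text):
    """Return (major, update) from `java -version` output, or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    update = int(m.group(2)) if m.group(2) else 0
    return int(m.group(1)), update

def classify(text):
    """Map one machine's captured output to a status label (labels are ours)."""
    parsed = parse_java_version(text)
    if parsed is None:
        return "unknown"          # Java missing or output not recognised
    major, update = parsed
    if major != 7:
        return "not-covered"      # the advisory's version note only addresses Java 7
    return "vulnerable" if update < FIXED_UPDATE else "updated"

def audit(inventory):
    """inventory: {hostname: captured `java -version` text} -> {hostname: status}."""
    return {host: classify(out) for host, out in inventory.items()}

# Constructed sample inventory (hypothetical hostnames and captured output).
SAMPLE = {
    "desk-01": 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment',
    "desk-02": 'java version "1.7.0_11"',
    "desk-03": 'java version "1.7.0"',
    "desk-04": 'java version "1.6.0_38"',
    "desk-05": "'java' is not recognized as an internal or external command",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host}: {status}")
```

Machines reported as "vulnerable" need the old version removed and Update 11 installed; "not-covered" and "unknown" results need a manual look because the version note above does not speak to them.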
If you have already upgraded and installed the toolbar, or for further technical assistance, contact your local unit technical support department or the IT Services Support Desk at (517) 884-3000. A knowledge base support article on how to avoid Java vulnerabilities and exploits is also available.