It has been hard to miss that there is a problem with Java. Homeland Security is warning us that it is not safe to run Java on our computers. Our government is warning us… I would say we should listen, since there are no politics involved in this comment.
We are constantly bombarded with threats, but this one seemed more “threatening.” I won’t repeat what others have explained about the issue here; there is plenty of information on the internet about this particular vulnerability. The problem is that there is plenty of misinformation as well.
Let’s discuss how to dig through the information the next time something like this happens.
While I haven’t gotten one lately, there used to be a rash of emails from time to time that warned of the latest technological terror. They acted like a chain letter, explaining that you should send the email to everyone you knew. I used to call these “low-tech viruses” since they caused people to worry and bog down the email systems of small companies. So the first step in monitoring your threats is to not get excited until you research claims.
Next, when you see an article about the latest vulnerability or virus, ask yourself what type of resource it is. If you read it on The Onion (www.theonion.com), you might want to check elsewhere. If you read it on CNN, you probably want to dig a little into the problem. While The Onion specializes in entertaining, semi-real, pseudo-news articles, CNN is a legitimate news source. However, CNN may not be technical enough to get the answers you need.
So where should you look? If there is a report of a new virus, check the website of your anti-virus software. They will likely have good information on the virus and on whether your AVS is protecting you. If there is a vulnerability like this Java issue, check websites that are technology related. PC Magazine (www.pcmag.com) has good information written in plain English. If it is a vulnerability or a flaw in software, check out http://web.nvd.nist.gov/view/vuln/search, the search engine of the National Vulnerability Database (NVD). You may see a reference to a CVE number when reading about a vulnerability; this is the site where you can find the details about that vulnerability.
CVE stands for Common Vulnerabilities and Exposures. It is a reference number for information security vulnerabilities and exposures. It is maintained by the MITRE Corporation with funding from the Cyber Security Division of the US Department of Homeland Security. By going to this site you can get lots of techy information and links to more information.
This past week’s issue with Java was given the reference number CVE-2013-0422. By entering this number, or searching “java 2013,” in the NVD search engine above, you will find information about its impact and exploitability as well as links to many other sources of information. Some are very technical while others are more plain English, but these links have been vetted to some extent for reliable information.
The bottom line is that when you hear about the latest threat to your computer, use some common sense. Start with Googling the threat. Then think about which websites seem the most reliable. CNN, the Washington Post, and the NY Times are probably the type of resource you would want for the first step. They are reliable and have the resources to vet their information, but they will probably lack the technical details you may want for your research. If you can get information from the US Government, like the NVD, it is probably reliable. Some sources may have good intentions but not the technical know-how to provide you with the sound information you need. Unfortunately, sometimes the source you want to hear from isn’t talking. When the Java vulnerability broke on Thursday, Oracle (who owns Java) was silent. They may have been busy trying to fix the problem, but my cynical view is that they didn’t want to say anything that could make them look worse.
The most important advice I can give is to not ignore it and not assume it doesn’t affect you. Stay informed, do your research, and work with your IT department and/or vendors. Also, remember to ask “WHY?” My father used to say, “Never accept the first answer without a follow-up question.” If your IT vendor says that you don’t have to worry, ask them how they know that and how they can make you sleep better.