This April, Oracle announced that it will no longer be supporting Java 6 and encouraged all users to update to Java 7. Yet, despite these urgings, more than half of all users still use Java 6.
What's the danger of using Java 6? When a company stops "supporting" a version of its software or programming language, it will no longer release updates to fix security weaknesses.
Trend Micro, a leading cyber security firm, details the Java 6 security weaknesses in the blog post "Java 6 Zero-Day Exploit Pushes Users to Shift to Latest Java Version." Here's what you need to know:
- Hackers can exploit Java 6 to install ransomware, a type of malware that locks user data and won't release it until users pay money to hackers. Ransomware attacks have been growing tremendously fast. There were twice as many in the first quarter of 2013 as there were in the first quarter of 2012.
- The Java 6 weakness will affect businesses more than individuals, because organizations are slower to update software than individuals.
Why are businesses slower to update than individuals? Because they tend to have multiple computers and have to worry about compatibility. This partially explains why, as I mentioned at the outset, more than 50 percent of users are still using Java 6 even though there are significant security concerns.
The Strange Truth about Security Updates
Security updates are great. They fix security flaws and bolster a user's defense against new attacks. But they also have one unintended consequence: security patches show hackers the flaws in old software.
After Oracle rolled out Java 7, hackers descended on the new version, picking it apart to find out what improvements the software company made. By doing so, they were able to find security flaws in Java 6. In essence, Oracle "tipped its hand" when it updated.
Protecting Programmers: Cyber Security Options
Java is everywhere. You can't avoid using it, which means hackers can use security flaws in old versions to attack countless businesses. These security attacks expose you to lawsuits.
IT professionals can be sued when software or client websites they built are hacked through flaws in Java, even if the flaw comes from the Java programming language itself and not from the particular code you wrote or the site you built. Ouch.
It may not seem fair that you're responsible for a flaw in Oracle's product, but it's true. You can be sued when hackers exploit these security flaws to install ransomware on client computers. (For more about Cyber Risk in Java check out the article "Java Function Exposes All Android Users to Bitcoin Theft, Highlights Errors & Omissions Liability").
So what can programmers do? Here are some options:
- Keep your software up to date. Remember that security patches make new versions of software safer, but they also expose old software to more security threats.
- Remind your clients to update their software. IT consultants should be especially diligent about this. Microsoft has announced that it will stop supporting Windows XP and old versions of Office in April 2014. By doing so, it will expose many of your clients to cyber risks. Whether it's XP, Office, or Java, if their clients are running outdated software, IT consultants could be liable for security breaches.
- Protect your business from hacks with First Party Cyber Liability Insurance. This policy pays for the costs of many different cyber attacks on your business (including the introduction of ransomware).
- Protect yourself against lawsuits from clients. If your programs or software are hacked on client computers and your clients decide to sue, a Third Party Cyber Liability Insurance policy can cover your legal costs.
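The first two steps above assume you know which machines are still on Java 6. The script below is an added example (not code from the original post, Trend Micro, or Oracle) of the kind of inventory check a consultant can run: it parses the banner line that `java -version` prints for each host and flags any host on a major version that no longer receives public security updates. The host names and banner strings are constructed sample data, and the set of unsupported versions assumes, as this page states, that Java 6 is the retired release.

```python
import re

# Constructed sample: one `java -version` banner per host, as an inventory job
# might have collected them. Host names and strings are made up for this example.
SAMPLE_INVENTORY = {
    "build-01": 'java version "1.6.0_45"',
    "web-02": 'java version "1.7.0_25"',
    "laptop-03": 'java version "1.6.0_37"',
    "ci-04": 'openjdk version "1.8.0_292"',
    "kiosk-05": 'no java found',
}

# Major versions past end of public security updates. Per this page only
# Java 6 (reported as "1.6") belongs here; extend as vendors retire versions.
UNSUPPORTED_MAJORS = {6}

# Matches both legacy banners (1.6.0_45, 1.7.0_25, 1.8.0_292) and the
# newer scheme (9.0.4, 11.0.2), where the major is the first field.
VERSION_RE = re.compile(r'version "(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?"')


def parse_java_version(banner):
    """Return the major Java version named in a `java -version` banner, or None.

    Legacy banners put the major in the second field ("1.6.0_45" -> 6);
    Java 9+ banners put it in the first field ("11.0.2" -> 11).
    """
    m = VERSION_RE.search(banner)
    if not m:
        return None
    first = int(m.group(1))
    second = int(m.group(2)) if m.group(2) else 0
    return second if first == 1 else first


def find_unsupported(inventory, unsupported=UNSUPPORTED_MAJORS):
    """Return {host: major} for every host running an unsupported major version."""
    flagged = {}
    for host, banner in inventory.items():
        major = parse_java_version(banner)
        if major is not None and major in unsupported:
            flagged[host] = major
    return flagged


def unparsed_hosts(inventory):
    """Hosts whose banner could not be parsed. These need a manual look rather
    than a silent pass: a missing or odd banner is not evidence of a safe version."""
    return sorted(h for h, b in inventory.items() if parse_java_version(b) is None)


if __name__ == "__main__":
    for host, major in sorted(find_unsupported(SAMPLE_INVENTORY).items()):
        print(f"{host}: Java {major} no longer receives security updates; schedule an upgrade")
    for host in unparsed_hosts(SAMPLE_INVENTORY):
        print(f"{host}: could not determine Java version; check manually")
```

In practice the banners would come from whatever collection mechanism you already have (a login script, a configuration-management fact, or a remote `java -version 2>&1` over SSH); the parsing and the unsupported-version list are the parts worth keeping in one place so the check stays consistent across clients.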
To get an idea about the cost of Technology Insurance, take a look at these sample insurance quotes. To get a custom-tailored insurance quote from some of the highest-rated cyber liability insurance carriers, contact a TechInsurance agent.