I hope this comes as no surprise to our readers: it is extremely important to keep your version of Java up to date. We have seen many campaigns from large organizations recently, including Apple, Microsoft, Google, and even the Department of Defense, warning users to disable Java completely and, if you must use it, to enable it only for individual sites.
This is what makes the discovery of Java 6 Update 7 being bundled with Yahoo’s SiteBuilder download so surprising. I do not know whether SiteBuilder simply doesn’t work with the newest release of Java or whether this is a huge oversight by Yahoo. We will update you once there is an official statement from Yahoo on the matter.
This version is more than four years old, and with that age it’s safe to assume it is extremely vulnerable to exploitation. Java 6 Update 7 was released in the summer of 2008 and was insecure even then; the most recent version of Java 6 is Update 39, which by itself patched at least 50 security holes. Just to throw a little math at this scenario: the version of Java that Yahoo is pushing is 32 updates behind the most recent release, and even if each of those updates patched only half as many vulnerabilities, we are looking at around 800 exploits that could be used to compromise PCs and other devices running Java.
I would encourage all users of SiteBuilder to either discontinue use for now or isolate their use inside a virtual machine until Yahoo addresses this issue. The main reason Java has gained so much attention from the security community is that it is the single biggest source of malware infections across the PC industry. Crimeware and exploit kits are packed into websites and compromise the machines of users running outdated versions of Java with ease, but we will save that topic for another day. For now, and always, please keep your Java installations up to date here.
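One practical way to check for the outdated build the post describes is to parse the version string that `java -version` prints and compare it against the current release. The following script is an added example, not part of the original post or of any Yahoo or Oracle tooling; it assumes the legacy `1.x.y_update` version format and uses Java 6 Update 39 (the latest Java 6 release named in the post) as the minimum acceptable version.

```python
import re
import subprocess

# Minimum acceptable Java 6 build, as stated in the post: Java 6 Update 39.
# (Assumed threshold for this example; adjust to the current release.)
MIN_JAVA6 = (1, 6, 0, 39)

# Matches the legacy Sun/Oracle version string, e.g. 1.6.0_07 or 1.7.0_13.
_VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output):
    """Extract (major, minor, patch, update) from `java -version` output.

    Returns None if no version string is found.
    """
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def is_outdated(version, minimum=MIN_JAVA6):
    """True when the installed version tuple is older than the minimum."""
    return version < minimum


def check_java_output(output, minimum=MIN_JAVA6):
    """Return a short verdict string for captured `java -version` output."""
    v = parse_java_version(output)
    if v is None:
        return "no java version string found"
    label = "%d.%d.%d_%02d" % v
    if is_outdated(v, minimum):
        return "OUTDATED: %s (minimum %d.%d.%d_%02d)" % ((label,) + minimum)
    return "ok: %s" % label


# Constructed samples of what the bundled Java 6 Update 7 and a current
# Java 6 Update 39 print to stderr.
SAMPLE_OLD = 'java version "1.6.0_07"\nJava(TM) SE Runtime Environment (build 1.6.0_07-b06)\n'
SAMPLE_NEW = 'java version "1.6.0_39"\n'

if __name__ == "__main__":
    try:
        # `java -version` writes its banner to stderr, not stdout.
        out = subprocess.run(["java", "-version"], capture_output=True, text=True).stderr
    except FileNotFoundError:
        out = SAMPLE_OLD  # fall back to the constructed sample when no JRE is installed
    print(check_java_output(out))
```

Run it on any host where SiteBuilder was installed; a verdict beginning with `OUTDATED` means the bundled Java 6 Update 7 (or another stale build) is still present.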
Do you or your organization use Yahoo SiteBuilder? As always, please share your comments and feedback below.
[via Brian Krebs]