Some of you may have heard that there is a serious security problem with Java 7 (the default version). Luckily most patent attorneys are still running Java 6 in order to interact with the USPTO’s PAIR and EFS-Web servers. According to reports, Java 6 does not suffer from the problem?
Security experts are not confident that this update resolves the security hole[1]. One cause for skepticism is that the present vulnerability is a variant of an older vulnerability that Oracle knew about and already failed once to neutralize with their previous update, 7u10[2].
[1] link to zdnet.com
[2] link to arstechnica.com
A security update is available (7u11), as of 2013-01-13; that might be easier than installing 6:
link to oracle.com
I’ll also plug iEFS (http://iefsapp.com), with which I am inextricably and financially affiliated. iEFS maintains its own secure, compatible version of Java so that incidents like this don’t affect your access to PAIR and EFS-Web.
Also, a correction to my earlier comment: Justice.gov was not defaced, only sent offline. The Java vulnerability cannot be exploited by such an attack. However, the DOJ site has been defaced in the past: link to articles.latimes.com
You’re correct that the vulnerability does not affect Java 6, according to US-CERT: link to us-cert.gov
But there may be more patent practitioners running Java 7 than you think. Carl Oppedahl has established that, contrary to USPTO warnings, PAIR and EFS-Web are compatible with Java 7 in practice; only E-Patent Reference is inoperable. I believe his firm had upgraded when the vulnerability was published.
If you’re running Java 7 and need Private PAIR, you have two options.
This is theoretically safe because one expects USPTO never to host a malicious applet that exploits the vulnerability. Of course, bets are off if uspto.gov is ever compromised the way justice.gov was today: http://www.huffingtonpost.com/2013/01/14/anonymous-hacks-mit_n_2472728.html.
Adam Gowdiak, a researcher with Poland’s Security Explorations who has discovered several bugs in the software over the past year, told Reuters that the update leaves unfixed several other, notable security issues.
“We don’t dare to tell users that it’s safe to enable Java again,” Gowdiak told Reuters. Some security consultants are advising businesses to remove Java from the browsers of all employees except for those who absolutely need to use the technology, the site reported.
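The two pieces of practical advice in this thread (apply 7u11 if you are on Java 7; otherwise keep Java out of the browser) both start from knowing which Java a machine actually runs. The script below is an added example, not code from any commenter, iEFS or Oracle: it parses the version string that `java -version` prints and sorts it into the cases discussed above. It assumes only what the comments state: Java 6 is not affected per US-CERT, Java 7 builds before Update 11 are affected, and 7u11 is the shipped patch that the quoted researchers were not confident is complete. The sample version strings are constructed to match the format the JDK prints; anything outside Java 6 and Java 7 is reported as not covered rather than judged.

```python
"""Classify a Java runtime against the January 2013 Java 7 plugin vulnerability.

Added example (not from the thread). Rules are taken from the comments above:
  - Java 6 (1.6.x): not affected, per US-CERT.
  - Java 7 (1.7.x) before Update 11: affected; update to 7u11 or disable the browser plugin.
  - Java 7 Update 11 or later: patched, but researchers quoted above still advise
    leaving the browser plugin disabled where it is not needed.
Anything else is outside what the thread supports and is reported as "unknown".
"""
import re
import subprocess

# `java -version` prints, on stderr, lines such as:
#   java version "1.7.0_10"
#   Java(TM) SE Runtime Environment (build 1.7.0_10-b18)
# The update number after "_" is optional in older and some vendor builds.
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')

# Constructed sample outputs in the JDK's own format (not captured from real machines).
SAMPLE_OUTPUTS = {
    "7u10": 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)\n',
    "7u11": 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment (build 1.7.0_11-b21)\n',
    "6u38": 'java version "1.6.0_38"\nJava(TM) SE Runtime Environment (build 1.6.0_38-b05)\n',
}


def parse_java_version(text):
    """Return (major, minor, patch, update) from `java -version` output, or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def classify(version):
    """Map a parsed version tuple to one of the outcomes discussed in the thread."""
    if version is None:
        return "unknown"
    major, minor, _patch, update = version
    if (major, minor) == (1, 6):
        return "not affected (Java 6, per US-CERT)"
    if (major, minor) == (1, 7):
        if update < 11:
            return "affected (Java 7 before Update 11): apply 7u11 or disable the browser plugin"
        return "7u11 or later applied: keep the browser plugin disabled unless it is needed"
    # Java 8 and later, or unusual version strings: the thread says nothing about them.
    return "unknown"


def installed_java_version():
    """Run `java -version` on this machine; returns None if no java is on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    # The version banner goes to stderr; some distributions also echo to stdout.
    return parse_java_version(proc.stderr + proc.stdout)


if __name__ == "__main__":
    for label, output in SAMPLE_OUTPUTS.items():
        print(f"sample {label}: {classify(parse_java_version(output))}")
    local = installed_java_version()
    print(f"this machine: {classify(local)}" if local else "this machine: no java on PATH")
```

The classification deliberately does not call 7u11 "safe": the quoted researchers only say that the earlier builds are definitely exposed, so the script flags those and otherwise repeats the advice to keep the plugin off. Running it on a fleet (for example over SSH) gives the list of machines that still need either the update or the plugin removed, which is the list the consultants quoted above are asking for.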
But no liability for the distributor of the flawed software, right?