Further to the Security Alert posted yesterday on the subject, we would like to keep you updated on the situation:
(1) Temporary measure to avoid risk due to the Java zero-day vulnerability
Because of the high risk posed by the vulnerability found in Java Version 7 Update 10 (Java v7u10) and earlier updates, users are advised to disable Java in all web browsers until a solution/patch is available to fix the problem. The procedures for disabling this Java version on the different computer platforms are documented on the Java website: www.java.com/en/download/help/disable_browser.xml
Our colleagues have been communicating with members of the Departmental Information Security Coordination Group to advise on mitigation within departments.
(2) Implications for HKU central IT Services:
We have reviewed the IT services supported by ITS. Most of the generally accessible Central IT Services reached through the HKU Portal are not affected and continue to work properly when Java is disabled in the web browser, except for the following applications:
- Departmental Inventory system (DIS)
- Financial Functions for Operational Staff (FFOS)
- Facilities and Space Management Information / Departmental Rooms Information
- Long leave application
- IHP facilities booking system
- CEDARS facilities (banner sites, rooms) booking system
- HKUSU rooms booking system
For the time being, users who need to use the above applications, or any other web application that requires Java, can temporarily enable Java by selecting the option “Enable Java content in the browser” in the Java Control Panel and turn it off again afterwards. The Java Control Panel is described on the website given in (1): www.java.com/en/download/help/disable_browser.xml
(3) Java 7 Update 11
On 13 January 2013 Oracle released Java 7 Update 11 with vulnerability fixes and advised users to install this update to address the widely publicized security issue. However, security experts have reported that this new update still leaves certain critical security flaws unfixed. We therefore recommend keeping Java disabled in browsers until we have a clearer picture of the solution.
Finally, we would like to remind our users that security intrusions by hackers happen every day. We should be very vigilant about not visiting unfamiliar websites, such as those linked from unsolicited spam/phishing emails, and always observe the information security measures that keep HKU safe in the Internet-connected world. ITS will closely follow the Java zero-day vulnerability issue and update you on further actions and information.
If you have any enquiries, please send an email to firstname.lastname@example.org.
Thank you for your attention.
Oracle updates Java, security expert says it still has bugs: http://www.reuters.com/article/2013/01/13/us-java-oracle-security-idUSBRE90C0JB20130113
Oracle Update Release Notes: http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html
Information Security Team