Security Resources

Two Critical Security Issues You Should Tackle Today

warning… if you haven’t already, that is.

There has been a barrage of coverage lately addressing ongoing security issues with Java and Universal Plug-and-Play (UPnP). Summarizing a mountain of detail that is only relevant to a small percentage of users, the takeaway is that almost everyone should: (1) Disable Java in the browser OR uninstall it completely; and (2) Disable UPnP on your router AND test it for remote UPnP vulnerabilities.

Excellent step-by-step instructions are available for uninstalling or restricting Java, but if you are running the latest version, a new control panel setting allows you to easily disconnect Java from your browsers, which is the most common way that it would be exploited. I wanted to remove the software completely, but one of my favorite mind-mapping applications (FreeMind) requires it, so if you are in a similar bind, preventing Java’s use in browsing sessions is the next best thing. Keep in mind, that JavaScript and Java are two completely different things – you will need JavaScript on many web pages for proper functionality, and it is built into the browser, so you will not be altering it by restricting/removing Java. Limiting JavaScript is a good idea (using a plug-in such as NoScript), but again, this is a separate issue.

As for UPnP, the technology is built into many routers, and is supposed to make connection of networked devices easier by automatically opening ports and configuring network settings. Unfortunately, convenience doesn’t always coexist with security, and UPnP has been shown to have a number of vulnerabilities. Your best option: Turn it off in the router’s administration portal, and also run a Shields Up test to ensure that your router is not exposed to attack from outside the network. Keep in mind that some routers have been found to leave UPnP on regardless of the setting in their configuration screen, while others reportedly do not offer an option to disable it, so your mileage may vary…

More on UPnP:
CERT Advisory
Rapid7 Whitepaper