Mobile employees accessing the internet on their smartphones may not think they are at risk for hacking, but the enterprise should not be lax. The recent weakness in Java 7 security, affecting hundreds of millions of PC users, is a great reminder of the potential threats associated with web browsers in general.
On Thursday, January 10, the U.S. Department of Homeland Security warned web users to disable or uninstall Java software to keep potential cyberthieves from spreading malware. Such programs could be used for identity theft, deploying bots that bring down the network and other high-tech harmful attacks.
In an uncharacteristic move, Oracle Corp. issued a patch just several days after the DHS warning. Normally, the company releases fixes on a quarterly basis. When installed, the patch changes how Java applets and applications are run: instead of applets launching automatically, users are now prompted to approve their execution.
Hundreds of millions of PC users are at risk, although it has not been determined how many have actually been compromised. Symantec notes it is blocking 300,000 threats a day.
Mobile Phone Threat
Oracle claims that the recent risk only relates to Java SE 7 users and the CVE-2013-0422 security threat in particular.
"These vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications," the company said in a security statement.
Unlike PCs, which run on SE 7, many smartphones employ the Java Platform, Micro Edition, designed for embedded systems.
iPhones are not even in the same boat, since Apple has only recently allowed the programming language through a hybrid mobile architecture. (The late Steve Jobs, Apple founder, was quoted as calling Java a big heavyweight ball and chain, and not worth supporting.)
Regardless, mobile devices still have their own web browser threats.
A vulnerability known as CVE-2010-1807 affects the WebKit engine used by iOS, Android, BlackBerry and Windows. According to Juniper, attackers are targeting these vulnerabilities with "drive-by downloads." That is, when a user visits an infected website, malware is downloaded without the user's knowledge.
Mobile Malware: Bad for Business
Needless to say, mobile malware can easily disrupt business processes and cause financial headaches as well as security breaches. A virus can compromise a device's email, get hold of all its contacts, steal data, send out nasty spam or simply delete information. Phones can become unusable if infected or locked.
Some malware can actually access the device's camera to take photos at random. In addition, "fake installers" take over applications, turning free apps into pay services via premium SMS messages.