Java insecurity: Options are few
By now, you’ve probably heard that Java has once again been the target of another 0-day exploit, thanks to an underlying weakness in the Java code. This is not the first time that Java has been in this position. Just last summer, a 0-day exploit was making the rounds thanks to a different coding issue. Some experts predict that it could take Oracle up to two years to fix all of the vulnerabilities in the Java code, so it’s more than likely that we’ll be facing similar news in the not-too-distant future.
With January’s news about the exploit hitting all of the networks, security experts and even the Department of Homeland Security issued dire warnings with the recommendation that users take immediate steps to fully disable Java in their web browsers. These discussions surrounding the decision about whether or not to disable Java continue to make the rounds even though Oracle issued an emergency patch a couple of weeks ago, although additional vulnerabilities have been discovered since its release.
It should be noted that these newest vulnerabilities directly affect Java 7 SE only. While one of the vulnerabilities is present in Java SE 6, it is not considered high risk in Java SE 6, as exploiting it first requires exploiting a Java 7 SE-only flaw (not present in Java SE 6).
The specific flaw this January was one that could allow an attacker to exploit a security weakness and run arbitrary code on the host system. Any web browser using the Java 7 plugin was affected – and continues to be affected by newly discovered flaws. A security company’s test revealed that the exploit worked on a fully-patched 32-bit Windows 7 system under Firefox, Internet Explorer, Opera, Chrome, and Safari; in other words, every browser was at risk.
To disable or not…
While home users have been warned to disable Java in their browsers as soon as possible, enterprises don’t always have that luxury. A number of enterprise applications rely on browsers being able to invoke Java applets. However, even some enterprises are taking steps to protect themselves by disabling Java in their web browsers, and some browser vendors have taken things a step further. Even Oracle has gotten into the game by making it easier
With its latest updates, Oracle has made it easier to disable Java in all browsers on the system. Here are instructions. In addition, the latest patches from Oracle also change the Java security settings to require user authorization before executing applets, which could otherwise attempt to exploit as-yet-undiscovered vulnerabilities.
Here are the four routes that I see organizations taking with regard to Java:
- Maintain the “status quo”. Keep Java and the browser plug-ins patched and keep Java enabled. This approach is required for organizations that rely on Java applets in web browsers. It is the riskiest option of the bunch.
- Run in a sandbox. For organizations that really want to disable browser-based Java but are unable to do so, there could be a confined virtual machine sandbox that’s used for this purpose. While an attractive option on the surface, this option comes with massive administrative overhead.
- Selectively disable Java plugins. I see this option as the most palatable. Keep browser Java enabled only on systems that require applet-based tools and disable it for everyone else. In doing so, you minimize the exploit risk while ensuring that your tools remain available.
- Kill it… kill it now. This is the knee-jerk, operations-affecting decision. For some, security may be so tight that Java just has to go altogether. In doing so, it’s possible that an app or two might get taken down with it. I don’t see this route being taken by very many people. While the recent vulnerabilities have been shown to affect only browser-based Java plug-ins, there are some out there disabling Java across the board.
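The selective route above comes down to pushing one setting per host class and then checking that it stuck. As an added example (not from this article), here is a small Python audit built around the two deployment.properties keys that Java 7 Update 10 and later expose in the Java Control Panel, `deployment.webjava.enabled` (the “Enable Java content in the browser” checkbox) and `deployment.security.level` (the security slider); the host classification, the file contents and the `.locked` line for each host are constructed assumptions for the example.

```python
import re

# Keys behind the Java 7u10+ Control Panel checkbox and security slider.
WEBJAVA_KEY = "deployment.webjava.enabled"
LEVEL_KEY = "deployment.security.level"


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: '#'/'!' comments, key=value or
    key:value, bare keys (used for the '.locked' marker), '\\' continuations."""
    props, buf = {}, ""
    for raw in text.splitlines():
        line = buf + raw.lstrip()
        buf = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            buf = line[:-1]          # logical line continues on the next line
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def browser_java_status(props: dict) -> tuple:
    """(enabled, locked): browser Java defaults to on; '.locked' stops users re-enabling it."""
    enabled = props.get(WEBJAVA_KEY, "true").lower() != "false"
    return enabled, (WEBJAVA_KEY + ".locked") in props


def desired_properties(needs_applets: bool) -> str:
    """System-level deployment.properties for a host class (constructed policy):
    applet hosts keep browser Java on but at HIGH (prompt before running);
    every other host gets it off and locked."""
    lines = ["# generated browser-Java policy"]
    if needs_applets:
        lines += [f"{WEBJAVA_KEY}=true", f"{LEVEL_KEY}=HIGH"]
    else:
        lines += [f"{WEBJAVA_KEY}=false", f"{WEBJAVA_KEY}.locked"]
    return "\n".join(lines) + "\n"


def audit(text: str, needs_applets: bool) -> list:
    """Compare a host's current file against policy; empty list means compliant."""
    props = parse_properties(text)
    enabled, locked = browser_java_status(props)
    findings = []
    if needs_applets:
        if not enabled:
            findings.append("browser Java disabled on a host that needs applets")
        if props.get(LEVEL_KEY, "").upper() not in ("HIGH", "VERY_HIGH"):
            findings.append("security level below HIGH: applets may run without a prompt")
    else:
        if enabled:
            findings.append("browser Java still enabled")
        if not locked:
            findings.append("setting not locked: a user can re-enable it in the Control Panel")
    return findings
```

Run `audit()` over each host's deployment.properties with the host's class from your inventory; a non-empty list is a host to fix.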
On the browser front, some browser vendors have taken steps to protect their users from potential Java vulnerabilities. Right now, Apple and Firefox have taken the most substantial steps. Apple has updated its security mechanisms to disallow old and unpatched versions of Java from running in the browser. Firefox has added even recent versions of Java to its “Click to Play” list, which is a mechanism intended to help users prevent drive-by downloads that could result in malware infestation or exploitation of vulnerabilities.