Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10 Facts: Secure Java For Business Use

Businesses that rely on Java must now take additional steps to keep employees safe. Here's where to start.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
Is Java safe to use? That's the refrain heard after every round of new zero-day vulnerabilities that get spotted in Java, followed days or weeks later by related patches from Oracle.

But the question still stands: Is the Java programming language -- which encompasses client-side desktop applications and Web browser extensions, embedded platforms, as well as Java running on smartphones such as Android -- safe to use? Or is it an over-targeted time bomb that's best avoided by anyone with an ounce of security sense?

Here are 10 related facts:

1. Security Concern: Client-Side Java

To be clear, the current Java security worries center on client-side Java, and the prevalence with which attackers have been finding and exploiting vulnerabilities in Java browser extensions. The latest threat has been the two zero-day vulnerabilities in Java 7 first publicly detailed last week, which allow attackers to run arbitrary code on vulnerable machines. Oracle Sunday released an update, dubbed Java 7 Update 11, that fixes or works around the flaws.

Monday, however, security firm Immunity reported that the fix from Oracle only repairs one of the two zero-day flaws. "Only one of the two bugs were fixed, making Java still vulnerable to one of the bugs used in the exploit found in the wild," said security researcher Esteban Guillardoy at Immunity in a blog post.

2. Second Zero-Day Vulnerability Remains A Vulnerability

But the other component wasn't patched per se, but rather addressed via new, default security settings in Java, which now require a user to authorize any Java applet that wants to run.

[ The attacks just keep on coming. Read Red October Espionage Network Rivals Flame. ]

Unfortunately, that "fix" now puts more security onus on users. "In theory, this should reduce the impact of malicious applets. However, because users can still expressly authorize these malicious applets, users may still be affected," said Jonathan Leopando, a technical communications specialist at Trend Micro, in a blog post.

Furthermore, the unpatched vulnerability remains. Using that bug, "an attacker with enough knowledge of the Java code base and the help of another zero day bug to replace the one [that's been] fixed can easily continue compromising users," said Guillardoy, provided the attacker launches the exploit using a signed Java applet.

3. DHS Recommends: Disable Java

In the wake of the Sunday part-patch, the Department of Homeland Security Monday said that from a risk standpoint, Java remains too hot to handle. "Unless it is absolutely necessary to run Java in Web browsers, disable it ... even after updating to 7u11," according to the DHS advisory (which also details exactly how to disable Java). "This will help mitigate other Java vulnerabilities that may be discovered in the future."

The tail end of the advisory encapsulates many security experts' current thinking: Disabling Java today ensures businesses won't be unknowingly compromised by future zero-day Java vulnerabilities. Or as Bogdan Botezatu, a senior e-threat analyst at security software vendor Bitdefender, put it via email: "As [Java] attacks are highly likely to hit from the Web, the absence of the plug-in would dramatically cut down on the attack surface."

4. Danger: Java Continues To Be Attack Magnet

Attack surface is the operative phrase, because zero-day Java vulnerabilities continue to be sought after by online criminals or anyone else seeking to exploit targeted PCs. "These types of vulnerabilities are attractive to criminals because Java is somewhat platform agnostic -- so the same vulnerability can be used to reliably exploit a variety of targets -- and historically, Oracle has been slow to release fixes, which maximizes the timeframe in which the exploit can be utilized," said Joe DeMesy, a senior analyst at information security consultancy Stach & Liu, via email.

Indeed, the Red October espionage malware (nicknamed "Rocra") first publicly detailed Monday by Kaspersky Lab includes an attack module for exploiting a Java vulnerability (CVE-2011-3544) that was patched in October 2011. But the most recent Rocra attack module designed to exploit the vulnerability was compiled in February 2012, reported security firm Seculert. That lag highlights how even after a patch had been released, attackers still expected to find exploitable machines four months later.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mathew
50%
50%
Mathew,
User Rank: Apprentice
1/16/2013 | 10:11:51 AM
re: 10 Facts: Secure Java For Business Use
Great idea to separate the browsers, then enforce that separation. Sounds like an elegant -- and yes, above all still quite usable -- solution for any business or person needing to use a browser that runs the Java plug-in.
Mathew
50%
50%
Mathew,
User Rank: Apprentice
1/16/2013 | 10:11:07 AM
re: 10 Facts: Secure Java For Business Use
Hi Kraegan, thanks for the question. The vulnerability is in the Java runtime environment on desktops, with the worry focusing on the Java browser plug-in. JavaScript is not affected.
verdumont456
50%
50%
verdumont456,
User Rank: Apprentice
1/15/2013 | 7:53:01 PM
re: 10 Facts: Secure Java For Business Use
This problem was solved at my previous employer by allowing Firefox to be installed on to the Desktops. Users were advised to use IE for accessing intranet apps (internal apps) and FF for general browsing. Lot of our internal apps were using client side java applets (for some reason). Users didn't complain a bit. Always, there is a danger that some employees might use IE for surfing internet, but there was a security setting, which would prompt users whenever Java applets are used on the "Internet" sites. I guess that provided some degree of protection without compromising the usability
Kraegan
50%
50%
Kraegan,
User Rank: Apprentice
1/15/2013 | 5:37:28 PM
re: 10 Facts: Secure Java For Business Use
Sun Java architecture or Javascript server side processing language? I'm not quite sure which this article is referring to.
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-28042
PUBLISHED: 2021-03-05
Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component. This can lead to remote code execution.
CVE-2021-28041
PUBLISHED: 2021-03-05
ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
CVE-2021-3377
PUBLISHED: 2021-03-05
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.
CVE-2021-3420
PUBLISHED: 2021-03-05
A flaw was found in newlib in versions prior to 4.0.0. Improper overflow validation in the memory allocation functions mEMALIGn, pvALLOc, nano_memalign, nano_valloc, nano_pvalloc could case an integer overflow, leading to an allocation of a small buffer and then to a heap-based buffer overflow.
CVE-2020-29020
PUBLISHED: 2021-03-05
Improper Access Control vulnerability in web service of Secomea SiteManager allows remote attacker to access the web UI from the internet using the configured credentials. This issue affects: Secomea SiteManager All versions prior to 9.4.620527004 on Hardware.