Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10 Facts: Secure Java For Business Use

Businesses that rely on Java must now take additional steps to keep employees safe. Here's where to start.

11 Security Sights Seen Only At Black Hat
11 Security Sights Seen Only At Black Hat
(click image for larger view and for slideshow)
5. Enforce Java Restrictions With Management Tools

Enable Java, or disable Java? In fact, using Java doesn't have to be an all-or-nothing proposition. "There are multiple approaches to mitigating this issue, depending on a variety of factors, such as network architecture, the degree of employee IT literacy or other security measures running at the network perimeter," said Bitdefender's Botezatu.

For example, for businesses that don't outright block Java extensions in employees' browsers, "there are a number of third-party group policy tools that offer a high level of centralized management for the Java environment," said Botezatu. He named PolicyPak as one possibility, noting that "this centralized management application also allows remote disabling of Java in the event of a serious flaw."

"Alternatively, basic settings can be configured via GPO (Group Policies) by the network administrator to disable plug-ins [on a] per browser [basis], or to enforce additional security restrictions on Java," he said.

6. Lock Down Java Extension With White List

For any business that keeps its Java browser extensions activated, veteran Oracle bug-finder Adam Gowdiak, who heads the Poland-based firm Security Explorations, recommends never accessing untrusted websites when Java is enabled. In other words, if you have to access a website that requires Java in the browser, then enable it, visit the site, and promptly disable Java. But good luck enforcing that approach with employees.

Another approach is to use a browser extension that runs interference. For example, NoScript for Firefox offers whitelisting for websites, so only known-trusted sites can be allowed to run Java in the browser.

7. Consider Maintaining Separate, Java-Only Browser

Another workaround for the Java security risk is to designate one browser for general use, on which Java hasn't been installed. Then use an entirely different browser for any site that requires Java. "At this moment, we are advising users to only enable the Java plug-in in a browser they use for specific tasks -- not in the primary browser used for Web surfing," said Botezatu.

8. Oracle: Patch Faster

Beyond point technologies for securing Java, Gowdiak at Security Explorations said via email that Oracle could improve Java security simply by devoting more resources to fixing its code. "Oracle should rethink its Java patch release policy," he said. "The company needs to take into account that critical security flaws in its widely used Java software may affect hundreds of millions of users. Months of delays in delivering a patch for a security bug may unnecessarily expose users to the risk of being attacked."

9. Upcoming: New Java Every Two Years

One timing change announced by Oracle -- just last week -- is that with the introduction of Java 8, which is scheduled to be released in September, it plans to begin releasing new versions of the open source software every two years. According to Oracle, the increasing complexity of Java has made it more difficult for the company to release new versions of the software in a timely manner.

But will the change lead to marked security improvements? "It's difficult to actually conclude anything" based on the new Java updating announcement, said Gowdiak. "The two-year cycle for major Java releases does not [guarantee] that Java code would be more secure or that patches for security vulnerabilities found would be released quicker."

10. Improvement: Separate Desktop Java From Browser Java

To make it easier for businesses to secure Java, Oracle could also ship different types of Java separately. "The [security] problem is exacerbated by the bundling of the browser extension -- used by websites to create more interactive components -- with the main Java runtime environment, used to create desktop applications," said DeMesy at Stach & Liu. "This often results in end users unknowingly installing and exposing the Java browser plug-in to attackers."

In other words, one quick fix would be to allow businesses to install the Java runtime environment on desktops, without having to install the browser extension as well. "Since so few websites legitimately use the Java Web browser extension, it is most prudent to disable it entirely," said DeMesy, or else to "only re-enable it for specific sites determined to be trustworthy."

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mathew
50%
50%
Mathew,
User Rank: Apprentice
1/16/2013 | 10:11:51 AM
re: 10 Facts: Secure Java For Business Use
Great idea to separate the browsers, then enforce that separation. Sounds like an elegant -- and yes, above all still quite usable -- solution for any business or person needing to use a browser that runs the Java plug-in.
Mathew
50%
50%
Mathew,
User Rank: Apprentice
1/16/2013 | 10:11:07 AM
re: 10 Facts: Secure Java For Business Use
Hi Kraegan, thanks for the question. The vulnerability is in the Java runtime environment on desktops, with the worry focusing on the Java browser plug-in. JavaScript is not affected.
verdumont456
50%
50%
verdumont456,
User Rank: Apprentice
1/15/2013 | 7:53:01 PM
re: 10 Facts: Secure Java For Business Use
This problem was solved at my previous employer by allowing Firefox to be installed on to the Desktops. Users were advised to use IE for accessing intranet apps (internal apps) and FF for general browsing. Lot of our internal apps were using client side java applets (for some reason). Users didn't complain a bit. Always, there is a danger that some employees might use IE for surfing internet, but there was a security setting, which would prompt users whenever Java applets are used on the "Internet" sites. I guess that provided some degree of protection without compromising the usability
Kraegan
50%
50%
Kraegan,
User Rank: Apprentice
1/15/2013 | 5:37:28 PM
re: 10 Facts: Secure Java For Business Use
Sun Java architecture or Javascript server side processing language? I'm not quite sure which this article is referring to.
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Tell him only Kevin Mitnick and the President know the launch codes.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31607
PUBLISHED: 2021-04-23
In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function...
CVE-2021-31597
PUBLISHED: 2021-04-23
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
CVE-2021-2296
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
CVE-2021-2297
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
CVE-2021-2298
PUBLISHED: 2021-04-22
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attac...