Disable Java? For agencies, the real question is: Why not?
Here we go again: A new exploit for Java and a new call to disable it in your browser, at least until a fix is issued.
The U.S. Computer Emergency Readiness Team (US-CERT) released the advisory Jan. 10. Oracle released the fix three days later, but the issue is not dead. The CERT of Carnegie Mellon’s Software Engineering Institute advises that “unless it is absolutely necessary to run Java in Web browsers, disable it as described below, even after updating.”
But the solution notes that because of a potential bug in the Java installer, the necessary control panel could be missing in some Windows systems. Also, “we have encountered situations where Java will crash if it has been disabled in the Web browser as described above and then subsequently re-enabled,” the institute’s advisory says. “Reinstalling Java appears to correct this situation.”
So you have to ask yourself, is Java absolutely necessary to my mission? And you have to decide what the pros and cons are of disabling it in your enterprise. It might not be a simple decision.
Java is a widely used programming language for client-server Web applications, and has been a common target since 2010. Exploits are significant concerns because Java runs on so many computers whether or not users are aware of it. If users aren’t aware, it might not be updated regularly.
Oracle issued an out-of-cycle patch in August for a serious vulnerability that resulted in calls to disable Java. The most recent vulnerability was found in Java 7 Update 10, which could allow unauthenticated attackers to remotely execute code. Update 11, released Jan. 13, sets default Java security settings to “high” so that users are prompted before running unsigned or self-signed applets.
“The fix, from our testing, works, so it’s not an issue,” said Gavin O’Gorman, senior threat intelligence analyst at Symantec Security Response. But O’Gorman agrees that disabling Java, and all other browser plug-ins is a good policy, except on trusted sites. “You’re opening yourself up to exploits with any plug-in you enable on your browser,” he said.
What do you lose by disabling Java? “Personally, I don’t see much of a difference,” he said.
But Java is useful. “It is deeply embedded in enterprise applications,” said A.N. Ananth, CEO of Prism Microsystems.
The government has established a Federal Desktop Core Configuration baseline for a variety of operating systems that originally called for disabling Java for all zones. But when it was found that needed Java-based applications failed, this was amended to allow Java at a “high security” (the new default) setting for intranet and trusted-site zones.
“I hesitate to say that government can afford” to turn Java off, although it might be easier for an agency than for a business, said Ananth.
“I’m not for whacking Java completely,” he said. Getting rid of it might eliminate Java-specific vulnerabilities, but new vulnerabilities will come along in whatever replaces it. “The emperor has no clothes,” he said. “Everything you turn on proves to be vulnerable at some point.”
So turn off Java if you don’t need it, but first decide whether or not you need it. And while you’re at it, evaluate all the other tools that could introduce vulnerabilities into your enterprise because nothing is invulnerable.
Posted by William Jackson on Jan 14, 2013 at 9:39 AM