CYBEREYE

Time to give up on Java?

With the release by Oracle of an out-of cycle patch for the latest vulnerability in Java 7, the zero-day window has officially closed (although exploitation of unpatched installations could continue for years). But agencies still have to decide whether the benefits of running Java outweigh the risks.

It would be extreme to declare that Java has outlived its usefulness, but the recent patch does not end the threat or eliminate the question of whether to disable it.

“You don’t know when the next zero-day will come up,” said Stephen Cobb, security evangelist at the security company Eset. “It’s an alternative to keeping up with the patching process. The consensus in the security industry now is you should turn it off in the browser, if not remove it from the machine.”


Related coverage:

Oracle issues patch for Java flaws; attacks tied to Nitro gang

Zero-day exploit hits Java – should you just turn it off?


What would you lose by disabling or removing it? “It’s hard to say if you don’t know what they are using it for,” Cobb said. “The decision to take it off a system is one the IT shop should make.”

The current concerns about Java began with the discovery of malware exploiting a flaw in Java 7 that lets a Java applet grant itself permission to execute arbitrary operating system commands. U.S. Computer Emergency Readiness Team on Aug. 27 issued an alert recommending that the Java plug-in be disabled “to protect against this and future vulnerabilities.” It was updated to include information on the Aug. 30 Java update.

Java is a widely-used programming language for client-server Web applications, and exploits against it are not new. Java has been a common target since 2010 and attacks are a significant concern because Java is running on so many computers and because many users often are not aware of it and do not update it regularly.

This is compounded by the fact that Oracle only issues updates quarterly (the next regular update is due in October), and in the enterprise environment, testing and installing patches can be a lengthy process with a low priority that often falls behind schedule. The result is a large installed base of outdated and vulnerable software that does not require a zero-day exploit to allow compromise.

The government has established a Federal Desktop Core Configuration baseline for a variety of operating systems that currently enables Java. The original FDCC release called for disabling Java for all zones, but when it was found that necessary Java-based applications failed this was amended to allow Java at a “high security” setting for intranet and trusted sites zones.

Because the impact of removing Java will vary from one organization to another, a reasonable option is to disable it on the browser to find out what breaks. If it creates a problem, it can always be turned back on. This basically is the approach taken by Google’s Chrome browser, Cobb said. It does not run Java by default, but asks the user on a case-by-case basis. This is not perfect because the user has to know whether to trust the website. But it’s a start.

If you decide to disable Java, the US-CERT alert and a number of other blogs and announcements provide instructions and links for disabling it in different browsers. Unfortunately, Microsoft’s Internet Explorer, one of the most popular browsers, does not make the job easy.

“Disabling the Java plug-in for Internet Explorer is significantly more complicated than with other browsers,” US-CERT says. “There are multiple ways for a web page to invoke a Java applet, and multiple ways to configure Java plug-in support.”

In the meantime, there is the new Oracle patch to deal with, which is both good news and bad news. The good news, of course, is that there is a patch that can protect from current threats. The bad news is that the patch has to be tested before it is rolled out to ensure that it doesn’t break things in your environment, which is not necessarily a simple task.

“It’s something I wouldn’t want to be doing over the Labor Day weekend,” Cobb said.

 

About the Author

William Jackson is freelance writer and the author of the CyberEye blog.

Reader Comments

Fri, Sep 7, 2012 Andy

If we start complaining about Java being just marketing hype and closed source, then let's here the same complaining about any other programming language interpreter or compiler that happens to be popular and only available for use in binary executable form. Any language that can be used to run a relational database in real time can't be that slow (ever hear of "Derby"?). Remember when relational databases were considered too complex to even implement? Any slowness of a program due to its programming language these days is likely due to the overhead of the OS, not the language. As far as vulnerabilities of any software these days, there are 3 choices; stop using computers, use computers completely stand-alone, or accept and deal with the risks of networked computers. Sticking your head in the sand doesn't do anyone any good.

Thu, Sep 6, 2012 Vern

So why not remove IE or whatever software has security risks. Java is no different than any other piece of software. to be secure you need to keep it patched.

Thu, Sep 6, 2012

The problem isn't Java, it's the crap programmers colleges are producing these days.

Thu, Sep 6, 2012 DigitalJoe

Let's not forget that it was the brilliance of JAVA that let us write cross-platform compatible applications. Applications that have proliferated across the world seamlessly to almost every hardware platform. Java has saved organizations hundreds of millions of dollars in development and deployment costs. Now with a software language that is so widely used for good is also used for bad. Java is at crossroads. Or Oracle is at a crossroads. Since Oracle assimilated SUN, I have been skeptical of their commitment to Java's continued growth and maturity. With a quarterly, release schedule from Oracle, organization will have to develop mitigations to the vulnerabilities. This also tells where Oracle true commitment lies. Additionally, the IT shops are not the ones who should decide to the remove Java. Java is everywhere. It's on our phones, TVs, DVD players, mp3 players. It's at the heart of many of web enabled applications and services. Turning off Java without careful planning, will break business processes across the globe. If this zero-day vulnerability is that bad, then we are looking at a Y2K-like event to really solve it. Solving Y2K was not trivial to solve. It took careful analysis and planning to fix the broken software. Similar thinking and planning should be implored. Just turning off Java is non-trivial.

Tue, Sep 4, 2012

Great. I'm getting ready to start an applied IT graduate program and the first thing I have to take is intro to JAVA. I haven't programmed in a couple decades and grew up learning things like FORTRAN, C, and even a bit of COBOL. I'd hate to learn something new and see it tossed out the window.

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above