By Patrick Marshall

Blog archive
Dirty coffee cups in sink

Disable Java? For agencies, the real question is: Why not?

Here we go again: A new exploit for Java and a new call to disable it in your browser, at least until a fix is issued.

The U.S. Computer Emergency Readiness Team (US-CERT) released the advisory Jan. 10. Oracle released the fix three days later, but the issue is not dead. The CERT of Carnegie Mellon’s Software Engineering Institute advises that “unless it is absolutely necessary to run Java in Web browsers, disable it as described below, even after updating.”

But the solution notes that because of a potential bug in the Java installer, the necessary control panel could be missing in some Windows systems. Also, “we have encountered situations where Java will crash if it has been disabled in the Web browser as described above and then subsequently re-enabled,” the institute’s advisory says. “Reinstalling Java appears to correct this situation.”

So you have to ask yourself, is Java absolutely necessary to my mission? And you have to decide what the pros and cons are of disabling it in your enterprise. It might not be a simple decision.

Java is a widely used programming language for client-server Web applications, and has been a common target since 2010. Exploits are significant concerns because Java runs on so many computers whether or not users are aware of it. If users aren’t aware, it might not be updated regularly.

Oracle issued an out-of-cycle patch in August for a serious vulnerability that resulted in calls to disable Java. The most recent vulnerability was found in Java 7 Update 10, which could allow unauthenticated attackers to remotely execute code. Update 11, released Jan. 13, sets default Java security settings to “high” so that users are prompted before running unsigned or self-signed applets.

“The fix, from our testing, works, so it’s not an issue,” said Gavin O’Gorman, senior threat intelligence analyst at Symantec Security Response. But O’Gorman agrees that disabling Java, and all other browser plug-ins is a good policy, except on trusted sites. “You’re opening yourself up to exploits with any plug-in you enable on your browser,” he said.

What do you lose by disabling Java? “Personally, I don’t see much of a difference,” he said.

But Java is useful. “It is deeply embedded in enterprise applications,” said A.N. Ananth, CEO of Prism Microsystems.

The government has established a Federal Desktop Core Configuration baseline for a variety of operating systems that originally called for disabling Java for all zones. But when it was found that needed Java-based applications failed, this was amended to allow Java at a “high security” (the new default) setting for intranet and trusted-site zones.

“I hesitate to say that government can afford” to turn Java off, although it might be easier for an agency than for a business, said Ananth.

“I’m not for whacking Java completely,” he said. Getting rid of it might eliminate Java-specific vulnerabilities, but new vulnerabilities will come along in whatever replaces it. “The emperor has no clothes,” he said. “Everything you turn on proves to be vulnerable at some point.”

So turn off Java if you don’t need it, but first decide whether or not you need it. And while you’re at it, evaluate all the other tools that could introduce vulnerabilities into your enterprise because nothing is invulnerable.

Posted by William Jackson on Jan 14, 2013 at 9:39 AM


  • People
    Federal CIO Suzette Kent

    Federal CIO Kent to exit in July

    During her tenure, Suzette Kent pushed on policies including Trusted Internet Connection, identity management and the creation of the Chief Data Officers Council

  • Defense
    Essye Miller, Director at Defense Information Management, speaks during the Breaking the Gender Barrier panel at the Air Space, Cyber Conference in National Harbor, Md., Sept. 19, 2017. (U.S. Air Force photo/Staff Sgt. Chad Trujillo)

    Essye Miller: The exit interview

    Essye Miller, DOD's outgoing principal deputy CIO, talks about COVID, the state of the tech workforce and the hard conversations DOD has to have to prepare personnel for the future.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.