The zero-day window for the latest Java vulnerability has officially closed, but agencies still have to decide whether the benefits of running Java on their computers outweigh the risks.
With the release by Oracle of an out-of-cycle patch for the latest vulnerability in Java 7, the zero-day window has officially closed (although exploitation of unpatched installations could continue for years). But agencies still have to decide whether the benefits of running Java outweigh the risks.
It would be extreme to declare that Java has outlived its usefulness, but the recent patch does not end the threat or eliminate the question of whether to disable it.
“You don’t know when the next zero-day will come up,” said Stephen Cobb, security evangelist at the security company Eset. “It’s an alternative to keeping up with the patching process. The consensus in the security industry now is you should turn it off in the browser, if not remove it from the machine.”
What would you lose by disabling or removing it? “It’s hard to say if you don’t know what they are using it for,” Cobb said. “The decision to take it off a system is one the IT shop should make.”
The current concerns about Java began with the discovery of malware exploiting a flaw in Java 7 that lets a Java applet grant itself permission to execute arbitrary operating system commands. The U.S. Computer Emergency Readiness Team (US-CERT) on Aug. 27 issued an alert recommending that the Java plug-in be disabled “to protect against this and future vulnerabilities.” The alert was later updated to include information on the Aug. 30 Java update.
Java is a widely used programming language for client-server Web applications, and exploits against it are not new. Java has been a common target since 2010, and attacks are a significant concern because Java is running on so many computers and because many users are not aware of it and do not update it regularly.
This is compounded by the fact that Oracle issues updates only quarterly (the next regular update is due in October), and in the enterprise environment, testing and installing patches can be a lengthy, low-priority process that often falls behind schedule. The result is a large installed base of outdated and vulnerable software that can be compromised without any zero-day exploit.
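Finding that outdated installed base is the first step before deciding whether to patch or disable. The following is an added example, not code from the article, US-CERT or Oracle: it parses the version line that `java -version` prints (the real `"1.7.0_06"` format) for a set of hosts and flags runtimes below a chosen minimum build. The host names and version lines are constructed sample data, and the baseline versions in `BASELINE` are placeholders to be set from the vendor advisory, not values stated by the article.

```python
"""
Flag outdated Java runtimes from inventory output.

Added example: parses the first line of `java -version` output (note that the
real command prints this line to stderr) and compares each runtime against a
minimum patched build per major release line.
"""
import re
from typing import Dict, Iterable, Optional, Tuple

# Matches e.g. 'java version "1.7.0_06"'; the "_NN" update number is optional.
VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')

Version = Tuple[int, int, int, int]  # (major, minor, micro, update)

# Minimum acceptable build per release family. PLACEHOLDER values: set these
# from the current vendor advisory; they are not taken from the article.
BASELINE: Dict[Tuple[int, int], Version] = {
    (1, 7): (1, 7, 0, 7),
    (1, 6): (1, 6, 0, 35),
}


def parse_java_version(line: str) -> Optional[Version]:
    """Return the version tuple from a `java -version` line, or None."""
    m = VERSION_RE.search(line)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def classify(version: Version) -> str:
    """Compare a parsed version against the baseline for its release family."""
    baseline = BASELINE.get(version[:2])
    if baseline is None:
        # A family with no baseline (e.g. end-of-life) cannot be patched at all.
        return "unsupported-family"
    # Tuple comparison orders (major, minor, micro, update) lexicographically.
    return "current" if version >= baseline else "outdated"


def audit(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map each host to its status: current, outdated, unsupported-family,
    or no-java-detected when the collected line is not a version line."""
    results: Dict[str, str] = {}
    for host, line in inventory:
        version = parse_java_version(line)
        results[host] = "no-java-detected" if version is None else classify(version)
    return results


# Constructed sample inventory: one collected output line per host.
SAMPLE_INVENTORY = [
    ("ws-001", 'java version "1.7.0_06"'),
    ("ws-002", 'java version "1.7.0_07"'),
    ("ws-003", 'java version "1.6.0_33"'),
    ("ws-004", 'java version "1.5.0_22"'),
    ("ws-005", "java: command not found"),
]

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as `outdated` are the ones the article warns about: compromisable by already-public exploits even after the zero-day window has closed. In practice the inventory lines would come from a software-inventory tool or a login script rather than being embedded.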
The government has established a Federal Desktop Core Configuration (FDCC) baseline for a variety of operating systems that currently enables Java. The original FDCC release called for disabling Java in all zones, but when it was found that necessary Java-based applications failed, this was amended to allow Java at a “high security” setting for the intranet and trusted sites zones.
Because the impact of removing Java will vary from one organization to another, a reasonable option is to disable it in the browser and find out what breaks. If that creates a problem, it can always be turned back on. This is basically the approach taken by Google’s Chrome browser, Cobb said. It does not run Java by default, but asks the user on a case-by-case basis. This is not perfect, because the user has to know whether to trust the website. But it’s a start.
If you decide to disable Java, the US-CERT alert and a number of other blogs and announcements provide instructions and links for disabling it in different browsers. Unfortunately, Microsoft’s Internet Explorer, one of the most popular browsers, does not make the job easy.
“Disabling the Java plug-in for Internet Explorer is significantly more complicated than with other browsers,” US-CERT says. “There are multiple ways for a web page to invoke a Java applet, and multiple ways to configure Java plug-in support.”
In the meantime, there is the new Oracle patch to deal with, which is both good news and bad news. The good news, of course, is that there is a patch that can protect against current threats. The bad news is that the patch has to be tested before it is rolled out, to ensure that it doesn’t break things in your environment, which is not necessarily a simple task.
“It’s something I wouldn’t want to be doing over the Labor Day weekend,” Cobb said.