
Jettisoning Java: Damned if You Do, Damned if You Don’t

The U.S. Department of Homeland Security is urging computer users to disable or uninstall Java because of a serious flaw in Java Runtime Environment (JRE) 7.

The DHS’ Computer Emergency Readiness Team warned Thursday evening that the flaw was being exploited in the wild and could allow an attacker to execute arbitrary code on vulnerable systems.

CERT recommended that Java be disabled in Web browsers. It pointed users to the Solution section of the US-CERT Alert and to the Oracle technical note Setting the Security Level of the Java Client for instructions on how to do that.

Another Zero-Day Alarm

The warning is bad news for Java, which has been the target of more than its fair share of zero-day exploits.

“I’ve said it before and I’ll say it again; if you don’t need Java, disable it,” Andrew Storms, director of security operations for nCircle, told TechNewsWorld.

“It’s a drive-by bug, so little user interaction is necessary, and people won’t even know they’ve been attacked until it’s too late,” he explained. “Although current attacks are focused on Windows, this bug isn’t operating system specific, so no one will be safe for long — especially since major exploit kits now include attacks.”

The potential consequences of exploitation are high, noted Tyler Shields, senior security researcher at Veracode.

An attack “can lead to theft of sensitive data, use of the compromised computer as a zombie or botnet node, and continued attacker persistence on the system,” he told TechNewsWorld.

What to Do?

The obvious solution is to follow CERT’s warning and turn off Java. Many consumers probably don’t know if they are using it or not in their browsers, but “if you aren’t sure, find out now and turn it off,” said Storms.

Users can follow these links to turn off Java browser plug-ins:
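For administrators who have to do this across a fleet rather than one Control Panel at a time, here is an added example (written for this page, not code from US-CERT, Oracle, or any of the people quoted above). It audits and rewrites a Java 7 client's deployment.properties so that the browser plug-in is switched off and the Java client security level is at its strictest position, then locks both settings so a user cannot flip them back. Every detail it relies on is an assumption stated in the code: the key names deployment.webjava.enabled and deployment.security.level, the "<key>.locked" convention, the deployment.config pointer keys, the file paths, and the sample file contents, which are constructed for the demo. Check them against the Oracle deployment documentation for the Java version you actually run.

```python
"""Audit and harden a Java 7 client's deployment.properties so the browser
plug-in is off and the Java security level is at its strictest setting.

Added example for this article; it is not code from US-CERT, Oracle, or the
article's sources. Everything below is an assumption made for the demo:
the key names deployment.webjava.enabled / deployment.security.level (the
settings behind the Java Control Panel's "Enable Java content in the browser"
checkbox and security slider in 7u10+), the '<key>.locked' convention for
making a setting read-only, the deployment.config pointer keys, the file
paths, and the sample file contents.
"""
from __future__ import annotations

import re
from pathlib import Path

# Settings an administrator pushes to every endpoint (assumed key names).
HARDENED = {
    "deployment.webjava.enabled": "false",     # no applets / Web Start in browsers
    "deployment.security.level": "VERY_HIGH",  # strictest slider position
}

# Constructed sample of a typical user-level file before hardening.
WEAK_SAMPLE = """\
#deployment.properties
#Thu Jan 10 20:33:00 EST 2013
deployment.version=7.10
deployment.webjava.enabled=true
deployment.security.level=MEDIUM
"""

# key, then optional '=' or ':' (or just whitespace), then the rest as the value
_LINE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*?)\s*$")


def parse_properties(text: str) -> dict:
    """Parse the subset of Java .properties syntax these files use.

    Comment lines start with '#' or '!'; a bare key such as 'x.locked'
    gets the value ''. Backslash escapes are left untouched."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def render_properties(props: dict) -> str:
    """Serialise back to key=value lines; bare keys stay bare."""
    return "".join(f"{k}={v}\n" if v else f"{k}\n" for k, v in props.items())


def audit(text: str) -> list:
    """Return findings for a deployment.properties file; [] means compliant."""
    props = parse_properties(text)
    findings = []
    for key, wanted in HARDENED.items():
        actual = props.get(key)
        if actual is None:
            findings.append(f"{key} unset (Java's default applies)")
        elif actual.lower() != wanted.lower():
            findings.append(f"{key}={actual}, expected {wanted}")
        if f"{key}.locked" not in props:
            findings.append(f"{key} not locked: a user can change it in the Control Panel")
    return findings


def harden(text: str) -> str:
    """Rewrite the file with the hardened values, each locked against user edits."""
    props = parse_properties(text)
    for key, wanted in HARDENED.items():
        props[key] = wanted
        props[f"{key}.locked"] = ""   # greys out the control in the Java Control Panel
    return render_properties(props)


def deployment_config(system_props_path: str) -> str:
    """deployment.config contents that push the system-wide file onto every user
    (assumed keys and semantics: 'mandatory' means Java should not run if the
    file cannot be loaded)."""
    return (f"deployment.system.config=file:{system_props_path}\n"
            "deployment.system.config.mandatory=true\n")


def harden_file(path: Path) -> list:
    """Harden a file in place (creating it if absent); return the findings it had before."""
    before = path.read_text() if path.exists() else ""
    findings = audit(before)
    path.write_text(harden(before))
    return findings


if __name__ == "__main__":
    print("Findings before:", *audit(WEAK_SAMPLE), sep="\n  ")
    print("\nHardened file:\n" + harden(WEAK_SAMPLE))
    # Assumed system path for a Linux host; Windows keeps these under %WINDIR%\Sun\Java\Deployment.
    print("deployment.config:\n" + deployment_config("/etc/.java/deployment/deployment.properties"))
```

Run it against the system-level deployment.properties on each host and point deployment.config at that file, so the user-level copy cannot override it. The caveat is the one the article's sources raise: this turns off every applet and Web Start launch in the browser, internal Java Web applications included, so apply it per host group after the risk assessment rather than blindly across the estate.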

Low Compliance Expected

Unfortunately, many consumers and businesses are not likely to take this advice. If they did, they would lose access to sites they need for work or want for play.

In short, the suggested workaround “is conceptually difficult and likely to not be implemented by many end users unless they are forced to comply,” Shields said.

It may be more difficult for businesses to disable Java than for consumers.

“Many companies have used Java as a primary component to their websites and internal Web-based applications,” Jerry Irvine, CIO of Prescient Solutions, told TechNewsWorld. “For these companies, balancing the risk with the requirement of continuing to perform day-to-day functions is a major issue.”

“If you disable Java blindly, you’re going to break a lot of functionality,” A.N. Ananth, CEO of EventTracker, told TechNewsWorld.

“This means a tremendous disruption to your company’s operations,” he said. “Government organizations may be able to consider this, but commercial ones will cringe at the prospect.”

Risk Assessment Time

Still, some sort of analysis of the pros and cons of ditching Java is necessary, Ananth continued.

“When confronted with a vulnerability — today it’s an attack on Java, tomorrow it will be something else — the systemic response needs to be an assessment of the risk to the enterprise, starting with the most critical systems,” he explained.

“If this assessment shows that you’re vulnerable to an attack no matter what you do, and the risk of loss is beyond the threshold of acceptance — then sure, consider disabling Java,” Ananth said.

Basically, none of the choices confronting businesses that have applications reliant on Java are palatable, nCircle’s Storms said. “The continuing stream of serious Java bugs has got to be discouraging for businesses that rely on it — it certainly makes alternatives like HTML5 look more attractive.”

1 Comment

  • And, this one is just lovely confusing. Why? Because there is java, and javascript. The latter is impossible to avoid using at all, but, presumably, wouldn’t have the same exploits. The other... is ***mandatory*** when visiting certain sites, where the existing javascript + browser features can’t do what is necessary to deliver a result. A good example of that being apps that show how certain things work in math (since you need to be able to adjust variables, and have the animation change, based on that, and javascript doesn’t do either of those things well). Why? Because one is a script language, the other is an actual language. And, of course, this is also what makes it more dangerous. It can do things on the machine that the other ones just can’t.

    Generally though, if they mean Javascript, not "java"… then you would be breaking like 99.9% of all web pages out there. But, you don’t need the full blown thing, for 98% of them. But, the average user, which is to say, the sort of people that might not also have plugins installed to prevent script from running, unless allowed/whitelisted, etc., and wouldn’t know what is safe, are not going to have a clue what the difference is.
