10 Facts: Secure Java For Business Use by Mathew J. Schwartz
Is Java safe to use? That's the refrain heard after every round of new zero-day vulnerabilities that get spotted in Java, followed days or weeks later by related patches from Oracle.
But the question still stands: Is the Java programming language -- which encompasses client-side desktop applications and Web browser extensions, embedded platforms, as well as Java running on smartphones such as Android -- safe to use? Or is it an over-targeted time bomb that's best avoided by anyone with an ounce of security sense?
Here are 10 related facts:
1. Security Concern: Client-Side Java
To be clear, the current Java security worries center on client-side Java, and the prevalence with which attackers have been finding and exploiting vulnerabilities in Java browser extensions. The latest threat has been the two zero-day vulnerabilities in Java 7 first publicly detailed last week, which allow attackers to run arbitrary code on vulnerable machines. Oracle Sunday released an update, dubbed Java 7 Update 11, that fixes or works around the flaws.
Monday, however, security firm Immunity reported that the fix from Oracle only repairs one of the two zero-day flaws. "Only one of the two bugs were fixed, making Java still vulnerable to one of the bugs used in the exploit found in the wild," said security researcher Esteban Guillardoy at Immunity in a blog post.
2. Second Zero-Day Vulnerability Remains A Vulnerability
But the other component wasn't patched per se, but rather addressed via new, default security settings in Java, which now require a user to authorize any Java applet that wants to run.
[ The attacks just keep on coming. Read Red October Espionage Network Rivals Flame. ]
Unfortunately, that "fix" now puts more security onus on users. "In theory, this should reduce the impact of malicious applets. However, because users can still expressly authorize these malicious applets, users may still be affected," said Jonathan Leopando, a technical communications specialist at Trend Micro, in a blog post.
Furthermore, the unpatched vulnerability remains. Using that bug, "an attacker with enough knowledge of the Java code base and the help of another zero day bug to replace the one [that's been] fixed can easily continue compromising users," said Guillardoy, provided the attacker launches the exploit using a signed Java applet.
3. DHS Recommends: Disable Java
In the wake of the Sunday part-patch, the Department of Homeland Security Monday said that from a risk standpoint, Java remains too hot to handle. "Unless it is absolutely necessary to run Java in Web browsers, disable it ... even after updating to 7u11," according to the DHS advisory (which also details exactly how to disable Java). "This will help mitigate other Java vulnerabilities that may be discovered in the future."
The tail end of the advisory encapsulates many security experts' current thinking: Disabling Java today ensures businesses won't be unknowingly compromised by future zero-day Java vulnerabilities. Or as Bogdan Botezatu, a senior e-threat analyst at security software vendor Bitdefender, put it via email: "As [Java] attacks are highly likely to hit from the Web, the absence of the plug-in would dramatically cut down on the attack surface."
4. Danger: Java Continues To Be Attack Magnet
Attack surface is the operative phrase, because zero-day Java vulnerabilities continue to be sought after by online criminals or anyone else seeking to exploit targeted PCs. "These types of vulnerabilities are attractive to criminals because Java is somewhat platform agnostic -- so the same vulnerability can be used to reliably exploit a variety of targets -- and historically, Oracle has been slow to release fixes, which maximizes the timeframe in which the exploit can be utilized," said Joe DeMesy, a senior analyst at information security consultancy Stach & Liu, via email.
Indeed, the Red October espionage malware (nicknamed "Rocra") first publicly detailed Monday by Kaspersky Lab includes an attack module for exploiting a Java vulnerability (CVE-2011-3544) that was patched in October 2011. But the most recent Rocra attack module designed to exploit the vulnerability was compiled in February 2012, reported security firm Seculert. That lag highlights how even after a patch had been released, attackers still expected to find exploitable machines four months later.
5. Enforce Java Restrictions With Management Tools
Enable Java, or disable Java? In fact, using Java doesn't have to be an all-or-nothing proposition. "There are multiple approaches to mitigating this issue, depending on a variety of factors, such as network architecture, the degree of employee IT literacy or other security measures running at the network perimeter," said Bitdefender's Botezatu.
For example, for businesses that don't outright block Java extensions in employees' browsers, "there are a number of third-party group policy tools that offer a high level of centralized management for the Java environment," said Botezatu. He named PolicyPak as one possibility, noting that "this centralized management application also allows remote disabling of Java in the event of a serious flaw."
"Alternatively, basic settings can be configured via GPO (Group Policies) by the network administrator to disable plug-ins [on a] per browser [basis], or to enforce additional security restrictions on Java," he said.
6. Lock Down Java Extension With White List
For any business that keeps its Java browser extensions activated, veteran Oracle bug-finder Adam Gowdiak, who heads the Poland-based firm Security Explorations, recommends never accessing untrusted websites when Java is enabled. In other words, if you have to access a website that requires Java in the browser, then enable it, visit the site, and promptly disable Java. But good luck enforcing that approach with employees.
Another approach is to use a browser extension that runs interference. For example, NoScript for Firefox offers whitelisting for websites, so only known-trusted sites can be allowed to run Java in the browser.
7. Consider Maintaining Separate, Java-Only Browser
Another workaround for the Java security risk is to designate one browser for general use, on which Java hasn't been installed. Then use an entirely different browser for any site that requires Java. "At this moment, we are advising users to only enable the Java plug-in in a browser they use for specific tasks -- not in the primary browser used for Web surfing," said Botezatu.
8. Oracle: Patch Faster
Beyond point technologies for securing Java, Gowdiak at Security Explorations said via email that Oracle could improve Java security simply by devoting more resources to fixing its code. "Oracle should rethink its Java patch release policy," he said. "The company needs to take into account that critical security flaws in its widely used Java software may affect hundreds of millions of users. Months of delays in delivering a patch for a security bug may unnecessarily expose users to the risk of being attacked."
9. Upcoming: New Java Every Two Years
One timing change announced by Oracle -- just last week -- is that with the introduction of Java 8, which is scheduled to be released in September, it plans to begin releasing new versions of the open source software every two years. According to Oracle, the increasing complexity of Java has made it more difficult for the company to release new versions of the software in a timely manner.
But will the change lead to marked security improvements? "It's difficult to actually conclude anything" based on the new Java updating announcement, said Gowdiak. "The two-year cycle for major Java releases does not [guarantee] that Java code would be more secure or that patches for security vulnerabilities found would be released quicker."
10. Improvement: Separate Desktop Java From Browser Java
To make it easier for businesses to secure Java, Oracle could also ship different types of Java separately. "The [security] problem is exacerbated by the bundling of the browser extension -- used by websites to create more interactive components -- with the main Java runtime environment, used to create desktop applications," said DeMesy at Stach & Liu. "This often results in end users unknowingly installing and exposing the Java browser plug-in to attackers."
In other words, one quick fix would be to allow businesses to install the Java runtime environment on desktops, without having to install the browser extension as well. "Since so few websites legitimately use the Java Web browser extension, it is most prudent to disable it entirely," said DeMesy, or else to "only re-enable it for specific sites determined to be trustworthy."
Recent breaches have tarnished digital certificates, the Web security technology. The new, all-digital Digital Certificates issue of Dark Reading gives five reasons to keep it going. (Free registration required.)