Java Security Warnings: Cut Through The Confusion by Mathew J. Schwartz
Like its Starbucks namesake, the general-purpose Java programming language comes in many different strengths and flavors. But which ones may be harmful to the health of your PC?
The confusion is understandable. After last week's discovery of two zero-day vulnerabilities in Java, which were partially patched by Oracle on Sunday, many technology experts have recommended the following: Deactivate the Java browser plug-in and see if you miss it. If not, then don't reinstall Java.
The confusion is compounded by the difficulty of finding and deactivating Java plug-ins, especially because the latest versions of the Java browser plug-in may not accurately report when they are -- or aren't -- installed. "Your browser lies: Java 7 Update 10 introduced a new checkbox that disables the use of Java in all browsers," says information security consultant Michael Horowitz on his Java version testing site. "By and large, this is a good thing, but there seems to be a failure to communicate between Java and many Web browsers. As a result, all the browsers I have tried so far incorrectly report that Java is not installed when, in fact, it may be installed but this new security feature has been enabled."
[ Learn how to protect yourself and your systems. Read 10 Facts: Secure Java For Business Use. ]
For security reasons, Java developer Sun (now part of Oracle) has restricted which parts of the Java runtime environment the browser plug-in can access. But DeMesy says the recent zero-day bugs have allowed attackers to use malicious websites to exploit plug-ins and gain access to the full Java runtime environment. As a result, attackers can use the Java runtime environment installed on a PC to execute arbitrary code.
The Java browser plug-in risk has been heightened by the fact that Oracle has taken its time to remediate vulnerabilities once they've been disclosed by bug hunters. By some accounts, some of Oracle's patches have also been rushed and sloppy. Also, Java security updates aren't reaching end users because Oracle has failed to offer automatic Java updates, as Adobe did to address out-of-control exploits of the Flash browser plug-in. As a result, the Java plug-in has become an attack magnet.
Notably, a recent study of the Blackhole crimeware kit found that Java bugs were being used to exploit systems in 77% of all successful attacks, compared with 18% of attacks involving a specific PDF vulnerability, 2% involving other PDF vulnerabilities, followed by MDAC, HCP and Flash bugs (1% each). But many of those exploited Java bugs were patched months ago, if not earlier, which leads to only one conclusion: "Java security fixes are not being installed," writes report author and SophosLabs researcher Gabor Szappanos. "Users don't consider Java a direct threat and don't rush into updating their systems." Or perhaps users simply don't know it's even running on their system.
Despite mounting criticism of its handling of Java in the face of regular zero-day vulnerabilities and in-the-wild exploits, Oracle officials haven't sharpened their game. An Oracle spokeswoman this week responded to requests for comment on the latest zero-day vulnerability -- first publicly documented Wednesday by security reporter Brian Krebs -- by pointing to Oracle's security advisory, issued Sunday to accompany Oracle's patch for the two zero-day vulnerabilities discovered last week. When informed by Ars Technica that the update has no information about the new zero-day bug, seen for sale by Krebs about 24 hours after the update was released, the Oracle spokeswoman replied that the company had no additional comment.
Many capabilities handled via Java browser plug-ins are already available elsewhere, and that will no doubt be the route many end users -- and hopefully developers -- will now pursue. "If WebEx and GoToMeeting didn't need Java, I wouldn't have installed it in the first place," reports one InformationWeek reader. "I've found that you can install their client and that lets you do away with Java. Goodbye Java. I have enough to worry about."
When choosing an endpoint protection product, IT focuses too much on malware detection capabilities and not enough on end users. So instead of building a lab to run three or four endpoint protection products through a gauntlet of malware, get your users in on the decision process. Find out more in the How To Pick Endpoint Protection report. (Free registration required.)