Java Security Warnings: Cut Through The Confusion by Mathew J. Schwartz
Jan 18, 2013Java Security Warnings: Cut Through The Confusion by Mathew J. Schwartz
Like its Starbucks namesake, the general-purpose Java programming language comes in many different strengths and flavors. But which ones may be harmful to the health of your PC?
The Department of Homeland Security, along with numerous security experts, have recommended that whenever possible, businesses should pull the plug on Java running in their browsers. But the warnings have led to mass confusion: Do they also apply to the general Java runtime environment? And what about JavaScript, Enterprise JavaBeans, embedded Java, JavaFX, Java running on Android or anything else with Java in its name?
The confusion is understandable. After last week's discovery of two zero-day vulnerabilities in Java, which were partially patched by Oracle on Sunday, many technology experts have recommended the following: Deactivate the Java browser plug-in and see if you miss it. If not, then don't reinstall Java.
The confusion is compounded by the difficulty of finding and deactivating Java plug-ins, especially because the latest versions of the Java browser plug-in may not accurately report when they are -- or aren't -- installed. "Your browser lies: Java 7 Update 10 introduced a new checkbox that disables the use of Java in all browsers," says information security consultant Michael Horowitz on his Java version testing site. "By and large, this is a good thing, but there seems to be a failure to communicate between Java and many Web browsers. As a result, all the browsers I have tried so far incorrectly report that Java is not installed when, in fact, it may be installed but this new security feature has been enabled."
[ Learn how to protect yourself and your systems. Read 10 Facts: Secure Java For Business Use. ]
Let's clear up some confusion. First, the current Java-removal advice doesn't apply to JavaScript. "A common mistake is to confuse Java with JavaScript -- which is technically called ECMAScript," says Joe DeMesy, a senior analyst at information security consultancy Stach & Liu, via email. "These are, in fact, entirely different programming languages. While JavaScript has its own interesting history of security problems, the recently disclosed vulnerabilities do not affect JavaScript -- only Java's browser plug-in."
For security reasons, Java developer Sun (now part of Oracle) has restricted which parts of the Java runtime environment the browser plug-in can access. But DeMesy says the recent zero-day bugs have allowed attackers to use malicious websites to exploit plug-ins and gain access to the full Java runtime environment. As a result, attackers can use the Java runtime environment installed on a PC to execute arbitrary code.
The Java browser plug-in risk has been heightened by the fact that Oracle has taken its time to remediate vulnerabilities once they've been disclosed by bug hunters. By some accounts, some of Oracle's patches have also been rushed and sloppy. Also, Java security updates aren't reaching end users because Oracle has failed to offer automatic Java updates, as Adobe did to address out-of-control exploits of the Flash browser plug-in. As a result, the Java plug-in has become an attack magnet.
Notably, a recent study of the Blackhole crimeware kit found that Java bugs were being used to exploit systems in 77% of all successful attacks, compared with 18% of attacks involving a specific PDF vulnerability, 2% involving other PDF vulnerabilities, followed by MDAC, HCP and Flash bugs (1% each). But many of those exploited Java bugs were patched months ago, if not earlier, which leads to only one conclusion: "Java security fixes are not being installed," writes report author and SophosLabs researcher Gabor Szappanos. "Users don't consider Java a direct threat and don't rush into updating their systems." Or perhaps users simply don't know it's even running on their system.
Despite mounting criticism of its handling of Java in the face of regular zero-day vulnerabilities and in-the-wild exploits, Oracle officials haven't sharpened their game. An Oracle spokeswoman this week responded to requests for comment on the latest zero-day vulnerability -- first publicly documented Wednesday by security reporter Brian Krebs -- by pointing to Oracle's security advisory, issued Sunday to accompany Oracle's patch for the two zero-day vulnerabilities discovered last week. When informed by Ars Technica that the update has no information about the new zero-day bug, seen for sale by Krebs about 24 hours after the update was released, the Oracle spokeswoman replied that the company had no additional comment.
Interestingly, JavaScript offers a solution to the Java-meets-browsers security problem. "With modern versions of JavaScript there is little to no need for developers to use Java in the browser," says Stach & Liu's DeMesy. "This is the reason these vulnerabilities are so interesting -- because while the Java browser plug-in is commonly installed, it's not commonly used."
Many capabilities handled via Java browser plug-ins are already available elsewhere, and that will no doubt be the route many end users -- and hopefully developers -- will now pursue. "If WebEx and GoToMeeting didn't need Java, I wouldn't have installed it in the first place," reports one InformationWeek reader. "I've found that you can install their client and that lets you do away with Java. Goodbye Java. I have enough to worry about."
When choosing an endpoint protection product, IT focuses too much on malware detection capabilities and not enough on end users. So instead of building a lab to run three or four endpoint protection products through a gauntlet of malware, get your users in on the decision process. Find out more in the How To Pick Endpoint Protection report. (Free registration required.)