Java Security Warnings: Cut Through The Confusion by Mathew J. Schwartz
Jan 18, 2013

Java Security Warnings: Cut Through The Confusion by Mathew J. Schwartz

Like its Starbucks namesake, the general-purpose Java programming language comes in many different strengths and flavors. But which ones may be harmful to the health of your PC?

The Department of Homeland Security, along with numerous security experts, have recommended that whenever possible, businesses should pull the plug on Java running in their browsers. But the warnings have led to mass confusion: Do they also apply to the general Java runtime environment? And what about JavaScript, Enterprise JavaBeans, embedded Java, JavaFX, Java running on Android or anything else with Java in its name?

The confusion is understandable. After last week's discovery of two zero-day vulnerabilities in Java, which were partially patched by Oracle on Sunday, many technology experts have recommended the following: Deactivate the Java browser plug-in and see if you miss it. If not, then don't reinstall Java.

The confusion is compounded by the difficulty of finding and deactivating Java plug-ins, especially because the latest versions of the Java browser plug-in may not accurately report when they are -- or aren't -- installed. "Your browser lies: Java 7 Update 10 introduced a new checkbox that disables the use of Java in all browsers," says information security consultant Michael Horowitz on his Java version testing site. "By and large, this is a good thing, but there seems to be a failure to communicate between Java and many Web browsers. As a result, all the browsers I have tried so far incorrectly report that Java is not installed when, in fact, it may be installed but this new security feature has been enabled."

[ Learn how to protect yourself and your systems. Read 10 Facts: Secure Java For Business Use. ]

Let's clear up some confusion. First, the current Java-removal advice doesn't apply to JavaScript. "A common mistake is to confuse Java with JavaScript -- which is technically called ECMAScript," says Joe DeMesy, a senior analyst at information security consultancy Stach & Liu, via email. "These are, in fact, entirely different programming languages. While JavaScript has its own interesting history of security problems, the recently disclosed vulnerabilities do not affect JavaScript -- only Java's browser plug-in."

For security reasons, Java developer Sun (now part of Oracle) has restricted which parts of the Java runtime environment the browser plug-in can access. But DeMesy says the recent zero-day bugs have allowed attackers to use malicious websites to exploit plug-ins and gain access to the full Java runtime environment. As a result, attackers can use the Java runtime environment installed on a PC to execute arbitrary code.

The Java browser plug-in risk has been heightened by the fact that Oracle has taken its time to remediate vulnerabilities once they've been disclosed by bug hunters. By some accounts, some of Oracle's patches have also been rushed and sloppy. Also, Java security updates aren't reaching end users because Oracle has failed to offer automatic Java updates, as Adobe did to address out-of-control exploits of the Flash browser plug-in. As a result, the Java plug-in has become an attack magnet.

Notably, a recent study of the Blackhole crimeware kit found that Java bugs were being used to exploit systems in 77% of all successful attacks, compared with 18% of attacks involving a specific PDF vulnerability, 2% involving other PDF vulnerabilities, followed by MDAC, HCP and Flash bugs (1% each). But many of those exploited Java bugs were patched months ago, if not earlier, which leads to only one conclusion: "Java security fixes are not being installed," writes report author and SophosLabs researcher Gabor Szappanos. "Users don't consider Java a direct threat and don't rush into updating their systems." Or perhaps users simply don't know it's even running on their system.

Despite mounting criticism of its handling of Java in the face of regular zero-day vulnerabilities and in-the-wild exploits, Oracle officials haven't sharpened their game. An Oracle spokeswoman this week responded to requests for comment on the latest zero-day vulnerability -- first publicly documented Wednesday by security reporter Brian Krebs -- by pointing to Oracle's security advisory, issued Sunday to accompany Oracle's patch for the two zero-day vulnerabilities discovered last week. When informed by Ars Technica that the update has no information about the new zero-day bug, seen for sale by Krebs about 24 hours after the update was released, the Oracle spokeswoman replied that the company had no additional comment.

Interestingly, JavaScript offers a solution to the Java-meets-browsers security problem. "With modern versions of JavaScript there is little to no need for developers to use Java in the browser," says Stach & Liu's DeMesy. "This is the reason these vulnerabilities are so interesting -- because while the Java browser plug-in is commonly installed, it's not commonly used."

Many capabilities handled via Java browser plug-ins are already available elsewhere, and that will no doubt be the route many end users -- and hopefully developers -- will now pursue. "If WebEx and GoToMeeting didn't need Java, I wouldn't have installed it in the first place," reports one InformationWeek reader. "I've found that you can install their client and that lets you do away with Java. Goodbye Java. I have enough to worry about."

When choosing an endpoint protection product, IT focuses too much on malware detection capabilities and not enough on end users. So instead of building a lab to run three or four endpoint protection products through a gauntlet of malware, get your users in on the decision process. Find out more in the How To Pick Endpoint Protection report. (Free registration required.)

May 29.12 | Researchers identify Stuxnet-like malware called 'Flame' By Lucian Constantin

read more

May 18.12 | Even a minor lapse in security protocol can lead to major costs Posted by: Karen Goulart

read more

Apr 03.12 | Global Payments hopes to soon regain PCI compliance after breach

Global Payments hopes to soon regain PCI compliance after breach
read more

Oct 11.11 | Businesses failing to comply with PCI DSS security standards: Verizon and Banktech India News Network, 9/29/2011 10:55:29 AM

Too many businesses are struggling to comply with payment card security standards, putting consumers’ confidential information at risk, according to a report by IT services and solutions provider Verizon. Te report for a second year in a row found compliance lacking on the payment card security front. read more

May 03.11 | Sony data breach update reveals 'bad practices' By Emily Chung, CBC News

The data breach affecting Sony Online Entertainment's 24.6 million accounts is linked to a previously announced cyberattack on Sony's PlayStation Network and Qriocity entertainment service, which affected the personal information of more than 77 million users. Thomas Peter/Reuters read more

Mar 11.11 | Assume you’re always under attack’: experts By: Liam Lahey On: 11 Mar 2011 For: ComputerWorld Canada

Enterprises must make a conscious decision about what information we’re prepared to lose, said an exec with security vendor Symantec. Why companies are missing the mark with security risk management read more

Oct 26.10 | ‘Spear-Phishing’ Attacks Keep on Giving by Kim Zetter,

‘Spear-Phishing’ Attacks Keep on Giving

* By Kim Zetter read more

Sep 16.09 | Web server attacks, poor app patching make for nasty mix Jump in site hacks, lazy Adobe, Sun, Apple program patching to fuel online threats By Gregg Keizer September 15, 2009 03:44 PM ET

Web server attacks, poor app patching make for nasty mix
Jump in site hacks, lazy Adobe, Sun, Apple program patching to fuel online threats
By Gregg Keizer
September 15, 2009 03:44 PM ET read more

Jul 02.09 | Heartland breach cost $12.6 million, CEO says

By Robert Westervelt, News Editor 07 May 2009 |

Heartland Payment Systems Inc. said it was experiencing losses this quarter as a direct result of a massive data breach it disclosed in January when investigators discovered a malicious program sniffing credit card data passing through its systems. read more