What to do About Java?

Another bad Java bug (CVE-2016-0636) was revealed recently; in this case it was actually a bug that was found back in 2013 and was just never patched properly. The vulnerability was publicly exposed a couple of weeks ago, and Oracle released a patch just this week.

But either way, it's the same sad, old song: your computer's Java installation could allow a malicious webpage to quickly and quietly take complete control of the machine. All your files, all your processes, exposed. Everything you have access to on the network, the attacker has access to.

But what can you do about it? There will always be vulnerabilities popping up, and Java is an essential part of using the web, so we're just stuck with it, right?

Well, that may have been (or seemed) true ten, or even five, years ago, but Java apps on the web have been declining in popularity for a long time. Most of us go weeks or months without doing anything online that requires a Java runtime on our workstations. Back in 2012 I was working at a client we had helped to get rid of some very serious intrusions. We were helping them ensure that they wouldn't get re-infected and let the intruders back in. At that time, new Java zero-days were being announced roughly monthly, and Java was the most popular web-based infection vector. So we checked EVERY Java applet that was accessed from inside this large organization. The result? Over 90% of the Java applets that browsers attempted to load were malicious! Weeks would go by without our seeing a single legitimate Java applet in use. And that was four years ago. Chances are, there is little Java actually in use in your organization.

If you're not ready to simply uninstall Java from workstations across your organization, the next best thing is to sharply limit your exposure to Java exploits by using it only as needed.

If you support multiple browsers on the desktop, consider removing Java support from all but one. Internet Explorer is probably the one to keep Java in, mostly because disabling it in IE is much more complex. In Chrome and Firefox, it's quite easy (see instructions below). The browser that still allows Java can be used for internal applications and external sites that have a business need for Java, and can be restricted so that it is used for nothing else. If the only sites that require Java are internal, consider using the proxy settings in IE to disable all external web access for IE so that it can only be used for internal applications.
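One way to implement that last suggestion is a proxy auto-configuration (PAC) script: the Java-enabled browser is pointed at the PAC file, internal hosts go DIRECT, and everything else is sent to a proxy address where nothing is listening, so external requests simply fail. The script below is an added example, not from the original post or any vendor's documentation. The internal domain suffixes, the single-label hostname rule and the blackhole address `127.0.0.1:9` are assumptions to adjust for your environment; the code sticks to plain ES3-style JavaScript because IE's PAC engine is JScript.

```javascript
// Added example, not from the original post: a PAC script that confines the
// Java-enabled browser to internal sites. Suffixes and the blackhole address are
// placeholders for your own environment.
var INTERNAL_SUFFIXES = [".corp.example", ".intranet.example"]; // assumed internal DNS suffixes
var BLACKHOLE = "PROXY 127.0.0.1:9"; // assumed: nothing listens on the discard port, so requests fail

// True if host is the apex of the suffix or ends with it, dot included, so that
// "evilcorp.example" does not match ".corp.example".
function hostMatchesSuffix(host, suffix) {
  if (host === suffix.substring(1)) return true;
  var tail = host.length - suffix.length;
  return tail >= 0 && host.substring(tail) === suffix;
}

// Entry point called by the browser for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    if (hostMatchesSuffix(host, INTERNAL_SUFFIXES[i])) return "DIRECT";
  }
  // Assumed policy: unqualified single-label names (e.g. "timecard") resolve only on the
  // internal network, so they are allowed through as well.
  if (host.indexOf(".") === -1) return "DIRECT";
  return BLACKHOLE;
}
```

Two things to check before rolling this out. First, the suffix test includes the leading dot and tests the apex separately, so a lookalike external domain that merely ends in the same letters is still blackholed. Second, on Windows, Chrome follows the Internet Options proxy settings by default, the same ones IE uses, so if only IE is meant to be restricted, give Chrome its own proxy configuration through policy; Firefox keeps separate settings of its own.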

For Windows users:
Mozilla Firefox: From the main menu, select Add-ons, then disable the Java plugin (there may be more than one). (See above.)

Google Chrome: Type "chrome://plugins" into the browser address bar. You can click "Disable" to disable Java in the browser entirely, or use the "Always allowed to run" setting so that the browser requires you to give permission each time Java is to run.

Internet Explorer: Well, it's pretty complicated. CERT and Microsoft have directions for doing this, but it is not nearly as straightforward as with Firefox and Chrome.

For Mac users:
Safari: Click Safari -> Preferences, then the Security tab (uncheck “Enable Java”). See above.

Chrome and Firefox work substantially the same way as on Windows (if you use your Google account to log in to Chrome, your choices here will even follow you from one computer to another).
