Diplo Internet Governance Community

Security Problems with Java? Is It Better to Disable It?

You may have heard about security problems caused by the Java plugin and the Java Runtime Environment (JRE). Some security researchers have reported that attackers are exploiting vulnerabilities in this popular programming language.
Tod Beardsley, Engineer at Rapid7, said: "Users should disable the Java plug-ins for browsers. Unlike Flash, HTML5 or PDF, no technology is ubiquitous on the Web ... Disabling unnecessary functionality is good advice. This reduces the possibility of attacks."
Such advice can be very useful for end users, but not for companies, because a series of common business applications, such as conferencing and collaboration, are based on the Java runtime, and some data center applications run on Java, says Scott Crawford, research director at industry analyst firm Enterprise Management Associates.
That was not the case a few years ago. Wolfgang Kandek, CTO of Qualys, says that web browsers used to be a prime target for attackers until browser makers developed better security defenses. Attackers turned their attention to other programs such as Flash and PDF, but Adobe has put a lot of resources into strengthening its products. It now seems that Java is being targeted.
SystemsExperts' Hill sees many organizations eliminating their dependencies on Java applets. "Now people are developing rich web applications with Ajax techniques for Java that run on the server and not on the client side," he says.
How can you secure Java?
A little background.

Oracle, starting with Sun, has advanced the development of the Java ecosystem in several areas, including the server-side programming language and the widespread client-side JRE, but attackers continue to expose serious security vulnerabilities in the JRE. Most of these vulnerabilities are limited to the most common platforms such as MacOS and Windows, but since Java is used on a wide variety of platforms for client software, the impact of the vulnerabilities may not be well understood.

Here we discuss the latest series of Java security vulnerabilities and provide some measures to improve the security of Java.
In recent times, it seems that as soon as Oracle releases a patch for the most recently discussed Java vulnerability, attackers have another one to exploit. Another critical vulnerability, identified in September 2012, allows an attacker to subvert a core security feature of the Java JRE, type safety, to escape the Java sandbox. An attacker could completely compromise the security of a system by exploiting this vulnerability.
Worse, the Java security patches may be giving attackers more opportunities: it is believed that the JRE vulnerability reported in August 2012 may have been introduced by a previous patch. An error in Java's AWT subcomponent could also allow code execution on the local system, bypassing the sandbox and resulting in the system being compromised. When Oracle's software updates expose new security vulnerabilities, the strength of the Java software development life cycle comes into question. Not all errors are preventable, but it seems clear that a stronger secure development life cycle is needed to help prevent the introduction of new Java errors.
The reality is that the Java security problem is not going away. Vulnerabilities continue to be found, exploited, and patched by Oracle with variable speed and efficiency. To be fair, the software vendor is facing a difficult task, as it seeks to encourage the development of Java while trying to keep it secure. Oracle has also taken on Java's technical debt, resulting in an increasing number of vulnerabilities.
Methods for securing Java.
As mentioned above, some experts recommend disabling Java, but we have also seen that this is easier said than done. Although there are viable alternatives to software such as Adobe Reader, no real alternatives currently exist for the Java Runtime Environment. The reality is that many enterprise applications are based on Java, so for many organizations simply disabling Java is not an option.
That said, the standard advice for securing any client software also applies to the JRE, including not installing (or uninstalling) the JRE if it is not necessary, keeping the JRE up to date, removing old versions, and deploying patch management and security controls on the client endpoint.
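As an added example (not part of the original article), the following sketch shows how the "keep the JRE up to date and remove old versions" advice can be checked across an endpoint inventory by parsing legacy `java -version` banners. The host names, the inventory and the `BASELINE` policy values are constructed assumptions for illustration.

```python
import re

# Legacy (pre-Java 9) banners look like: java version "1.7.0_10"
# -> major release 7, update 10.
_VERSION_RE = re.compile(r'version "1\.(\d+)\.(\d+)(?:_(\d+))?')

# Constructed policy baseline (an assumption, not from the article): minimum
# update level per major release. Majors not listed count as old versions.
BASELINE = {7: 11}

# Constructed sample inventory: host -> first line of `java -version`
# for every JRE found on that host.
INVENTORY = {
    "ws-014": ['java version "1.6.0_37"', 'java version "1.7.0_11"'],
    "ws-022": ['java version "1.7.0_09"'],
    "ws-031": ['java version "1.7.0_11"'],
    "kiosk-02": [],  # no JRE installed
}


def parse_version(banner):
    """Return (major, minor, update) from a version banner, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def audit_host(banners, baseline=BASELINE):
    """Return sorted findings for the JREs installed on one host."""
    parsed = [parse_version(b) for b in banners]
    findings = set()
    if any(v is None for v in parsed):
        findings.add("unparsed-banner")
    versions = [v for v in parsed if v is not None]
    if len(versions) > 1:
        findings.add("multiple-jres")
    for major, minor, update in versions:
        required = baseline.get(major)
        if required is None:
            findings.add(f"old-major:1.{major}")
        elif update < required:
            findings.add(f"outdated:1.{major}.{minor}_{update:02d}")
    return sorted(findings)


def audit_inventory(inventory=INVENTORY):
    """Return only the hosts that need attention, with their findings."""
    report = {host: audit_host(b) for host, b in inventory.items()}
    return {host: f for host, f in report.items() if f}
```

Hosts with no JRE, or with a single JRE at the baseline, produce no findings; a banner the parser does not recognise is flagged rather than silently passed.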
But consider additional controls specifically for Java. For example, a company can run the JRE and the software that needs it in its own virtual machine, run the JRE with reduced permissions (which should be a default policy regardless), and allow only whitelisted Java applets to run in the JRE using NoScript or similar software. The Enhanced Mitigation Experience Toolkit can be used to configure the JRE more securely on Windows systems.
Companies can also compile Java code into native executables to avoid problems with the JRE, but this would negate the "write once, run anywhere" benefit of using Java. Given that most Java applets run on either PCs or Macs, this could be a reasonable measure for some organizations, but it would not work for all platforms that run Java.
Where the code can be compiled, this would help reduce the number of systems in a company that have a JRE installed for the sake of a single application. All these methods require significant effort, but could reduce the risk to an acceptable level for most companies.
The Java Runtime Environment was the result of the need to facilitate cross-platform development. Unfortunately, the reputation of the Java ecosystem has taken a significant hit due to the large number of security vulnerabilities exposed in the JRE and in Oracle's software development life cycle. While organizations should think long and hard about committing to Java, there are fortunately ways for companies to limit the risk posed to endpoints by the JRE if it is a business necessity; if it is not absolutely necessary, it should not be installed.

Comment by Juan Manuel Rojas on January 23, 2013 at 4:46am

Thanks Angelic, it is good to know this info was useful to confirm your hunch! Thanks for reading me.

Comment by Angelic Alihusain-del Castilho on January 22, 2013 at 2:23pm
Very valuable information. I did not know all these details, but had noticed some time ago that the Java software caused problems on my computer. I stopped downloading any java updates. Now I know that my hunch about the java software was correct. Thanks!
