Exploring the Java Jive

The trade press has been full of comments on recently found Java vulnerabilities. Oracle has fixed some and there are more to go, apparently. Most security experts have recommended disabling Java in the browsers you use. Instructions have been posted for Chrome, Firefox and others. There are, however, two major issues few have addressed:

First, many enterprise systems rely on Java. That is, they use Java not just to make pretty web pages, but to implement solutions upon which the enterprise relies. Disabling Java may sound good and may be a good action from a security standpoint, but if it blocks a business-critical application from running, it is not an option for many. If you absolutely must use Java, here are some recommendations for making it a bit safer. These probably won’t avoid all problems, but they should at least help:

  • Never run embedded Java as Administrator or with Administrator privileges. In fact, never run anything with Administrator privileges unless it is absolutely necessary. Period. We talk about this in Learning Tree Course 468 – it’s called the “principle of least privilege”.
  • Only use Java from pages/sites you fully trust. I set my Java (in the Java Console Advanced tab) to pop up the Java console whenever it starts. That way I can see any time my browser wants to use Java. I did this because some reports indicate that even if you set the security to Very High (see below), some applets can still cause problems.
  • Update to the most current version of Java (1.7.0_11-b21 at this writing which reportedly still has issues).
  • In the Java Control Panel (on Windows) set the Security Level to Very High.
    [Screenshot: Security Level set to Very High]
  • Also in the Java Control Panel, ensure that automatic updates are enabled.
    [Screenshot: automatic update setting]
  • Of course, be sure you are running good anti-malware software.
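The Java Control Panel writes the settings above to a per-user Java properties file (on Windows typically %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties). The script below, an added example that is not part of the original post, parses that file format and reports any recommended setting that is missing or differs. The two keys it checks, deployment.security.level and deployment.console.startup, are the ones the Control Panel uses for the Security Level slider and the console option in Java 7 update 10 and later; the sample file contents are constructed for this example.

```python
"""Audit a Java deployment.properties file for the browser-hardening
settings recommended above.

Added example, not part of the original post or of Oracle's tooling.
Keys checked (written by the Java Control Panel, Java 7u10+):
  deployment.security.level   -> Security Level slider (VERY_HIGH)
  deployment.console.startup  -> Java console behaviour (SHOW pops it up)
The sample file below is constructed for this example.
"""
from __future__ import annotations

import sys

# Constructed sample in the format the Control Panel writes. Note the
# escaped ':' and '\\' in the path, which the parser must unescape.
SAMPLE_PROPERTIES = """\
#deployment.properties
#Mon Jan 14 10:00:00 EST 2013
deployment.version=7.21
deployment.browser.path=C\\:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe
deployment.security.level=HIGH
deployment.console.startup=HIDE
"""

# Setting -> value the post recommends.
RECOMMENDED = {
    "deployment.security.level": "VERY_HIGH",
    "deployment.console.startup": "SHOW",
}


def _unescape(s: str) -> str:
    """Drop the backslash from simple Java properties escapes (\\: \\= \\\\)."""
    out = []
    i = 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties parser: '#'/'!' comments, key=value or
    key:value or key value, backslash escapes in keys and values."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Read the key up to the first unescaped separator.
        key_chars = []
        i = 0
        while i < len(line):
            c = line[i]
            if c == "\\" and i + 1 < len(line):
                key_chars.append(line[i + 1])
                i += 2
                continue
            if c in "=: \t":
                break
            key_chars.append(c)
            i += 1
        rest = line[i:].lstrip(" \t")
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip(" \t")
        props["".join(key_chars)] = _unescape(rest)
    return props


def audit(text: str) -> list[str]:
    """Return one finding per recommended setting that is absent or differs."""
    props = parse_properties(text)
    findings = []
    for key, want in RECOMMENDED.items():
        have = props.get(key)
        if have is None:
            findings.append(f"{key}: not set (Control Panel default applies); want {want}")
        elif have != want:
            findings.append(f"{key}: is {have}; want {want}")
    return findings


if __name__ == "__main__":
    # Pass a real deployment.properties path to audit it; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            contents = fh.read()
    else:
        contents = SAMPLE_PROPERTIES
    for finding in audit(contents) or ["all recommended settings present"]:
        print(finding)
```

Run with no arguments to see the two findings for the constructed sample; run with the path to your own deployment.properties to check your setup. Automatic updates are not checked here because on Windows that setting lives in the registry rather than in this file.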

A second issue is the difficulty of disabling Java in Internet Explorer. Woody Leonhard at InfoWorld has a good post on this. I haven’t tried those steps yet, but I seldom use IE. What I find interesting about this is that it is not a simple task. IE is still used by many organizations. It is not a “fringe” tool. Surely it should be easier to configure a simple plug-in! I think Microsoft needs to step up and fix this.

Finally, remember that Java in a web page, server-side Java (J2EE), Java on the desktop and JavaScript are all different things. These issues are all related to Java in the browser and not the other platforms.

What steps are you taking regarding Java? Let us know in the comments below.

John McDermott
