After Oracle Took Java
For the last year or so, Java has spawned a seemingly never-ending flow of security bugs, partly because the software environment is invisible to end users and partly because of the system access it allows.
In January alone, two different Java vulnerabilities were exploited by widespread browser exploit kits. At least one of those Java flaws led to the recently disclosed network intrusions at Apple, Facebook and Microsoft, and may also have been involved in the compromise of 250,000 Twitter accounts.
Because of these dangers, many security experts now recommend that users disable the Java browser plug-in unless they genuinely need it, or even take the more drastic step of uninstalling the underlying Java Runtime Environment (JRE) entirely.
Those recommendations certainly make sense for many users, but they are not a blanket solution for everyone who has Java installed.
The problem is that Java, in one form or another, is still used for a lot of things that people want and need to do. It may be an essential component of programs you never thought of as Java software.
If, for example, you are one of the millions of people who enjoy playing Minecraft or RuneScape, you need Java installed on your machine. If you play World of Warcraft, getting rid of Java may leave you without the game's launcher.
If you're a creative professional, Adobe's Creative Suite, which includes applications such as Photoshop, Illustrator and Premiere, relies on Java to exchange information among its applications. If you use free office software such as OpenOffice or LibreOffice, both programs use Java.
None of those applications normally loads content from websites, so the attack surface the exploit kits target, the browser plug-in, is not involved. Leaving Java installed on your computer while disabling it in your Web browsers lets you keep using that software while removing most of your exposure to malware.
Unfortunately, that isn't possible with the many web-facing business applications that require an active Java plug-in in the browser, such as the web-conferencing tools Citrix GoToMeeting and Cisco WebEx.
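The "keep the JRE, turn it off in the browser" setting is a single line in the per-user deployment.properties file, which the Java Control Panel's Security tab writes when you untick "Enable Java content in the browser" or move the security slider. The script below is an added example, not code from this article or from Oracle: it parses that file in Java's own properties format, reports whether the plug-in is still on and the slider is below HIGH, and prints a hardened copy. The property names (deployment.webjava.enabled, deployment.security.level) are the ones Java 7 Update 10 and later use; the sample file is constructed for the example, and the file locations in the comments are assumptions to check on your own system.

```python
"""Audit and harden a per-user Java deployment.properties file.

Added example, not from the article or from Oracle. Assumes the Java
7u10+ keys deployment.webjava.enabled and deployment.security.level.
Assumed per-user locations (verify on your system):
  Linux:   ~/.java/deployment/deployment.properties
  OS X:    ~/Library/Application Support/Oracle/Java/Deployment/
  Windows: %APPDATA%\\..\\LocalLow\\Sun\\Java\\Deployment\\
"""
import re
import sys

WEBJAVA_KEY = "deployment.webjava.enabled"  # browser plug-in on/off
LEVEL_KEY = "deployment.security.level"     # Control Panel slider

# Constructed sample of what the Control Panel leaves on a typical install:
# plug-in on, slider at MEDIUM. Note Java's own escaping of ':' and '=' and
# a backslash-continued line, both of which the parser must handle.
SAMPLE_PROPERTIES = """\
#deployment.properties
#Mon Feb 25 10:12:03 GMT 2013
deployment.version=7.13
deployment.javaws.jre.0.product=1.7.0_13
deployment.javaws.jre.0.location=http\\://java.sun.com/products/autodl/j2se
deployment.javaws.jre.0.args=-Xmx512m \\
    -Dsun.java2d.noddraw\\=true
deployment.webjava.enabled=true
deployment.security.level=MEDIUM
"""

_UNESCAPE = re.compile(r"\\(.)")
# key = run of escaped chars or anything but '=', ':' and whitespace;
# then optional separator; then the rest of the logical line as value.
_SPLIT = re.compile(r"((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)")


def _continued(line):
    """True when a line ends with an odd number of backslashes."""
    return (len(line) - len(line.rstrip("\\"))) % 2 == 1


def parse_properties(text):
    """java.util.Properties-style parser: '#'/'!' comments, backslash-
    continued lines (leading whitespace of the continuation dropped), first
    unescaped '=' or ':' as separator, '\\c' unescaped to 'c'. Unicode
    \\uXXXX escapes are not handled. Later duplicate keys win."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if _continued(line):
            pending += line[:-1]
            continue
        logical, pending = pending + line, ""
        m = _SPLIT.match(logical)
        if m:
            key = _UNESCAPE.sub(r"\1", m.group(1))
            props[key] = _UNESCAPE.sub(r"\1", m.group(2))
    return props


def web_java_enabled(props):
    """Plug-in state; an absent key means Java's default, which is enabled."""
    return props.get(WEBJAVA_KEY, "true").strip().lower() != "false"


def audit(text):
    """Return a list of findings; an empty list means the file matches the
    'JRE installed, plug-in off' advice."""
    props = parse_properties(text)
    findings = []
    if web_java_enabled(props):
        findings.append(f"{WEBJAVA_KEY} is not 'false': every browser on "
                        "this account will load the Java plug-in")
    if props.get(LEVEL_KEY, "MEDIUM").strip().upper() not in ("HIGH", "VERY_HIGH"):
        findings.append(f"{LEVEL_KEY} is below HIGH; raise the slider on "
                        "the Control Panel's Security tab")
    return findings


def _escape(s):
    """Inverse of _UNESCAPE for the characters Java treats specially."""
    return re.sub(r"([\\:=#!])", r"\\\1", s)


def harden(text):
    """Return properties text with the plug-in disabled and the slider at
    VERY_HIGH, keeping every other key. Comments are not preserved."""
    props = parse_properties(text)
    props[WEBJAVA_KEY] = "false"
    props[LEVEL_KEY] = "VERY_HIGH"
    return "".join(f"{_escape(k)}={_escape(v)}\n" for k, v in sorted(props.items()))


if __name__ == "__main__":
    # Usage: python java_plugin_audit.py [path/to/deployment.properties]
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROPERTIES
    for finding in audit(src) or ["no findings"]:
        print("-", finding)
    print("\n# hardened copy (review, then write it back with Java closed):")
    print(harden(src), end="")
```

The hardened copy only switches the two keys the article's advice depends on; everything else, including the escaped JRE location URL and the continued argument line, round-trips unchanged. Because this file is per user account, it silences the plug-in in every browser on that account at once, which is what you want for the main browser but not for the second, Java-only browser Wang describes; keep that on a separate account or separate machine, or leave the file alone and disable the plug-in inside the main browser's add-on manager instead.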
Twice the Fun
End users may want to try a “double browser” strategy.
“If you do rely on websites that require Java, consider installing a second browser and turning Java on in that browser only,” said Richard Wang, senior security manager at the British anti-virus firm Sophos. “Use it for your Java-based websites only, and stick to your Java-disabled main browser for everything else.”
For businesses, people who work from home, or anyone with a lot of sensitive data to protect, a more robust version of this strategy can keep a Java compromise from becoming a system-wide problem.
“You should make a list of all the tools you use on a regular basis and that require Java. Then, run these tools in a virtual machine or other isolated environment,” said Tim Erlin, director of IT security and risk strategy for San Francisco’s nCircle, referring to software-based computer emulators that essentially “live” inside other computers.
“If you find that you need Java for many of your routine tasks,” Erlin said, “it might be time to consider evaluating alternate tools that don’t require Java.”
Will these strategies be a silver bullet that will protect you from all of the security problems that have been plaguing Java on the Web? No, but in IT security there are no guarantees. You can only mitigate your risks and take reasonable precautions.
After all, Java is not the only browser plug-in that can be exploited to install malicious code. If you uninstalled or disabled every possible risk, then the Web would lose the majority of its functionality.
Practical security is about playing the odds and getting the best possible protection without putting everything on lockdown.