Jettisoning Java: Damned if You Do, Damned if You Don't
The DHS' Computer Emergency Readiness Team warned Thursday evening that it was being exploited in the wild and could allow an attacker to execute arbitrary code on vulnerable systems.
CERT recommended that Java be disabled in Web browsers. It pointed users to the Solution section of the US-CERT Alert and to the Oracle Technical Note Setting the Security Level of the Java Client for information on how to do that.
Another Zero-Day Alarm
The warning is bad news for Java, which has been the target of more than its fair share of zero-day exploits.
"I've said it before and I'll say it again; if you don't need Java, disable it," Andrew Storms, director of security operations for nCircle, told TechNewsWorld.
"It's a drive-by bug, so little user interaction is necessary, and people won't even know they've been attacked until it's too late," he explained. "Although current attacks are focused on Windows, this bug isn't operating system specific, so no one will be safe for long -- especially since major exploit kits now include attacks."
The potential consequences of exploit are high, noted Tyler Shields, senior security researcher at Veracode.
An attack "can lead to theft of sensitive data, use of the compromised computer as a zombie or botnet node, and continued attacker persistence on the system," he told TechNewsWorld.
What to Do?
The obvious solution is to follow CERT's warning and turn off Java. Many consumers probably don't know if they are using it or not in their browsers, but "if you aren't sure, find out now and turn it off," said Storms.
Users can follow these links to turn off Java browser plug-ins:
- How to turn off the Java plugin in Firefox
- How to turn off the Java plugin in Chrome
- How to turn off the Java plugin in Safari
Low Compliance Expected
Unfortunately, many consumers and businesses are not likely to take this advice. If they did, they wouldn't be able to view sites they need or like for work or play.
In short, the suggested workaround "is conceptually difficult and likely to not be implemented by many end users unless they are forced to comply," Shields said.
It may be more difficult for businesses to disable Java than for consumers.
"Many companies have used Java as a primary component to their websites and internal Web-based applications," Jerry Irvine, CIO of Prescient Solutions, told TechNewsWorld. "For these companies, balancing the risk with the requirement of continuing to perform day-to-day functions is a major issue."
If you disable Java blindly, you're going to break a lot of functionality, A.N. Ananth, CEO of EventTracker, told TechNewsWorld.
"This means a tremendous disruption to your company's operations," he said. "Government organizations may be able to consider this, but commercial ones will cringe at the prospect."
Risk Assessment Time
Still, some sort of analysis of the pros and cons of ditching Java is necessary, Ananth continued.
"When confronted with a vulnerability -- today it's an attack on Java, tomorrow it will be something else -- the systemic response needs to be an assessment of the risk to the enterprise, starting with the most critical systems," he explained.
"If this assessment shows that you're vulnerable to an attack no matter what you do, and the risk of loss is beyond the threshold of acceptance -- then sure, consider disabling Java," Ananth said.
Basically, none of the choices confronting businesses that have applications reliant on Java are palatable, nCircle's Storms said. "The continuing stream of serious Java bugs has got to be discouraging for businesses that rely on it -- it certainly makes alternatives like HTML5 look more attractive."