January 23, 2013

Turn It Off: Another Java Vulnerability

For some of us in the security field, the tools we use require us to use Java.  With that said though we also know when to turn it off and on because we are up-to-date with the news or at least we should be.  The problem comes with our users and the victim is our network.  Every time a new Java vulnerability is discovered it puts our data and our networks at risk.

Over the past couple of year’s Java has been made Swiss cheese by security researchers and malicious cyber criminals.  Just as Apple decided to keep Adobe Flash off their iOS products, the time has come for Java.  Sometimes things are just too broken to be useful any more.

Unfortunately, the biggest problem with Java is that it is alive and well.  Hundreds of millions of browsers have it, many of which reside on systems with users that are unaware of the security issues associated with it.  Whenever the news reports on a new vulnerability discovered the remediation is to disable or uninstall Java.  If our users really disabled it or uninstalled it every time there was a bug discovered they would never be able to use it.

Even though you can make a case for Java, there really is very few instances for our end users to have Java installed.  One of those use cases is using WebEx, which requires Java for its Web-based meetings. This can be a major stumbling block for many organizations who are required to use WebEx for company meetings, sales presentations and webinars. That’s an important use case, but it’s not nearly enough to warrant a stay of execution for Java.

“We’ve been telling folks to disable Java 10 times a year for the past couple of years now,” HD Moore, CSO of Rapid7 and the creator of the Metasploit Project, said about the use of Java. “It’s really to the point where you should be telling people to keep it disabled all the time.”

Just as we learned to live without Adobe Flash on our iPhones and iPads, I believe we can learn to live without Java.  I think the majority probably won’t even notice a change.