Java's security problems unlikely to be resolved soon, researchers say

Lucian Constantin | March 14, 2013
Security experts think Oracle should have acted sooner to strengthen Java against attacks.

"I would not expect solutions any time soon," Kandek said. "IT administrators should invest their time in understanding where they need Java on the desktop and where they can restrict it."

Security experts agree that Java should be disabled where it's not needed, at least at the browser level. Many users don't even know they have Java installed on their computers. That's probably why Google and Mozilla chose to restrict the Java plugin in Chrome and Firefox, Raiu said.

Apple has also blacklisted vulnerable versions of the Java plugin on Mac OS X, and Windows has a registry setting that can limit Java use in Internet Explorer to trusted websites.

While many home users don't need Java in their browsers, people in some parts of the world might. In Denmark, for example, online banking and government websites use a log-in mechanism called NemID that requires Java support, Eiram said. Similar cases might exist in other countries.

In those cases, the click-to-play feature in Chrome and Firefox, or the Zones mechanism in IE, could be used to let Java content load only from certain websites. A less technical solution would be to use one browser with Java disabled for general tasks, and a different browser with Java enabled for trusted websites that need Java support.

Restricting the use of Java in corporate environments is more difficult. Many companies use internal and external Web-based applications that require the Java browser plugin to run. Features like click-to-play are not suitable for corporate environments where policies need to be centrally managed and enforced.

"Making Java more configurable will help IT administrators deploy Java in the right fashion for the organization's requirements," Kandek said. "Higher default security levels and the easy disconnect from the browser are a good start, but I believe we will need to improve the white-listing capabilities of browsers or the Java plugins."

For the moment, the Zone mechanism in IE offers the most scalable management capabilities for the Java plugin in corporate environments, Kandek said.

The recent wave of Java-based attacks, including the one that resulted in security breaches at Microsoft, Facebook, Apple and Twitter, might have damaged Java's reputation, Eiram said. But if businesses had confidence in Java as being safe and secure, "they haven't been heeding the plentiful warnings provided by researchers for a while," he said.

It's not only Java's reputation that might have been damaged. It's likely some companies are asking whether Java's poor security is reflected in other Oracle products, Gowdiak said.

Eiram hopes the recent attacks will cause companies to re-evaluate whether they need Java in their environments.

"Companies in general are migrating to pure HTML5 based applications and moving away from plugins such as Flash, Silverlight and Java," Kandek said. "Java will continue to grow on the server side, where its powerful processing capabilities are absolutely needed."

 
