It’s made the Internet a better place. But like all wonderful things, Java needs careful oversight
Java, what’s it good for? If the depressing zero day flaw parade of recent weeks is anything to go by, not a lot.
A quick description of the mess; on 10 January, exploits started circulating for a serious flaw in Java 7 Update 10 (itself a major overhaul, released mid-December), prompting an unusual ‘disable immediately’ warning from the US Department of Homeland Security (DHS) no less.
After a rapid but partial patch from Oracle, Update 11, attention turned to further zero day flaws that remained, including one reportedly sold in recent days on the criminal underworld for at least $5,000. One particularly enterprising group of criminals even started impersonating the Java update to sneak malware on to computers.
Meanwhile, researchers complain that Oracle ignores responsibly-disclosed flaws for months, and won’t have a further in-band release until 19 February - unless, that is, more security holes emerge in which case Oracle will find itself patching patches of patches.
So is Java a pointless nuisance the world should be glad to see the back of? I’d like to suggest it’s not that simple.
It was always madness to install such a powerful programming interface by default even if a minority of home users will still need to find some way to accommodate it. Their best option is to install it on a single computer.
Unfortunately, enterprises can’t rid themselves of the problem as easily; Java is an important arm of much corporate software development, leaving security admins putting hours into watching it like hawks while praying Oracle helps keeps up with the stream of vulnerabilities.
But there is another way – don’t uninstall the Java VM, manage it as you would any other software asset, first by limiting the administrator permissions needed to install it or alter its security settings.
It’s long been a no-brainer that malware, including Java exploits, thrive on environments that allow unmanaged privilege escalation and even those that do should make sure the admin elevation process itself is fully secure.
Another increasingly important option to add to the mix is to use allow listing, which can be implemented using Avecto software. This approach not only controls applications that might not be desirable but don’t in fact require admin rights to function (Windows 8 apps for instance), but rules out precisely the sort of third-party code used by malware writers targeting Java flaws.
Assuming the digital certificates used to sign applications remain secure (which aside from a tiny number of very specific attacks has been the case), this defends against even zero day vulnerabilities.
With Java having a bad time of it, it is tempting to suggest simply abandoning it altogether. This is unnecessary because it offers features that businesses and even some consumers still find useful. It has been a huge boon to developers which has made the Internet a richer place.
But it has also taken too long to wake up to the risks. Don’t treat it like another piece of software furniture. Work out who really needs it and then control the way they use it while ruthlessly limiting which applets can run. Notice – that is log- everything.
The answer is to tend and manage Java and make it work for us, not the criminals.