The latest round of critical Java security bugs and new attacks has IT pros asking a familiar question: Is it time to kill the software platform for good?
In the latest chapter of the Java security saga, a critical zero-day vulnerability was discovered in Java’s Runtime Engine. An exploit targeting the bug was incorporated into several widely used exploit kits sold to attackers.
A similar situation occurred a few months ago, when another serious Java security vulnerability was discovered. The discovery was followed by an emergency patch from Oracle that was later found to be incomplete and, in fact, to have introduced a brand-new flaw.
Java security too risky?
Java is an incredibly widely used software platform, and that ubiquity, in part, has helped make it a hacker’s best friend, according to some security experts. Organizations such as the Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT) have even gone as far as recommending that businesses consider disabling Java in web browsers when it isn’t necessary.
According to US-CERT, Java will continue to be widely targeted and for systems with high security needs, the best option may be to turn off Java capabilities completely.
Best bet: Disable Java for any user that doesn’t need it. In a lot of cases, the user won’t even notice it’s been turned off. And in cases when Java is required, one option is using two browsers — one for normal use with Java disabled, and another that has Java turned on for when it’s necessary.
In other cases, there are security controls IT can take advantage of. For example, the Google Chrome and Firefox browsers offer a “click-to-play” option for browser plug-ins that requires the user to actually click on an element before the plug-in content loads.