Remove Java? I doubt it.

There has been a lot of discussion related to Java vulnerabilities with a lot of security professionals and organizations recommending that it be removed.  I enjoy programming in Java because it allows me to write one set of code and run on any platform.  However I recognize the risks Java adds if it can be accessed by a browser.

I typically solve this problem in one of two ways.  I categorize machines, host or guest, as either needing Java or not needing Java and then maintain the installation.  Second, on the machines that need it, I will use more than one browser and only enable Java in one of the browser flavors.  Typically on a Windows system I will allow Java to connect to IE, and use a plugin like Quick Java to disable Java in FireFox. With Java 7u10, they introduced a check box to disable the browser functionality in the Java Control Panel.  I don’t like this approach as there are places that need Java (I have kids who like Minecraft).  I prefer to have it so only one browser can access Java, and that is the secondary browser only used for that purpose.

I don’t see uninstalling Java to be a reasonable solution.  It is not the language itself that is the problem, it is the connection to the browser that allows people with evil intent to be able to run arbitrary code when a vulnerability is discovered.  Just like binary malware, a user would have to actively execute a JAR file to get Java to run code when not invoked by the browser.  We don’t see much of that because it requires user interaction.  What we often see is a Java exploit as part of a drive-by attack, where the only purpose of the Java code is to grab a piece of malware written and compiled for Windows and invoke it on the system.

If you don’t need Java, then by all means, get rid of it.  It is overhead on the system and it only exposes the system to exploitation if it is forgotten about and not patched (Yes I know 0-days mean even patched and maintained are exposed).  But a lot of people do have legitimate uses for Java.  Most of these uses don’t involve the browser and they cannot remove Java unless they are willing to give up that use.  For them, they need to either disconnect Java from all browsers, or develop and stick to a safe usage plan.

I do wish that Java would auto-update and did not require admin privileges to do so.  As stated, my children like Minecraft, but they don’t have admin accounts.  That means they cannot update Java on a Windows machine even if it were to notify them there is a Java update. I need to find a way like in Ubuntu where I can add the update command to the list of commands that do not require root to invoke. Alternatively, Oracle could make the Java install able to be set to automatically download and update security patches by the installing user (that would be admin/root at time of install) and run as a service at that user level.  My only fear there is I might get some unwanted toolbars after an update. :)

Also, to give some kudos to Oracle, Java 7u11 does notify the user of Java content trying to run as applets in a browser and ask them to confirm they want it to run.  This is great if systems are fully patched.  My experience is that most are not because there is no auto-update feature, images with old installs are used to push out production machines, or the user only updates it when they use Java.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>