Editorial Update: 02/06/2013
Since this blog post was originally written, Oracle has released a massive security patch that resolves at least 50 different issues. It is the largest security patch in the company's history, and it appears to resolve the current security problems with Java. However, small business owners who find that their business has no use for Java may still want to consider disabling it, or rely on Firefox 17 with its "click-to-play" feature, which automatically blocks out-of-date versions of Java and other commonly exploited plugins until the user explicitly allows them to run.
You may have caught recent reports about a new security flaw in the Java platform. Essentially a method to bypass the Java sandbox, the flaw has already been turned into a number of working exploits that let attackers run malicious code on the victim's machine simply by getting the browser to load a hostile applet.
This latest vulnerability was concerning on two fronts: it affects every release of Java 7, the latest version of Java, and no software update was available when it first surfaced.
For this reason, security firms advised people to disable the Java browser plugin altogether to stymie attackers. To be clear, disabling the Java browser plugin does not prevent desktop-based Java applications from running; it only stops applets and other Java content from loading inside the browser, which is where these exploits are delivered. For its part, Oracle recently released Java 7 Update 11 to resolve the problem. Or, rather, it was intended to resolve it.
It didn't take long for security researchers to find further problems that allow a sandbox bypass in the latest Java update from Oracle. In a mailing list post, Adam Gowdiak of Security Explorations wrote: "We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11."
While Gowdiak declined to share details of the exploit, he did reveal that the team had found two new security vulnerabilities. Working proof-of-concept code has been produced, he says, and has been shared with Oracle for action.
Since then, the call to disable or abandon Java has only grown louder. The argument is simple: only a very small number of websites require the Java browser plugin that is the root cause of so many security issues. The bottom line: businesses that disable the plugin are unlikely to lose any functionality at all, and they stand to substantially reduce their exposure to future exploits that target it.
Ironically, Java's cross-platform capability is one of the key factors that make it so popular with attackers. A flaw discovered in one build of Java has a high chance of being present on every platform Java runs on, so a single exploit works against Windows, Mac and Linux victims alike. That makes a Java exploit highly economical, and appealing, for attackers who don't want to re-code it for every platform.
For now, small businesses that don't use Java may want to seriously consider disabling the Java browser plugin or even uninstalling Java altogether.
Doing so will save a lot of time and headaches for smaller businesses that cannot afford the manpower to constantly monitor the situation.
To disable the Java browser plugin, first launch the Java applet within the Windows Control Panel. On the Security tab, look for and deselect the box marked "Enable Java content in the browser." Finally, remember to restart your browser for the new configuration to kick in. Note that this setting is per user, so on a shared machine each user account needs it applied, and a user can simply tick the box again unless it is locked centrally.
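For an administrator who would rather script the change than click through the Control Panel on every PC, the following PowerShell script does the same thing and additionally locks the setting so staff cannot re-enable it. This is an added example, not part of the original article or an Oracle tool. It relies on Oracle's documented deployment properties for Java 7 Update 10 and later: the checkbox above corresponds to `deployment.webjava.enabled` in the per-user `deployment.properties` file, and a system-wide `deployment.config` can point Java at a mandatory properties file in which a `.locked` entry greys the checkbox out. The file locations used below are the standard Windows ones and are assumed to apply to your installation; run it from an elevated PowerShell session.

```powershell
# Added example (not from the original article): disable the Java browser
# plugin by writing the deployment property behind the "Enable Java content
# in the browser" checkbox, then lock it system-wide so users cannot undo it.
# Property names and file locations follow Oracle's Java deployment
# configuration documentation (Java 7 Update 10 and later); the paths below
# are the standard Windows locations and are assumed to apply here.
# Run in an elevated PowerShell session for the system-wide (locked) part.

$ErrorActionPreference = 'Stop'

# Per-user settings file (the file the Java Control Panel itself edits).
$userProps   = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'
# System-wide files: deployment.config points Java at a mandatory properties file.
$systemDir   = Join-Path $env:WINDIR 'Sun\Java\Deployment'
$systemProps = Join-Path $systemDir 'deployment.properties'
$systemCfg   = Join-Path $systemDir 'deployment.config'

function Set-DeploymentProperty {
    # Replace or append one entry in a Java properties file.
    # With -Bare the key is written on its own line with no value, which is
    # how Oracle's docs express a ".locked" marker.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Key,
        [string]$Value = '',
        [switch]$Bare
    )
    $dir = Split-Path $Path -Parent
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    $lines = @()
    if (Test-Path $Path) { $lines = @(Get-Content $Path) }
    $escaped = [regex]::Escape($Key)
    # Drop any existing line for this key (bare "key" or "key=value").
    $lines = @($lines | Where-Object { $_ -notmatch "^\s*$escaped(\s*=.*)?\s*$" })
    $lines += if ($Bare) { $Key } else { "$Key=$Value" }
    # Java properties files are ISO-8859-1; ASCII avoids a BOM that Java would misread.
    Set-Content -Path $Path -Value $lines -Encoding ASCII
}

# 1. Is a JRE installed at all? If not, there is nothing to disable.
$jre = Get-ItemProperty 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment' -ErrorAction SilentlyContinue
if (-not $jre) { Write-Host 'No JRE registered under HKLM; nothing to do.'; return }
Write-Host "Installed JRE version: $($jre.CurrentVersion)"

# 2. Per-user: identical effect to clearing the checkbox in the Java Control Panel.
Set-DeploymentProperty -Path $userProps -Key 'deployment.webjava.enabled' -Value 'false'

# 3. System-wide and locked, so the checkbox is greyed out for every user account.
Set-DeploymentProperty -Path $systemProps -Key 'deployment.webjava.enabled' -Value 'false'
Set-DeploymentProperty -Path $systemProps -Key 'deployment.webjava.enabled.locked' -Bare
# deployment.config must reference the properties file as a URL; colons are
# escaped as Oracle's examples do, and Java unescapes them on load.
$cfgUrl = ('file:///' + ($systemProps -replace '\\', '/')) -replace ':', '\:'
Set-DeploymentProperty -Path $systemCfg -Key 'deployment.system.config' -Value $cfgUrl
Set-DeploymentProperty -Path $systemCfg -Key 'deployment.system.config.mandatory' -Value 'true'

# 4. Show what Java will read, then remind the operator that browsers must be restarted.
Write-Host "`n--- $systemProps ---"; Get-Content $systemProps
Write-Host "`n--- $userProps ---";   Get-Content $userProps | Where-Object { $_ -match 'webjava' }
Write-Host "`nRestart all browsers for the change to take effect."
```

After running it, open the Java Control Panel's Security tab: the checkbox should be cleared and greyed out. Step 3 is what stops a user from quietly re-enabling the plugin; step 2 alone only reproduces the manual procedure above. Uninstalling Java entirely remains the simpler option for machines that have no use for it at all.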
Paul Mah covers technology for SMBs for Small Business Computing and for IT Business Edge. He also shares his passion for and knowledge of everything from networking to operating systems as an instructor at Republic Polytechnic in Singapore, and is a contributor to a number of tech sites, including Ars Technica and TechRepublic.