We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,258 News Articles

Java security woes to stay with businesses for a long time

Zero-day vulnerabilities, delays in receiving patches and continuous cyberattacks are enough to make any large company want to toss the buggy Java plug-in from browsers. But that seemingly simple solution is not possible for the majority of businesses, which still use the platform for running Web-based Java applications, experts say.

Businesses were reminded of Java's problems on Monday, when Oracle released an emergency patch to fix two flaws in Java 7 and Java 6, including one hole that security experts warned last week was already being exploited by cybercriminals. Oracle acknowledged knowing about the more serious flaw since Feb. 1, but was unable to get a patch out sooner.

On the same day, a Polish security firm notified Oracle of five more vulnerabilities in the latest version of Java. Those flaws would be difficult to exploit, since they would have to be linked together to bypass Java's anti-exploit sandbox technology.

Nevertheless, Java has become a key target for criminals and a major headache for corporations. The fact that the technology is cross-platform has made matters worse, because malware can be written to infect Windows, Mac or Linux desktops and notebooks.

"Java has certainly moved to the forefront for many enterprises as far as patching and vulnerabilities are concerned," Wolfgang Kandek, chief technology officer for Qualys, said on Tuesday.

The reason businesses cannot remove the distressing Java from browsers is because many organizations run Web-based internal business applications that require the technology.

[Also see: Oracle speeds up Java patching cycle]

"Disabling Java in browsers would break access to these applications," said Chenxi Wang, an analyst for Forrester Research. "For that reason, not many have gotten rid of Java in their environment, despite the fact that Java has been the target of mass market malware exploits for years."

In addition, the technology IT administrators use for enforcing corporate policies does not include disabling or enabling Java for specific people in an organization. "This lack of enterprise controls is causing major heartburn for IT teams," said Andrew Storms, director of security operations for nCircle.

Besides not having an easy off-switch, some organizations are just plain slow at upgrading Java plug-ins. "Some have only just added it to their patching regimes,"said Glenn Chisholm, chief security officer of Cylance.

Many companies are starting to tackle the Java problem. Some are looking at application virtualization to provide Java in a browser for a single session, which is then destroyed and recreated when needed again, Chisholm said.

Security vendors are also providing help. Kandek recommends setting up whitelisting within Internet Explorer, so only pre-approved applications can run. Dan Guido, a consultant with iSec Partners, has posted an hour-long YouTube video that shows how to automatically switch between Chrome for browsing the public Internet and IE for accessing internal applications.

Such creativity is the direction organizations will need to go to avoid a Java-caused security breach. "Java is proving to be the gift that keeps on giving for attackers," Storms said.

Read more about application security in CSOonline's Application Security section.

IDG UK Sites

Best camera phone of 2015: iPhone 6 Plus vs LG G4 vs Galaxy S6 vs One M9 vs Nexus 6

IDG UK Sites

In defence of BlackBerrys

IDG UK Sites

Why we should reserve judgement on Apple ditching Helvetica in OS X/iOS for the Apple Watch's San...

IDG UK Sites

Retina 3.3GHz iMac 27in preview: Apple cuts £400 of price of Retina iMac with new model