Java security woes to stay with businesses for a long time

Zero-day vulnerabilities, delays in receiving patches and continuous cyberattacks are enough to make any large company want to toss the buggy Java plug-in from browsers. But that seemingly simple solution is not possible for the majority of businesses, which still use the platform for running Web-based Java applications, experts say.

Businesses were reminded of Java's problems on Monday, when Oracle released an emergency patch to fix two flaws in Java 7 and Java 6, including one hole that security experts warned last week was already being exploited by cybercriminals. Oracle acknowledged knowing about the more serious flaw since Feb. 1, but was unable to get a patch out sooner.

On the same day, a Polish security firm notified Oracle of five more vulnerabilities in the latest version of Java. Those flaws would be harder to exploit on their own, since several of them would have to be chained together to escape the Java security sandbox.

Nevertheless, Java has become a key target for criminals and a major headache for corporations. The fact that the technology is cross-platform has made matters worse: because the same plug-in runs on Windows, Mac and Linux, a single exploit for it can be used to infect desktops and notebooks on all three.

"Java has certainly moved to the forefront for many enterprises as far as patching and vulnerabilities are concerned," Wolfgang Kandek, chief technology officer for Qualys, said on Tuesday.

Businesses cannot simply remove the troublesome plug-in from browsers because many organizations run Web-based internal business applications that require it.


"Disabling Java in browsers would break access to these applications," said Chenxi Wang, an analyst for Forrester Research. "For that reason, not many have gotten rid of Java in their environment, despite the fact that Java has been the target of mass market malware exploits for years."

In addition, the tools IT administrators use to enforce corporate policies offer no way to enable or disable the Java plug-in for specific users or groups in an organization. "This lack of enterprise controls is causing major heartburn for IT teams," said Andrew Storms, director of security operations for nCircle.

Besides not having an easy off-switch, some organizations are just plain slow at upgrading Java plug-ins. "Some have only just added it to their patching regimes," said Glenn Chisholm, chief security officer of Cylance.

Many companies are starting to tackle the Java problem. Some are looking at application virtualization to provide a Java-enabled browser for a single session; the virtualized instance is destroyed afterward and recreated the next time it is needed, Chisholm said.

Security vendors are also providing help. Kandek recommends setting up whitelisting within Internet Explorer, so only pre-approved applications can run. Dan Guido, a consultant with iSec Partners, has posted an hour-long YouTube video that shows how to automatically switch between Chrome for browsing the public Internet and IE for accessing internal applications.

Such creativity is the direction organizations will need to go to avoid a Java-caused security breach. "Java is proving to be the gift that keeps on giving for attackers," Storms said.

Read more about application security in CSOonline's Application Security section.

Stories by Antone Gonsalves