Zero-day vulnerabilities, delays in receiving patches and continuous cyberattacks are enough to make any large company want to toss the buggy Java plug-in from browsers. But that seemingly simple solution is not possible for the majority of businesses, which still use the platform for running Web-based Java applications, experts say.
Businesses were reminded of Java's problems on Monday, when Oracle released an emergency patch to fix two flaws in Java 7 and Java 6, including one hole that security experts warned last week was already being exploited by cybercriminals. Oracle acknowledged knowing about the more serious flaw since Feb. 1, but was unable to get a patch out sooner.
On the same day, a Polish security firm notified Oracle of five more vulnerabilities in the latest version of Java. Those flaws would be difficult to exploit, since they would have to be linked together to bypass Java's anti-exploit sandbox technology.
Nevertheless, Java has become a key target for criminals and a major headache for corporations. The fact that the technology is cross-platform has made matters worse, because malware can be written to infect Windows, Mac or Linux desktops and notebooks.
"Java has certainly moved to the forefront for many enterprises as far as patching and vulnerabilities are concerned," Wolfgang Kandek, chief technology officer for Qualys, said on Tuesday.
The reason businesses cannot remove the distressing Java from browsers is because many organizations run Web-based internal business applications that require the technology.
[Also see: Oracle speeds up Java patching cycle]
"Disabling Java in browsers would break access to these applications," said Chenxi Wang, an analyst for Forrester Research. "For that reason, not many have gotten rid of Java in their environment, despite the fact that Java has been the target of mass market malware exploits for years."
In addition, the technology IT administrators use for enforcing corporate policies does not include disabling or enabling Java for specific people in an organization. "This lack of enterprise controls is causing major heartburn for IT teams," said Andrew Storms, director of security operations for nCircle.
Besides not having an easy off-switch, some organizations are just plain slow at upgrading Java plug-ins. "Some have only just added it to their patching regimes,"said Glenn Chisholm, chief security officer of Cylance.
Many companies are starting to tackle the Java problem. Some are looking at application virtualization to provide Java in a browser for a single session, which is then destroyed and recreated when needed again, Chisholm said.
Security vendors are also providing help. Kandek recommends setting up whitelisting within Internet Explorer, so only pre-approved applications can run. Dan Guido, a consultant with iSec Partners, has posted an hour-long YouTube video that shows how to automatically switch between Chrome for browsing the public Internet and IE for accessing internal applications.
Such creativity is the direction organizations will need to go to avoid a Java-caused security breach. "Java is proving to be the gift that keeps on giving for attackers," Storms said.
Read more about application security in CSOonline's Application Security section.