
If You Can't Disable Java, What Can You Do?

With the latest zero-day vulnerability in Oracle, the most frequent advice is to dump Java. What if you can't? There are some alternative applications, but what do you do when you don't have a choice?

January 18, 2013

Java is under attack.

Not only from the black hats who are crafting drive-by-downloads, malicious attachments, and other attacks that exploit the vulnerabilities in the technology, but also from the white hats who argue that users shouldn't be using it at all. Even after Oracle patched the latest batch of zero-day vulnerabilities in Java, the Department of Homeland Security's Computer Emergency Readiness Team (US-CERT) recommended users turn Java off.

Much like Adobe's Flash, Java is a popular target because of its tremendously large installed base. If you really don't use websites that require Java, go ahead and dump it. We even have a nice set of instructions on how to disable Java within your browser.

But I Use Java!
Then, there are the rest of us who actually use Java on a regular basis.

"I doubt that anyone who pays attention to security advice is running Java, IE 6/7/8, et al. because they want to—we run these things because we have to, and the decision is out of our control," security guru Jack Daniel wrote on Uncommon Sense Security.

When I looked around to see what applications used Java, I realized many popular desktop applications fit the bill, including the Office alternatives ThinkFree Office, LibreOffice, and OpenOffice, as well as popular games such as Minecraft. Several Adobe applications also require Java to run certain components. There is nothing to worry about here, as these are standalone Java applications, not the ones that run within the Web browser. If you followed our step-by-step instructions, you disabled Java only in the browser; local applications will still run fine.

But it turns out there are plenty of gaming sites and businesses that still use Java. Specialized banking services, such as Citi Private Bank, which combines investing and traditional banking into one account, appear to be one example. Cloud services such as Box.net power their bulk-file upload tools with Java. Citrix and Cisco both offer client-less SSL VPN products, which let users establish a secure, remote-access VPN tunnel using a Java-enabled Web browser.

Are you a student? Chances are your school uses Blackboard, which requires the latest version of the Java plugin to upload files and attachments, use the real-time chat feature Virtual Classroom, and to enable certain interactive features on the platform.

Pogo.com and KidsPlayPark.com offer online Java games. Many Pogo users, worried about the latest threats, appear to have replaced Java 7 with Java 6 (which Oracle will no longer support after February), according to posts on the user forums. Just so you know, that's a spectacularly bad idea. There are plenty of attacks that target outdated software; there is no need to risk a whole different set of attacks just to avoid the latest crop.

What Are the Alternatives for IT?
"If you have any business critical applications that require Java: try to find a replacement," SANS Institute's Johannes Ullrich wrote on the Internet Storm Center blog last week.

Web conference platforms appear to be the biggest roadblocks. Cisco's WebEx and Citrix GoToMeeting used to require Java, but both platforms have recently modified their applications to fall back to a different version if they can't find Java. Citrix said it was in the process of phasing out Java entirely. Others in the space, however, including MeetingBurner and Brother's OmniJoin, still use Java. Join.me, ClickMeeting and ReadyTalk are Flash-based.

Even though remote access tools used to be predominantly Java-based, there is a growing list of alternatives that can be used for tech support, Chet Wisniewski, security advisor for Sophos, told SecurityWatch. Remote desktop clients are also built into Mac OS X and Windows.

"For supporting my Mom and Dad, I use the free version of LogMeIn," he said. LogMeIn Free uses ActiveX.

What If I Can't Switch?
For many businesses, "there is no alternative," Thomas Kristensen, CSO of Secunia, told SecurityWatch. While it may be possible to replace some applications, in general, administrators will need to come up with other ways to protect their employees. One way to reduce the attack surface is to enable Java only for those who actually need it and disable it for everyone else, Kristensen said.

Instead of telling employees to stop using Java, organizations should focus on "bubble wrap" to protect users, Invincea's Anup Ghosh told SecurityWatch. Users can surf the Web via a virtualized browser, and if they encounter any malicious sites, accidentally open a booby-trapped file, or try to download malware, the virtual environment would block the attack from running on the actual machine. The second the virtual browser is closed, the attack is removed. And best of all, a virtual browser would protect you from a wider range of threats, not just Java-based ones.

Users can adopt a two-browser system. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox. Then, enable Java in an alternative browser such as Chrome, IE9, Safari, etc., and browse only to sites that need Java and never for general Web surfing.

"It is best to enable Java in one browser and only use that browser for websites that will not function without it," said Wisniewski.

Attackers like to change targets—Flash, Internet Explorer, Adobe Reader. "Everyone has a zero-day at one time or another," Metafore's Rob VandenBrink wrote on the Internet Storm Center.

Disabling Java is just one way to defend against Web threats, but not a universal solution. Organizations can limit their exposure and adopt security practices, such as Web filtering and having users run with limited privileges, to block attacks, he said.

"Stop finger pointing and making blanket recommendations that can't be followed," VandenBrink wrote.

For more from Fahmida, follow her on Twitter @zdFYRashid.


About Fahmida Y. Rashid


Fahmida Y. Rashid is a senior analyst for business at PCMag.com. She focuses on ways businesses can use technology to work efficiently and easily. She is paranoid about security and privacy, and considers security implications when evaluating business technology. She has written for eWEEK, Dark Reading, and SecurityWeek covering security, core Internet infrastructure, and open source. Follow me on Twitter: zdfyrashid
