More threads by David Baxter PhD

David Baxter PhD

Late Founder
Security Experts Recommend Long, Hard Look at Disabling Java Browser Plug-In
by Michael Mimoso
October 4, 2012

Is the Java browser plug-in the IT equivalent of the human appendix? Would you miss it if it were gone? Probably not, experts say, especially now that attackers are beating the Java sandbox with a rash of zero-day exploits.

“It's simply safer to have the Java plug-in disabled in the browser knowing that there is a security bug in it that could be potentially exploited to gain access to the system,” said Adam Gowdiak, CEO and founder of Security Explorations, a security consultancy in Poland. Gowdiak and his team discovered the latest zero-day in Java, this one in versions 5, 6 and 7 that would allow a complete sandbox escape and give an attacker full remote control of a compromised computer.

Gowdiak’s exploit was the second assault on Java in the last 45 days. A zero-day in Java 7 was discovered in late August and the exploit included the PoisonIvy remote access Trojan. With more than 1 billion Java installations on computers worldwide, there may not be a bigger, more vulnerable target than Java on browsers. Yet, relatively few websites require Java to view content. This is especially true for consumers, who often are less security savvy than their business counterparts. Business users are likely to feel more of an impact should Java be disabled, or abandoned altogether, because some mission-critical collaboration applications such as WebEx or GoToMeeting are built on Java.

“Java code runs on many devices, but is especially prevalent in internet browsers, such as Internet Explorer. This gives attackers targeting Java vulnerabilities direct access to their victims,” said Chris Valasek, senior security researcher with application security company Coverity. Valasek points out that most Java bugs aren’t similar to the memory corruption problems plaguing Windows and IE, for example. He said they are design logic or architectural issues that permit an attacker to run Java code on the machine as if it were a local command, and not from the Web.

“This permits actions not intended, such as starting other processes and writing to the disk,” Valasek said. “This ease-of-exploitation factor plays a major part in the Java vulnerabilities being exploited by attackers.”

Experts say disabling Java makes sense from a security standpoint; many don’t have the plug-in installed or have a dedicated browser installed just for when Java functionality is required, such as WebEx meetings.

“Most of the things that only Java could do a few years ago can now also be done with HTML5 and Flash Player,” said Atif Mushtaq, senior staff scientist at FireEye. “A vast majority of desktop users don't really need Java running inside their browsers.”

Marcus Ranum, a security pioneer, remembers the early days of Java and the rush to code business logic on top of Java despite known implementation flaws in the engine, he said. “When it first came out, it didn’t take long for guys like Ed Felten and Gary McGraw to start finding holes in Java,” Ranum said. “People should have said ‘wait a minute’ then.”

Companies coding mistakes on top of Java aren’t facing the same threats zero-days pose, but simple errors such as forgetting to require authentication or coding in a SQL injection bug, can open equally dangerous holes.

“What’s frustrating about Java is that it’s playing itself out exactly the way security experts predicted it would,” Ranum said. “I think organizations need to take a look at how much Java they’ve got. When was the last time you ran into a Java website? If you don’t have a Java engine installed, chances are you don’t miss it. The hard thing with Java is I know of a lot of enterprises with substantial investments in code on the backend all Java. Maybe they’ll think harder next time.”

Part of the frustration with Java security issues has to do with Oracle, which owns the Java code base since acquiring Sun in April 2009. Experts have been critical of Oracle’s patch cycles and the speed with which updates are made available, especially out of band.

“In my opinion if Oracle is really serious about the security of billions of end users they need to be more vigilant when it comes to fixing their software. You need a different mindset when dealing with a consumer product being used by the masses as compared to an enterprise software product,” said FireEye’s Mushtaq. “A patch cycle of a couple of months for enterprise software might be acceptable but, when it comes to Java running inside billions of browsers, the patching cycle should happen within weeks if not days. Needless to say, even if there is a delay for the final patch, at the least, mitigation techniques should be published immediately.”

Tod Beardsley, engineering manager for Rapid7 and Metasploit hopes the latest run of zero-days is a wake-up call for Oracle.

“If Oracle is going to take ownership of the platform, then take ownership and get on the stick,” Beardsley said. “The same thing happened to Microsoft with things like ActiveX. Now it’s Oracle’s turn. I’m sure they’ll get better too.”

With exploit modules written almost immediately for Metasploit, the time to exploits in the wild is very short for users.

“It is somewhat simpler to write a Java exploit,” said Beardsley. “You tend to not be dealing with complicated things like buffer overflows. You deal with things like escaping sandboxing, which is technically easier to approach.”

In the meantime, experts say shut down those Java plug-ins.

“Disabling Java in the Web browser seems to be a good idea for now,” Coverity’s Valasek said. “It seems right now that having the Java plug-in is a liability and its use should be limited if not completely avoided.”
 

MHealthJo

MVP, Forum Supporter
MVP
Hmm. I always thought of java as totally safe. This could explain the trojan i found on my laptop this morning and spent a good deal of time removing. :D

I'll be thinking differently in future! Gee I wonder who's now got all my passwords etc. :S
 

W00BY

MVP, Forum Supporter
MVP
Newer versions of firefox disable the java plugin automatically now, however another program being exploited a lot particularly at update level is adobe flash player,

I uninstalled and reinstalled both java and adobe recently as the memory usage on my computer was spiking, adobe also blue screened my entire system earlier in the year as it had not removed all the files from a previous backup correctly.

My anti virus has been very happy with java a few times in previous months.

I have learned ( for those using (firefox) to keep an eye on java's behavior and usage and be very careful it is the right site you are downloading from as there are quite a few professional clone sites out there now.

I also would suggest to anyone using firefox to keep all plug-ins to a minimum as the resources they use is massive and there are certainly loopholes to be exploited with a few of them, split browser being one that comes to mind.

I really like java in comparison to silverlight but nothing really these days is totally safe.
 

W00BY

MVP, Forum Supporter
MVP
My anti virus has been very "happy" with java a few times in previous months.

That should have read "unhappy".

It did turn out there was a bit of malware trying to install along with the java update.

I use both Malewarebytes and Spybot and always use an ad-block there are other great pieces of programming out there too that will protect your computer.

If ever in doubt always copy what you computer is wanting to do and Google it 9 times out of 10 someone will have the same problem or know whether it is safe or not.

Keep all plugins and programs up to date, I personally get peeved at being told to update stuff all the time but in the instance of the java issue that was because I had not updated it for a while and was running an old version of Firefox.
 
Replying is not possible. This forum is only available as an archive.
Top