Zero-day exploits attacking Java have become commonplace, leading some experts to recommend disabling Java whenever possible. But others have begun pointing to whitelisting as a means of protecting corporate environments without having to give up Java-enabled applications or conduct detailed assessments of whether the platform plays a meaningful role.
"The reason people are recommending that Java be removed is because they have very low confidence that Oracle is going to change their approach to security," said Chet Wisniewski, senior security advisor at Sophos.
"Microsoft recognized that they needed to invest in security, and they turned their situation around. Adobe had a similar issue with Acrobat Reader, but they seem to be cleaning that up, too. But we're not seeing that with Oracle. They currently patch Java three times a year, which is an extremely strange cycle. And even though the zero-days come along frequently, they don't seem very motivated to fix them. Instead of holding off until February, they should probably issue patches every month."
A Java exploit is in the news again this week. Noted security blogger Brian Krebs published a blog post describing underground attempts to sell a zero-day exploit "that attackers can use to remotely seize control over systems running the program."
The vulnerability in Java JRE 7 Update 9 is apparently being marketed through an invitation-only forum to which Krebs claims access. Krebs quotes the hacker as saying, "I will only sell this ONE TIME and I leave no guarantee that it will not be patched so use it quickly." The price was undisclosed but is believed to be in the five-figure range.
Krebs is among the industry insiders who have called for the removal of Java from systems that do not specifically need it. Alternatively, he suggests a "two-browser" approach in which Java, when necessary, is managed from a browser not normally in use.
But Wisniewski suggests that the key to keeping the network safe while still using Java may lie in using the firewall to limit Java functionality to known, sanctioned applications.
"In the '90s it was really popular to use Java, but a lot of the functionalities have been built into more basic things like HTML 5, for example. In the corporate environment, you can configure a firewall to control what Java can talk to, and thereby defend against zero-day drive-bys. So if you know your company uses GoToMeeting, or uses ADP payroll services, both of which use Java, then you can block it from supporting anything but those two things. But when you find yourself on badguy.ru, you don't want Java loading."
Such whitelisting tactics have grown in popularity in recent years, driven by the need to protect IT resources from a rapidly growing array of threats being leveled against them.
"We've been using firewalls for years as if everything from the outside coming in is bad, but we can go out and do anything we want," Wisniewski continued. "And that's really kind of silly. We need to control the outbound traffic because the data is getting stolen on the way out. It's because we're going out to a bad website and pulling back the content."
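The application-aware egress allowlist Wisniewski describes (Java may reach only sanctioned destinations; everything else it requests is blocked and logged) can be sketched as a policy evaluator. This is an added example, not code from the article or from Sophos; the domains, process names and connection records are constructed for illustration, and the matching handles the lookalike-hostname case a naive suffix check gets wrong.

```python
# Added example: evaluate outbound connection attempts against a Java-only
# egress allowlist. All hostnames and sample records below are constructed.
from dataclasses import dataclass

# Sanctioned Java destinations (assumed names, standing in for the
# GoToMeeting and ADP services named in the article).
JAVA_ALLOWLIST = {"gotomeeting.com", "adp.com"}

# Process names treated as "Java" for policy purposes (assumption).
JAVA_PROCESSES = {"java", "java.exe", "javaw.exe", "javaws.exe"}

@dataclass
class Connection:
    process: str   # originating process, e.g. "javaw.exe"
    host: str      # destination hostname
    port: int

def host_allowed(host: str, allowlist: set[str]) -> bool:
    """True if host equals, or is a subdomain of, an allowlisted domain.

    The "." prefix in the suffix test is what keeps lookalikes such as
    'gotomeeting.com.badguy.ru' or 'evilgotomeeting.com' from passing.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowlist)

def evaluate(conn: Connection) -> tuple[str, str]:
    """Return (verdict, reason) for one outbound connection attempt."""
    if conn.process.lower() not in JAVA_PROCESSES:
        return ("allow", "non-Java process; outside this policy")
    if host_allowed(conn.host, JAVA_ALLOWLIST):
        return ("allow", f"sanctioned Java destination {conn.host}")
    return ("deny", f"Java egress to unsanctioned host {conn.host}")

# Constructed sample of outbound attempts (not real traffic).
SAMPLE = [
    Connection("javaw.exe", "global.gotomeeting.com", 443),
    Connection("java.exe", "payroll.adp.com", 443),
    Connection("java.exe", "badguy.ru", 80),
    Connection("javaw.exe", "gotomeeting.com.badguy.ru", 443),  # lookalike
    Connection("chrome.exe", "badguy.ru", 80),
]

def audit(conns: list[Connection]) -> list[str]:
    """Log every decision; return the denied hosts so they can feed an alert."""
    denied = []
    for c in conns:
        verdict, reason = evaluate(c)
        print(f"{verdict:5} {c.process:11} {c.host}:{c.port}  ({reason})")
        if verdict == "deny":
            denied.append(c.host)
    return denied

if __name__ == "__main__":
    audit(SAMPLE)
```

The denied list is the detection signal: a Java process reaching for an unsanctioned host is exactly the drive-by pattern the quote warns about, regardless of whether the exploit itself is known.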
PUBLISHED NOV. 28, 2012