The Latest in IT Security

Java Considered Harmful

22 Dec 2011

Do you need Java in your web browser? Seriously, do you? If not, get rid of it.

Turns out, most users don’t need Java any more, yet people keep running it.

Do not confuse Java with JavaScript: it’s hard to use the web without JavaScript. But JavaScript has nothing to do with Java.

The risks of Java are nicely illustrated by the recent Java Rhino vulnerability (aka CVE-2011-3544). If you’re running Java, but not the latest version, you’re vulnerable. So either you have to check at all times that you have the latest version of Java — or get rid of it altogether.

And the Java Rhino vulnerability is not theoretical: the most common exploit kits have incorporated this vulnerability in their default exploits, and it seems to be working very well for the online criminals.

Here’s a sample screenshot from a Blackhole exploit kit control panel. In this picture we can see 16,144 computers which were taken over with the CVE-2011-3544 vulnerability.

Blackhole exploit kit

So, ditch Java if you can. It might not be as painful as you think, as Larry Seltzer found out when he tried it.

Do you need Java for a specific web application, such as an online bank or an intranet app? Leave Java on your system but remove the Java plugin from your daily browser. Then keep another browser that you use only for this one service.

Also note that Chrome has been doing a good job in sandboxing or otherwise securing risky add-ons and extensions. Many Java exploits do not work against Chrome. Chrome also does not use an Adobe Reader plugin to render PDF files. This is good news, as Chrome is quickly becoming the most common browser on the planet.
