Six ways to protect against the latest Java vulnerability
Security researchers proposed several methods to protect computers from being compromised via a new Java vulnerability
IDG News Service - Security researchers have proposed several methods for users to protect their computers from ongoing attacks that target a new and yet-to-be-patched vulnerability in all versions of Java Runtime Environment 7.
Most of the proposed solutions have drawbacks or are applicable only to certain system configurations and environments. However, the hope is that in the absence of an official patch from Oracle users will be able to use one or a combination of them in order to reduce the risk of their systems being compromised.
Researchers from security firm FireEye announced the existence of the new Java vulnerability on Sunday and reported that it's being exploited in limited targeted attacks.
A working proof-of-concept exploit appeared online the next day and was integrated into Metasploit, an open-source security testing tool used by many penetration testers.
The new vulnerability is considered extremely critical and can be exploited to execute malicious code on a system by simply visiting a maliciously crafted Web page from a Web browser that has the Java plug-in enabled.
The only recommendations that most security professionals have given to users in order to protect their systems from attacks targeting this vulnerability was to uninstall Java or at least disable the Java Web plug-in from their browsers.
Instructions on how to do the latter for the most popular Web browsers are detailed in an advisory published by the United States Computer Emergency Readiness Team (US-CERT) on Monday.
This is probably the most effective method of mitigating the risks associated with the Java new vulnerability or similar ones that might be discovered in the future.
However, it has the drawback of not being practical in some environments, especially business ones where Java-based Web applications are necessary for important operations.
"Most consumers never need Java, but many corporate users require it for things like GoTo Meeting and WebEx," Chester Wisniewski, senior security adviser at antivirus vendor Sophos, said Tuesday via email. "In a corporate environment you may be able to control JavaW.exe and make sure it will only execute certain applets or contact known good IP ranges for services you use that require Java."
Another solution was proposed by Wolfgang Kandek, the chief technology officer at security vendor Qualys, and consists of using the Zone-based security mechanism of Internet Explorer to in order to restrict which websites that can load Java applets.
Users can forbid the use of Java in the Internet Zone by setting the Windows registry key 1C00 to 0 under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 and allowing Java only on whitelisted websites in the Trusted Zone, Kandek said Monday in a blog post.
Meanwhile, users of Google Chrome and Mozilla Firefox can achieve a similar result by enabling the click-to-play feature that blocks plug-in-based content from loading by default and asks for user confirmation. The feature allows website white-listing.
- Gartner Magic Quadrant for Client Management Tools The client management tool market is maturing and evolving to adapt to consumerization, desktop virtualization, and an ongoing need to improve efficiency.
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Preparing Your Infrastructure for the Hyperconvergence Era From cloud computing and virtualization to mobility and unified communications, an array of innovative technologies is transforming today's data centers.
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users? All Desktop Apps White Papers | Webcasts