Skip Links

7 steps to securing Java

Warnings from Homeland Security should prompt security pros to harden enterprise nets against Java-based exploits

By Susan Perschke, Network World
May 14, 2013 10:51 AM ET

Network World - Java, the popular OS-independent platform and programming language, runs on just about every kind of electronic device imaginable, including computers, cell phones, printers, TVs, DVDs, home security systems, automated teller machines, navigation systems, games and medical devices.

In response to successful Java-based exploits against companies like Twitter, Facebook, Apple and Microsoft, and continued concern over “zero-day” security flaws that could allow an attacker to remotely execute malicious code that could compromise vulnerable systems., the U.S. Department of Homeland Security's Computer Emergency Readiness Team (CERT) has issued multiple security advisories concerning Java.

In the advisories issued to date, DHS recommends disabling Java in web browsers. In response, Oracle, which took over Java when it bought Sun, has released a number of patches, some out-of-band (earlier than scheduled), and in a recent patch made changes to how Java applets are handled within web browsers.  

In general, warnings potential security threats are nothing new and most network security managers consider them to be part of the daily IT landscape. The usual solution is to patch systems with vendor-supplied updates and follow vendor recommendations for best practices. However in this case, the advice to disable or uninstall the product, issued not by the vendor, but instead by governmental authorities and other third parties, creates an unusual set of challenges for organizations.

So, here are seven steps you can take to protect your network against Java-based exploits. Given its ubiquity, completely removing Java is probably out of the question for most organizations. But here’s a seven-step action plan that won’t necessarily guarantee security, but will help mitigate threats by creating awareness, hardening systems and reducing attack vectors.

1.  Perform an impact analysis

A good starting point is to identify where and how Java is used both inside and outside the organization. Does your organization provide Java-dependent applications that are accessed by vendors, clients and/or the general public? Unless you have already taken steps to limit the use of Java, you most likely will find it present in most Internet browsers, as part of the OS (especially certain versions of Mac OS) and in any number of popular applications. The latter is probably going to be the biggest unknown as a vast number of commercial and open source software applications are built on the Java platform. Start by ferreting out which applications use Java. Is the app business-critical? Knowing the full scope of your organization’s dependence upon Java-based apps and platforms is a necessary prerequisite to controlling risks.  

[ALSO: 15 free security tools you should try]

2.  Keep Java updated and patched at all times

It is of paramount importance to keep all computers and devices up to date with the latest version of Java. Oracle supports only the latest version – no security patches are available for previous versions. Obtain updates directly from Oracle to reduce the risk of code injection. Another important step is to uninstall older versions of Java manually, as simply installing the latest version does not necessarily ensure that older versions are removed. Consider limiting the use of Java-based apps to virtual machines that can be started up when needed and left unpowered when not.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News