With what seems like a noticeable increase in ways to exploit Java recently, should enterprises revisit their policies...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
regarding the use of Java? Has Java essentially become too dangerous for the average end user unless there's a specific business case?
Ask the Expert!
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Enterprises should revisit their policies regarding the use of the Java Runtime Environment (JRE), given the difficulty that often comes with updating the software. Enterprises might want to include other software they install by default in addition to a JRE security policy analysis. Given that many Windows computers, and increasingly other operating systems, are exploited regularly via the JRE, using the JRE might now be too risky for some enterprises. If an enterprise cannot effectively deploy updates of the JRE, the software should not be installed.
Microsoft reports (.pdf) that JRE vulnerabilities were among the most commonly exploited software flaws in the first half of 2011. Oracle, for example, continues to patch the JRE, but its systems are still commonly exploited via Java vulnerabilities. Oracle and its customers would be well-served to include new functionality options for silently patching systems as Google is doing for Chrome and Microsoft is going to start doing for Internet Explorer. Auto-patching could be problematic for enterprises with mission-critical software that requires specific versions of the JRE, so enterprises should log bug reports or feature requests with the vendors in order for them to support secure versions of the JRE. Enterprises should also log requests with their vendors if the vendor software requires an insecure and outdated JRE.
The Java programming language and server-side components have not been exploited to install malware on client systems and are not a concern for client systems. Enterprises should not proactively install Java, or most other software, unless there is a specific business case. Minimizing the software installed on endpoints helps reduce the effort required to keep clients updated and secure.
Dig Deeper on Web Application Security
Related Q&A from Nick Lewis
Locky ransomware has, again, changed tactics by moving to using LNK files for distribution. Expert Nick Lewis explains how enterprises can adjust ...continue reading
Hajime malware was discovered to have links to the Mirai botnet that launched powerful DDoS attacks last year. Expert Nick Lewis explains how Hajime ...continue reading
Drammer, or a deterministic Rowhammer attack, was found to be more effective on ARM-based mobile devices. Expert Nick Lewis explains the issue with ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.