With what seems like a noticeable increase in ways to exploit Java recently, should enterprises revisit their policies...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
regarding the use of Java? Has Java essentially become too dangerous for the average end user unless there's a specific business case?
Ask the Expert!
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Enterprises should revisit their policies regarding the use of the Java Runtime Environment (JRE), given the difficulty that often comes with updating the software. Enterprises might want to include other software they install by default in addition to a JRE security policy analysis. Given that many Windows computers, and increasingly other operating systems, are exploited regularly via the JRE, using the JRE might now be too risky for some enterprises. If an enterprise cannot effectively deploy updates of the JRE, the software should not be installed.
Microsoft reports (.pdf) that JRE vulnerabilities were among the most commonly exploited software flaws in the first half of 2011. Oracle, for example, continues to patch the JRE, but its systems are still commonly exploited via Java vulnerabilities. Oracle and its customers would be well-served to include new functionality options for silently patching systems as Google is doing for Chrome and Microsoft is going to start doing for Internet Explorer. Auto-patching could be problematic for enterprises with mission-critical software that requires specific versions of the JRE, so enterprises should log bug reports or feature requests with the vendors in order for them to support secure versions of the JRE. Enterprises should also log requests with their vendors if the vendor software requires an insecure and outdated JRE.
The Java programming language and server-side components have not been exploited to install malware on client systems and are not a concern for client systems. Enterprises should not proactively install Java, or most other software, unless there is a specific business case. Minimizing the software installed on endpoints helps reduce the effort required to keep clients updated and secure.
Dig Deeper on Web Application Security
Related Q&A from Nick Lewis
The BENIGNCERTAIN exploit affects certain versions of Cisco systems using the IKEv1 protocol. Expert Nick Lewis explains what the protocol does and ...continue reading
Enterprises with open FTP servers are being targeted by Miner-C malware for crypto coin mining activities. Expert Nick Lewis explains how enterprises...continue reading
MedSec and Muddy Waters Capital revealed serious flaws in IoT medical devices manufactured by St. Jude Medical. Expert Nick Lewis explains the ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.