With what seems like a noticeable increase in ways to exploit Java recently, should enterprises revisit their policies regarding the use of Java? Has Java essentially become too dangerous for the average end user unless there's a specific business case?
Enterprises should revisit their policies regarding the use of the Java Runtime Environment (JRE), given the difficulty that often comes with updating the software. Enterprises might want to extend the same security policy analysis to the other software they install by default. Given that many Windows computers, and increasingly other operating systems, are exploited regularly via the JRE, using the JRE might now be too risky for some enterprises. If an enterprise cannot effectively deploy updates of the JRE, the software should not be installed.
Microsoft reports that JRE vulnerabilities were among the most commonly exploited software flaws in the first half of 2011. Oracle continues to patch the JRE, but systems running it are still commonly exploited via Java vulnerabilities. Oracle and its customers would be well served by an option to patch the JRE silently, as Google is doing for Chrome and Microsoft is going to start doing for Internet Explorer. Auto-patching could be problematic for enterprises with mission-critical software that requires specific versions of the JRE, so enterprises should log bug reports or feature requests with those vendors so that their software supports secure versions of the JRE. Enterprises should also log requests with their vendors whenever vendor software requires an insecure, outdated JRE.
The Java programming language and server-side Java components have not been exploited to install malware on client systems and are not a concern for client systems. Enterprises should not proactively install Java, or most other software, unless there is a specific business case. Minimizing the software installed on endpoints reduces the effort required to keep clients updated and secure.
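The policy above (no JRE without a business case, no JRE that cannot be kept updated, and a vendor request wherever an approved application pins an old version) can be turned into a repeatable inventory check. The following is an added example, not part of the answer above; it assumes a constructed inventory of hostnames, installed JRE version strings and approved exception notes, and it also accepts the newer "11.0.2" version format, which goes beyond the 2011 context of the answer.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Legacy strings look like "1.6.0_26" (Java 6 update 26); "11.0.2" style is accepted too.
_LEGACY = re.compile(r"^1\.(\d+)\.(\d+)_(\d+)$")
_MODERN = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")

def parse_jre_version(text: str) -> Tuple[int, int, int]:
    """Normalise a JRE version string to (major, minor, update) so tuples compare."""
    s = text.strip()
    m = _LEGACY.match(s)
    if m:
        return (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    m = _MODERN.match(s)
    if m:
        major, minor, patch = (int(x) for x in m.groups())
        # "1.7.0" with no update suffix is legacy notation for Java 7 update 0
        return (minor, patch, 0) if major == 1 else (major, minor, patch)
    raise ValueError(f"unrecognised JRE version string: {text!r}")

@dataclass
class Endpoint:
    host: str
    jre: Optional[str]        # None when no JRE is installed
    exception: Optional[str]  # approved business case pinning a JRE version, if any

def audit(endpoints: Iterable[Endpoint], minimum: str) -> Dict[str, str]:
    """No JRE, or a JRE at/above the minimum, is compliant; an outdated JRE is a
    vendor request if an exception exists, otherwise a removal/update candidate."""
    floor = parse_jre_version(minimum)
    findings: Dict[str, str] = {}
    for e in endpoints:
        if e.jre is None:
            findings[e.host] = "compliant: no JRE installed"
        elif parse_jre_version(e.jre) >= floor:
            findings[e.host] = f"compliant: JRE {e.jre} meets minimum {minimum}"
        elif e.exception:
            findings[e.host] = f"vendor-request: {e.exception} pins outdated JRE {e.jre}"
        else:
            findings[e.host] = f"remove-or-update: outdated JRE {e.jre}, no business case"
    return findings

# Constructed sample inventory (hypothetical hosts and exception notes).
SAMPLE_INVENTORY = [
    Endpoint("ws-01", "1.6.0_26", None),
    Endpoint("ws-02", "1.7.0_02", None),
    Endpoint("ws-03", None, None),
    Endpoint("srv-app", "1.5.0_22", "ERP client needs 1.5.0_22, vendor ticket open"),
]
```

Running `audit(SAMPLE_INVENTORY, "1.6.0_29")` flags ws-01 for removal or update, leaves ws-02 and ws-03 compliant, and marks srv-app as a pending vendor request.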