With what seems like a noticeable increase in ways to exploit Java recently, should enterprises revisit their policies...
regarding the use of Java? Has Java essentially become too dangerous for the average end user unless there's a specific business case?
Ask the Expert!
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Enterprises should revisit their policies regarding the use of the Java Runtime Environment (JRE), given the difficulty that often comes with updating the software. Enterprises might want to include other software they install by default in addition to a JRE security policy analysis. Given that many Windows computers, and increasingly other operating systems, are exploited regularly via the JRE, using the JRE might now be too risky for some enterprises. If an enterprise cannot effectively deploy updates of the JRE, the software should not be installed.
Microsoft reports (.pdf) that JRE vulnerabilities were among the most commonly exploited software flaws in the first half of 2011. Oracle, for example, continues to patch the JRE, but its systems are still commonly exploited via Java vulnerabilities. Oracle and its customers would be well-served to include new functionality options for silently patching systems as Google is doing for Chrome and Microsoft is going to start doing for Internet Explorer. Auto-patching could be problematic for enterprises with mission-critical software that requires specific versions of the JRE, so enterprises should log bug reports or feature requests with the vendors in order for them to support secure versions of the JRE. Enterprises should also log requests with their vendors if the vendor software requires an insecure and outdated JRE.
The Java programming language and server-side components have not been exploited to install malware on client systems and are not a concern for client systems. Enterprises should not proactively install Java, or most other software, unless there is a specific business case. Minimizing the software installed on endpoints helps reduce the effort required to keep clients updated and secure.
Dig Deeper on Web application and API security best practices
Related Q&A from Nick Lewis
The OurMine hacking group recently used DNS poisoning to attack WikiLeaks and take over its web address. Learn how this attack was performed from ...continue reading
Typosquatting was used by threat actors to spread malware in the NPM registry. Learn from expert Nick Lewis how this method was used and what it ...continue reading
Threat actors are using phishing email campaigns to fool users with tech support scams and fake Blue Screens of Death. Learn how these campaigns work...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.