With what seems like a noticeable increase in ways to exploit Java recently, should enterprises revisit their policies regarding the use of Java? Has Java essentially become too dangerous for the average end user unless there's a specific business case?
Ask the Expert!
Enterprises should revisit their policies regarding the use of the Java Runtime Environment (JRE), given the difficulty that often comes with updating the software. Enterprises might also want to extend a JRE security policy analysis to other software they install by default. Given that many Windows computers, and increasingly computers running other operating systems, are exploited regularly via the JRE, using the JRE might now be too risky for some enterprises. If an enterprise cannot effectively deploy updates of the JRE, the software should not be installed.
Microsoft reports that JRE vulnerabilities were among the most commonly exploited software flaws in the first half of 2011. Oracle continues to patch the JRE, but systems are still commonly exploited via Java vulnerabilities. Oracle and its customers would be well-served by options for silently patching systems, as Google is doing for Chrome and Microsoft is going to start doing for Internet Explorer. Auto-patching could be problematic for enterprises with mission-critical software that requires specific versions of the JRE, so enterprises should log bug reports or feature requests with the vendors so that they support secure versions of the JRE. Enterprises should also log requests with their vendors if the vendor software requires an insecure and outdated JRE.
The Java programming language and server-side components have not been exploited to install malware on client systems and are not a concern for client systems. Enterprises should not proactively install Java, or most other software, unless there is a specific business case. Minimizing the software installed on endpoints helps reduce the effort required to keep clients updated and secure.
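The advice above assumes an enterprise knows which JRE versions are installed and can tell whether each one is current. The script below, an added example that is not part of the original answer and not Oracle's or Microsoft's tooling, shows the check a practitioner would run before deciding whether the JRE can be kept: it normalises both Java version schemes (the `1.7.0_51` style used through Java 8 and the `11.0.2` style used from Java 9 on) so that versions compare numerically rather than as strings, and flags endpoints whose JRE is below a per-release baseline or on a release line the enterprise has not approved at all. The hostnames, version strings and baseline versions are constructed for the example and are not recommendations; the registry path used for the optional Windows inventory is the one the Oracle JRE installer registers under, and is only read when the script runs on Windows.

```python
import re
import socket
from typing import Dict, List, Optional, Tuple

# Constructed sample inventory for this example: (hostname, JRE version string).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("ws-001", "1.7.0_51"),       # at baseline
    ("ws-002", "1.7.0_9"),        # below baseline, but sorts ABOVE 1.7.0_51 as a string
    ("ws-003", "1.8.0_171"),      # at baseline
    ("ws-004", "11.0.2"),         # new-style version number
    ("ws-005", "1.6.0_45"),       # release line not approved at all
    ("ws-006", "1.8.0_171-b11"),  # build suffix must not break parsing
    ("ws-007", "unknown"),        # unparseable, should be reviewed, not ignored
]

# Hypothetical minimum approved version per feature release (7, 8, 11).
# These are placeholders for the example, not a statement of which builds are safe.
BASELINES: Dict[int, str] = {7: "1.7.0_51", 8: "1.8.0_171", 11: "11.0.2"}

# "1.<feature>.<minor>_<update>" with an optional "-bNN" build suffix (Java <= 8)
_OLD_STYLE = re.compile(r"^1\.(\d+)\.(\d+)(?:_(\d+))?(?:-.*)?$")
# "<feature>[.<interim>[.<update>]]" with optional "-..." or "+build" (Java >= 9)
_NEW_STYLE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-+].*)?$")


def parse_java_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Normalise a JRE version string to (feature, interim, update) for numeric comparison.
    '1.7.0_51' -> (7, 0, 51); '11.0.2' -> (11, 0, 2). Returns None if the string
    is not a full version (e.g. the family alias key '1.7' or arbitrary text)."""
    text = text.strip()
    if text.startswith("1."):
        m = _OLD_STYLE.match(text)
        if not m:
            return None
        return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    m = _NEW_STYLE.match(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2) or 0), int(m.group(3) or 0))


def outdated(inventory: List[Tuple[str, str]],
             baselines: Dict[int, str]) -> List[Tuple[str, str, str]]:
    """Return (host, version, reason) for every endpoint that needs attention:
    unparseable version, unapproved feature release, or below that release's baseline."""
    parsed_baselines = {}
    for feature, version in baselines.items():
        parsed = parse_java_version(version)
        if parsed is None or parsed[0] != feature:
            raise ValueError(f"bad baseline for Java {feature}: {version!r}")
        parsed_baselines[feature] = parsed

    flagged = []
    for host, version in inventory:
        parsed = parse_java_version(version)
        if parsed is None:
            flagged.append((host, version, "unparseable version string"))
            continue
        baseline = parsed_baselines.get(parsed[0])
        if baseline is None:
            flagged.append((host, version, "feature release not in approved baselines"))
        elif parsed < baseline:  # tuple comparison, so 1.7.0_9 < 1.7.0_51 as intended
            flagged.append((host, version, f"below baseline {baselines[parsed[0]]}"))
    return flagged


def read_windows_registry() -> List[Tuple[str, str]]:
    """On Windows, list JRE versions registered under
    HKLM\\SOFTWARE\\JavaSoft\\Java Runtime Environment in both the 64-bit and
    32-bit registry views. Returns an empty list on other operating systems."""
    try:
        import winreg
    except ImportError:
        return []
    host = socket.gethostname()
    found = []
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                                 r"SOFTWARE\JavaSoft\Java Runtime Environment",
                                 0, winreg.KEY_READ | view)
        except OSError:
            continue  # no JRE registered in this view
        with key:
            index = 0
            while True:
                try:
                    name = winreg.EnumKey(key, index)
                except OSError:
                    break  # no more subkeys
                index += 1
                if parse_java_version(name) is not None:  # skip alias keys like "1.7"
                    found.append((host, name))
    return found


if __name__ == "__main__":
    inventory = read_windows_registry() or SAMPLE_INVENTORY
    for host, version, reason in outdated(inventory, BASELINES):
        print(f"{host}: JRE {version}: {reason}")
```

Run as-is, the script reports ws-002 (below the Java 7 baseline), ws-005 (Java 6 is not an approved line) and ws-007 (version could not be parsed), and accepts the rest. A naive string comparison would have passed ws-002, since "1.7.0_9" sorts after "1.7.0_51"; that is why the version is normalised to a tuple first. An unparseable version is flagged rather than skipped, because an endpoint the inventory cannot classify is exactly the one an update process has most likely missed.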