Java in the Cross-Hairs of Enterprise Security

Wednesday, September 26, 2012

Rafal Los


Enterprises seem to have a rather obvious love-hate relationship with our old pal Java. It's a fat client we aren't thrilled with, but when it comes to cross-platform use there aren't really any other great alternatives right now.  

In fact, if you look around you'll find that many of the security device management platforms are written in what? Java.

Recently a big bomb dropped as yet another Java 0-day was unleashed on the world: CVE-2012-4681.  It was reported in OSVDB [8/1/012], and immediately had coverage in Dave Kennedy's SET (Social-Engineer Toolkit) and Metasploit.  This means that everyone now has working exploit code for a critical flaw that exists on virtually every desktop in the enterprise.

Cue the lamentation.

Perhaps one odd positive note for those, like me, who are still on Java 6 and haven't updated to Java 7, is that you're safe... so in an odd way not updating to the latest Java release actually saves your skin from an issue that has no resolution right now.

Impact Assessment

Let's take a quick look at impact to your enterprise.

Java comes bundled with lots of software packages that require a heavy client. Whether you're doing data access, something that requires local filesystem access, or other 'heavy' client tasks... Java shows up all over the place.

The problem is that many of these software packages, whether they're a financial management package or the console for a security device, require a specific version of Java, and that version is often outdated.

Step 1 is to figure out what version of Java you're on.  I suggest this link on Oracle's site (since you know it's legit, mostly...).  Apparently my system is running the latest and greatest version, thanks to our enterprise security team, which makes this box vulnerable.

Luckily (this is sarcasm) Java can, and likely does, exist in multiple versions on any machine... which makes this even more fun.  Wait... jre1.5.0_10.... how did that get on there?!
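To make Step 1, and the hunt for stray installs like that jre1.5.0_10, repeatable across a fleet instead of one box at a time, here is an added example (mine, not the author's, and not an Oracle tool) that inventories every JRE under the usual install roots and flags the ones in the range CVE-2012-4681 affects. It assumes the published fix boundary (Java 7 through Update 6 is affected; Java 7 Update 7 and later carry Oracle's fix; Java 6 and 5 do not have this particular bug), Oracle's "1.7.0_06" version-string format, a list of common default install directories, and a constructed sample inventory so the classification part runs offline.

```python
"""Inventory installed JREs and flag those in the CVE-2012-4681 affected range.

Added example, not part of the original post or any Oracle tooling.
Assumptions:
  * CVE-2012-4681 affects Java 7 (1.7.0) up to and including Update 6;
    Oracle's fix shipped in Java 7 Update 7.  Java 6 and 5 do not have this bug
    (which says nothing about the unrelated bugs those old releases carry).
  * Version strings follow Oracle's "1.7.0_06" form, as printed by `java -version`.
  * INSTALL_ROOTS are common default locations; SAMPLE_INVENTORY is constructed.
"""
import os
import re
import subprocess
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, micro, update)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")

INSTALL_ROOTS = [
    r"C:\Program Files\Java",
    r"C:\Program Files (x86)\Java",
    "/usr/lib/jvm",
    "/Library/Java/JavaVirtualMachines",
]

# Constructed sample: what a scan might find on a desktop like the one described above.
SAMPLE_INVENTORY = [
    (r"C:\Program Files\Java\jre7", 'java version "1.7.0_06"'),
    (r"C:\Program Files\Java\jre6", 'java version "1.6.0_33"'),
    (r"C:\Program Files (x86)\Java\jre1.5.0_10", 'java version "1.5.0_10"'),
    (r"C:\Program Files\Java\broken", "Error: could not open jvm.cfg"),
]


def parse_java_version(text: str) -> Optional[Version]:
    """Pull (major, minor, micro, update) out of a version string or `java -version` banner."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, micro, update = m.groups()
    return int(major), int(minor), int(micro), int(update or 0)


def affected_by_cve_2012_4681(version: Version) -> bool:
    """True for Java 7 releases below Update 7 (the first build carrying Oracle's fix)."""
    major, minor, _micro, update = version
    return (major, minor) == (1, 7) and update < 7


def assess(inventory: Iterable[Tuple[str, str]]) -> List[dict]:
    """Classify each (path, version_text) pair; unparseable output is reported, not skipped."""
    report = []
    for path, text in inventory:
        version = parse_java_version(text)
        report.append({
            "path": path,
            "version": version,
            # None means "could not tell": treat it as a finding, never as safe.
            "affected": None if version is None else affected_by_cve_2012_4681(version),
        })
    return report


def java_binaries(roots: Iterable[str] = INSTALL_ROOTS) -> Iterable[str]:
    """Yield every bin/java (or java.exe) below the given install roots."""
    for root in roots:
        if not os.path.isdir(root):
            continue
        for dirpath, _dirnames, filenames in os.walk(root):
            if os.path.basename(dirpath) != "bin":
                continue
            for name in ("java", "java.exe"):
                if name in filenames:
                    yield os.path.join(dirpath, name)


def query_version(java_path: str) -> str:
    """Run `java -version`; the JVM prints the banner on stderr."""
    try:
        proc = subprocess.run([java_path, "-version"], capture_output=True,
                              text=True, timeout=15)
    except (OSError, subprocess.SubprocessError):
        return ""
    return proc.stderr or proc.stdout


def scan_installed(roots: Iterable[str] = INSTALL_ROOTS) -> List[dict]:
    """Live scan of this machine: every JRE found under the roots, classified."""
    return assess((path, query_version(path)) for path in java_binaries(roots))


STATUS = {True: "AFFECTED", False: "not affected by CVE-2012-4681", None: "could not determine"}


def format_report(report: List[dict]) -> str:
    lines = []
    for entry in report:
        ver = entry["version"]
        ver_s = "unknown" if ver is None else "%d.%d.%d_%02d" % ver
        lines.append(f"{entry['path']}: {ver_s} -> {STATUS[entry['affected']]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Sample inventory:")
    print(format_report(assess(SAMPLE_INVENTORY)))
    print("\nThis machine:")
    live = scan_installed()
    print(format_report(live) if live else "no JRE found under the default install roots")
```

Two design points worth noting: a JRE whose version cannot be read is reported as a finding rather than silently dropped, because a half-broken install is exactly the kind of thing that lingers unpatched; and "not affected" is scoped to this one CVE, so a 1.5.0_10 showing up as not affected is still a removal candidate, not a pass.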

Of course, you can't expect your end-users to maintain Java on their own enterprise-wide, so there are systems management tools that help you keep current (or at least updated) on Java in your enterprise.  The issue, of course, is what you do when you have an enterprise application that relies on a version of Java with known issues.

Worse still, as I was looking for examples to share with you, one of my industry colleagues who always complains about Java compatibility issues with security tools shared with me a few nuggets of knowledge from his daily life.  For example, security tools like Rapid7's NeXpose, BlueCoat's SG proxies, and several McAfee products have awful, old Java management interfaces.  This doesn't bode well for security administrators who also browse the Internet.

You could, of course, turn Java off on your system, browser by browser... or you could uninstall it.  It appears that in Internet Explorer, Java may be a little difficult to get rid of.  What's interesting is that I wonder how many people have the "Insecure JRE versions" setting configured... and why the current version of Java doesn't prompt you, especially since there are known exploits out there for it.  Hello, Oracle?

So we're back to uninstalling Java to make your system safe for users who browse the Internet.  This is not a viable solution, especially if they have a requirement to use Java to access enterprise applications, partner/customer portals, or management tools.

The irony is perhaps that security administrators are the high-value targets here. Odds are you're running Java to either run a security tool or manage a console somewhere... and you can't divorce yourself from the Internet.  Check to see if you're running OWASP ZAP, Burp Suite, or the widely used free development IDE Eclipse: all three are Java applications.

Remember, even if you never use Java in a browser (say, you only use it to manage a security tool) and instead run it in its own JVM, you can still be exploited, because CVE-2012-4681 is delivered through the browser plug-in and the JRE installer registers that plug-in in your browsers by default!  Your only option is a multi-browser strategy (manage devices using Java in IE, while remembering never to use IE on the Internet...?).  This doesn't seem like a tenable or viable long-term approach to security.

So... I've gone and disabled Java on all my systems, and have told people I know that aren't technical to simply uninstall it if it's on their machines.  With Java being actively exploited, difficult to update, and HTML5 coming fast (no doubt with its own proven security issues)... is the life-span for Java limited?

Additional Links:

Cross-posted from Following the White Rabbit

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
