Enterprises seem to have a rather obvious love-hate relationship with our old pal Java. It's a fat client we aren't thrilled with, but when it comes to cross-platform use there aren't really any other great alternatives right now.
In fact, if you look around you'll find that many of the security device management platforms are written in what? Java.
Recently a big bomb dropped as yet another Java 0-day was unleashed on the world, CVE-2012-4681. It was reported in OSVDB [8/1/012], and immediately had coverage in Dave Kennedy's SET (Social-Engineer Toolkit) and Metasploit. This means that everyone now has access to exploitation of a critical flaw that exists virtually everywhere in the enterprise.
Cue the lamentation.
Perhaps one odd positive note for those, like me, who are still on Java 6 and haven't updated to Java 7, is that you're safe... so in an odd way not updating to the latest Java release actually saves your skin from an issue that has no resolution right now.
Let's take a quick look at impact to your enterprise.
Java comes bundled with lots of software packages that require a heavy client. Whether you're doing data access, something that requires local filesystem access, or other 'heavy' client tasks... Java does show up all over the place.
The problem is that many of these software packages, whether they're a financial management package or managing a security device, require a specific version of Java which is often outdated.
Step 1 is to figure out what version of Java you're on. I suggest this link on Oracle's site (since you know it's legit, mostly...): http://www.java.com/en/download/installed.jsp Apparently my system is running the latest and greatest version, thanks to our enterprise security team, which is exactly what makes this box vulnerable.
Luckily (this is sarcasm) Java can, and likely does, exist in multiple versions on any machine... which makes this even more fun. Wait... jre1.5.0_10.... how did that get on there?!
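The version check above only tells you about the JRE your browser picks up; the post's point is that several JREs usually coexist on one box (that stray jre1.5.0_10). The script below is an added example, not code from the original post: it parses `java -version` banners and the names of install directories (jre1.5.0_10, jdk1.7.0_06, jre7), lists every runtime it finds, and flags the Java 7 branch as the one affected by CVE-2012-4681 while treating Java 6 as unaffected, as the post states. The search roots are the common vendor install locations and are assumptions; the `fixed_update` threshold is a placeholder for the update level at which a vendor fix lands (none existed when the post was written), so it defaults to "no fix known". The sample banner and directory names in the test are constructed.

```python
"""Inventory installed Java runtimes and triage them against CVE-2012-4681.

Added example for the post above, not Oracle's or the author's own tooling.
"""
import re
import subprocess
from pathlib import Path

# `java -version` banner, e.g. java version "1.7.0_06"
# (old 1.x numbering: second field = major release, _NN = update level)
VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')

# Install directory names: jre1.5.0_10, jdk1.7.0_06, or the short form jre7
DIR_RE = re.compile(r'^(?:jre|jdk)1\.(\d+)\.\d+(?:_(\d+))?$|^(?:jre|jdk)(\d+)$')

# Assumed default install roots (Windows, Linux distros, macOS); adjust per estate.
DEFAULT_ROOTS = [
    r"C:\Program Files\Java",
    r"C:\Program Files (x86)\Java",
    "/usr/lib/jvm",
    "/Library/Java/JavaVirtualMachines",
]


def parse_banner(text):
    """Return (major, update) from `java -version` output, or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def parse_dirname(name):
    """Return (major, update) from an install directory name, or None."""
    m = DIR_RE.match(name)
    if not m:
        return None
    if m.group(3):                      # short form "jre7": update unknown
        return int(m.group(3)), 0
    return int(m.group(1)), int(m.group(2) or 0)


def classify(major, update, fixed_update=None):
    """Triage one runtime. Per the post, Java 7 is the branch hit by the 0-day
    and Java 6 is not; fixed_update is a placeholder for a future vendor fix."""
    if major == 7:
        if fixed_update is not None and update >= fixed_update:
            return "patched (Java 7u%d at or above assumed fix level)" % update
        return "AFFECTED: Java 7 is the branch hit by CVE-2012-4681"
    if major == 6:
        return "not affected by CVE-2012-4681 (Java 6), still needs routine patching"
    if major > 7:
        return "newer branch (Java %d); consult the vendor advisory" % major
    return "end-of-life release (Java %d); should not be installed at all" % major


def default_java_banner():
    """Run `java -version` on PATH; it prints to stderr. Empty string if absent."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
        return proc.stderr + proc.stdout
    except OSError:
        return ""


def scan_roots(roots=DEFAULT_ROOTS):
    """Collect (path, dirname) pairs for every child of each existing root."""
    hits = []
    for root in roots:
        p = Path(root)
        if p.is_dir():
            hits.extend((str(c), c.name) for c in sorted(p.iterdir()) if c.is_dir())
    return hits


def inventory(banner, dir_entries, fixed_update=None):
    """Pure triage step: returns [(location, (major, update), verdict), ...]."""
    found = []
    v = parse_banner(banner)
    if v:
        found.append(("default `java` on PATH", v))
    for location, name in dir_entries:
        v = parse_dirname(name)
        if v:
            found.append((location, v))
    return [(loc, v, classify(v[0], v[1], fixed_update)) for loc, v in found]


if __name__ == "__main__":
    for loc, (major, update), verdict in inventory(default_java_banner(), scan_roots()):
        print("%-45s Java %du%-3d %s" % (loc, major, update, verdict))
```

Run it on each admin workstation (it is the security administrators the post singles out) and feed the output to whatever systems-management tool you use for Java; a box can report "not affected" for the JRE on PATH and still carry an affected Java 7 install in a second directory, which is why the directory scan is separate from the banner check.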
Of course, you can't expect your end-users to maintain Java on their own enterprise-wide, so there are systems management tools that help you keep current (or at least updated) on Java in your enterprise. The issue is of course what do you do when you have an enterprise application that relies on a version of Java that has issues?
Worse still, as I was looking for examples to share with you, one of my industry colleagues who always complains about Java compatibility issues with security tools shared with me a few nuggets of knowledge from his daily life. For example, security tools like Rapid7's NeXpose, Blue Coat's SG proxies, and several McAfee products have awful, old Java management interfaces. This doesn't bode well for security administrators who also browse the Internet.
You could, of course, turn Java off on your system, browser by browser... or you could uninstall it. It appears that in Internet Explorer Java may be a little difficult to get rid of. What's interesting is I wonder how many people have the "Insecure JRE versions" setting in the Java Control Panel configured... and why the current version of Java doesn't prompt you, especially since there are known exploits out there for it? Hello, Oracle?
So we're back to uninstalling Java to make your system safe for users who browse the Internet. This is not a viable solution, especially if they have a requirement to use Java to access enterprise applications, partner/customer portals, or management tools.
The irony is perhaps that security administrators are the high-value targets here. Odds are you're running Java to either run a security tool or manage a console somewhere... and you can't divorce yourself from the Internet. Check to see if you're running OWASP ZAP, Burp Proxy, or the widely used free development IDE Eclipse!
Remember, just because you're not using Java in a browser (to manage a security tool) but rather in its own JVM, you can still be exploited, because Java installs itself into your browsers as a plug-in by default! Your only option is a multi-browser strategy (manage devices using Java in IE, while remembering never to use IE on the Internet...?). This doesn't seem like a tenable or viable option for a long-term approach to security.
So... I've gone and disabled Java on all my systems, and have told people I know that aren't technical to simply uninstall it if it's on their machines. With Java being actively exploited, difficult to update, and HTML5 coming fast (no doubt with its own proven security issues)... is the life-span for Java limited?
- Forbes says "Disable Java!" - http://www.forbes.com/sites/andygreenberg/2012/08/27/disable-java-in-your-browser-to-avoid-a-nasty-n...
- Mozilla advocates disabling Java (via Michael Coates, Twitter) - https://blog.mozilla.org/security/2012/08/28/protecting-users-against-java-security-vulnerability/
- Great post from Immunity (Dave Aitel's outfit) on the vulnerability details - http://immunityproducts.blogspot.com.ar/2012/08/java-0day-analysis-cve-2012-4681.html
Cross-posted from Following the White Rabbit