8

Concerning the recent Java vulnerability (Should I be disabling Java?), the most common advice seems to be to disable Java plug-ins in the browser.

However, Heise Security suggests that, when it comes to Internet Explorer, this might not be enough:

Tests carried out by our associates at heise Security found that Microsoft's flagship browser was still able to access the Java plugin even after it had been explicitly disabled. Users running IE are therefore advised to uninstall Java completely using the Add or Remove Programs option in Windows' Control Panel.

Is there really a known weakness by which a Java exploit could harm an IE user visiting a malicious website, even if the Java add-ons are disabled?

Heinzi
  • That article provides no reference to any test results or proof to that claim. I would highly recommended using an alternative browser anyway. – Hammo Jan 14 '13 at 08:47

2 Answers

7

My German is pretty rusty, but I'm pretty sure the article from Heise Security doesn't really say what the H-online article claims.

Unter Opera erreicht man die Plugin-Verwaltung durch die Eingabe von opera:plugins in die Adressleiste. Beim Internet Explorer genügt das Deaktivieren der Plug-ins unter "Add-Ons verwalten" nicht. Wer den IE einsetzt, sollte Java daher besser vollständig über Systemsteuerung/Software deinstallieren.

Which roughly translates to

The plugin manager for Opera can be accessed by typing opera:plugins in the address bar. For Internet Explorer, it is not sufficient to use "Manage Add-ons" for deactivation of Java plug-ins. Anyone that uses IE should completely uninstall Java via Control Panel / Programs.

IE doesn't allow you to completely disable the Java plugin from within the browser. Instead, you have to use a registry key to disable it properly. The article from Heise is hinting at this - simply turning off the plugin doesn't actually fully disable the embedded Java functionality in IE. I believe the Heise article writer was unaware of this registry trick, and that the H-online article writer just took the advice "as writ", without properly checking the facts.

So no, you don't need to uninstall it completely. Though I would certainly put it at the top of your list of stuff to uninstall if you can survive without it, considering the tirade of recent 0-days.

Polynomial
  • +1, thanks for your answer. After doing a bit more research myself, I found a similar H-online article with a reference to a CERT advisory, which contained more details. I've added my findings as a separate answer. – Heinzi Jan 14 '13 at 09:21
  • You don't have to uninstall it, but you also have to pray that it doesn't repair its registry key, hence Heise Security's recommendation that what ain't there ain't exploitable under IE. – Fiasco Labs Jan 14 '13 at 17:02
4

Disabling the add-ons is not enough.

CERT writes in one of its vulnerability notes:

Disable the Java plug-in and Java Deployment Toolkit for Internet Explorer

Disabling the Java plug-in for Internet Explorer is significantly more complicated than with other browsers. There are multiple ways for a web page to invoke a Java applet, and multiple ways to configure Java Plug-in support. Microsoft has released KB article 2751647, which describes how to disable the Java plug-in for Internet Explorer. However, we have found that due to the multitude of ways that Java can be invoked in Internet Explorer, their guidance (as well as our prior guidance) does not completely disable Java. However, we have provided a registry file that disables all of the CLSIDs provided by Java versions up through Java 7 Update 6, as well as blocks invocation of java through the element in the IE by setting the URLACTION_JAVA_PERMISSIONS flag for the "Internet Zone." If you wish to disable the element in other zones, you can modify the registry file to suit your needs. See Microsoft KB article 182569 for more details. In our testing, importing this registry file appears to prevent invocation of Java applets in Internet Explorer.

Thus, reliably disabling Java in IE seems only possible through disabling the add-ons and adding a bunch of kill-bit registry entries, as suggested in the link provided by @Polynomial. However, it seems like different Java versions have different kill-bit GUIDs, which would basically mean that this method only blacklists the currently known versions of the Java plugin, which might be fine if you just want to disable Java until a certain exploit is fixed. But it won't disable Java permanently.

However, starting with Java 7u10, there is a feature in the Java Control Panel which permanently disables Java in all browsers. Oracle itself describes this as the only way to disable Java in IE:

Internet Explorer

The only way to completely disable Java in Internet Explorer (IE) is to disable Java through the Java Control Panel as noted above.

Heinzi
  • Nice, didn't know about that new feature. Kinda funny that they had to add such a switch to their product as a result of all the 0days, though. – Polynomial Jan 14 '13 at 09:26
  • @Polynomial - Its likely Microsoft encourage such a thing to prevent a backlash of "Windows is insecure comments" from the "geek community". Oracle might be big but Microsoft still has some pretty big hands to direct people in the technology sector. – Ramhound Jan 14 '13 at 12:42
  • @Polynomial I suspect there also was pressure to do the same from various major corporate customers who have stand alone java applications for their employees; but don't use java applets and wanted to lock down that vulnerability without a lot of hoop jumping. – Dan Is Fiddling By Firelight Jan 14 '13 at 13:45
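The two registry-level controls the CERT note in the answer above describes, kill bits on the Java CLSIDs and the URLACTION_JAVA_PERMISSIONS setting for the Internet Zone, can be audited with a read-only PowerShell script. This is an added example, not code from the thread, CERT or Microsoft; the CLSID list is an assumption (replace it with the list from CERT's registry file), the 0x400 kill-bit flag and the "1C00" zone value name come from Microsoft's ActiveX Compatibility and KB182569 documentation.

```powershell
# Added audit script: reports whether IE would still be allowed to load Java.
# Read-only; run in an elevated PowerShell so HKLM keys are readable.

# Assumed CLSIDs for illustration only. Substitute the full list from CERT's
# registry file for the Java versions installed on the machine.
$JavaClsids = @(
    '{8AD9C840-044E-11D1-B3E9-00805F499D93}',   # legacy Java Plug-in class id
    '{CAFEEFAC-0017-0000-0006-ABCDEFFEDCBA}',   # Java 7 Update 6 (assumed)
    '{CAFEEFAC-0017-0000-FFFF-ABCDEFFEDCBA}'    # "latest Java 7" alias (assumed)
)

$KillBit  = 0x400   # Compatibility Flags bit: IE must never instantiate this control
$AxCompat = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Test-JavaKillBits {
    # One row per CLSID: Blocked is $true only if the key exists AND the kill bit is set.
    foreach ($clsid in $JavaClsids) {
        $key   = Join-Path $AxCompat $clsid
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Clsid   = $clsid
            Flags   = $flags
            Blocked = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        }
    }
}

function Get-JavaZonePermission {
    # URLACTION_JAVA_PERMISSIONS is stored as value "1C00" under each zone key
    # (KB182569). 0 means "Disable Java". Zone 3 is the Internet Zone.
    # HKLM wins only if the Security_HKLM_only policy is set, so both are shown.
    param([int]$Zone = 3)
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
        $v   = (Get-ItemProperty -Path $key -Name '1C00' -ErrorAction SilentlyContinue).'1C00'
        [pscustomobject]@{
            Hive         = $hive
            Zone         = $Zone
            Value        = $v
            JavaDisabled = ($v -eq 0)     # $null (value absent) reports as not disabled
        }
    }
}

Test-JavaKillBits       | Format-Table -AutoSize
Get-JavaZonePermission  | Format-Table -AutoSize
```

Any CLSID reported as not Blocked, or a zone row without JavaDisabled, means the corresponding control from the CERT note is missing; as the answer points out, new Java versions bring new CLSIDs, so the kill-bit list has to be re-checked after every Java update.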