8

Given that Java 6 is now deprecated by Oracle and there recently has been notification of a 0day (that will exist forever now that Oracle is not patching JRE6), what can we do to prevent drive-by exploitation of Java within our browsers?

We cannot remove Java from the browser as my organization relies heavily on it for internal and some external applets. We also cannot upgrade to Java 7 at the moment due to a number of legacy applications (though we are speeding up this process, I cannot see it happening in the next 6 months).

I have tried searching for ways to whitelist only our allowed applets but everything seems to be for Java 7. Short of disabling support for unsigned applets and ensuring we sign all applets is there anything we can do?

Hat tips given to those that include methods to deploy the solution via GPO, with multi-browser support (so maybe something at the Java level and not browser specific).

Just to clarify, we cannot upgrade to Java 7 and cannot remove Java from the browser. I am looking for a solution to only allow the browser to run applets from *.mydomain.com and *.ourfriendsdomain.com, for example.

Gilles 'SO- stop being evil'
fixulate

2 Answers

6

Your organisation might want to subscribe to Java for Business:

With the announcement of Java for Business, customers and partners running Java applications on older release families (1.4, 5.0, 6) now have a choice of either migrating to a newer release or subscribing to Java for Business to continue receiving critical reliability, availability and security updates, as well as new operating environment support for their existing applications.

(http://www.oracle.com/technetwork/java/javase/training/index-jsp-138092.html)

mkl
  • Thanks for that - I was not aware of that. I can see Java being targeted on-going and there frequently being 0day attacks which patching will not prevent. Any tips on how to achieve the whitelisting approach would be great! – fixulate Mar 04 '13 at 11:20
  • Happy to mark this as accepted but will leave it a few more days, looking forward to some responses around whitelisting specific applets maybe via the registry or other means? Any takers? :) – fixulate Mar 05 '13 at 13:45
2

You can install the NoScript Firefox extension and add the websites on which you want to allow Java to the whitelist. It will block Java (among other things) on all other websites. You will probably want to globally allow JavaScript (in NoScript), otherwise most websites will be broken. Install it and see the available options. Read the documentation too.

http://noscript.net/

https://addons.mozilla.org/en-US/firefox/addon/noscript/

You can also configure Java to ask the user before it runs in the browser. Furthermore, you can remove all CA certificates from Java and only add the one that is used to sign your Java applications. You can do all this in Java control panel.

Matrix