8

Just imagine you have a bunch of computers which need Java for some important software and you can't just switch to another vendor because all are using Java in this field of technology. If you start to update Java the software is causing problems and will not start but you need this software essentially so there is no way around this problem.

What can you do to leverage this lack of Java updates? Usually those machines tend to get infected by multiple malware based on Java (e.g. sopiuhdu243.class). All those files are located withn Java's Cache. What can I do now beside Java Update or not using Java at all which is not an option at the moment. I hope someone of you outside has more experience with problems like this.

Andre
  • 221
  • 1
  • 5

3 Answers3

5

It sounds like you are in a corporate environment with in house or vendor specific applications needed for business. You should be able to use a combination of code signing and whitelisting to setup policies where it will only run the JAVA applets and applications that are authorized. This is not full proof, but may help to reduce infections.

See the JAVA documentation:

Very High: You are prompted to accept apps that are signed with a trusted certificate. All other apps are not allowed to run. If the JRE is below the security baseline, you are given an option to update.

Eric G
  • 9,691
  • 4
  • 31
  • 58
  • true. thank you for this advice. i will try to figure out how to enable those security enhancements. – Andre Apr 22 '13 at 21:14
1

This is an all too common scenario within the corporate world. I have to deal with exactly this problem and it isn't easy. The apps are business critical and cannot be replaced (last replacement implementation project came in at $15 million). There are firewalls and other layers of protection, but these are PCs used by staff who will also surf the web and could easily connect to a site with malicious java based applets.

All you can do is try to implement some controls to reduce the risk. As suggested, whitelists and java security policies can help. However, don't overlook education. Run an information campaign that informs your users about the security threats, how to spot them and what to do should they suspect they have possible been compromised. Ensure people feel OK about putting their hand up and saying "I think I may have made a mistake....". Use intrusion detection, log analysis and network monitoring techniques to alert you to problems sooner rather than later. Above all, assess your users and identify the risk profiles so that ou know where you are most exposed and where you need the stronger controls and review regularly.

finally, ignore any advice which talks in absolute terms, There are NO absolutes in IT security. You are not definitely screwed nor are you definitely protected. The threat differs depending on who and where you are and what value you represent. What you do to protect yourself should be a reflection of the threat exposure.

Of course, in my perfect world, the three amigos (Java, Flash and IE) just don't exist and all my users have perfect awareness!

Tim X
  • 3,242
  • 13
  • 13
  • Grea answer. I will try doing my best on this. But the simple: deactivate it in browser, would maybe help a lot. Thank you very much – Andre Apr 27 '13 at 06:52
0

Are the machines internet facing? If it is, you are screwed.

If the machines are not internet facing, keeping them behind a firewall with very strict access conditions might reduce the possible attack surface enough.

There is no true alternative to simply patching or removing Java though.

  • they are not facing the internet. all behind restrictive firewalls. – Andre Apr 22 '13 at 13:34
  • @vlad How are the machines getting infected? –  Apr 22 '13 at 13:38
  • I guess by simple surfing. there are so many websites hijacked which simply use exploits in old Java versions. – Andre Apr 22 '13 at 14:06
  • @vlad Ah see, "have a bunch of computers which need Java for some important software..." and "simple surfing" just isn't matching up. You shouldn't be allowing people to surf the internet from unpatched machines running important software... –  Apr 22 '13 at 14:08
  • Well this is true but I am sure that this would lead to even more problems. Isn't there any other way around which just gives me a little bit time? – Andre Apr 22 '13 at 14:11
  • Keep your internet surfing to better patched machines and just use your unpatched machines for whatever important software you need. –  Apr 22 '13 at 14:12
  • You don't even need to give everyone two machines - you can use a terminal server or virtual machines. – Graham Hill Apr 22 '13 at 14:29