
We send PCs out to customers that need a very specific version of Java installed; specifically 6.26. I already disable the Java updater, but I was wondering if I could block the customer from installing a new version of Java manually without forcing them to run as a limited user. Currently, the PCs run as local administrators with Windows 7 64-bit.

Perhaps an application that provides a blacklist functionality? I also use the IE9 Blocker Toolkit to disable Internet Explorer 9 installation. Is there a possible equivalent for Java?

Edit based on comments - Java is used with a Java applet on our website, not a standalone application. I have no power to alter our site to be compatible with newer versions of the software. I'm simply trying to limit the ability to update Java to cut down the number of support calls.

Juice

  • As mentioned many times here on SF, if users are local admins there is, effectively, no stopping their access to machine configuration. Physical access also effectively reduces the security of the machine to near-zero. You can disable the Windows Installer service, but there's nothing preventing someone from just turning it back on again. – jscott May 23 '12 at 00:08
  • I'm not sure your rationale is sound. If you did this, I think you'd still get as many support calls. The only difference is that they'd start "I'm trying to update Java, and ..." – Harry Johnston May 23 '12 at 22:56
  • @HarryJohnston Fair enough. That's a good point. But the calls would be 30 seconds of explaining they can't do that, instead of 15 minutes to uninstall and reinstall Java. – Juice May 24 '12 at 18:55
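Whatever is decided about blocking installs, the one thing that can be verified on a shipped PC is whether it still matches the intended baseline: the required JRE is present, no other JRE has been added, and the updater the question says is disabled really is disabled. The following audit script is an added example, not something from the question or the answers. It assumes the registry layout the Oracle JRE 6 installer uses on Windows 7 x64 (`HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\<version>` subkeys with a `JavaHome` value, mirrored under `Wow6432Node` for the 32-bit JRE, and an `EnableJavaUpdate` DWORD under `JavaSoft\Java Update\Policy`); confirm those on a reference machine before relying on the output. It is written for the PowerShell 2.0 that ships with Windows 7, so it avoids newer syntax.

```powershell
# Added example: audit a Windows 7 x64 PC against a pinned JRE baseline.
# Registry paths and value names below are assumptions based on the Oracle
# JRE 6 installer layout; verify them on a known-good reference machine.

$RequiredVersion = '1.6.0_26'   # Java 6 Update 26, the "6.26" of the question

# Both registry views matter on 64-bit Windows: a 32-bit browser loads the
# 32-bit JRE (registered under Wow6432Node), a 64-bit browser the native one.
$JreRoots = @(
    @{ Path = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment';             View = '64-bit' },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'; View = '32-bit' }
)
$UpdatePolicyKeys = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Update\Policy',
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy'
)

function Get-InstalledJre {
    # One object per fully qualified JRE key such as 1.6.0_26. The installer also
    # creates family aliases like "1.6"; those are skipped by the regex.
    foreach ($root in $JreRoots) {
        if (-not (Test-Path $root.Path)) { continue }
        Get-ChildItem $root.Path |
            Where-Object { $_.PSChildName -match '^\d+\.\d+\.\d+_\d+$' } |
            ForEach-Object {
                $props = Get-ItemProperty $_.PSPath
                New-Object PSObject -Property @{
                    Version  = $_.PSChildName
                    View     = $root.View
                    JavaHome = $props.JavaHome
                }
            }
    }
}

function Get-JavaUpdaterState {
    # EnableJavaUpdate = 0 is what unticking "Check for Updates Automatically"
    # in the Java control panel writes (assumed). Missing key = not configured.
    foreach ($key in $UpdatePolicyKeys) {
        $state = 'not configured'
        if (Test-Path $key) {
            $value = (Get-ItemProperty $key).EnableJavaUpdate
            if ($value -ne $null) {
                if ([int]$value -eq 0) { $state = 'disabled' } else { $state = 'enabled' }
            }
        }
        New-Object PSObject -Property @{ PolicyKey = $key; Updater = $state }
    }
}

function Test-JavaBaseline {
    # Returns one finding per deviation from the baseline; an empty result means
    # the machine still looks the way it left the build bench.
    $installed = @(Get-InstalledJre)
    $findings  = @()

    if (-not ($installed | Where-Object { $_.Version -eq $RequiredVersion })) {
        $findings += "Required JRE $RequiredVersion is not registered in either view."
    }
    foreach ($jre in $installed) {
        if ($jre.Version -ne $RequiredVersion) {
            $findings += "Unexpected JRE $($jre.Version) ($($jre.View)) at $($jre.JavaHome)."
        }
        if ($jre.JavaHome -and -not (Test-Path (Join-Path $jre.JavaHome 'bin\java.exe'))) {
            $findings += "JRE $($jre.Version) is registered but java.exe is missing from $($jre.JavaHome)."
        }
    }
    foreach ($policy in Get-JavaUpdaterState) {
        if ($policy.Updater -ne 'disabled') {
            $findings += "Java updater is $($policy.Updater) under $($policy.PolicyKey)."
        }
    }
    return $findings
}

# Run as a scheduled task or from a support session; a non-empty list is the
# drift report, and the exit code lets monitoring pick it up without parsing.
$report = Test-JavaBaseline
if ($report.Count -eq 0) {
    Write-Output "Java baseline OK: $RequiredVersion only, updater disabled."
    exit 0
} else {
    $report | ForEach-Object { Write-Output "DRIFT: $_" }
    exit 1
}
```

This does not stop a local administrator from installing anything, which is the point the comments above make; it turns "the customer changed Java" from a 15-minute diagnosis into a line in a report that support can read before the call is picked up, and it catches the case where the auto-updater was re-enabled by a later installer.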

1 Answer


For the love of God, package your app with a local copy of the Java binary if your app needs a specific version. Don't rely on the system-installed binary. This prevents the users from being able to update their Java browser plug-ins.

With the recent major vulnerabilities in Java lately, I'd stop using your product immediately if you told me I couldn't update Java.

That said, if your customers are administrators on these computers, there is nothing you can do to prevent this. Write better code.

MDMarra

  • Thank you for the snide remark, and while I agree with you, the world doesn't work that way. I have come across several situations where customers are stuck at specific versions of Java for application compatibility. I am not in a position to change this. I am a humble corporate drone trying to make support a little easier. Secondly, this is for a Java applet on our website, not a standalone application. – Juice May 22 '12 at 20:48
  • Does this - http://www.oracle.com/technetwork/java/javase/deployment-policy-135751.html - mean you can't package a specific version any more? – EightBitTony May 22 '12 at 20:51
  • If your web-based applet needs a specific version of Java, then you are exposing your customers to serious security vulnerabilities. I'm not making snide remarks, I'm making serious ones. Telling customers that they can't update their browser plug-ins is borderline negligent. Chrome, Firefox, and Safari all give warnings and require user interaction to run an applet with an outdated version of Java. Also, I did answer your actual question. If you think I was out of line, feel free to flag it as rude/offensive. – MDMarra May 22 '12 at 20:54
  • @EightBitTony Yes, but the OP didn't initially say that it was a web-based applet. In many cases where a specific Java is needed, it's a locally installed application that calls `java.exe` or `javaw.exe` directly. That document about applet version selection is specifically to help negate the security vulnerabilities that exist in older Java packages. – MDMarra May 22 '12 at 20:56
  • @MDMarra I totally understand your position, but it's not realistic. There are lots of companies that only certify their applications/applets with very specific versions of Java. Up until three weeks ago my company was limited to Java 5.6. I've seen customer applications from other vendors that require Java 4.x. I apologize if I was overly incensed. – Juice May 22 '12 at 21:12
  • `"I totally understand your position but it's not realistic."` Software vendors thinking that this position is not realistic is the reason that millions of client PCs a year are owned by Java vulnerabilities. If you choose a platform to develop on that has significant security updates regularly, you'd better have the developers to keep current. By "you" I mean the vendors, not you specifically as a single employee. – MDMarra May 22 '12 at 21:35
  • [*"For the very first time in its history, the Top 10 rating of vulnerabilities includes products from just two companies: Adobe and Oracle (Java)"*](http://www.kaspersky.com/about/news/virus/2011/IT_Threat_Evolution_Q2_2011) - Kaspersky Q2 2011 report. Flash, Java and Reader are the top 3 exploited apps for Windows. Forcing a customer to use out-of-date versions of third-party apps is not ideal, to say the least. – jscott May 23 '12 at 00:06