Java - How to manage if you're forced to use it

Discussion in 'other security issues & news' started by merisi, Apr 29, 2013.

Thread Status:
Not open for further replies.
  1. merisi

    merisi Registered Member

    Joined:
    Dec 17, 2012
    Posts:
    316
    There's been a lot of talk about how dangerous Java is, but I know some people have to use it for a variety of different reasons. From what I know, the major damage Java causes is from the browser plugin and going to an infected site, after which a hacker will be able to control your computer. I'm also guessing there are a lot more flaws that could lead to many other exploits.

    What I want to know is how best to manage Java. If you block it with your firewall will that help? Will EMET stop the problem? Maybe Shadow Defender, AppGuard or Sandboxie are the solutions? What would you say is the best solution or best combination of handling Java? And please don't say by not having Java ;)
     
  2. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    When I am forced to use it, it is usually because I want to run a Java application. Basically, running a Java application is no more dangerous than installing and running any other application. But if that application doesn't need internet access, then you could block Java from your firewall.

    The real problem with Java is when it is used as a browser plugin. And that is something I avoid doing at all costs :)
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,053
    Hi Nebulus

    I have the same issue. Worse still I haven't had much success running Java in Sandboxie.

    So here is my solution. Two apps that I like anyway

    AppGuard. I run Java with AppGuard as a guarded application. When you run an application guarded in AppGuard, it isn't allowed to write to what AppGuard defines as system areas: the Windows and Program Files areas. This basically stops exploits.

    Secondly, I run NoVirusThanks ExeRadarPro. It is a whitelisting program. I have the Java exes set so that any time they want to run it asks me. If it is something I initiated I do an allow once, rather than give it blanket permission. If it pops up on its own, I do a block once. This way I know exactly when it is going to run.

    Pete

    PS. All I run is Online Armor, with the HIPS part pretty well suppressed, Sandboxie, AppGuard, and ExeRadarPro. No AVs or ASs.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello, merisi,

    Yes, that is the principal attack vector. Here is a recent one from last month:

    Researchers warn of new Java exploit being used by attackers
    March 01, 2013
    http://www.infoworld.com/d/security/researchers-warn-of-new-java-exploit-being-used-attackers-213736

    "Best" is open to debate!

    My own solution is to enable the browser plugin for just the one site that requires it. (It's only used on the company's contact page.)

    Otherwise, the plugin remains disabled and thus is not available for unauthorized use.


    ----
    rich
     
  5. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,322
    Location:
    Philippines
    I use Java programs, and I also do some compiling that requires Java to be installed. I'm not all that worried about this Java thing; I think it's a bit overhyped, but that is just me. That said, I do take some precautions.

    I use OpenJDK instead of Sun Java, NOT because I feel it's "more secure" than Sun's; it's not. I use it because I prefer it over Sun's version. Plus there is something to be said for using the lesser-used Java. Sun's Java is the one being specifically targeted as it's the most prevalent. While both OpenJDK and Sun Java do share some of the same exploits, they do not share all of them. As far as running programs, I take no extra precautions over those for any other programs I use.

    When I browse, I have the IcedTea-Web plugin installed to run Java; this add-on is normally disabled unless actually needed. I use an extension called Plugins Toggler that allows me to quickly enable or disable it as needed from an icon displayed in my Add-on Bar.

    I also keep track of security fixes and update my installed version as needed.

    I neglected to mention, the above applies to Linux. In Windows Java has been removed as I have no need for it in that environment.
     
    Last edited: Apr 30, 2013
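    The "plugin off unless I need it" approach Rmus and chrisretusn describe above is only as good as the setting behind it. Since Java 7u10 the Java Control Panel's "Enable Java content in the browser" checkbox is stored in deployment.properties (per user under %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\ on Windows, ~/.java/deployment/ on Linux), and a system-wide deployment.config in %WINDIR%\Sun\Java\Deployment\ can point at a locked, mandatory copy. The script below is an added example, not code from the thread or from Oracle: it parses such a file and reports whether the plugin is off and locked, whether the security level is VERY_HIGH, and whether the expired-JRE warning is on. The two sample files are constructed; the key names are taken from Oracle's deployment configuration documentation and are assumed unchanged for the JRE 7 line.

```python
"""Audit a Java deployment.properties for browser-plugin exposure.

Added example; not from the thread. Keys are the ones Oracle documents for
the Java Control Panel (assumed current for 7u21-era JREs):
  deployment.webjava.enabled           "Enable Java content in the browser"
  deployment.security.level            MEDIUM / HIGH / VERY_HIGH
  deployment.expiration.check.enabled  warn when the installed JRE has expired
A key with ".locked" appended freezes that setting in the Control Panel.
"""
from typing import Dict, List

PLUGIN_KEY = "deployment.webjava.enabled"
LEVEL_KEY = "deployment.security.level"
EXPIRY_KEY = "deployment.expiration.check.enabled"


def _unescape(s: str) -> str:
    # Java .properties escapes ':', '=' and '\' with a backslash.
    return s.replace("\\:", ":").replace("\\=", "=").replace("\\\\", "\\")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments,
    backslash-escaped separators, and bare keys (e.g. '...locked') with empty value."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, value = line, ""
        i = 0
        while i < len(line):
            if line[i] == "\\":
                i += 2  # skip the escaped character
                continue
            if line[i] in "=:":
                key, value = line[:i], line[i + 1:]
                break
            i += 1
        props[_unescape(key.strip())] = _unescape(value.strip())
    return props


def audit(text: str) -> Dict[str, object]:
    """Return the effective plugin posture plus a list of findings (empty == hardened)."""
    props = parse_properties(text)
    findings: List[str] = []

    # Oracle's defaults when a key is absent: plugin on, level HIGH, expiry check on.
    plugin_enabled = props.get(PLUGIN_KEY, "true").strip().lower() != "false"
    plugin_locked = f"{PLUGIN_KEY}.locked" in props
    level = props.get(LEVEL_KEY, "HIGH").strip().upper()
    level_locked = f"{LEVEL_KEY}.locked" in props
    expiry_check = props.get(EXPIRY_KEY, "true").strip().lower() != "false"

    if plugin_enabled:
        findings.append(f"browser plugin is enabled: set {PLUGIN_KEY}=false")
    elif not plugin_locked:
        findings.append(f"plugin is off but the user can re-enable it: add {PLUGIN_KEY}.locked")
    if level != "VERY_HIGH":
        findings.append(f"security level is {level}: set {LEVEL_KEY}=VERY_HIGH")
    elif not level_locked:
        findings.append(f"security level is not locked: add {LEVEL_KEY}.locked")
    if not expiry_check:
        findings.append(f"expired-JRE warning is disabled: set {EXPIRY_KEY}=true")

    return {
        "plugin_enabled": plugin_enabled,
        "plugin_locked": plugin_locked,
        "security_level": level,
        "expiry_check": expiry_check,
        "findings": findings,
        "ok": not findings,
    }


# Constructed samples (not real files): a hardened profile and a fresh-install one.
HARDENED = """\
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
deployment.security.level=VERY_HIGH
deployment.security.level.locked
deployment.expiration.check.enabled=true
deployment.user.cachedir=C\\:/Users/merisi/AppData/LocalLow/Sun/Java/Deployment/cache
"""

FRESH_INSTALL = """\
# plugin key absent -> enabled by default
deployment.security.level=HIGH
deployment.expiration.check.enabled=false
"""

if __name__ == "__main__":
    for name, sample in (("hardened", HARDENED), ("fresh install", FRESH_INSTALL)):
        result = audit(sample)
        print(f"{name}: {'OK' if result['ok'] else 'FINDINGS'}")
        for finding in result["findings"]:
            print("  -", finding)
```

    Point it at your own file (read it and pass the text to audit) after using the Control Panel; a plugin that is merely unticked can be re-enabled by the next "this site needs Java" prompt, which is why the check also wants the .locked entries, and why a per-machine deployment.config with deployment.system.config.mandatory=true is the stronger place to keep them.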
  6. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492

    Some Java-based apps even demand that the Java plugin is enabled in Firefox / Internet Explorer. It's a horrible situation, and all I can do for those computers is to wrap Java with EMET and deny execution of JRE files outside the Program Files directory.
     
  7. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,322
    Location:
    Philippines
    I'm scratching my head on this?

    Of course they would demand the Java plugin be enabled. Those types of programs are designed to run inside the browser, so it stands to reason the plugin is needed.

    I have never run into a Java program that does not run in a browser but requires that the Java plugin be enabled in my browser. Can you give an example of one that does?
     
  8. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492

    It's a non-browser application that works even if the browsers are shut down. But if the Java plugin is disabled in IE or Firefox, the program won't open.
     
  9. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    I would simply install the latest Java RE under a new sandbox using Sandboxie and install or run any program that requires Java under the same sandbox where the latest Java RE was installed.

    For PortableApps.com software, there is jPortable and jPortable Browser Switch.
     
  10. Countermail

    Countermail Registered Member

    Joined:
    Aug 7, 2009
    Posts:
    167
    Location:
    Sweden
  11. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    That isn't a "Firefox warning".

    That warning comes from Java and is displayed like that for other browsers too.

    And there are open vulnerabilities involving it AFAIK.
     
  12. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    As soon as Java added the warning, someone immediately figured out a way to bypass it. It's pretty much a joke...
     
  13. Countermail

    Countermail Registered Member

    Joined:
    Aug 7, 2009
    Posts:
    167
    Location:
    Sweden
  14. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,322
    Location:
    Philippines
    Interesting. What application?
     
  15. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    It's called e-markets. Shows real-time exchange rates etc.
     
  16. merisi

    merisi Registered Member

    Joined:
    Dec 17, 2012
    Posts:
    316
    Thanks everyone for suggestions on this subject. I'm surprised how easy it is to manage Java as I've been given the impression up until now it's some evil that will almost certainly lead to your computer being ruined.
     
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    An application firewall can be used to control exactly how Java processes connect out. That's one of the ways I restrict Java.
     
  18. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    No, installing Java doesn't immediately start an auto-countdown-to-destruction.
    For most folks it isn't needed, imo, and it's better removed if outdated and disregarded.
    Keep it updated and perhaps remove any outdated JRE cruft (JavaRa link).
    And don't mistake a signed Java app for a safe Java app.
    All signed apps run outside the Java sandbox, having more rights.

    "In other words, there appears to be no way that a Java applet can be signed and specify that it is only to be executed in a sandbox.
    The current Java version does not enforce privileges in a way that allows this combination to happen.
    This challenge is one of the reasons we wrote The CERT Oracle Secure Coding Standard for Java rule ENV00-J.
    Do not sign code that performs only unprivileged operations. Heck, even Oracle's own guidance states: "For applets and JNLP applications the best approach is often to leave the jar files unsigned.""
    CERT/CC Blog link
     