Java- How to manage if you're forced to use

There's been a lot of talk about how dangerous Java but I know some people have to use it for a variety of different reasons. From what I know, the major damage Java causes is from the browser plugin and going to an infected site after which a hacker will be able to control your computer. I'm also guessing there are a lot more flaws that could lead to many other exploits.

What I want to know is how best to manage Java. If you block it with your firewall will that help? Will EMET stop the problem? Maybe Shadow Defender, AppGuard or Sandboxie are the solutions? What would you say is the best solution or best combination of handling Java? And please don't say by not having Java

 

When I am forced to use it, it is usually because I want to run a Java application. Basically, running a Java application is no more dangerous than installing and running any other application. But if that application doesn't need internet access, then you could block Java from your firewall.

The real problem with Java is when it is used as a browser plugin. And that is something I avoid to do at all costs

 

Hello, merisi,

Yes, that is the principal attack vector. Here is a recent one from last month:

Researchers warn of new Java exploit being used by attackers
March 01, 2013
http://www.infoworld.com/d/security/researchers-warn-of-new-java-exploit-being-used-attackers-213736

"Best" is open to debate!

My own solution is to enable the browser plugin for just the one site that requires it. (It's only used on the company's contact page.)

Otherwise, the plugin remains disabled and thus is not available for unauthorized use.


----
rich

 

I use Java programs I also do some compiling that requires Java be installed. I'm not all that worried about this Java thing, I think it's a bit over hyped, but that is just me. That said I do take some precautions.

I use OpenJDK instead of Sun Java, NOT because I feel it's "more secure" than Sun's; it's not. I use it because I prefer it over Sun's version. Plus there is something to be said about using the lesser used Java. Sun's Java is the one being specifically targeted as it's the most prevalent. While both OpenJDK and Sun Java do share some of the same exploits, they do not share all of them. As far as running programs I take no extra precautions over that of any other programs I use.

When I browse I have the IcedTea-Web Plugin installed to run Java, this Add-on is normally disabled unless actually needed. I use an extension called Plugins Toggler that allows me to quickly enable, disable as needed from an icon displayed in my Add-on Bar.

I also keep track of security fixes and update my installed version as needed.

I neglected to mention, the above applies to Linux. In Windows Java has been removed as I have no need for it in that environment.

 

Some Java based apps even demand that the java plugin is enabled in Firefox / Internet Explorer. It's a horrible situation and all I can do for those computers is to wrap Java with EMET and deny execution of jre files outside the Program Files directory.

 

I'm scratching my head on this?

Of course they would demand the Java plugin be enabled. Those types of programs are designed to run inside the browser. So it stand to reason the plugin is needed.

I have never run in to a Java program that does not run in a browser require that the java plugin be enabled in my browser. Can you give an example of one that does?

 

It's a non-browser application that works even if the browers are shut down. But if the Java plugin is disabled in IE or Firefox, the program won't open.

 

I would simply install the latest Java RE under a new sandbox using Sandboxie and install or run any program that requires Java under the same sandbox where the latest Java RE was installed.

For PortableApps.com software, there is jPortable and jPortable Browser Switch.

 

It's no that hard: Use Firefox, it will warn you before executing an applet:

Picture:
https://service.parachat.com/images-pchat/kb/java-click2run.png

 

That isn't a "Firefox warning".

That warning comes from Java and is displayed like that for other browsers too.

And there are open vulnerabilities involving it AFAIK.

 

As soon as Java added the warning, someone immediately figured out a way to bypass it. It's pretty much a joke...

 

Sorry, wrong pic;
http://www.computerworld.com/common/images/site/features/2013/01/Firefox_click-to-play_598.jpg

The best option is the NoScript addon, it will stop all Java plugins per site.

 

Interesting. What application?

 

It's called e-markets. Shows real-time exchange rates etc.

 

Thanks everyone for suggestions on this subject. I'm surprised how easy it is to manage Java as I've been given the impression up until now it's some evil that will almost certainly lead to your computer being ruined.

 

An application firewall can be used to control exactly how java processes connect out. That's one of the ways I restrict java.

 

No, installing Java doesn't immediately start an auto-countdown-to-destruction.
For most folks it isn't needed imo and better removed if outdated and disregarded.
Keep it updated and perhaps remove any outdated jre cruft (JavaRa link).
And don't mistake a signed java app for a safe java app.
All signed apps run outside the java-sandbox, having more rights.

"In other words, there appears to be no way that a Java applet can be signed and specify that it is only to be executed in a sandbox.
The current Java version does not enforce privileges in a way that allows this combination to happen.
This challenge is one of the reasons we wrote The CERT Oracle Secure Coding Standard for Java rule ENV00-J.
Do not sign code that performs only unprivileged operations. Heck, even Oracle's own guidance states: "For applets and JNLP applications the best approach is often to leave the jar files unsigned." CERT/CC Blog link