I recently read about the Oracle Java 7 Security Manager Bypass Vulnerability published by the United States Computer Emergency Readiness Team. As I understand it, vulnerabilities have been discovered which could allow a sandboxed application to promote itself in privileges to be able to access files and resources outside of the sandbox - such as accessing your files or internet communication. US-Cert Vulnerability Note VU#636312 advises disabling or removing completely the Java runtime environment so that web browsers cannot launch Java.
While I understand and am concerned about the security threat, I am also concerned about the impact of disabling or removing the Java runtime environment. In my simple tests I found that web pages and resources ceased to function fully for need of the appropriate Java runtime.
It appears that Oracle can or will release a security update that may address at least part of this threat but questions remain: What would the impact be if Java is uninstalled altogether? How would this likely affect web use? What about the Lotus Notes Components that make use of Java?
I am still trying to wrap my head this and would appreciate any information that you think may help myself or others that may read this post.
Discussion/Comments (7):
In some browsers (e.g., Chrome) you can configure it so that Java is not launched for a web site unless you give it permission by clicking, however apparently a 'click-jack' attack could get past that. What I have done is disabled Java in Chrome, which is my primary browser, but if I have need to go to a specific site that I trust and which uses Java I can always launch Firefox, IE, or Safari.
Eric Mack (www.ica.com): 1/12/2013 4:33:30 PM
Hi Richard,
So are you comfortable disabling Java for specific browsers as opposed to uinstalling altogether? (And perhaps running a Java enabled browser in a VM if needed.)
I suppose the benefit to this approach would be that at least Java is still available for the applications that need it. From what I understand the vulnerability is specifically related to Java and Browsers...
Richard Schwartz (http://www.poweroftheschwartz.com): 1/12/2013 4:56:22 PM
Yes, I'm comfortable with that. The VM idea is reasonable as an extra precaution.
Darren Duke (http://blog.darrenduke.net): 1/14/2013 4:42:31 AM
Oracle have patched it:
{ Link }
Darren Duke (http://blog.darrenduke.net): 1/14/2013 4:45:59 AM
Oh, and to answer Eric's initial question, I still use Java 6 and that version was unaffected by this issue.
It is becoming obvious to me that moving to an new version of Java, you'd be better off waiting until at least update 15. Sad but true.
Eric Mack (www.ica.com): 1/14/2013 8:33:32 AM
Thanks Darren