Oracle on Monday announced the release of Java 7 Update 17 to address two separate vulnerabilities, one of which was being exploited in the wild. On Tuesday, the US government offered advice on this release, recommending that Java be updated and that the browser plugin be disabled.
The US Computer Emergency Readiness Team (US-CERT), which falls under the National Cyber Security Division of the Department of Homeland Security, has issued a vulnerability note for Java. Here’s an excerpt of the solution section:
- Apply an update – These issues are addressed in Java 7 Update 17 and Java 6 Update 43. Please see the Oracle Security Alert for CVE-2013-1493 for more details. Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u17. This will help mitigate other Java vulnerabilities that may be discovered in the future.
- Disable Java in web browsers – Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Please see the Java documentation for more details.
- Restrict access to Java applets – Network administrators unable to disable Java in web browsers may be able to help mitigate this and other Java vulnerabilities by restricting access to Java applets. This may be accomplished by using proxy server rules, for example. Blocking or whitelisting web requests to .jar and .class files can help to prevent Java from being used by untrusted sources. Filtering requests that contain a Java User-Agent header may also be effective.
The first two points apply to all users and are in line with our advice:
We recommend that regardless of what browser and operating system you are using, you should uninstall Java if you don’t need it. If you do need it, disable Java in your default browser, use a second browser when Java is required, and set your Java security settings to “High” so that it prompts you before loading an applet. That being said, make sure you’re on Java 7 Update 17 at the very least.
The last point is just as important for those in IT positions. If you maintain an environment where Java is required on the local intranet, a proxy rule that allows Java requests to internal hosts but blocks them when the destination is a site on the Internet can significantly improve your company's security. Keep in mind that checks keyed on a .jar or .class extension or on the Java User-Agent string are easy for an attacker who controls the serving host to sidestep, so treat them as defense in depth alongside disabling the plugin wherever it is not needed, not as a substitute for it.
In fact, such rules would have stopped the attacks last month on computers at multiple companies, including Apple, Facebook, and Microsoft, which were delivered through a Java exploit served from a website on the Internet. Uninstalling Java completely would have done it as well.
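To make the proxy policy from the US-CERT note and the paragraph above concrete, here is an added example of the decision logic, written for this article and not taken from US-CERT, Oracle or the original post. It treats a request as Java traffic when the path ends in .jar or .class or the User-Agent carries a "Java/" token (the plugin and java.net.URLConnection both send one), allows such requests only to intranet destinations, and blocks them everywhere else. The RFC 1918 ranges, the internal DNS suffix corp.example and the sample requests are all constructed for the example; a real deployment would express the same rules in the proxy's own ACL language.

```python
"""Proxy-style policy: allow Java traffic to the local intranet, block it to the Internet.

Added illustration of the US-CERT mitigation; not code from US-CERT or the article.
The intranet ranges, the internal DNS suffix and the sample requests are constructed.
"""
import ipaddress
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed definition of "local": RFC 1918 address space plus one internal DNS zone.
INTRANET_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
INTRANET_SUFFIXES = ("corp.example",)  # hypothetical internal DNS suffix

# Indicators from the US-CERT note: Java file extensions and the Java User-Agent token.
JAVA_EXTENSIONS = (".jar", ".class")
JAVA_UA_TOKEN = "java/"


def is_intranet_host(host: str) -> bool:
    """True if host is an RFC 1918 IP literal or lies inside an internal DNS zone."""
    host = host.rstrip(".").lower()
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: accept the zone apex or a dot-anchored subdomain only,
        # so "corp.example.attacker.net" and "evilcorp.example" do not pass as internal.
        return any(host == s or host.endswith("." + s) for s in INTRANET_SUFFIXES)
    return any(addr in net for net in INTRANET_NETWORKS)


def looks_like_java(url: str, user_agent: str) -> Optional[str]:
    """Return the indicator that marks this request as Java traffic, or None."""
    path = urlsplit(url).path.lower()
    if path.endswith(JAVA_EXTENSIONS):
        return "extension ." + path.rsplit(".", 1)[1]
    # Catches a JAR served from a URL without a telltale extension.
    if JAVA_UA_TOKEN in user_agent.lower():
        return "java user-agent"
    return None


def decide(url: str, user_agent: str) -> Tuple[str, str]:
    """Policy: Java content is fine inside the intranet and blocked everywhere else."""
    host = urlsplit(url).hostname or ""
    indicator = looks_like_java(url, user_agent)
    if indicator is None:
        return "allow", "not java traffic"
    if is_intranet_host(host):
        return "allow", f"java ({indicator}) to intranet host {host}"
    return "block", f"java ({indicator}) to internet host {host}"


# Constructed sample requests as a proxy would see them: (URL, User-Agent).
PLUGIN_UA = "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_17"
SAMPLE_REQUESTS = [
    ("http://apps.corp.example/timesheet/ts.jar", PLUGIN_UA),        # internal app
    ("http://10.1.2.3:8080/hr/Applet.class", PLUGIN_UA),            # internal by IP
    ("http://forum.example.net/payload.jar", PLUGIN_UA),            # Internet JAR
    ("http://forum.example.net/ad.gif", PLUGIN_UA),                 # disguised, UA catches it
    ("http://corp.example.attacker.net/x.jar", PLUGIN_UA),          # suffix spoofing
    ("http://www.example.org/index.html", "Mozilla/5.0 (Windows NT 6.1) Firefox/19.0"),
]


def run_policy(requests=SAMPLE_REQUESTS) -> List[Tuple[str, str]]:
    """Apply the policy to each request and return (decision, reason) pairs."""
    return [decide(url, ua) for url, ua in requests]


if __name__ == "__main__":
    for (url, _), (decision, reason) in zip(SAMPLE_REQUESTS, run_policy()):
        print(f"{decision:5}  {url}  ({reason})")
```

The fourth sample shows why the User-Agent check is worth adding on top of the extension rule: an exploit kit can serve a JAR from any URL it likes, but the plugin still identifies itself when it fetches it. The fifth shows the dot-anchored suffix match that keeps an attacker-controlled name such as corp.example.attacker.net from being treated as internal.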