CERT-SEI
CERT/CC Blog

Java in Web Browser: Disable Now!

By Art Manion on 01/10/2013 | Permalink

Hi, it's Will and Art here. We've been telling people to disable Java for years. In fact, the first version of the Securing Your Web Browser document from 2006 provided clear recommendations for disabling Java in web browsers. However, after investigating the Java 7 vulnerability from August, I realized that completely disabling Java in web browsers is not as simple as it should be.

Luckily, Oracle has since added a new option in the Java control panel applet to disable Java in the browser. If you haven't already done so, now is the time to disable Java in the browser.

Surprise, another serious Java vulnerability (VU#625617, CVE-2013-0422), similar in some ways to the last serious Java vulnerability (VU#636312, CVE-2012-4681), has been discovered. Self-quoting from last time:

We strongly recommend disabling Java support in web browsers—and also applying any and all Java security updates.

Is installing the [7u7] update necessary? Yes. Is it sufficient? No.

Not much has changed. Like CVE-2012-4681, this new vulnerability doesn't involve memory corruption, so EMET and other runtime mitigation techniques won't help you. Java is cross platform, accessible via web browsers, and has architectural soft spots related to reflection, SecurityManager, and the Java sandbox. The Next Generation Java Plug-in (used by default) runs out-of-process, so web browser sandboxing and Internet Explorer Protected Mode are out of the way. These are some of the reasons that make Java an attractive target for attack. And that's why (self-quoting again):

We strongly recommend disabling Java support in web browsers. And leave it off.

As mentioned earlier, Java 7u10 now provides a one-click option to disable Java in web browsers along with some other security enhancements. This is a huge improvement over the previous situation, especially for Internet Explorer.

We have confirmed that VU#625617 can be used to reliably execute code on Windows, OS X, and Linux platforms. And the exploit code for the vulnerability is publicly available and already incorporated into exploit kits. This should be enough motivation for you to turn Java off. How can you determine whether you need Java in your browser? Turn it off and see how many web sites break. If the web works fine, then leave it off. You may be pleasantly surprised (and safer as a result).

Topics: Vulnerability Analysis , Vulnerability Mitigation