Security researchers have proposed several methods for users to protect their computers from ongoing attacks that target a new and yet-to-be-patched vulnerability in all versions of Java Runtime Environment 7.
Most of the proposed solutions have drawbacks or are applicable only to certain system configurations and environments. However, the hope is that in the absence of an official patch from Oracle users will be able to use one or a combination of them in order to reduce the risk of their systems being compromised.
[ InfoWorld's expert contributors show you how to secure your Web browsers in the "Web Browser Security Deep Dive" PDF guide. Download it today! | Stay up to date on the latest security developments with InfoWorld's Security Adviser blog and Security Central newsletter. ]
Researchers from security firm FireEye announced the existence of the new Java vulnerability on Sunday and reported that it's being exploited in limited targeted attacks. A working proof-of-concept exploit appeared online the next day and was integrated into Metasploit, an open-source security testing tool used by many penetration testers.
The new vulnerability is considered extremely critical and can be exploited to execute malicious code on a system by simply visiting a maliciously crafted Web page from a Web browser that has the Java plug-in enabled.
The only recommendations that most security professionals have given to users in order to protect their systems from attacks targeting this vulnerability is to uninstall Java -- or at least disable the Java Web plug-in from their browsers. Instructions on how to do the latter for the most popular Web browsers are detailed in an advisory published by the United States Computer Emergency Readiness Team (US-CERT) on Monday.
This is probably the most effective method of mitigating the risks associated with the Java new vulnerability or similar ones that might be discovered in the future. However, it has the drawback of not being practical in some environments, especially business ones where Java-based Web applications are necessary for important operations.
"Most consumers never need Java, but many corporate users require it for things like GoTo Meeting and WebEx," Chester Wisniewski, senior security adviser at antivirus vendor Sophos, said Tuesday via email. "In a corporate environment you may be able to control JavaW.exe and make sure it will only execute certain applets or contact known good IP ranges for services you use that require Java."
Another solution was proposed by Wolfgang Kandek, chief technology officer at security vendor Qualys, and consists of using the Zone-based security mechanism of Internet Explorer to in order to restrict which websites that can load Java applets. Users can forbid the use of Java in the Internet Zone by setting the Windows registry key 1C00 to 0 under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 and allowing Java only on whitelisted websites in the Trusted Zone, Kandek said Monday in a blog post.