What do you do to minimize the security risks created by Java?

RomanZ

In my experience, two of the greatest risks to system security are Flash and Java. Flash has a pretty central place in web design, as those of use who have used iPads, iPhones and Android 2.1 or earlier are well aware. Hopefully the widespread use of Java will fall off now that Adobe has killed support for development of flash for mobile platforms and HTML5 is on the rise. Java, on the other hand, doesn't seem to be going anywhere and remains a popular vehicle for exploits. What do you do at your company to minimize the risks that are created by using Java?

Tags: Flash, HTML5, java
Topic: Security
Answer this Question

Answers

2 total
henyfoxe
Vote Up (32)

 

Java is a big issue, in my opinion.  Browser plug-ins are one of the favorite avenues for cyberattacks, and have been for a long time.  Fortunately, both Chrome and Firefox block out of date plug-ins, which definitely helps matters, at least with those two browsers.  Of all plug-ins, Java is most often used for exploits, in my experience.  Fortunately, there is a good way to minimize the risks of Java: remove Java completely.  There is almost no need for it, and most users will never even miss it.  If you use Chrome, you can use sandboxing to run Java in a secondary browser if you absolutely have to run it.  

 

BTW, apparently we aren't the only ones concerned about the vulnerabilities created by Java.  Mozilla is considering blocking the Java plug-in to help stop SSL attacks.It will be interesting to see if they follow through, and if so, whether there is a reaction from Firefox users.   

 

jimlynch
Vote Up (30)

I think it's a good idea to just get rid of both of them if you don't need them. I ranted about flash in a column a while back, and I still think it stinks.

Why Flash Sucks
http://jimlynch.com/en/2010/04/07/why-flash-sucks/

As far as Java goes, good riddance if you can just get rid of it. Neither of these things is really worth bothering with, given the security headaches (among other things).

So if you can remove them from your system(s) then more power to you. You're probably saving yourself a lot of aggravation in the long run.

Ask a question

Join Now or Sign In to ask a question.
The U.S. Congress is unlikely to pass legislation to end the National Security Agency's widespread collection of U.S. telephone records before leaving Washington, D.C., on a two-month break.
Customers cringe every time they hear about a bank, retail or healthcare hack that puts personal or financial data at risk. Today's hackers are after much more that credit card numbers, though -- and most firms are powerless to stop them.
While the capability to remotely wipe data from lost or stolen mobile phones may help CIOs sleep at night, it may be an outdated approach to BYOD security.
Cisco is bringing technology obtained through last year's acquisition of Sourcefire to its firewalls to enable threat-focused security for enterprises.
Wyvern securely rolls five programming languages into one.
A U.S. appeals court has thrown out a US$368.2 million award against Apple in a patent infringement case brought by patent-holding and software company VirnetX.
The default browser in Android versions older than 4.4 has a vulnerability that allows malicious websites to bypass a critical security mechanism and take control of a user's authenticated sessions on other sites.
The attorney general of the U.S. state of Connecticut is concerned about the privacy implications of Apple Watch's handling of consumers' health information.
A banking trojan, known for its small size but powerful capabilities, has expanded the number of financial institutions it can collect data from, according to security vendor Avast.
It's not easy to figure out if your data has been collected by hackers, but an online tool has been expanded to hunt through one of the most prolific sources of leaked data, known as "pastes."
Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

randomness