What do you do to minimize the security risks created by Java?

RomanZ

In my experience, two of the greatest risks to system security are Flash and Java. Flash has a pretty central place in web design, as those of us who have used iPads, iPhones and Android 2.1 or earlier are well aware. Hopefully the widespread use of Java will fall off now that Adobe has killed support for development of Flash for mobile platforms and HTML5 is on the rise. Java, on the other hand, doesn't seem to be going anywhere and remains a popular vehicle for exploits. What do you do at your company to minimize the risks that are created by using Java?

Tags: Flash, HTML5, java
Topic: Security

Answers

2 total
henyfoxe
Vote Up (26)

Java is a big issue, in my opinion. Browser plug-ins are one of the favorite avenues for cyberattacks, and have been for a long time. Fortunately, both Chrome and Firefox block out of date plug-ins, which definitely helps matters, at least with those two browsers. Of all plug-ins, Java is most often used for exploits, in my experience. Fortunately, there is a good way to minimize the risks of Java: remove Java completely. There is almost no need for it, and most users will never even miss it. If you use Chrome, you can use sandboxing to run Java in a secondary browser if you absolutely have to run it.

BTW, apparently we aren't the only ones concerned about the vulnerabilities created by Java. Mozilla is considering blocking the Java plug-in to help stop SSL attacks. It will be interesting to see if they follow through, and if so, whether there is a reaction from Firefox users.
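The advice above is "remove Java completely", and the first thing a practitioner wants is a way to verify that this actually happened on a given machine. The script below is an added example, not code from this thread or from any of the posters: it audits a Linux host for the NPAPI Java plug-in files that browsers load (libnpjp2.so for Oracle Java, IcedTeaPlugin.so for IcedTea-Web) and, when a plug-in is still on disk, checks whether the user's Java deployment.properties disables Java in browsers via `deployment.webjava.enabled=false`. The plug-in directories and the properties path in the `--run` block are assumed defaults; pass your own if your layout differs.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Linux host for a live Java
# browser plug-in. Assumptions: Firefox-style NPAPI plug-in directories and
# a per-user Java deployment.properties file.

# Return 0 (and print each hit) if a Java NPAPI plug-in file, or a symlink
# to one, exists in any directory given as an argument; return 1 otherwise.
find_java_plugin() {
    found=1
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/libnpjp2.so "$dir"/libjavaplugin*.so "$dir"/IcedTeaPlugin.so; do
            if [ -e "$f" ] || [ -L "$f" ]; then
                echo "java plug-in present: $f"
                found=0
            fi
        done
    done
    return $found
}

# Return 0 if the given deployment.properties explicitly keeps Java out of
# browsers (deployment.webjava.enabled=false), 1 if the file is missing or
# the setting is absent/true.
webjava_disabled() {
    props="$1"
    [ -f "$props" ] || return 1
    grep -q '^deployment\.webjava\.enabled=false' "$props"
}

# Combine both checks: return 0 when no plug-in is installed or web Java is
# disabled, 1 when a plug-in is installed and still enabled for browsers.
audit_java_plugin() {
    props="$1"; shift
    if find_java_plugin "$@"; then
        if webjava_disabled "$props"; then
            echo "plug-in files present but deployment.webjava.enabled=false"
            return 0
        fi
        echo "RISK: Java plug-in installed and enabled for browsers"
        return 1
    fi
    echo "OK: no Java browser plug-in found"
    return 0
}

# Stand-alone use: ./audit.sh --run  (paths below are assumed defaults)
if [ "${1:-}" = "--run" ]; then
    audit_java_plugin "$HOME/.java/deployment/deployment.properties" \
        "$HOME/.mozilla/plugins" /usr/lib/mozilla/plugins /usr/lib64/mozilla/plugins
fi
```

The exit status is deliberately the interface, so the script drops straight into a fleet inventory job or a configuration-management check: a non-zero result flags a host where "remove Java" has not really happened yet. Finding plug-in files with web Java disabled is reported as acceptable but still printed, since the files are one re-enabled checkbox away from being live again.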

jimlynch
Vote Up (25)

I think it's a good idea to just get rid of both of them if you don't need them. I ranted about Flash in a column a while back, and I still think it stinks.

Why Flash Sucks
http://jimlynch.com/en/2010/04/07/why-flash-sucks/

As far as Java goes, good riddance if you can just get rid of it. Neither of these things is really worth bothering with, given the security headaches (among other things).

So if you can remove them from your system(s) then more power to you. You're probably saving yourself a lot of aggravation in the long run.
