How to Keep Java in Your Web Browser and Still Be Safe
For the last year or so, Java seems to have spawned a never-ending flow of security bugs, partly because of the software environment's invisibility to end users and partly because of the system access it allows.
In January alone, two different Java vulnerabilities were attacked by widespread browser exploit kits. At least one of those Java flaws led to the recently disclosed network penetrations of Apple, Facebook and Microsoft, and may have also been involved in the compromise of 250,000 Twitter accounts.
Because of these dangers, many security experts recommend that users disable Java browser plug-ins, or even to take the more drastic step of uninstalling the underlying Java Runtime Environment (JRE) entirely.
Those recommendations may make sense for many, but they are not blanket solutions for all users with Java installed on their machines.
The problem is that Java, in one form or another, is still used for a lot of things that people want and need to do. It might be an essential element of running programs that you never considered.
If, for example, you are one of the millions of people who enjoy playing "Minecraft" or "RuneScape," you'll need Java installed on your machine. If you play "World of Warcraft," getting rid of Java might leave you without the use of the game's launcher.
If you're a creative professional, Adobe's Creative Suite, which includes applications such as Photoshop, Illustrator and Premiere, relies on Java to exchange information among applications. If you're a user of free office software like OpenOffice and LibreOffice, both programs use Java.
None of those applications normally access websites, so leaving Java installed on your computer while disabling it in your Web browsers will let you use those pieces of software while minimizing your exposure to malware.
Unfortunately, that isn't possible with many Web-facing business applications that absolutely require that Java plug-ins be active in a browser, such as Web-conferencing software like Citrix's GoToMeeting or Cisco's WebEx.
Let's be careful out there
For some people, turning off Java in the browser is simply not a realistic option. So what can you do to mitigate your risks when using Java on the Web?
The first thing is to follow information-security best practices, which will make it harder for malicious code to infect and damage your system.
"Use anti-virus, anti-malware software and a firewall," said Ross Barrett, senior manager of security engineering at Boston-based Rapid7. "Browse with a user account that does not have administrator privileges.”
There are also some basic Java security precautions that you can take to make sure that you are limiting your risks.
"Java users should stay up to date with patches and software revisions. When an update comes out, apply it immediately. This drastically lowers your surface of exposure and ensures that you have the latest built-in protections," Barrett said.
"Turn up [Java's] security settings," he added. "This will mean that you'll get frequent warning messages and alerts while you browse — don't ignore them."
Twice the fun
End users may want to try a "double browser" strategy.
“If you do rely on websites that require Java, consider installing a second browser and turning Java on in that browser only," said Richard Wang, senior security manager at the British anti-virus firm Sophos. "Use it for your Java-based websites only, and stick to your Java-disabled main browser for everything else."
For businesses, people who work at home or anyone with an abundance of sensitive data to protect, a beefier version of this strategy can keep Java security problems from becoming system-wide issues.
“You should make a list of all the tools you use on a regular basis and that require Java. Then, run these tools in a virtual machine or other isolated environment," said Tim Erlin, director of IT security and risk strategy for San Francisco's nCircle, referring to software-based computer emulators that essentially "live" inside other computers.
"If you find that you need Java for many of your routine tasks," Erlin said, "it might be time to consider evaluating alternate tools that don't require Java."
Will these strategies be a silver bullet that will protect you from all of the security problems that have been plaguing Java on the Web? No, but in IT security there are no guarantees. You can only mitigate your risks and take reasonable precautions.
After all, Java is not the only browser plug-in that can be exploited to install malicious code. If you uninstalled or disabled every possible risk, then the Web would lose the majority of its functionality.
Practical security is about playing the odds and getting the best possible protection without putting everything on lockdown.