Java in Web Browser: Disable Now!

Hi, it's Will and Art here. We've been telling people to disable Java for years. In fact, the first version of the Securing Your Web Browser document from 2006 provided clear recommendations for disabling Java in web browsers. However, after investigating the Java 7 vulnerability from August, I realized that completely disabling Java in web browsers is not as simple as it should be.

Luckily, Oracle has since added a new option in the Java control panel applet to disable Java in the browser. If you haven't already done so, now is the time to disable Java in the browser.

Surprise, another serious Java vulnerability (VU#625617, CVE-2013-0422), similar in some ways to the last serious Java vulnerability (VU#636312, CVE-2012-4681), has been discovered. Self-quoting from last time:

We strongly recommend disabling Java support in web browsers--and also applying any and all Java security updates.

Is installing the [7u7] update necessary? Yes. Is it sufficient? No.

Not much has changed. Like CVE-2012-4681, this new vulnerability doesn't involve memory corruption, so EMET and other runtime mitigation techniques won't help you. Java is cross platform, accessible via web browsers, and has architectural soft spots related to reflection, SecurityManager, and the Java sandbox. The Next Generation Java Plug-in (used by default) runs out-of-process, so web browser sandboxing and Internet Explorer Protected Mode are out of the way. These are some of the reasons that make Java an attractive target for attack. And that's why (self-quoting again):

We strongly recommend disabling Java support in web browsers. And leave it off.

As mentioned earlier, Java 7u10 now provides a one-click option to disable Java in web browsers along with some other security enhancements. This is a huge improvement over the previous situation, especially for Internet Explorer.

We have confirmed that VU#625617 can be used to reliably execute code on Windows, OS X, and Linux platforms. And the exploit code for the vulnerability is publicly available and already incorporated into exploit kits. This should be enough motivation for you to turn Java off. How can you determine whether you need Java in your browser? Turn it off and see how many web sites break. If the web works fine, then leave it off. You may be pleasantly surprised (and safer as a result).

Software Engineering Institute

SEI Blog

Java in Web Browser: Disable Now!

Art Manion

January 10, 2013

PUBLISHED IN

CITE

TAGS

SHARE

Written By

Art Manion

Author Page

Digital Library Publications

Send a Message

More By The Author

Comments on Voluntary Voting System Guidelines 2.0 Principles and Guidelines

June 14, 2019 • By Allen D. Householder, Deana Shick, Jonathan Spring, Art Manion

Coordinated Vulnerability Disclosure for DoD Websites

April 2, 2018 • By Art Manion, CERT Insider Threat Center

Vulnerability Equities

November 15, 2017 • By Art Manion

Comments on BIS Wassenaar Proposed Rule

July 22, 2015 • By Allen D. Householder, Art Manion

Anatomy of Java Exploits

January 15, 2013 • By Art Manion, David Svoboda

More In CERT/CC Vulnerabilities

UEFI: 5 Recommendations for Securing and Restoring Trust

June 26, 2023 • By Vijay S. Sarvepalli

Vultron: A Protocol for Coordinated Vulnerability Disclosure

September 26, 2022 • By Allen D. Householder

UEFI – Terra Firma for Attackers

August 1, 2022 • By Vijay S. Sarvepalli

Probably Don’t Rely on EPSS Yet

June 6, 2022 • By Jonathan Spring

The Latest Work from the SEI: Coordinated Vulnerability Disclosure, Cybersecurity Research, Cyber Risk and Resilience, and the Importance of Fostering Diversity in Software Engineering

September 6, 2021 • By Douglas Schmidt (Vanderbilt University)