Defensive Security Podcast Episode 5

Download the MP3 here

Suggestions? ideas? feedback? Send an email to podcast@defensivesecurity.org

A lot has happened since the last Podcast:

  • HIPAA mega rule released – all 563 pages
  • Zero day in Java
  • Freak-outs ensued
  • Oracle released a Java patch
  • Freak-outs continued
  • Word of new vulnerabilities have emerged

Is this the end of Java? Probably not.

Java is a tough situation:

– Commonly used in businesses for applications

– Apps commonly not compatible with different Java versions

The recommendation from US CERT and DHS is to disable the browser plugin. 2 problems with this:

Many business apps are web-based or at least launched by visiting an intranet site, and disabling the plugin will break those apps

Installing the Java update will re-enable to browser plugins

The advice to completely uninstall Java seems only applicable to home computers without kids who play Minecraft.

Recommending an organization ditch the investment made in business apps is usually a career limiting move. We can make a strategic recommendation to move away from java, but for those organizations who rely on it, we have to live with it.

There are a few other options:

  1. Noscript configured to only allow Java on whitelisted domains. Requires that you only use Firefox. Scriptsafe is available for Chrome, but not quite as nice as Noscript
  2. Configure only one browser to use the Java plugin, and limit that browser to only intranet sites.
  3. Implement filtering policies on proxies to block Java

None are great and all have some significant holes

My AV Rant.

 

Leave a Reply