Search This Blog

Monday, January 21, 2013

(I) So what do we do about Java?







With the latest scare with Java and right after Java 7 release 11 yet another vulnerability announced - what do we do about Java?

Nothing!

No really - NOTHING!!!!

The Feds say remove it, articles say the Feds say to remove it... So when did a vulnerability in software require us to stop using it? We would have stopped using Windows years ago, but we can't. You can uninstall the runtime Java on your system (if you can), but it is built into browsers and the Internet.

Could you really remove Java? Have you ever visited a city, county, state, federal or local government website. Java is everywhere, can you really remove it? Apple solved it by flipping a switch that disables it across all Apple Macs.. How cool is that !?

Seriously though, the only thing that you need to do is CHANGE YOUR BEHAVIOR!

Oracle in release 10 allows you to disable Java directly in your browser. But I don't do this... In many a post I have stated Not Script for Chrome and NoScript for FireFox. If you stop using IE and start using Chrome and FireFox with the add-ons to block Java and Javascript (which has nothing to do with Java FYI) except when you know you need it and trust (in theory) the site, then you really do not need to do a darned thing other than change your behavior.

These Java exploits are going away and will come in email attachments and drive by surfing. If you block Ads with AdBlock+, use Web of Trust (WOT) when you search the InterWebbings to avoid known bad sites and NoScript and Not Script then you don't have to do anything except pay attention.

If you are an enterprise admin, then deploy the add-ons and train your users and of course 'Don't Click on That!'

#InfoSec