Java Security Best Practices

Why is Java such a high security risk for the campus?

Since late 2011, a multitude of critical vulnerabilities have been discovered in Oracle's Java platform. 

In many cases, running the latest available versions of Java offers no protection for users. To date, at least eight zero-day attacks targeted the Java platform, affecting millions of systems. Most exploits require little or no user interaction. Users' systems are compromised simply by visiting a malicious web page in a Java-enabled browser. Anti-virus and anti-malware software are often ineffective against such attacks.

Industry analysts assert this trend of zero-day and high risk vulnerabilities in Java is expected to continue indefinitely.

Due to the high frequency and impact of Java vulnerabilities, efforts must be made to uninstall or disable Java whenever possible. Because many university systems require the use of Java for day-to-day business needs, other security measures must be put in place to adequately mitigate institutional risk.

The following tips and best practices have been developed to help system administrators and end-users secure systems against attacks targeting Java.

 

How to Disable Java

If you do not have a specific business need for Java, it is highly recommended that you uninstall it

Users that may require Java for desktop applications (e.g. OpenOffice), should follow the instructions on How to Disable Java in Web Browsers. Disabling Java for browsers will not prevent you from desktop-based Java usage, which is typically less of a security risk than browser-based Java usage.

How to Uninstall Java

Users can uninstall Java from their system(s) by following the instructions below:

Windows users: http://www.java.com/en/download/uninstall.jsp

Mac users: http://www.java.com/en/download/help/mac_uninstall_java.xml

How to Disable Java in Web Browsers

Users can disable Java in popular web browsers by following the instructions below:

Internet Explorer, Google Chrome, Mozilla Firefox, and Safari users

Java 7+ users: http://www.java.com/en/download/help/disable_browser.xml

Additional Guidance:

 

How to Use Java Safely

Keep Java Updated

If you require Java usage for every day business, system administrators and end-users with the ability to upgrade their own systems should always keep Java updated to the latest version available. You may subscribe to Oracle Security Alerts to be notified by email when critical updates to Java are released. 

Update Java on Windows.

Update Java on Mac OS X.

Java Security for Web Browsers

The following tips are for users that have a business requirement to run Java applications in a browser:

Use one browser exclusively for Java and one browser for all other web browsing.

Example #1 - Internet Explorer for Java only, Firefox for all other web browsing:

  • Use Internet Explorer for your business-necessary Java application(s) only. 
  • Set up web site whitelisting in Internet Explorer so that it can only be used to access approved campus web sites that utilize Java.
  • Disable Java in Firefox, and utilize Firefox for all other generic web browsing. By doing so, even an accidental visit to a malicious web site targeting Java cannot exploit Firefox.
  • Make Firefox your the default browser on your operating system.
  • This option is preferred because it is much harder to fully disable Java in Internet Explorer than in Firefox or Chrome.  

Example #2 - Firefox for Java only, Chrome for all other web browsing:

  • Use Firefox for your business-necessary Java application(s) only.
  • Set up web site whitelisting in Firefox so that it can only be used to access approved campus web sites that utilize Java.
  • Disable Java in Chrome, and utilize Chrome for all other generic web browsing. By doing so, even an accidental visit to a malicious web site targeting Java cannot exploit Chrome. 
  • Make Chrome the default browser on your operating system.

Tips:

  • Ensure that whichever browser you choose to use for generic web browsing is set as your system's default browser. This way links from other web sites or email are loaded by default into the browser in which you have already disabled Java.
  • Additionally, you may wish to install the NoScript extension for Firefox for additional security.

Setup web site whitelisting in Internet Explorer.

Please see the following article for details:

Setup web site whitelisting in Firefox.

Firefox is the recommended browser of choice for isolating Java usage (see the above example). You can prevent Firefox from visiting sites that are not explicitly authorized by you with the help of the ProCon Latte extension. A whitelist is a list of approved web sites that you can configure in the extension.

  1. Download and install the ProCon Latte Content Filter extension for FireFox.
  2. After Firefox has restarted, navigate to Tools -> Add-ons -> ProConn Latte Content Filter -> Preferences.
  3. Within the Preferences window, navigate to Blacklist tab -> Advanced.
  4. Click to enable the checkbox labeled Limit Internet access to the WhiteList of approved sites.
  5. Within the Preferences window, navigate to Whitelist tab.
  6. Remove the default sites from the whitelist.
  7. Add, one per line, any trusted web sites that require Java to the whitelist.
  8. Close the Preferences window. You will now be prevented from visiting any web sites not explicitly listed in the ProConn Latte Content Filter whitelist. 

Tips:

  • System Administrators setting up ProConn Latte for end-users may wish to enable a password that prevents users from modifying the site WhiteList. This feature can be accessed under Preferences -> General -> Set Password.

Enable Click to Play functionality in Firefox and Chrome.

Firefox and Chrome  support Click to Play functionality for plugins. If you are using either of these browsers as your Java-enabled browser, it is highly recommended that you enable the Click to Play feature.

By enabling Click to Play, web content that requires plugins such as Java, Flash, Silverlight, Adobe Reader, QuickTime, and more will be disabled by default. Users must manually Click to Play plugin content on any given web page in order for the content to load. This provides a useful security control, so that malicious content is not automatically executed by the browser.

Below are instructions on how to enable Click to Play in Firefox and Chrome.

Firefox:

Chrome:

Use Terminal Servers (RDP) for UC Berkeley Enterprise Java Applications when possible.

Due to the amount of vulnerabilities found in Java, many UC Berkeley applications have enabled Terminal Server access via Microsoft's Remote Desktop Protocol (RDP). 

Terminal Servers offer the advantage of effectively "sandboxing" Java and other applications. If a business-necessary application requires an out of date version of Java, it can be placed on a Terminal Server and tightly locked down so that only trusted UC Berkeley servers can be reached using the "sandboxed" web browser. Any possible compromises would only affect the Terminal Server and not a client's system.

Contact your application administrator to inquire about Terminal Server availability.

Java Security for Desktop Applications

Desktop applications that require Java (e.g. OpenOffice) are often less risky and are not affected by many browser-based Java vulnerabilities. However, there are still important security considerations:

  • If you require the use of a desktop Java application for day-to-day business use, be sure to disable Java in all of your web browsers. See How to Disable Java in Web Browsers for instructions.
  • While there is less risk in general for desktop Java applications, users should still:
    1. Keep their operating system version of Java up to date.
    2. Keep their application patch levels up to date. Some applications may use embedded versions of Java that can only be updated via an application software update specific to a vendor.