Business users "must not ignore" Oracle Java 7 web browser flaws

Security researchers claim business users could ignore advice to disable plug-ins over app stability fears.

Security issue

Security researchers have urged users to disable internet browser Java plug-ins, despite concerns about the impact it will have on their line-of-business applications.

As reported by IT Pro earlier this week, the US government has urged internet users to switch off Java in their web browsers following the discovery of two Oracle Java 7 zero-day vulnerabilities.

The issue is understood to affect web browsers that use the Java 7 plug-in, including Mozilla Firefox, Google Chrome, Internet Explorer and Apple Safari.

Removing Java from computers eliminates the attack surface, but it will break browser-based apps.

The bugs allow Java applets to carry out arbitrary operating system commands without permission, which could allow vulnerable systems to be infected with malware.

Despite this, IT security experts claim some enterprise users might be tempted to ignore the US government's advice because of the disruption it could cause to their business.

For instance, Ziv Mador, director of security research at Trustwave SpiderLabs, said companies that use browser-based Java apps would experience problems.

"Removing Java from computers eliminates the attack surface, but it is used in line-of-business and consumer applications and will clearly break [them].

"[It] is an issue administrators will need to take into account before they act on this [advice]," he added.

This is a view backed by Rik Ferguson, director of security research at anti-virus vendor Trend Micro, who said this could put some users off disabling Java.

"Some users, depending on who their security vendor is, might feel confident enough in its ability to detect every single variant of malware [this could expose them to], which is, perhaps, not that sensible," said Ferguson.

"There are some workarounds, though, most of which are pretty clunky," he added.

For instance, IT administrations could tell staff to use a different browser, such as Google Chrome, to run their business applications in and another for general internet use.

"It means having two separate browsers and relying on users to maintain that policy for as long as that alert's in place, which is why it's a bit clunky," he explained.

"The simplest solution would be for Oracle to release a patch, especially as this is a vulnerability that is affecting so many different platforms.

Meanwhile, Tal Be'ery, web research team leader at security vendor Imperva, said it is "nearly impossible" for IT administrators to disable a single software component on every machine they are responsible for.

"The current case of disabling Java components is no different," he said.

"Individual users should turn off Java 7 browser plug-ins and only enable them [for] trusted sites, such as [those hosting] Java-powered line of business applications."

Pressure is growing on Oracle to patch the vulnerabilities ahead of its next Java 7 update, which is due in October, following claims that a Polish IT security research team alerted the software giant to the problem back in April.

Featured Resources

Five lessons learned from the pivot to a distributed workforce

Delivering continuity and scale with a remote work strategy

Download now

Connected experiences in a digital transformation

Enable businesses to meet the demands of the future

Download now

Simplify to secure

Reduce complexity by integrating your security ecosystem

Download now

Enhance the safety and security of your people, assets and operations

Enable a true vision of security with an engineered solution based on hyperconverged and storage platforms

Download now

Recommended

Chrome OS 87 makes life easier for parents with young children
operating systems

Chrome OS 87 makes life easier for parents with young children

10 Sep 2020
Chrome 85 arrives with faster page loading and tab throttling
web browser

Chrome 85 arrives with faster page loading and tab throttling

26 Aug 2020
Google Chrome will reward fast-loading sites with 'fast page' badge
Google Android

Google Chrome will reward fast-loading sites with 'fast page' badge

19 Aug 2020
Chrome disables feature that curtailed its memory-hogging ways
web browser

Chrome disables feature that curtailed its memory-hogging ways

16 Jul 2020

Most Popular

Accenture ploughs $3 billion into cloud migration support group
digital transformation

Accenture ploughs $3 billion into cloud migration support group

17 Sep 2020
Google Pixel 4a review: A picture-perfect package
Google Android

Google Pixel 4a review: A picture-perfect package

18 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020