Business users "must not ignore" Oracle Java 7 web browser flaws

Security researchers claim business users could ignore advice to disable plug-ins over app stability fears.

Security issue

Security researchers have urged users to disable internet browser Java plug-ins, despite concerns about the impact it will have on their line-of-business applications.

As reported by IT Pro earlier this week, the US government has urged internet users to switch off Java in their web browsers following the discovery of two Oracle Java 7 zero-day vulnerabilities.

The issue is understood to affect web browsers that use the Java 7 plug-in, including Mozilla Firefox, Google Chrome, Internet Explorer and Apple Safari.

Removing Java from computers eliminates the attack surface, but it will break browser-based apps.

The bugs allow Java applets to carry out arbitrary operating system commands without permission, which could allow vulnerable systems to be infected with malware.

Despite this, IT security experts claim some enterprise users might be tempted to ignore the US government's advice because of the disruption it could cause to their business.

For instance, Ziv Mador, director of security research at Trustwave SpiderLabs, said companies that use browser-based Java apps would experience problems.

"Removing Java from computers eliminates the attack surface, but it is used in line-of-business and consumer applications and will clearly break [them].

"[It] is an issue administrators will need to take into account before they act on this [advice]," he added.

This is a view backed by Rik Ferguson, director of security research at anti-virus vendor Trend Micro, who said this could put some users off disabling Java.

"Some users, depending on who their security vendor is, might feel confident enough in its ability to detect every single variant of malware [this could expose them to], which is, perhaps, not that sensible," said Ferguson.

"There are some workarounds, though, most of which are pretty clunky," he added.

For instance, IT administrations could tell staff to use a different browser, such as Google Chrome, to run their business applications in and another for general internet use.

"It means having two separate browsers and relying on users to maintain that policy for as long as that alert's in place, which is why it's a bit clunky," he explained.

"The simplest solution would be for Oracle to release a patch, especially as this is a vulnerability that is affecting so many different platforms.

Meanwhile, Tal Be'ery, web research team leader at security vendor Imperva, said it is "nearly impossible" for IT administrators to disable a single software component on every machine they are responsible for.

"The current case of disabling Java components is no different," he said.

"Individual users should turn off Java 7 browser plug-ins and only enable them [for] trusted sites, such as [those hosting] Java-powered line of business applications."

Pressure is growing on Oracle to patch the vulnerabilities ahead of its next Java 7 update, which is due in October, following claims that a Polish IT security research team alerted the software giant to the problem back in April.

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now

Recommended

Asus Chromebox 4 review: Capable, versatile, but not fast
Hardware

Asus Chromebox 4 review: Capable, versatile, but not fast

21 Jul 2021
What is a botnet?
botnets

What is a botnet?

14 Jul 2021
Chrome vs Firefox vs Microsoft Edge
web browser

Chrome vs Firefox vs Microsoft Edge

7 Jul 2021
Lenovo IdeaPad Flex 5 Chromebook review: A dependable workhorse
Laptops

Lenovo IdeaPad Flex 5 Chromebook review: A dependable workhorse

30 Jun 2021

Most Popular

The benefits of workload optimisation
Sponsored

The benefits of workload optimisation

16 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
IT Pro Panel: Why IT leaders need soft skills
professional development

IT Pro Panel: Why IT leaders need soft skills

26 Jul 2021