Business users "must not ignore" Oracle Java 7 web browser flaws

Security researchers claim business users could ignore advice to disable plug-ins over app stability fears.

Security issue

Security researchers have urged users to disable internet browser Java plug-ins, despite concerns about the impact it will have on their line-of-business applications.

As reported by IT Pro earlier this week, the US government has urged internet users to switch off Java in their web browsers following the discovery of two Oracle Java 7 zero-day vulnerabilities.

The issue is understood to affect web browsers that use the Java 7 plug-in, including Mozilla Firefox, Google Chrome, Internet Explorer and Apple Safari.

Removing Java from computers eliminates the attack surface, but it will break browser-based apps.

The bugs allow Java applets to carry out arbitrary operating system commands without permission, which could allow vulnerable systems to be infected with malware.

Despite this, IT security experts claim some enterprise users might be tempted to ignore the US government's advice because of the disruption it could cause to their business.

For instance, Ziv Mador, director of security research at Trustwave SpiderLabs, said companies that use browser-based Java apps would experience problems.

"Removing Java from computers eliminates the attack surface, but it is used in line-of-business and consumer applications and will clearly break [them].

"[It] is an issue administrators will need to take into account before they act on this [advice]," he added.

This is a view backed by Rik Ferguson, director of security research at anti-virus vendor Trend Micro, who said this could put some users off disabling Java.

"Some users, depending on who their security vendor is, might feel confident enough in its ability to detect every single variant of malware [this could expose them to], which is, perhaps, not that sensible," said Ferguson.

"There are some workarounds, though, most of which are pretty clunky," he added.

For instance, IT administrations could tell staff to use a different browser, such as Google Chrome, to run their business applications in and another for general internet use.

"It means having two separate browsers and relying on users to maintain that policy for as long as that alert's in place, which is why it's a bit clunky," he explained.

"The simplest solution would be for Oracle to release a patch, especially as this is a vulnerability that is affecting so many different platforms.

Meanwhile, Tal Be'ery, web research team leader at security vendor Imperva, said it is "nearly impossible" for IT administrators to disable a single software component on every machine they are responsible for.

"The current case of disabling Java components is no different," he said.

"Individual users should turn off Java 7 browser plug-ins and only enable them [for] trusted sites, such as [those hosting] Java-powered line of business applications."

Pressure is growing on Oracle to patch the vulnerabilities ahead of its next Java 7 update, which is due in October, following claims that a Polish IT security research team alerted the software giant to the problem back in April.

Featured Resources

How to scale your organisation in the cloud

How to overcome common scaling challenges and choose the right scalable cloud service

Download now

The people factor: A critical ingredient for intelligent communications

How to improve communication within your business

Download now

Future of video conferencing

Optimising video conferencing features to achieve business goals

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Recommended

Chrome vs Firefox vs Microsoft Edge
web browser

Chrome vs Firefox vs Microsoft Edge

26 Feb 2021
HP Pro c640 Chromebook review: Nailing the basics
Laptops

HP Pro c640 Chromebook review: Nailing the basics

15 Jan 2021
Malware found on popular Facebook, Instagram and Vimeo browser extensions
malware

Malware found on popular Facebook, Instagram and Vimeo browser extensions

17 Dec 2020
Trend Micro aims to seamlessly secure file storage in the cloud
cyber security

Trend Micro aims to seamlessly secure file storage in the cloud

16 Dec 2020

Most Popular

How to connect one, two or more monitors to your laptop
Laptops

How to connect one, two or more monitors to your laptop

25 Feb 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

26 Feb 2021
Ransomware operators are exploiting VMware ESXi flaws
ransomware

Ransomware operators are exploiting VMware ESXi flaws

1 Mar 2021