Business users "must not ignore" Oracle Java 7 web browser flaws

Security issue

Security researchers have urged users to disable internet browser Java plug-ins, despite concerns about the impact it will have on their line-of-business applications.

As reported by IT Pro earlier this week, the US government has urged internet users to switch off Java in their web browsers following the discovery of two Oracle Java 7 zero-day vulnerabilities.

The issue is understood to affect web browsers that use the Java 7 plug-in, including Mozilla Firefox, Google Chrome, Internet Explorer and Apple Safari.

Removing Java from computers eliminates the attack surface, but it will break browser-based apps.

The bugs allow Java applets to carry out arbitrary operating system commands without permission, which could allow vulnerable systems to be infected with malware.

Despite this, IT security experts claim some enterprise users might be tempted to ignore the US government's advice because of the disruption it could cause to their business.

For instance, Ziv Mador, director of security research at Trustwave SpiderLabs, said companies that use browser-based Java apps would experience problems.

"Removing Java from computers eliminates the attack surface, but it is used in line-of-business and consumer applications and will clearly break [them].

"[It] is an issue administrators will need to take into account before they act on this [advice]," he added.

This is a view backed by Rik Ferguson, director of security research at anti-virus vendor Trend Micro, who said this could put some users off disabling Java.

"Some users, depending on who their security vendor is, might feel confident enough in its ability to detect every single variant of malware [this could expose them to], which is, perhaps, not that sensible," said Ferguson.

"There are some workarounds, though, most of which are pretty clunky," he added.

For instance, IT administrations could tell staff to use a different browser, such as Google Chrome, to run their business applications in and another for general internet use.

"It means having two separate browsers and relying on users to maintain that policy for as long as that alert's in place, which is why it's a bit clunky," he explained.

"The simplest solution would be for Oracle to release a patch, especially as this is a vulnerability that is affecting so many different platforms.

Meanwhile, Tal Be'ery, web research team leader at security vendor Imperva, said it is "nearly impossible" for IT administrators to disable a single software component on every machine they are responsible for.

"The current case of disabling Java components is no different," he said.

"Individual users should turn off Java 7 browser plug-ins and only enable them [for] trusted sites, such as [those hosting] Java-powered line of business applications."

Pressure is growing on Oracle to patch the vulnerabilities ahead of its next Java 7 update, which is due in October, following claims that a Polish IT security research team alerted the software giant to the problem back in April.

Caroline Donnelly is the news and analysis editor of IT Pro and its sister site Cloud Pro, and covers general news, as well as the storage, security, public sector, cloud and Microsoft beats. Caroline has been a member of the IT Pro/Cloud Pro team since March 2012, and has previously worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.