Lately Java has been getting a bit of bad press, thanks to several consecutive security holes that have been exploited by malware developers. One notable occurrence was the Flashback malware threat that affected a number of OS X users, which (though due in part to Apple’s negligence about Java upkeep) was rooted in the Java runtime. More recently, Java 7 has seen a new zero-day vulnerability that has been circulating in exploit kits.
In response to these threats, many in the tech community have recommended that people uninstall Java altogether. However, this can be impractical for some, as many people need Java to run applications, including Web apps and a number of technical and creative development tools.
When it comes to the security of your system, uninstalling Java completely is certainly one way to avoid problems arising from it, but it is a bit of an extreme measure. So, how do you secure your system while keeping a potentially faulty runtime installed?
There are two aspects to Oracle’s Java installation. The first is the runtime itself, which consists of the libraries and execution environment that allow your system to execute Java programs. The second component of the installation is the Web plug-in, which interfaces these libraries with the browser to allow hosted Web applets to run.
In older versions of Java (1.6 or earlier) Safari’s security preferences could be used to disable Java, but this is now done in the Java Control Panel in the system preferences.
(Credit: Screenshot by Topher Kessler/CNET)
The vast majority of Java’s security problems revolve around the use of the Java plug-in. While the vulnerabilities ultimately exist in the runtime, the plug-in is the avenue that malware developers use to exploit these remotely. You are somehow tricked into loading a Web page that contains a malicious Java applet, which exploits the fault and loads malware on to your system. If you close this off or otherwise manage it, then you will vastly improve the security of your system, and can continue to use Java for other purposes without needing to remove it completely.
There are several ways to do this. In the latest Java runtime, you can access the Java Control Panel and in the security settings uncheck the option to “Enable Java content in the browser.” This will effectively close the door between Java and Web sites you visit, so Java applets will not run. While technically the security vulnerabilities are still open with this setting, you would need to manually download a Java executable and purposely run it on your system.
When ClickToPlugin is enabled, your plug-in content is shown like this, and only is active if you explicitly click it.
(Credit: Screenshot by Topher Kessler/CNET)
The second option is the use of security levels in determining which Java code is allowed to run. Similar to Apple’s Gatekeeper feature in Mountain Lion, which can restrict running applications to signed code or apps specifically from the Mac App Store, Java’s security levels can require that you approve any unsigned applications or even approve all code regardless of its signature. To do this, in the same Security section of the Java control panel, you can drag the security level slider to High, which allows only signed programs to run, or Very High, which requires approval for all code.
Beyond Java’s built-in security measures, you can also use some third-party tools to help prevent malicious Java applets from running on your system. While disabling the Java plug-in is perhaps best, if you regularly visit Web sites that require Java, then doing this can be a burden to your work flow. Therefore, instead use a plug-in manager such as ClickToPlugin that will block not only Java but also Flash and other plug-in content as well. The benefit here is instead runnng of the blocked content, you’ll receive a notification that you can click to quickly allow it to run. Also, you can customize a whitelist of sites that are automatically allowed to work.
Some browsers like Chrome come with a click-to-play option, which can be seen by going to Chrome’s content settings (Copy and paste this URL into Chrome to get to these settings: chrome://chrome/settings/content#click) and selecting the “Click to play” option in the Plug-ins section. For those who use Firefox, the NoScript plug-in is a very effective approach to managing unwanted execution of plug-ins and other Web-based content.
A final approach to help protect your system is to monitor outgoing traffic using a reverse firewall tool like Little Snitch. With such a tool installed, whenever a program tries to contact an external server, the system will notify you and give you options to allow or deny the attempt, and also provide you with information to investigate what process is making the request.
When Little Snitch detects an outgoing connection, it will notify you and provide information on what the process is and who it is attempting to contact.
(Credit: Objective Development)
While this is a bit of a tangential approach to dealing with faults in Java, it has been a very useful and effective way to detect malicious behavior on systems in the past and was integral to the early detection of the Flashback malware in OS X While such firewalls may not prevent malware from exploiting your system, they can prevent it from carrying out its primary purpose, which is to communicate personal information to an external server and open up unwanted command and control ports in the system.
Overall, while Java has seen its fair share of problems and exploits recently, and although the most secure route is to uninstall Java and avoid using it, this is not necessary to keep your system secure. With plug-in management, higher security settings for Java, and reverse firewalls to detect malicious activity, you can still keep Java installed for the purposes you need while giving yourself an advantage in fighting the tricks that malware uses to cause problems in your system.