Disabling Java in Internet Explorer: No easy task

Firefox, Chrome, and Safari let you. But short of a complex, CERT-documented process, there's no reliable way to disable Java in IE.

No doubt you've heard the news: Oracle released Java 7, Update 11 on Jan. 13. By the next day, exploits started appearing that took advantage of the Update 11 code. Last Friday, Adam Gowdiak, CEO of Security Explorations, reported yet another series of problems with the latest version of Java:

We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11 . . . MBeanInstantiator bug (or rather a lack of a fix for it) turned out to be quite inspirational for us. However, instead of relying on this particular bug, we have decided to dig our own issues. As a result, two new security vulnerabilities were spotted in a recent version of Java SE 7 code and they were reported to Oracle today (along with a working Proof of Concept code).

The unprecedented level of mainstream media exposure -- arguably, second only to the inimitable John McAfee and his 1992-era Michelangelo publicity campaign -- has left computer users at every level worried and anxious. Your boss is probably among those concerned.

Last week I explained how to disable Java in Internet Explorer, Chrome, and Firefox. Unfortunately, the instructions for disabling Java in IE don't do the job. Even though the instructions take you through disabling all of the Java add-ons for IE, and a subsequent run of the Java check at the Oracle website says Java isn't working in IE, the test lies.

TechLogon describes its quest to disable Java in IE. The site admin found that killing all Oracle add-ons (the procedure I suggested last week) didn't stop Java. Disabling third-party browser extensions in IE didn't stop Java. Setting Internet Zones sites to "Disable scripting of applets" didn't work either: "it also failed to stop Java running loose in our browser."

That's three for three. All of those approaches should kill Java in IE. They don't.

The Java Control Panel (see my earlier article) has a setting on the Advanced tab labeled "Default Java for Browsers/Internet Explorer." Deselecting that entry most assuredly does not disable Java in IE.

You can disable Java in all of your browsers, simultaneously. Disabling Java in Chrome and Firefox is easy, but as best I can tell there's no way on heaven or earth to reliably disable Java in Internet Explorer, short of a complex procedure documented by the CERT team working on the latest attacks. Even then, I couldn't find any security experts willing to bet that CERT caught all of the potential vulnerable spots.

It gets worse. According to CERT, Microsoft botched its instructions for blocking Java in IE:

Disabling the Java plug-in for Internet Explorer is significantly more complicated than with other browsers. There are multiple ways for a web page to invoke a Java applet, and multiple ways to configure Java Plug-in support. Microsoft has released KB article 2751647, which describes how to disable the Java plug-in for Internet Explorer. However, we have found that due to the multitude of ways that Java can be invoked in Internet Explorer, their guidance (as well as our prior guidance) does not completely disable Java.

The Microsoft instructions kill about 20 Java CLSIDs. The CERT method kills almost 800 of them.
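A read-only way to see how many Java-related CLSIDs on a given machine are actually blocked, as an added example that is not from CERT, Microsoft, or this article. It assumes "kill" refers to the ActiveX kill bit (`Compatibility Flags` = 0x400 under IE's `ActiveX Compatibility` key), and the `$JavaPathPattern` heuristic for spotting Java COM servers is an illustrative assumption to adjust for your install paths.

```powershell
# Added example: audit ActiveX kill bits for Java-related CLSIDs. Read-only.
# Assumption: a CLSID is "Java-related" when its InprocServer32 path matches
# $JavaPathPattern (a heuristic, not CERT's or Microsoft's CLSID list).
$JavaPathPattern = '\\Java\\'
$KillBit = 0x400   # kill-bit flag in the "Compatibility Flags" DWORD

# Check the native registry view and the 32-bit view on 64-bit Windows.
$views = @(
    @{ Name = 'native'; Root = 'HKLM:\SOFTWARE' },
    @{ Name = 'wow64';  Root = 'HKLM:\SOFTWARE\Wow6432Node' }
)

$report = foreach ($view in $views) {
    $clsidRoot  = Join-Path $view.Root 'Classes\CLSID'
    $compatRoot = Join-Path $view.Root 'Microsoft\Internet Explorer\ActiveX Compatibility'
    if (-not (Test-Path -LiteralPath $clsidRoot)) { continue }

    foreach ($key in Get-ChildItem -LiteralPath $clsidRoot -ErrorAction SilentlyContinue) {
        # Find the in-process COM server DLL registered for this CLSID.
        $inproc = $key.OpenSubKey('InprocServer32')
        if ($null -eq $inproc) { continue }
        $dll = $inproc.GetValue('')
        $inproc.Close()
        if ($dll -notmatch $JavaPathPattern) { continue }

        # A missing key or value means no kill bit is set for this CLSID.
        $flags = 0
        $compatKey = Join-Path $compatRoot $key.PSChildName
        if (Test-Path -LiteralPath $compatKey) {
            $props = Get-ItemProperty -LiteralPath $compatKey -ErrorAction SilentlyContinue
            if ($null -ne $props.'Compatibility Flags') { $flags = $props.'Compatibility Flags' }
        }
        [pscustomobject]@{
            View       = $view.Name
            Clsid      = $key.PSChildName
            Server     = $dll
            KillBitSet = [bool]($flags -band $KillBit)
        }
    }
}

# Summary first, then every Java CLSID that IE can still instantiate.
$unblocked = @($report | Where-Object { -not $_.KillBitSet })
'{0} Java-related CLSIDs found, {1} without a kill bit' -f @($report).Count, $unblocked.Count
$unblocked | Sort-Object View, Clsid | Format-Table -AutoSize
```

Run it from a 64-bit PowerShell session so both registry views are visible. A clean result only covers CLSIDs registered on that machine at that moment, so rerun it after any Java update.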
