Disable Java Browser Plugin, But Why?

2013-04-12

Oracle is facing a hard time fixing the security holes that were opened up with the release of Java 7. Various websites and blogs have been discussing these vulnerabilities, and most of them claim that the only way to stay safe from being attacked is to disable the Java plugin in web browsers. But why do we need to disable the browser plugin? How does it help protect our computers from being attacked? That is what we are going to discuss in this article.

Understanding Java Applets

Most of the Java vulnerabilities are related to applets. Applets are Java programs embedded within a web page. An applet can be executed only if the user’s browser has a Java plugin installed. When a user visits a web page that embeds an applet, the applet executes inside the user’s browser and can access critical information on the user’s computer. If an applet is programmed with malicious intent, it poses a security threat to any user who visits that web page. So Java came up with a security measure to prevent malicious applets from harming the user’s computer. This security measure is popularly known as the Java sandbox.

How does the sandbox ensure security?

Java applets are primarily classified into “signed” and “unsigned” applets. Applets are verified by authorized certificate providers, and if they are found to be legitimate, they are digitally signed. These are called “signed” applets and are considered trusted. Applets that are not digitally signed are considered untrusted.

When a user visits a web page embedded with an applet, Java identifies whether it is a signed or an unsigned applet. A signed applet is allowed to run with unrestricted access, with the user’s permission, whereas an unsigned applet is executed inside the Java sandbox, which gives the applet only limited access and thereby restricts it from reaching critical information on the user’s computer.

This is how Java ensures the security of the applets.

Vulnerability in Java 7

The certificate of a signed applet can be revoked by the certificate provider at any time, even before the certificate has expired. But Java 7 did not check whether an applet’s certificate had been revoked. Attackers used this security hole to sign their applets with revoked certificates, which Java still considered trusted. This in turn enabled the attackers to run their applets outside the Java security sandbox, giving them access to critical parts of the user’s machine.
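As an added illustration (not code from the original post or from Oracle), here is how a Java program can perform the revocation check described above before treating a signed applet JAR as trusted: every entry is read with JAR signature verification on, and each signer's certificate chain is validated by the PKIX validator with revocation checking enabled, failing closed when revocation status cannot be determined. The JAR path and a trust store file are assumed as command-line arguments, and fetching CRLs or OCSP responses needs network access.

```java
import java.io.*;
import java.security.*;
import java.security.cert.*;
import java.util.Collections;
import java.util.jar.*;

/** Decides whether a signed applet JAR may leave the sandbox: every entry must be signed,
 *  and each signer's chain must validate with revocation checking enabled. */
public class AppletSignerCheck {

    static boolean signerIsTrusted(String jarPath, KeyStore trustStore) throws Exception {
        // Let the PKIX validator fetch CRLs from distribution points and query OCSP;
        // with revocation enabled but no revocation data available, validation fails closed.
        System.setProperty("com.sun.security.enableCRLDP", "true");
        Security.setProperty("ocsp.enable", "true");
        PKIXParameters params = new PKIXParameters(trustStore); // trust store holds the signer's root CA
        params.setRevocationEnabled(true);                       // the check the post says Java 7 skipped
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");

        try (JarFile jar = new JarFile(jarPath, true)) {         // true: verify signatures while reading
            byte[] buf = new byte[8192];
            for (JarEntry entry : Collections.list(jar.entries())) {
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                // Signer information is only available once the entry has been read completely;
                // a tampered entry throws SecurityException during the read and is treated as untrusted.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { }
                } catch (SecurityException tampered) {
                    return false;
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) return false;               // unsigned entry: sandbox only
                for (CodeSigner signer : signers) {
                    try {
                        validator.validate(signer.getSignerCertPath(), params);
                    } catch (CertPathValidatorException e) {
                        // REVOKED and UNDETERMINED_REVOCATION_STATUS both land here: fail closed
                        System.err.println(entry.getName() + ": " + e.getReason() + " - " + e.getMessage());
                        return false;
                    }
                }
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {   // args: <applet.jar> <truststore>
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) { trust.load(in, null); }
        System.out.println(signerIsTrusted(args[0], trust) ? "trusted: unrestricted" : "untrusted: sandbox only");
    }
}
```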

Though this vulnerability can be handled by modifying the security parameters in the Java Control Panel, it is just one of the vulnerabilities that Java 7 has opened up. That is why users are being advised to disable the Java plugin in their browsers: applets cannot run without the browser plugin. So turn off your Java plugin and stay safe until all the vulnerabilities are patched.