Using Java Secuirly

[PrinceXizor]

Now that you've stopped snickering I have a question about using Java. I do need to use it but I would like to do what I can to use it securely. I don't make it a habit to visit strange websites and I have most of the security features discussed in mechbgon's excellent security tutorial (configured router, firewall, non-admin accounts, DEP, AV) up and running. Will most likely add SEHOP when my computer is fully functional and loaded.

Are there settings to limit Java running wild? Whitelists of sites to use? User prompts?

 

[postmortemIA]

Do you need to use Java in web browser? If no, install only JDK, no JRE - no web browsers plugins.
Also Firefox & IE will let you use Java plugin on demand, so you can use it only for the sites you need.

 

[mechBgon]

If you do need Java in the browser, one strategy to consider is having two browsers, and enabling Java in just one of them. Use the Java-enabled browser for your Java sites, and use the other one for everything else. That isn't absolutely bulletproof, but it sure cuts down the exposure level. You can build on that by limiting what sites can use the Java capabilities in the Java-enabled browser, and consider running it in a sandbox like Sandboxie.

Some of the recent Java vulnerabilities that have made headlines were not actual exploits. They were loopholes in Java's security model. That's not something that can be fixed with DEP, ASLR, or other anti-exploit tweaking, it was inherently broken. There's probably more where that came from. So while I would definitely add Java.exe to the protection list of EMET, I'd also remember that Java could be misused without actually exploiting it.

 

[blankslate]

Run your Java browser in a sandbox?

 

[VirtualLarry]

I'm surprised that the Java plugin doesn't have a site whitelist. That would go a long way towards preventing drive-by Java exploits.

 

[PrinceXizor]

Do you need to use Java in web browser? If no, install only JDK, no JRE - no web browsers plugins.
Also Firefox & IE will let you use Java plugin on demand, so you can use it only for the sites you need.

On Demand is probably the way to go. Its too bad they don't have a whitelist, would be the next logical step from on demand. I'll see if I can get by without it.

 

[MustISO]

You can use IE to whitelist sites that you want to use Java on. Go into the Addon Manager and modify Java to not work on all sites, then only sites you say to allow will be added to the list of sites the addon can be used on.

 

[PrinceXizor]

Fantastic! If I can't find a way to get around Java it is good to know what steps I can take.

As an aside...I just got my XP VM working in Win 7 Pro. Do I need to secure this? Go through the update process, virus checker, firewall, etc?

 

[Chiefcrowe]

Yes, because it is possible that something that gets in through the VM can attack the host. So I would treat it as a normal PC.

Fantastic! If I can't find a way to get around Java it is good to know what steps I can take.

As an aside...I just got my XP VM working in Win 7 Pro. Do I need to secure this? Go through the update process, virus checker, firewall, etc?

 

[kleinkinstein]

Use Ghostery