Using Java Securely

PrinceXizor

Now that you've stopped snickering I have a question about using Java. I do need to use it but I would like to do what I can to use it securely. I don't make it a habit to visit strange websites and I have most of the security features discussed in mechbgon's excellent security tutorial (configured router, firewall, non-admin accounts, DEP, AV) up and running. Will most likely add SEHOP when my computer is fully functional and loaded.

Are there settings to limit Java running wild? Whitelists of sites to use? User prompts?
 

postmortemIA

Do you need to use Java in a web browser? If not, install only the JDK, no JRE - no web browser plugins.
Also, Firefox & IE will let you use the Java plugin on demand, so you can use it only for the sites you need.
 

mechBgon

If you do need Java in the browser, one strategy to consider is having two browsers, and enabling Java in just one of them. Use the Java-enabled browser for your Java sites, and use the other one for everything else. That isn't absolutely bulletproof, but it sure cuts down the exposure level. You can build on that by limiting what sites can use the Java capabilities in the Java-enabled browser, and consider running it in a sandbox like Sandboxie.

Some of the recent Java vulnerabilities that have made headlines were not actual exploits. They were loopholes in Java's security model. That's not something that can be fixed with DEP, ASLR, or other anti-exploit tweaking; it was inherently broken. There's probably more where that came from. So while I would definitely add Java.exe to the protection list of EMET, I'd also remember that Java could be misused without actually exploiting it.
 

VirtualLarry

I'm surprised that the Java plugin doesn't have a site whitelist. That would go a long way towards preventing drive-by Java exploits.
 

PrinceXizor

Do you need to use Java in a web browser? If not, install only the JDK, no JRE - no web browser plugins.
Also, Firefox & IE will let you use the Java plugin on demand, so you can use it only for the sites you need.

On Demand is probably the way to go. It's too bad they don't have a whitelist; it would be the next logical step from on demand. I'll see if I can get by without it.
 

MustISO

You can use IE to whitelist sites that you want to use Java on. Go into the Addon Manager and modify Java to not work on all sites, then only sites you say to allow will be added to the list of sites the addon can be used on.
 

PrinceXizor

Fantastic! If I can't find a way to get around Java it is good to know what steps I can take.

As an aside...I just got my XP VM working in Win 7 Pro. Do I need to secure this? Go through the update process, virus checker, firewall, etc?
 

Chiefcrowe

Yes, because it is possible that something that gets in through the VM can attack the host. So I would treat it as a normal PC.

