Disclaimer: In this post, I'm blogging about a subject I do not entirely comprehend. I hope to encourage discussion and learn from the community as I know that there are folks smarter than me who may have already addressed this issue.

I recently read about the Oracle Java 7 Security Manager Bypass Vulnerability published by the United States Computer Emergency Readiness Team. As I understand it, vulnerabilities have been discovered which could allow a sandboxed application to escalate its privileges and access files and resources outside of the sandbox, such as your files or your internet communication. US-CERT Vulnerability Note VU#636312 advises disabling the Java runtime environment, or removing it completely, so that web browsers cannot launch Java.

While I understand and am concerned about the security threat, I am also concerned about the impact of disabling or removing the Java runtime environment. In my simple tests I found that web pages and resources ceased to function fully for need of the appropriate Java runtime.

[Screenshot: Java Runtime Plugin Missing]

It appears that Oracle can or will release a security update that may address at least part of this threat but questions remain: What would the impact be if Java is uninstalled altogether? How would this likely affect web use? What about the Lotus Notes Components that make use of Java?  

I am still trying to wrap my head around this and would appreciate any information that you think may help me or others who may read this post.
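The US-CERT advice above is to keep browsers from launching Java, and from Java 7 Update 10 onward the Java Control Panel stores that choice in the Java Deployment Configuration file (deployment.properties). The following script is an added example, not code from the original post or from Oracle: it parses a constructed per-user deployment.properties and a constructed system-level one, applies the precedence I assume the Java deployment configuration uses (system values are defaults, the user's file overrides them, and a system key with a ".locked" suffix pins the value), and reports whether Java content in the browser (the property deployment.webjava.enabled, assumed to default to enabled when absent) is actually switched off and locked. The property names and the file format details are my reading of Oracle's deployment guide; verify them against the Java version you run.

```python
"""Audit Java deployment.properties for the 'Enable Java content in the browser' setting.

Added example (not from the original post). Assumptions: Java properties-file
syntax (key=value / key:value / key value, '#' or '!' comments, backslash
escapes, trailing-backslash line continuation), the property name
deployment.webjava.enabled (Java 7u10+), and the '.locked' suffix a
system-level deployment.properties uses to prevent user overrides.
"""

# Constructed sample: a per-user file on a machine where the plug-in is still on.
SAMPLE_USER_PROPERTIES = """\
#deployment.properties
#Sat Jan 12 10:00:00 PST 2013
deployment.version=7.10
deployment.javaws.viewer.bounds=0,0,800,600
deployment.webjava.enabled=true
deployment.security.level=HIGH
deployment.javaws.jre.0.location=http\\://java.sun.com/products/autodl/j2se
"""

# Constructed sample: a system-level file an admin pushes to disable and lock it.
SAMPLE_SYSTEM_PROPERTIES = """\
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
deployment.security.level=VERY_HIGH
deployment.security.level.locked
"""

_SIMPLE_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def _unescape(text):
    """Resolve Java properties backslash escapes (\\:, \\=, \\uXXXX, \\t ...)."""
    out, i = [], 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            nxt = text[i + 1]
            i += 2
            if nxt == "u" and i + 4 <= len(text):
                out.append(chr(int(text[i:i + 4], 16)))
                i += 4
            else:
                out.append(_SIMPLE_ESCAPES.get(nxt, nxt))
        else:
            out.append(c)
            i += 1
    return "".join(out)


def parse_properties(text):
    """Parse Java properties text into a dict; a bare key maps to ''."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if buf == "" and (not line or line[0] in "#!"):
            continue  # blank or comment line (not inside a continuation)
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:  # odd number of trailing backslashes: continues
            buf += line[:-1]
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf)
    props = {}
    for line in logical:
        key, i = [], 0
        while i < len(line):  # key ends at first unescaped '=', ':' or blank
            if line[i] == "\\":
                key.append(line[i:i + 2])
                i += 2
                continue
            if line[i] in "=: \t":
                break
            key.append(line[i])
            i += 1
        rest = line[i:].lstrip(" \t")
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip(" \t")
        props[_unescape("".join(key))] = _unescape(rest)
    return props


def effective_settings(user_props, system_props):
    """System file gives defaults, user file overrides, '.locked' keys win."""
    merged = dict(system_props)
    merged.update(user_props)
    for key in system_props:
        if key.endswith(".locked"):
            base = key[: -len(".locked")]
            if base in system_props:
                merged[base] = system_props[base]
    return merged


def browser_java_status(user_text, system_text=""):
    """Report whether Java in the browser is enabled, and whether that is locked."""
    system_props = parse_properties(system_text)
    merged = effective_settings(parse_properties(user_text), system_props)
    enabled = merged.get("deployment.webjava.enabled", "true").lower() != "false"
    return {
        "web_java_enabled": enabled,
        "locked": "deployment.webjava.enabled.locked" in system_props,
        "security_level": merged.get("deployment.security.level"),
    }


if __name__ == "__main__":
    print("user file only:  ", browser_java_status(SAMPLE_USER_PROPERTIES))
    print("with system file:", browser_java_status(SAMPLE_USER_PROPERTIES, SAMPLE_SYSTEM_PROPERTIES))
```

Pointing the script at real files (the per-user file lives under the user's Java deployment directory, the system-level one wherever deployment.config names it) turns it into a quick check that a "disable Java in the browser" rollout actually took effect and cannot be re-enabled from the Java Control Panel.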

Discussion/Comments (8):

Richard Schwartz (http://www.poweroftheschwartz.com): 1/12/2013 4:18:04 PM
Domino Admins: How to respond to US-CERT Alert TA13-010A?

In some browsers (e.g., Chrome) you can configure it so that Java is not launched for a web site unless you give it permission by clicking, however apparently a 'click-jack' attack could get past that. What I have done is disabled Java in Chrome, which is my primary browser, but if I have need to go to a specific site that I trust and which uses Java I can always launch Firefox, IE, or Safari.


Eric Mack (www.ica.com): 1/12/2013 4:33:30 PM
re: Domino Admins: How to respond to US-CERT Alert TA13-010A?

Hi Richard,

So are you comfortable disabling Java for specific browsers as opposed to uninstalling altogether? (And perhaps running a Java enabled browser in a VM if needed.)

I suppose the benefit to this approach would be that at least Java is still available for the applications that need it. From what I understand the vulnerability is specifically related to Java and Browsers...


Richard Schwartz (http://www.poweroftheschwartz.com): 1/12/2013 4:56:22 PM
Domino Admins: How to respond to US-CERT Alert TA13-010A?

Yes, I'm comfortable with that. The VM idea is reasonable as an extra precaution.


Darren Duke (http://blog.darrenduke.net): 1/14/2013 4:42:31 AM
Domino Admins: How to respond to US-CERT Alert TA13-010A?

Oracle have patched it:

{ Link }


Darren Duke (http://blog.darrenduke.net): 1/14/2013 4:45:59 AM
Domino Admins: How to respond to US-CERT Alert TA13-010A?

Oh, and to answer Eric's initial question, I still use Java 6 and that version was unaffected by this issue.

It is becoming obvious to me that if moving to a new version of Java, you'd be better off waiting until at least update 15. Sad but true.


Eric Mack (www.ica.com): 1/14/2013 8:33:32 AM
re: Domino Admins: How to respond to US-CERT Alert TA13-010A?

Thanks Darren

