I sense more than a bit of delight on the part of the major software vendors as they scold Oracle for its recent string of Java vulnerabilities. For once the blame is not being laid at the door of Microsoft, Adobe, Firefox or Google, and Apple surely feels vindicated in its decision to turn off Java by default in Safari. But it’s important to remember that what goes around, comes around. Remember Apple’s decision to ban Flash and the hue and cry about “breaking the Internet”? It wasn’t fun to be Adobe then. And it’s never fun to be Microsoft on a zero-day.
There are a couple of key points missing from the fuss:
- First, banning or disabling Java won’t solve the problem. Humans develop buggy code – in all languages – and though the more modern ones are harder to exploit, they can all be subverted. Moreover, many users (and businesses) depend on Java, for example Citrix GoToMeeting. Banning it would severely impact my ability to work. More importantly, all software is vulnerable, and all the software vendors have done is to move the vulnerabilities about, without substantially changing the odds of attack.
- Second, users will always click on bad stuff. I call this tendency the “you in user”, to drill home the point that even the smartest IT person has also clicked on a bad link, at some point.
There is a way out of this mess, one that will let your legacy, leaky, insecure applications (Java, Firefox, IE, Office…) keep running without endangering the enterprise. It’s called micro-virtualization, and it uses hardware isolation to enforce “need to know” on a per-task basis on the endpoint. It guarantees that when the next zero-day comes along, the attacker cannot steal any information or gain access to the corporate network. Moreover, the attacker and all persisted state are simply discarded as soon as the user closes the task window. No remediation. No change to the applications or to the end-user experience.
There is a brighter world ahead – one in which you don’t have to arbitrarily enable or disable key application stacks based on the stunt of the day, or curse your in-laws for making you click on the bad link. It is a world in which hardware, not software, protects you and your data, no matter what gets thrown at it.
I spent my weekend clicking through live Java 7 malware variants, and examining their behavior using Bromium LAVA (Live Attack Visualization & Analysis). They were quite impressive, and yet harmless to me. It is difficult to explain how empowered I feel as an end-user, on a device that protects me by design.