Java: Worse than Adobe and Microsoft for vulnerabilities?

Brian Krebs thinks so:

    • Java is now among the most frequently-attacked programs, and appears to be fast replacing Adobe as the target of choice for automated exploit tools used by criminals.

Of the systems I personally administer as the ‘Chief Family Technology Officer’, the Java updates constantly annoy and confuse my mom, who uses Vista… Vista on a locked-down system protected by ESET Smart Security’s firewall and antispam… and a system on which I do the updates personally. Even with those protections, she calls me about the FakeAV alerts she sees on compromised sites, wondering whether they are something she needs to update. I feel that people trust their computers far too much and click those ‘update’ boxes even after a lot of user education.

Is it required for her to have Java? It is not really a mainstream product, but there were some educational tools she needed to use. My solution is to use two browsers: I configure one for everyday use and let the other one keep all the ‘funky add-ons’. Because she is running a 64-bit system, the 32-bit version of Internet Explorer also works as a ‘soft backup’, so that actually makes for three browsers on a single system.

Should I remove Java now? I’ll give it another look the next time I do her updates. Because of the multiple-browser configuration, I may remove it from the primary browser she uses and keep it on a secondary one, just in case she needs it.

After all, the CFTO position is one which most of our readers hold in their household as well.

How do you handle the configuration management requirements of your family’s technology?

Securing Our eCity Contributing Writer

Author, ESET

  • Bob

    The approach that has worked best for me for several years now is to isolate my main computer from the internet. This is the computer I use for personal business activities such as taxes, databases, genealogy, spreadsheets, etc.

    About 4 years ago I bought a low-end Compaq desktop for $279.00 and I use it as my internet machine. Of course, I have to go on the internet with the other computer for both computer updates and a few other activities, but it only accounts for about 10% or less of my on-line activities, and I almost never use it to cruise the internet or do searches.

    Both of the computers I update religiously and I use Secunia PSI to keep track of updates like JAVA and Adobe programs, as well as daily reading of various security related blogs. Aside from running ESET NOD 32, ZoneAlarm Firewall, and several other anti-malware programs, I also do frequent image backups with TrueImage. In the event all my efforts fail and my internet computer gets toasted, I restore an image from a time when the system was clean. Worst case, if I have to trash the whole computer, I am only out a few hundred dollars.

    This allows me to keep a fully functional computer while minimizing my financial risk and limiting my data loss to generally non-personal data. I also use whole disk encryption to protect against loss by theft. No approach is foolproof, I realize that. But the best I can do is stay updated and minimize exposure of my personal data to the internet and limit any equipment loss to a cheap desktop.


  • java training

    I'm also the "CFTO" in my household. It can be frustrating at times to have to be the family "help desk" when it comes to computer issues and woes. Removing Java isn't really an option, so, I just make sure that every week I check to make sure everything that needs to be updated is in fact up to date on the shared pc in our house. Your idea of retaining Java for a secondary browser is great, I may just have to utilize that :)

    • Charles Jeter

      Thanks for the comments! Seems that CFTO is a pretty applicable title everyone can relate to. :)

      @java training: Hope that works for you – I figure one ‘locked down’ browser plus AV including firewall and antispam PLUS no installation rights on the account logged in makes for a pretty locked down system.

      @Bob: That sounds pretty detailed. Secunia is a great mention because those Adobe and Java updates are way too pesky to deal with for most folks. Desktops are indeed commoditized, it’s the data that resides on them which is of ultimate value.

      Great work – every bit of effort in hardening a target helps in ways we never realize. I never look at it as ‘security through obscurity’ but rather as a very well defined psychological approach, dictated by criminals taking the path of least resistance. Just like a stream meanders through a meadow, picking the path of least resistance is how crime happens, summed up in one word: opportunity. If you prevent the opportunity, you prevent the crime. More of this in the physical world was defined through CPTED, or Crime Prevention Through Environmental Design, a really big science in the late 1980s and early 1990s which quantified criminal psychology for burglaries, rapes, robberies, and so forth. Combining ‘brain science’ with a fixed defense in depth (physical) provided the best CPTED proactive defensive posture.


Copyright © 2017 ESET, All Rights Reserved.