Firefox, Chrome, and Safari let you. But short of a complex, CERT-documented process, there's no reliable way to disable Java in IE.

No doubt you’ve heard the news: Oracle released Java 7, Update 11 on Jan. 13. By the next day, exploits started appearing that took advantage of the Update 11 code. Last Friday, Adam Gowdiak, CEO of Security Explorations, reported yet another series of problems with the latest version of Java:

“We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11 . . . MBeanInstantiator bug (or rather a lack of a fix for it) turned out to be quite inspirational for us. However, instead of relying on this particular bug, we have decided to dig our own issues. As a result, two new security vulnerabilities were spotted in a recent version of Java SE 7 code and they were reported to Oracle today (along with a working Proof of Concept code).”

The unprecedented level of mainstream media exposure — arguably, second only to the inimitable John McAfee and his 1992-era Michelangelo publicity campaign — has left computer users at every level worried and anxious. Your boss is probably among those concerned.

Last week I explained how to disable Java in Internet Explorer, Chrome, and Firefox. Unfortunately, the instructions for disabling Java in IE don’t do the job. Even though the instructions take you through disabling all of the Java add-ons for IE and a subsequent running of the Java check at the Oracle website says Java isn’t working in IE, the test lies.

TechLogon describes its quest to disable Java in IE. The site admin found that killing all Oracle add-ons (the procedure I suggested last week) didn’t stop Java. Disabling third-party browser extensions in IE didn’t stop Java. Setting Internet Zones sites to “Disable scripting of applets” didn’t work, “it also failed to stop Java running loose in our browser.”

That’s three for three. All of those approaches should kill Java in IE.
They don’t.

The Java Control Panel (see my earlier article) has a setting on the Advanced tab labeled “Default Java for Browsers/Internet Explorer.” Deselecting that entry most assuredly does not disable Java in IE. You can disable Java in all of your browsers, simultaneously. Disabling Java in Chrome and Firefox is easy, but as best I can tell there’s no way on heaven or earth to reliably disable Java in Internet Explorer, short of a complex procedure documented by the CERT team working on the latest attacks. Even then, I couldn’t find any security experts willing to bet that CERT caught all of the potential vulnerable spots.

It gets worse. According to CERT, Microsoft botched its instructions for blocking Java in IE:

“Disabling the Java plug-in for Internet Explorer is significantly more complicated than with other browsers. There are multiple ways for a web page to invoke a Java applet, and multiple ways to configure Java Plug-in support. Microsoft has released KB article 2751647, which describes how to disable the Java plug-in for Internet Explorer. However, we have found that due to the multitude of ways that Java can be invoked in Internet Explorer, their guidance (as well as our prior guidance) does not completely disable Java.”

The Microsoft instructions kill about 20 Java CLSIDs. The CERT method kills almost 800 of them. That has to make you wonder — at least, it makes me wonder — whether there are other tricky methods for invoking Java in Internet Explorer, even after the CERT fixes have been applied.

The one bright spot in all of this? CERT has a .reg file that you can download to apply the changes necessary to cut off Java in IE. CERT also recommends that you manually remove two files, which can be located in a variety of different locations on Windows computers.

(Worth repeating: This admonition only applies to running Java inside a Web browser.
Java on your desktop — for running Base and a few other parts of LibreOffice, for example, or Minecraft — is an entirely different kettle of fish. And Java on the server has nothing to do with Java in a browser. JavaScript is likewise completely different.)

Many of you need to run Java in a specific version of IE because your company’s core apps require it. For you, the best advice is to turn off Java in any other browser you may be using, and go to that other browser for general Web surfing. Only bring out the IE problem magnet when you absolutely have to run Java. Then get out of it as soon as you’re done.

Rob VandenBrink at the Internet Storm Center has an interesting recommendation that involves changing the “user agent” string on devices — especially mobile devices — and monitoring your outbound network activity for those custom strings. In addition to monitoring the cows after they’re out of the barn, “watching the agent strings that are logged going outbound can be a good way to find those mouldy-oldy computers that got installed 6 (or 10) years back and haven’t been updated in a while, if ever.”

One question keeps coming back to me: If it’s so easy to disable Java in Firefox and Chrome, why is it so difficult — maybe even impossible — to disable it in Internet Explorer? With apologies to Jack Daniel, companies need to stop building new browser-based Java apps and start the long migration to a more reliable option. It’s up to IT to take the initiative and kill browser-based Java dead, dead, dead.

And it wouldn’t hurt if Microsoft would build a turn-off-the-add-on switch into IE — one that works.

This story, “Disabling Java in Internet Explorer: No easy task,” was originally published at InfoWorld.com.
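
The gap between roughly 20 and almost 800 CLSIDs described above is something you can measure before trusting any .reg file. The following Python script is an added example, not code from the article, CERT, or Microsoft: it parses a .reg file and reports which Java CLSIDs from an inventory would still lack a kill bit after the file is applied. It assumes the file works by setting the ActiveX kill bit ("Compatibility Flags" value 0x400), which the article does not spell out; the sample .reg text and the inventory are constructed for illustration.

```python
import re

KILL_BIT = 0x400  # "Compatibility Flags" bit that stops IE instantiating a control
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(?P<wow>Wow6432Node\\)?Microsoft\\"
    r"Internet Explorer\\ActiveX Compatibility\\(?P<clsid>\{[0-9A-F-]{36}\})\]$",
    re.IGNORECASE)
VALUE_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-F]{8})$', re.IGNORECASE)

def killed_clsids(reg_text):
    """Return the set of (registry view, CLSID) pairs whose kill bit the file sets."""
    killed, current = set(), None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):  # new key; "[-HKEY..." deletion keys never match
            m = KEY_RE.match(line)
            current = ("wow64" if m.group("wow") else "native",
                       m.group("clsid").upper()) if m else None
        elif current:
            v = VALUE_RE.match(line)
            if v and int(v.group(1), 16) & KILL_BIT:
                killed.add(current)
    return killed

def coverage_gaps(reg_text, inventory):
    """Inventory entries the file leaves without a kill bit, sorted for reporting."""
    wanted = {(view, clsid.upper()) for view, clsid in inventory}
    return sorted(wanted - killed_clsids(reg_text))

# Constructed sample: one CLSID blocked in both registry views, one key present
# but with the kill bit cleared, and no 32-bit (Wow6432Node) entry for it at all.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8AD9C840-044E-11D1-B3E9-00805F499D93}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8AD9C840-044E-11D1-B3E9-00805F499D93}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-0017-0000-0011-ABCDEFFEDCBA}]
"Compatibility Flags"=dword:00000000
'''
# Constructed inventory: each Java CLSID must be blocked in both registry views.
JAVA = ["{8AD9C840-044E-11D1-B3E9-00805F499D93}", "{CAFEEFAC-0017-0000-0011-ABCDEFFEDCBA}"]
INVENTORY = [(view, c) for c in JAVA for view in ("native", "wow64")]

if __name__ == "__main__":
    for view, clsid in coverage_gaps(SAMPLE_REG, INVENTORY):
        print(f"no kill bit: {clsid} ({view} view)")
```

Exported .reg files are usually UTF-16, so decode them accordingly before passing the text in.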