Frodo

join:2006-05-05

reply to Oleg

Re: Feds warn PC users to disable Java

Just came across this article regarding Java and Internet Explorer.

Essentially, the gist is that there are two ways for Java to execute in IE, one as an ActiveX control, and the other as an applet.

Since there are two ways to run Java, there should be two things done to shut it down (if needed). One would be to go to Manage Add-ons and disable the Java-related add-ons. That takes care of the ActiveX side.

Then, Java being called as an applet would need to be dealt with. As the article explains, this can be handled in Group Policy. Since I have XP Professional, that's how I dealt with it. You should be aware that if you want to shut Java down for a particular zone, that setting didn't show in my IE8. So, I backed up HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\JAVAPER and then ran the registry file indicated in the article, and the Java setting for the individual Internet zones now shows in the IE control panel for each IE zone.

So, I just wanted to point out that in IE, Java can be invoked either by ActiveX or by applet. Perhaps the setting in the Oracle Java control panel to not run Java in Internet Explorer is sufficient to shut Java down, but if one doesn't want to have a single point of failure, there are other things that can be done. Until I read that article, I thought disabling the Java add-ons was enough, but that apparently only shuts off the ActiveX invocation.

OS: XP Professional
IE: IE8

Edit: I'm not vouching for that registry file. I installed it, and everything looked good. In the Internet Zone, my ability to change the Java setting was disabled since I had a setting in Group Policy. However, in the Restricted Zone, even though I also disabled Java in that Zone, in the browser control panel, the setting wasn't disabled.

Conclusion: This affirms my decision to buy professional products that can be administrated, as opposed to home user products.

2nd edit: I had previously disabled Java applets in Group Policy at the Computer Configuration level. I went back in and disabled Java in the Internet and Restricted zones at the User Configuration level, and this time the setting in the browser for the Restricted zone was disabled. So, if one wants to disable Java applets in IE for any of the zones, I recommend applying the settings at both the Computer Configuration and User Configuration levels.


Mele20
join:2001-06-05
Hilo, HI

You might want to read Woody's article,

»www.infoworld.com/t/web-browsers···page=0,0

weep, and then use the CERT registry file.

From Woody's article:

"You can disable Java in all of your browsers, simultaneously. Disabling Java in Chrome and Firefox is easy, but as best I can tell there's no way on heaven or earth to reliably disable Java in Internet Explorer, short of a complex procedure documented by the CERT team working on the latest attacks. Even then, I couldn't find any security experts willing to bet that CERT caught all of the potential vulnerable spots.

It gets worse. According to CERT, Microsoft botched its instructions for blocking Java in IE:

'Disabling the Java plug-in for Internet Explorer is significantly more complicated than with other browsers. There are multiple ways for a web page to invoke a Java applet, and multiple ways to configure Java Plug-in support. Microsoft has released KB article 2751647, which describes how to disable the Java plug-in for Internet Explorer. However, we have found that due to the multitude of ways that Java can be invoked in Internet Explorer, their guidance (as well as our prior guidance) does not completely disable Java.'

The Microsoft instructions kill about 20 Java CLSIDs. The CERT method kills almost 800 of them".

I didn't know anything about the Next Generation Java Plug-in in IE, and I had no idea that Java can now be invoked outside IE:

"is a newer version of the Java plug-in that executes outside the process space of the web browser. Note that this means that when invoked via the next-generation Java plug-in, Java executes outside any restrictions of the browser, such as DEP, Protected Mode, or other sandboxing." According to CERT, the only way to stop this newer version of the Java plug-in in IE is to remove the file. Then IE reverts to using the OLDER Java Plug-in, which operates within the confines of the browser.

I also did not realize I would need to prevent IE from automatically opening JNLP files. CERT has a registry fix for this.

"A registry file that disables the <APPLET> element in the IE "Internet Zone", sets the kill bit for all of the Java CLSIDs through Java 7 update 6, the Java Web Start ActiveX control, the Java Deployment Toolkit ActiveX controls, as well as prevents IE from automatically opening JNLP files, as described above, is available for download here:

»www.kb.cert.org/CERT_WEB/service···P_IE.reg
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson
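The two posts above describe three separate ways IE can reach Java (the ActiveX CLSIDs, the per-zone applet permission, and JNLP file handling) and note that the Group Policy setting can live at either the Computer or the User Configuration level. The script below is an added example, not from the thread, Microsoft's KB article or CERT's .reg file: it audits all three entry points on a Windows machine and, with -Fix, sets the ActiveX kill bit on any Java CLSID that lacks it. The well-known CLSIDs and the CAFEEFAC-00MM-00mm-00uu version pattern (enumerated here for Java 1.3 to 1.7, updates 0 to 99) are recalled from Oracle's plug-in documentation and are an assumption; the CERT file remains the authoritative list. It assumes PowerShell 3 or later and an elevated prompt for HKLM writes.

```powershell
# Added example: audit (and optionally remediate) the IE Java entry points.
# Assumptions: CLSID list/pattern below, PowerShell 3+, elevated for -Fix.
param([switch]$Fix)   # default is audit only

$KillBit  = 0x400     # "Compatibility Flags" bit that blocks an ActiveX control in IE
$AxCompat = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

$KnownClsids = @(
    '{8AD9C840-044E-11D1-B3E9-00805F499D93}',  # classic Java Plug-in (assumed)
    '{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}',  # "latest Java 6" selector (assumed)
    '{CAFEEFAC-0017-0000-FFFF-ABCDEFFEDCBA}',  # "latest Java 7" selector (assumed)
    '{5852F5ED-8BF4-11D4-A245-0080C6F74284}',  # Java Web Start control (assumed)
    '{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}',  # Java Deployment Toolkit (assumed)
    '{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}'   # Java Deployment Toolkit (assumed)
)

function Get-JavaClsidList {
    # Version-specific plug-in CLSIDs: MM = major (13..17 => Java 1.3..1.7), uu = update.
    $list = New-Object System.Collections.Generic.List[string]
    foreach ($c in $KnownClsids) { $list.Add($c) }
    foreach ($major in 13..17) {
        foreach ($update in 0..99) {
            $list.Add(('{{CAFEEFAC-00{0:D2}-0000-00{1:D2}-ABCDEFFEDCBA}}' -f $major, $update))
        }
    }
    return $list
}

function Get-CompatFlags([string]$Clsid) {
    $p = Get-ItemProperty -Path (Join-Path $AxCompat $Clsid) -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return [int]$p.'Compatibility Flags'
}

function Test-KillBit([string]$Clsid) {
    $flags = Get-CompatFlags $Clsid
    return ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
}

function Set-KillBit([string]$Clsid) {
    # OR the kill bit into any existing flags instead of overwriting them.
    $key = Join-Path $AxCompat $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $flags = Get-CompatFlags $Clsid
    if ($null -eq $flags) { $flags = 0 }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($flags -bor $KillBit) -Type DWord
}

$ZoneNames = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$ZoneRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',           # user settings
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',           # machine settings
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',  # GP: User Configuration
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'   # GP: Computer Configuration
)

function Get-JavaZoneStatus {
    # 1C00 is the zone's "Java permissions" value; 0 means "Disable Java".
    foreach ($root in $ZoneRoots) {
        foreach ($z in 1..4) {
            $p = Get-ItemProperty -Path "$root\$z" -Name '1C00' -ErrorAction SilentlyContinue
            $v = $null
            if ($null -ne $p) { $v = [int]$p.'1C00' }
            $shown = '(not set)'
            if ($null -ne $v) { $shown = '0x{0:X}' -f $v }
            [pscustomobject]@{ Source = $root; Zone = $ZoneNames[$z]; Java1C00 = $shown; Disabled = ($v -eq 0) }
        }
    }
}

function Get-JnlpHandler {
    # Report only: shows what would open a .jnlp file; CERT's JNLP change is not reproduced here.
    $ext = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.jnlp' -ErrorAction SilentlyContinue
    $progId = $null; $cmd = $null
    if ($ext) { $progId = $ext.'(default)' }
    if ($progId) {
        $open = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue
        if ($open) { $cmd = $open.'(default)' }
    }
    [pscustomobject]@{ Extension = '.jnlp'; ProgId = $progId; OpenCommand = $cmd }
}

$clsids  = Get-JavaClsidList
$missing = @($clsids | Where-Object { -not (Test-KillBit $_) })
Write-Output ('{0} of {1} Java CLSIDs lack the kill bit' -f $missing.Count, $clsids.Count)
if ($Fix) {
    foreach ($c in $missing) { Set-KillBit $c }
    Write-Output ('kill bit set on {0} CLSIDs' -f $missing.Count)
}
Get-JavaZoneStatus | Format-Table -AutoSize
Get-JnlpHandler
```

Run it once without -Fix to see where you stand, then from an elevated prompt with -Fix and again without to confirm. The zone table lists all four places a 1C00 value can come from, which is exactly the Computer Configuration versus User Configuration difference Frodo ran into; a zone is only reliably off when the effective source for the user shows Disabled. The script deliberately does not touch the next-generation plug-in (CERT's advice there is to remove the file) or JNLP handling, so those two items still need the CERT registry file or a manual change.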