Java vs JavaScript, vulnerabilities, and how to protect your sensitive data from attack.

The recently reported vulnerabilities in Java are of course a top concern for enterprises large and small. However, as some of the media coverage shows, there's a lot of confusion about what to do.

The advice is to turn off Java in browsers until there's a fix. It's harder to do than you might think, because it means opening less-than-intuitive application control panels to adjust the Java install package settings. However, it is possible, and there are good guides out there to show you how. Mind you, a lot of web-facing Internet applications (not web sites) use Java because of its sophistication and its ability to deliver a nice customer experience outside the browser. Take WebEx, for example. It has a Java package that runs locally on the desktop to enable nice online meetings. So turning Java off may not be practical all the time for business reasons.

However, the biggest area of confusion I've seen is with JavaScript. It’s simply not related to Java, despite the "j", the "a", the "v", and the other "a" before the “Script” word. You don’t need to turn it off. In fact, turning it off has no relationship to the reported Java vulnerability itself. Most e-commerce shopping carts and shopping sites, auction sites, blog sites, file sharing sites, social network sites, and webmail clients like GMail and Yahoo! will have much-reduced functionality with JavaScript disabled — and may, in fact, not work at all without it. About 99% of top web sites use JavaScript. That’s all the big names. Take a look at this ranking page, Top Sites using JavaScript, for example. If you’re at an enterprise of any size, it’s likely your own web site uses it for analytics or other purposes.

JavaScript is a handy, HTML-related coding tool which can streamline web experiences. JavaScript executes in the browser itself. Of course, there are some places JavaScript shouldn’t be used — in email messages, for example. JavaScript in an email attachment looks like malware to most scanners, and may be blocked or stripped — and quite rightly. That’s why in Voltage SecureMail we only use neutral and simple HTML, for example.
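As an added example (not code from the original post or from Voltage SecureMail), here is a mail-side check in Python that flags the active content a scanner would object to in an HTML message body: script elements, inline event handlers, and javascript: URLs. The two sample messages are constructed for the test.

```python
"""Flag active content in an HTML email body before it is delivered.

Added example, not Voltage code. Mail scanners treat script as hostile,
so only markup that is "neutral and simple" HTML passes this check.
"""
import re
from html.parser import HTMLParser

# Elements that carry or load executable content (assumed list).
ACTIVE_TAGS = {"script", "object", "embed", "iframe", "applet"}
# Attributes whose value is a URL that may use a script scheme.
URL_ATTRS = {"href", "src", "action", "formaction"}
SCRIPT_SCHEME = re.compile(r"^\s*(javascript|vbscript)\s*:", re.IGNORECASE)


class ActiveContentScanner(HTMLParser):
    """Collects every reason an HTML body should not be delivered as-is."""

    def __init__(self):
        super().__init__()
        self.findings = []

    # HTMLParser lowercases tag and attribute names and routes
    # self-closing tags (<img ... />) through handle_starttag as well.
    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):  # onclick=, onload=, onerror=, ...
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and value and SCRIPT_SCHEME.match(value):
                self.findings.append(f"script URL in {name} on <{tag}>")


def scan_html_mail(body: str) -> list:
    """Return a list of findings; an empty list means no active content."""
    scanner = ActiveContentScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


def is_simple_html(body: str) -> bool:
    return not scan_html_mail(body)


# Constructed sample messages: one plain notification, one with script.
SIMPLE_MAIL = "<p>Your invoice for <b>March</b> is attached.</p>"
ACTIVE_MAIL = (
    '<p onmouseover="alert(1)">Hello</p>'
    '<img src="x" onerror="alert(1)">'
    '<a href="javascript:alert(1)">click</a>'
    "<script>alert(1)</script>"
)

if __name__ == "__main__":
    for label, body in (("simple", SIMPLE_MAIL), ("active", ACTIVE_MAIL)):
        print(label, scan_html_mail(body) or "clean")
```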

On the other hand, Java is used to create actual applications. Java applications need a Java virtual machine to execute. Using Java in the browser or on the desktop requires a hefty install for the Java VM and Java application stack, with browser plugins from Oracle and of course regular, annoying patching. Java applications may run using a browser plugin, but they may also be standalone applications with their own GUI. They might also be on smart devices; Android runs mostly Java-based applications, for example. The latest vulnerabilities concern the execution of arbitrary code by exploiting the Java runtime itself.

To help explain all this, I found this article useful to share when asked questions on this topic.

However, also remember that fixing one vulnerability simply leads to trying to fix the next. That’s not a fun game. So, if data breaches and attackers stealing data are your concern — or you want to be able to use data easily in low-trust environments that are probably vulnerable to compromise — then instead of worrying about Java issues or similar vulnerabilities, why not protect the data independently of the system, using data-centric security?

Data-centric security can be applied to email inside and outside the enterprise, files, payment transactions, data in applications, databases, big data, cloud, mobile email, and even back office legacy mainframe infrastructure — practically any structured or unstructured data, anywhere it goes.

With data-centric security, organizations can protect the data from cradle to grave, instead of trying to keep up with the constant barrage of IT system vulnerabilities. Patching is of course important and a good best practice, but it’s not always practical to do immediately — and sometimes a patch might not even exist. After all, patching is a burdensome arms race that can never be won.

Data-centric security, on the other hand, is a powerful enabler that can be applied easily and quickly, and opens new doors to more use of data without increasing risk. It provides enterprises large and small with more freedom to expand and grow as data-driven leaders, and to escape the burden of traditional approaches to IT security that are becoming increasingly transparent to the new attackers — the bad guys now creating powerful malware to steal your data from vulnerable systems. So why not take a look at a newer, powerful data-centric approach to ease the pain of compliance and data breach risk management?

As always, to find out more don’t hesitate to drop me a line at info@voltage.com, or send us a request for more information right here.
