Why you shouldn't always listen to security advice

Summary: You should update Java. Or uninstall it. Or not completely uninstall it, but disable it. Or not do anything at all because it's not a problem. Whoever's advice you take, the chances are it's wrong.

TOPICS: Security, Oracle

Computers? The internet? They're dangerous. It's safer not to use them.

If that sort of advice has your hackles up, then take a step back and consider for a moment that, in a way, it's what so many of us have been saying for years.

There's a lot of advice out there on the recent zero-day exploit, which was found in Java 7 Update 10 last week. Oracle thinks that it has solved the problem and that it's okay to run browser plug-ins again; some say that not everything has been patched; others appear to no longer trust Oracle and warn against enabling the browser plug-in, even once updated; and the most extreme call is for Java to be uninstalled completely. Whatever the advice, it seems that everyone says you should do something right now.

While most suggestions are well intended, since people are generally offering advice for your own protection, they don't always speak to each individual's circumstances.

Since the news broke, I've fielded messages from readers who had been unaware of the issue and didn't know what to do. I've even seen a question about whether it matters because they're in a certain country. In all cases, however, my recommendation is that users should carefully consider their own circumstances and act accordingly.

Personally, as much as I think that Oracle will continue to fight a losing battle against hackers hell-bent on finding exploits in Java (and that's probably more to the credit of the hackers), I won't be uninstalling it, but I will disable it in my browser and re-enable it on a case-by-case basis. Java is a piece of software that I require from time to time, and despite being aware of the risks, they're manageable or acceptable.

Part of managing the risk means keeping tabs on any future security issues that might pop up out of the blue, being more than careful with how I browse the web, accepting and considering what might be compromised in an attack, and realising that posting a blog about how I'm approaching the issue could further increase that risk.

It is not the safest route, and it goes slightly against the Department of Homeland Security's advice to disable the plug-in "unless it is absolutely necessary", but the US government (as far as I know) doesn't know me, isn't keeping tabs on me, and doesn't know my exact environment, browsing habits, and mitigating actions. I don't consider myself to be any "better" than anyone else, but the US government's advice doesn't strictly apply to me because I simply have a different set of circumstances.

Likewise, it's impossible for me to recommend that anyone follow my own example, as each and every person has their own unique circumstances where keeping or not keeping Java in some form or another will be best for them. To tell people that they should do one thing or another would be like forcing Vegemite on everyone else, just because that happened to be what I had put on my toast and didn't result in me dying (yet).

The bottom line is, no one can tell you how you should or shouldn't secure yourself, because no one knows your environment the way you do. There are vulnerabilities in every operating system known to man, but no one tells you not to run one — that would be impossible.

In that same vein of thought, we can't prescribe security to people without knowing what they do, how they manage the risks, or if they are prepared to accept them. Otherwise, we might as well go the full hog and tell them that not using a computer is the safest option. And that's just offensive.

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

Talkback

28 comments
  • Right and Wrong

    You are right and wrong. You are absolutely right when you say that the circumstances need to be analyzed, and that it's something that rarely happens in information security, no matter where it's applied.

    On the other hand, you cannot assume that you are safe because you are an unknown user; that is not a correct approach. Let me just refresh your memory, and what better than talking about Java itself: last year, when the Blackhole exploit first started, the exploit was in the wild for Windows and Mac OS. Oracle did fix the Windows version of Java but left the 0-day free to exploit on Mac OS for months; in the time between, 600,000 Mac computers were infected.

    Many of those infected Mac computer owners assumed the exact same thing: in their circumstances Java was safe and nobody knew their real identity, in the same sense you mentioned. It just failed.

    Java is unsafe because the Java update cycle and development is totally wrong and Oracle is not committed to doing it better! So it's not safe at all. Many people talk a lot about Microsoft security, and they have indeed 0-days like anybody else, but they have an update roadmap cycle, the Security Development Lifecycle, which reduces dramatically the number of 0-days and security vulnerabilities, and they have something else which is more important than everything else: they are strongly committed to keeping the Internet ecosystem a safe place to be, and this is something that goes beyond technology.
    OOXML
    • @OOXML

      Correction: Oracle fixed both the Windows and Mac OS versions at the same time. Apple didn't send the update to their OS, exposing their environment to infection (because it was considered that the OS was immune to viruses/malware, etc.).
      Argodes
      • Yep, It was all Apple's Fault

        They dropped the ball on the update. Not Oracle.
        Mediarocker
  • Err...

    Isn't the best advice: don't install software you don't need (so if that's Java, don't install it), and keep any software you do need fully patched? Seems simple.

    Of course, this isn't always possible (that dratted internal system that expects some old version of IE, or the program that doesn't work on anything newer than XP, or is a PowerPC binary) but the above does seem to represent the "ideal".

    I know some people will cling to the idea that "I'm running Linux/Windows/OS X so I'm safe", but really, we all know better than that, right?

    But above all, understand the threats and don't install stuff you don't actually NEED. I think for most people Java in the browser isn't really needed.
    jeremychappell
    • Some people are safe - from this one at least

      If you're not running Java, you are not vulnerable to this exploit.
      Mac_PC_FenceSitter
      • RE: Some people are safe - from this one at least

        Indeed. Some of us are still using Java SE 6 which is not vulnerable to this particular exploit.

        In addition, Java SE 7 Update 10 users that proactively disabled Java for their web browsers were also safe. As are Java SE 7 users that proactively disable Java from this point forward.

        The Java plug-in's security is considerably behind the Flash Player plug-in, which is now sandboxed via the Chrome browser (all platforms), Firefox browser (Windows only) and IE 10 on Windows 8. Anyone needing the Java plug-in available for their web browser should be running it inside a sandbox, whether the sandbox is provided by the OS (e.g., Linux security modules such as AppArmor, SELinux, etc.), a 3rd-party sandbox (e.g., Sandboxie, GeSWall or Trustware BufferZone Pro for Windows) or via the web browser (sometime in the future?).
        Rabid Howler Monkey
    • Problem is...

      The problem is not with Java itself, the problem is with the virtual machine (JVM), Oracle's JVM specifically, I should add. I'm worried that all the languages designed to run in the JVM will also be victims of this. I'm a Scala programmer and I'm afraid Scala's adoption may be hindered by these security issues (I have colleagues programming in Clojure, and they have the same misgivings).
      Eleutherios
  • Java Flaws How to maintain security,

    For once, can we hear from the principals... at least at Oracle and Apple: 1-15-14 Waiting
    yen2ken
    • How is Apple a Java principal?

      And BTW, Apple did respond - by disabling Java in Safari and releasing a patch.
      Mac_PC_FenceSitter
  • While there is a grain of truth to the writer's assertion

    it is really bad advice, nonetheless. Since Java is the attack vector, solving the problem is not complicated, and depending on your need for Java, the risk can be mitigated in descending order of effectiveness by (a) uninstalling Java, (b) disabling it, (c) using a browser that blocks it by default but allows you to run it by clicking through (i.e. Firefox), and lastly (d) by patching to the very latest JVM and visiting only the websites you have to, if you aren't willing to do any of the earlier items.

    The writer does a great disservice by doing the "throw up your hands, it's too complicated to give advice" thing. You can take actions, based on the extent of your Java needs.
    Mac_PC_FenceSitter
  • Why you shouldn't always listen to security advice

    I don't have it installed, haven't had a need for it in a number of years.
    Loverock-Davidson
    • Why comment?

      So, why do you even bother to comment on this topic?
      Eleutherios
      • To show that it's not needed

        And that the safest security is to not have Java installed.
        Loverock-Davidson
        • Java

          Just too hard to compile, eh?
          AmraLeo
  • Fine for IT professionals to debate, but...

    what about the millions of users that can't even differentiate between JRE and Javascript? I'm pessimistic about getting most users to get their systems secure by any means. I see it often on my clients' systems (we don't have direct control over their software choices and maintenance), where there are browsers with 5 crapware toolbars, and often a lack of updates for many products.
    randysmith9
    • ..For all us Ignorant ones.....

      How the he!! do you KNOW if you do or don't need Java?
      From my limited perspective, it seems to be embedded into an enormous amount of web content.
      It is definitely employed by many Public Schools to present online tutorial/instructional information.
      I would argue that many of the commenters, hereon, who profess to KNOW are actually deluding themselves and are commenting purely for the interactive social adrenalin.
      Surely some amongst you can craft, and share, a useful solution for the multitude of us unknowing ones. Please?
      ChoMlo
    • Hint...

      You do need to install the JDK and enable the JRE in your browser, you do not need to install JavaScript yourself, it's there!
      Eleutherios
  • Challenge accepted ;)

    Challenge accepted ;)

    always_update_java_when_updates_are_available
    if use_java_in_browser then
        check_for_non_browser_alternatives
        if non_browser_alternatives_exist then
            install_non_browser_alternatives
            disable_java_in_all_browsers
        else
            enable_click_to_play_or_use_security_settings_to_selectively_whitelist
        endif
    elseif only_use_java_outside_of_browser then
        disable_java_in_browser
    else
        uninstall_java
    endif

    Yes, you are right that the EXACT advice will vary from person to person.

    No, you are wrong that we are actually giving bad advice. OF COURSE I always stipulate that you do different things in different circumstances. OF COURSE I will base my advice on the circumstances of the user. I really don't think that your readership is really that dumb.
    CobraA1
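As an added example that is not part of the article or of any comment, the decision tree above, together with the earlier observation that a machine without Java is not exposed to this exploit, as a runnable Python check. It parses the first line of `java -version` output and assumes the caller supplies the newest update Oracle currently offers (`latest_available`), since the page does not name the update that carries the fix.

```python
import re
from typing import List, Optional, Tuple

# Java 5 to 8 print their version on the first line of `java -version` (to stderr)
# in the form: java version "1.7.0_10"
_VERSION_RE = re.compile(r'java version "1\.(?P<major>\d+)\.0_(?P<update>\d+)"')


def parse_java_version(java_version_output: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from `java -version` output, or None if no JRE answered."""
    m = _VERSION_RE.search(java_version_output)
    if m is None:
        return None
    return int(m.group("major")), int(m.group("update"))


def recommend(installed: Optional[Tuple[int, int]],
              latest_available: Tuple[int, int],
              use_java_in_browser: bool,
              non_browser_alternative_exists: bool,
              use_java_outside_browser: bool) -> List[str]:
    """Ordered actions for one machine, following the commenter's decision tree.

    latest_available is an assumed input (the newest update Oracle ships), not a
    value taken from the page.
    """
    # No JRE at all: nothing to patch, disable or remove.
    if installed is None:
        return ["nothing_to_do_java_not_installed"]
    actions: List[str] = []
    # Step 1: always update when an update is available.
    if installed < latest_available:
        actions.append("update_java")
    # Step 2: handle the browser plug-in according to actual need.
    if use_java_in_browser:
        if non_browser_alternative_exists:
            actions += ["install_non_browser_alternative", "disable_java_in_all_browsers"]
        else:
            actions.append("enable_click_to_play_or_whitelist_sites")
    elif use_java_outside_browser:
        actions.append("disable_java_in_browser")
    else:
        actions.append("uninstall_java")
    return actions


# Constructed sample of what `java -version` printed for Java 7 Update 10.
SAMPLE_OUTPUT = ('java version "1.7.0_10"\n'
                 'Java(TM) SE Runtime Environment (build 1.7.0_10-b18)\n')

if __name__ == "__main__":
    # (7, 11) below is a placeholder for "newest update available", not a page value.
    print(recommend(parse_java_version(SAMPLE_OUTPUT), (7, 11), True, True, False))
```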
    • Wow...

      if IsComputerGeek = "yes"
      then GiveUpTryingToGetLaid
      else GoFindWoman
      endif
      shoutout
      • Well, that contributed nothing.

        Well, that contributed nothing to the discussion.
        CobraA1