This webcast is by Lunension, who make security products (so fairly alarmist). While we need Java Runtime Environment (JRE) to run in-house and 3rd party Java applications, we also need to ensure the web plugin for JRE isn’t an entry point for malware as staff browse the public internet.
“Many organizations are jumping on the “Death to Java” bandwagon, ranting about turning off Java to eliminate risk. However, it is important to put the issue in the proper context. The reality is, a Java vulnerability is not the end game for a cyber criminal, it is merely a delivery mechanism in the quest to install and execute bigger malware.
There is no “one size fits all” as far as recommendations go. But, you do want to eliminate as much exploitable surface area as reasonably possible on your critical endpoints. This is should be the philosophy ingrained in every organization’s security culture. If you’re not having this conversation about Java, and quite frankly all of the third-party applications in your environment, you are missing the mark and not calculating your risk. Join Paul Henry and Russ Ernst as they bring us up to speed on the Java vulnerabilities and how to limit your exposure.”
Lumension recommend whitelisting to block non-authorised software from executing. Rather than the traditional signature based blacklist (antivirus software). This would require passing all software though a whitelisting system (likely as part of an application packaging process). If you have an environment with a known application set, for example internet kiosks, point of sales terminals, “information workers” with the regular Office applications suite this might be possible. Microsoft have AppLocker for this purpose (management overhead) and Lumension have a product.
Also suggests traditional antivirus software, that scans files on read/write, can’t detect newer code that will do DLL injection, insert themselves in a running process in RAM. Have a look at Microsoft EMET (checks for suspicions activity) in processes.
Point 3, do deploy JRE updates regularly to get the java web plugin updates. For in-house applications you can manage which JRE version is used at launch using wrapper scripts (rather than just pickup the JRE in %path%).
Point 4, do reception desk PCs need network connectivity to your core business app servers? Defence in depth..
For now JRE is a necessary evil so do what you can to update it regularly and limit your security risks.