Java is a security headache, not just for users and for Oracle, its provider, but also for other software companies that have to deal with it. Microsoft has taken steps to address this problem by releasing a FixIt tool that is designed to block all of the Web-based Java attack vectors in Internet Explorer, while still leaving the desktop Java functionality intact.
Attackers have had a field day with Java for years now, and users have struggled to find ways to defend themselves, especially when patches have been slow to come from Oracle. Many attacks that have been successful over the last few years have targeted vulnerabilities in older versions of Java, finding plenty of machines with out-of-date Java installations. However, there has also been a steady parade of zero-day vulnerabilities in Java revealed either by security researchers or through their use by attackers.
To help users defend themselves against Web-based attacks using Java plug-ins in the browser, Microsoft’s FixIt tool will block all of the Web-based vectors for attack on all versions of Java.
“The Fix it solution consists of two parts. The first makes use of Windows Application Compatibility Toolkit, changing the behavior of Internet Explorer at runtime so that it will prevent the load of Oracle’s Java Web plugins. This is achieved by hooking all LoadLibrary* functions so that they return NULL (last error ERROR_FILE_NOT_FOUND) when attempting to load all Java ActiveX dlls (npjpi*.dll, jp2iexp.dll). The second part prevents Internet Explorer from automatically opening JNLP files. It does this by clearing the ACL (access control list) of the JNLP protocol handler registry location (HKCR\JNLPFile), thus preventing all user apps from reading its contents,” Cristian Craioveanu of the Microsoft Security Response Center wrote.
The new tool blocks Web attack vectors for Internet Explorer only. If you use an alternate browser such as Chrome or Firefox, this method won’t work. There are ways to disable the Java plug-in in each of the other browsers, typically by going into the settings menu and removing it from the list of running plug-ins. The FixIt also doesn’t have any effect on desktop applications that use Java.
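A defender-side check of the two effects Craioveanu describes, written here as an added PowerShell example (it is not Microsoft's Fix it code): it tests whether HKCR\JNLPFile has become unreadable from a normal user context, and whether any of the named Java ActiveX DLLs are currently loaded in running iexplore.exe processes. It assumes Windows PowerShell 5.x run as a standard (non-elevated) user on a machine where Internet Explorer is open.

```powershell
# Added example, not part of Microsoft's Fix it. Verifies the two effects the
# article quotes: an unreadable HKCR\JNLPFile key and no Java ActiveX DLLs in IE.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Test-JnlpHandlerLockedDown {
    # Part two of the Fix it clears the ACL on HKCR\JNLPFile, so a read from a
    # normal user process fails with access denied once it is applied.
    # Returns $true (locked down), $false (readable) or $null (key absent).
    try {
        $null = Get-ItemProperty -Path 'HKCR:\JNLPFile' -ErrorAction Stop
        return $false
    } catch {
        if ($_.CategoryInfo.Category -eq 'PermissionDenied') { return $true }
        if ($_.CategoryInfo.Category -eq 'ObjectNotFound')   { return $null }
        throw
    }
}

function Get-JavaPluginModulesInIE {
    # Part one hooks LoadLibrary* inside Internet Explorer so the Java ActiveX
    # DLLs named in the article (npjpi*.dll, jp2iexp.dll) never load. With the
    # Fix it in place this returns nothing. Assumes PowerShell bitness matches
    # iexplore.exe; a mismatch makes .Modules throw, which is reported as a warning.
    Get-Process -Name iexplore -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        try {
            $proc.Modules |
                Where-Object { $_.ModuleName -like 'npjpi*.dll' -or $_.ModuleName -eq 'jp2iexp.dll' } |
                ForEach-Object { [pscustomobject]@{ Pid = $proc.Id; Module = $_.ModuleName; Path = $_.FileName } }
        } catch {
            Write-Warning "Could not enumerate modules for iexplore PID $($proc.Id): $_"
        }
    }
}

$locked = Test-JnlpHandlerLockedDown
if ($locked -eq $true) {
    'JNLP handler key is unreadable from this user context (Fix it part two appears applied).'
} elseif ($locked -eq $false) {
    'JNLP handler key is readable: IE could still hand JNLP files to Java Web Start.'
} else {
    'No HKCR\JNLPFile key found (Java Web Start not registered).'
}

$loaded = @(Get-JavaPluginModulesInIE)
if ($loaded.Count -eq 0) { 'No Java ActiveX DLLs loaded in any iexplore.exe process.' }
else { 'Java ActiveX DLLs are loaded in IE:'; $loaded | Format-Table -AutoSize }
```

Run it before and after applying the Fix it to confirm the change; an elevated shell is a poor test for the registry half, since the owner of the key can still read it.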