Java is a security headache, not just for users and for Oracle, its provider, but also for the other software companies that have to deal with it. Microsoft has taken a step to address the problem by releasing a FixIt tool designed to block all of the Web-based Java attack vectors in Internet Explorer while leaving desktop Java functionality intact.

Attackers have had a field day with Java for years now, and users have struggled to find ways to defend themselves, especially when patches have been slow to come from Oracle. Many of the attacks that have succeeded over the last few years have targeted vulnerabilities in older versions of Java, finding plenty of machines running out-of-date Java installations. However, there has also been a steady parade of zero-day vulnerabilities in Java, revealed either by security researchers or through their use by attackers.

To help users defend themselves against Web-based attacks using Java plug-ins in the browser, Microsoft’s FixIt tool will block all of the Web-based vectors for attack on all versions of Java.

“The Fix it solution consists of two parts. The first makes use of Windows Application Compatibility Toolkit, changing the behavior of Internet Explorer at runtime so that it will prevent the load of Oracle’s Java Web plugins. This is achieved by hooking all LoadLibrary* functions so that they return NULL (last error ERROR_FILE_NOT_FOUND) when attempting to load all Java ActiveX dlls (npjpi*.dll, jp2iexp.dll). The second part prevents Internet Explorer from automatically opening JNLP files. It does this by clearing the ACL (access control list) of the JNLP protocol handler registry location (HKCR\JNLPFile), thus preventing all user apps from reading its contents,” Cristian Craioveanu of the Microsoft Security Response Center wrote.
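To make the first part of that description concrete, here is an added example (not Microsoft's Fix it code, and not the Application Compatibility Toolkit shim itself) that models the decision a LoadLibrary* hook would make: match the requested module's file name, case-insensitively, against the two Java ActiveX DLL patterns quoted above, and for a match return NULL with the last error set to ERROR_FILE_NOT_FOUND. The HMODULE and last-error plumbing is simulated so the logic runs on any platform; the file paths in `main` are constructed sample inputs, and the block list name `kBlockedJavaDlls` is this example's own. The second part of the fix (clearing the ACL on HKCR\JNLPFile) is a registry change and is not modelled here.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Real Win32 error codes; defined here so the example is portable. */
#define ERROR_SUCCESS        0UL
#define ERROR_FILE_NOT_FOUND 2UL

/* The two DLL patterns named in the MSRC description. Example-local name. */
static const char *const kBlockedJavaDlls[] = { "npjpi*.dll", "jp2iexp.dll" };

/* Case-insensitive glob matcher supporting only '*', which is all these
 * patterns need. */
static int glob_match_ci(const char *pat, const char *s) {
    while (*pat) {
        if (*pat == '*') {
            pat++;
            if (!*pat) return 1;               /* trailing '*' matches rest */
            for (; *s; s++)
                if (glob_match_ci(pat, s)) return 1;
            return glob_match_ci(pat, s);      /* '*' matched empty string */
        }
        if (!*s || tolower((unsigned char)*pat) != tolower((unsigned char)*s))
            return 0;
        pat++;
        s++;
    }
    return *s == '\0';
}

/* Return the file name after the last '\\' or '/' in a Windows-style path. */
static const char *basename_win(const char *path) {
    const char *last = path;
    const char *p;
    for (p = path; *p; p++)
        if (*p == '\\' || *p == '/') last = p + 1;
    return last;
}

/* Policy: should this module load be refused? Matches on basename only,
 * so the install directory does not matter. */
int should_block_java_dll(const char *path) {
    const char *name = basename_win(path);
    size_t i;
    for (i = 0; i < sizeof kBlockedJavaDlls / sizeof kBlockedJavaDlls[0]; i++)
        if (glob_match_ci(kBlockedJavaDlls[i], name)) return 1;
    return 0;
}

/* Simulated hook body: what a detour on LoadLibrary* would return.
 * A fake non-NULL handle stands in for a real HMODULE on success. */
void *hooked_load_library(const char *path, unsigned long *last_error) {
    static int dummy_module;
    if (should_block_java_dll(path)) {
        *last_error = ERROR_FILE_NOT_FOUND;   /* what callers observe */
        return NULL;
    }
    *last_error = ERROR_SUCCESS;
    return &dummy_module;
}

/* Convenience wrapper: the last-error value a caller would see. */
unsigned long simulated_load_error(const char *path) {
    unsigned long err = 0;
    (void)hooked_load_library(path, &err);
    return err;
}

int main(void) {
    /* Constructed sample paths; the jre7 directory and version suffix are
     * illustrative, not taken from any real installation. */
    const char *samples[] = {
        "C:\\Program Files\\Java\\jre7\\bin\\npjpi170_21.dll",
        "C:\\Program Files\\Java\\jre7\\bin\\jp2iexp.dll",
        "JP2IEXP.DLL",
        "C:\\Windows\\System32\\mshtml.dll",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned long err;
        void *h = hooked_load_library(samples[i], &err);
        printf("%-55s -> %s (last error %lu)\n", samples[i],
               h ? "loaded" : "blocked", err);
    }
    return 0;
}
```

The point worth noticing is that the hook keys on the DLL name rather than on a path or version, which is why the fix applies to all installed Java versions at once; anything that matches `npjpi*.dll` or `jp2iexp.dll` is refused regardless of where it lives, while unrelated modules such as IE's own load normally.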

The new tool blocks the Web attack vectors for Internet Explorer only. If you use an alternative browser such as Chrome or Firefox, this method won’t work. There are ways to disable the Java plug-in in each of the other browsers, typically by going into the settings menu and removing it from the list of running plug-ins. The FixIt also has no effect on desktop applications that use Java.




Categories: Vulnerabilities, Web Security
