It’s become all too clear in the last week that patching Java simply won’t protect you. This has been said many times in the past, but it is so blatant right now that it needs to be reiterated, and steps need to be taken to keep users secure. For those of you who don’t know, Oracle pushed out a patch four days after the vulnerability was first seen being exploited in the wild, only to have a new exploit surface the next day. That new exploit is already being sold for inclusion in exploit kits.
So, as a user, what can you do to stay safe if you can’t rely on patching?
Thankfully, browsers have started setting the Java plugin to Click To Play by default, so an applet does not run until you deliberately click on it and a drive-by page can no longer launch it silently. Both Firefox and Chrome have done so, so make sure you use one of those and keep it up to date.
Another way to harden Java is through the Java Control Panel. Set the security level all the way up, and then open the Advanced settings.
These settings are fairly straightforward: when in doubt, set an option to prompt rather than to allow.
Key areas are:
Enable granting elevated access to self-signed apps.
No! Uncheck that. A self-signed certificate proves nothing about who wrote the applet: an attacker can sign their own applet and, if that option is on and the user clicks through, run it with full permissions outside the sandbox. That’s no good at all.
Make sure that mixed code (trusted and sandboxed code loaded together in one applet) either prompts you or is denied by default, and never runs with the warning hidden. This is the other key area to lock down.
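Everything the Control Panel does here is stored in a plain-text deployment.properties file, so the settings above can be audited, and pushed out to many machines, without clicking through the GUI on each one. The script below is an added example and not code from the original post: it parses a constructed sample of that file in the form the Control Panel writes, flags the three settings discussed above when they are weak or not set at all, and produces a hardened copy with those settings locked. The property names (deployment.security.level, deployment.security.askgrantdialog.notinca, deployment.security.mixcode) and the `.locked` suffix are, to my knowledge, what Java 7u10-era JREs use; they have changed between releases, so verify them against the file your own JRE writes before relying on this.

```python
"""Audit and harden a Java deployment.properties for the Control Panel settings
walked through above. Added example, not code from the original post.

The Control Panel keeps its choices in deployment.properties (under
AppData/LocalLow/Sun/Java/Deployment on Windows, ~/.java/deployment on Linux).
The property names are those written by Java 7u10-era JREs; confirm them
against your own JRE's file, as they have changed between releases.
"""

# Constructed sample in the shape the Control Panel writes: slider at Medium,
# self-signed grants allowed, mixed-code warning hidden and the code run anyway.
SAMPLE_WEAK = r"""#deployment.properties
#Mon Jan 14 20:12:47 GMT 2013
deployment.version=7.21
deployment.browser.path=C\:\\Program Files\\Mozilla Firefox\\firefox.exe
deployment.security.level=MEDIUM
deployment.security.askgrantdialog.notinca=true
deployment.security.mixcode=HIDE_RUN
"""

# (key, preferred value, acceptable values, why) for the settings the post covers.
RULES = [
    ("deployment.security.level", "VERY_HIGH", {"VERY_HIGH"},
     "security slider should be all the way up"),
    ("deployment.security.askgrantdialog.notinca", "false", {"false"},
     "never offer to grant self-signed (untrusted-authority) code full permissions"),
    ("deployment.security.mixcode", "ENABLE", {"ENABLE", "HIDE_CANCEL"},
     "mixed code must prompt (ENABLE) or be refused (HIDE_CANCEL), never run silently"),
]

_CTRL = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def _unescape(s):
    # Resolve the escapes the JRE emits: \: \= \\ and \t \n \r \f.
    # \uXXXX is not handled; the keys and values checked here never contain it.
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(_CTRL.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, 'key=value',
    'key:value' or 'key value', backslash line continuation, escaped keys/values."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:  # odd trailing '\': continued
            pending = line[:-1]
            continue
        i = 0
        while i < len(line) and line[i] not in "=: \t":
            i += 2 if line[i] == "\\" else 1  # an escaped separator is part of the key
        key, rest = line[:i], line[i:].lstrip(" \t")
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip(" \t")
        props[_unescape(key)] = _unescape(rest)
    return props


def audit(props):
    """Return (key, current value, message) for each weak setting. A key the Control
    Panel has not written yet is reported too: the JRE default applies, not your choice."""
    findings = []
    for key, _, ok, why in RULES:
        cur = props.get(key)
        if cur is None:
            findings.append((key, None, "not set explicitly; " + why))
        elif cur not in ok:
            findings.append((key, cur, why))
    return findings


def harden(props):
    """Copy of props with the post's settings applied and locked: a '<key>.locked' entry
    in the system-wide deployment.properties stops users lowering it in the Control Panel."""
    fixed = dict(props)
    for key, preferred, ok, _ in RULES:
        if fixed.get(key) not in ok:
            fixed[key] = preferred
        fixed[key + ".locked"] = ""
    return fixed


def to_properties(props):
    """Serialise in the JRE's own style, with ':' '=' and '\\' escaped."""
    def esc(s):
        return s.replace("\\", "\\\\").replace(":", "\\:").replace("=", "\\=")
    return "\n".join(f"{esc(k)}={esc(v)}" for k, v in sorted(props.items())) + "\n"


if __name__ == "__main__":
    weak = parse_properties(SAMPLE_WEAK)
    for key, cur, why in audit(weak):
        print(f"WEAK  {key}={cur!r}: {why}")
    print(to_properties(harden(weak)))
```

Run against the sample it reports all three settings as weak and prints a locked, hardened file; point `parse_properties` at a real deployment.properties to audit a machine. The `.locked` entries only have teeth in the system-wide file, since a user can edit the per-user copy.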
There isn’t much more you can do to Java itself, but these steps should ensure that any exploit is, at the very least, hidden behind a click. That click is still the weak point, so if you don’t need Java in the browser at all, disabling the plugin outright removes the attack surface entirely.