The immediate reaction amongst security professionals to hearing about Java security exploits is to ask: “Haven’t you disabled Java in the browser yet?”. Disabling Java in the browser is sensible, but also a touch naive.
Browsing the big bad Internet with Java enabled is sort of like wandering around a major tourist attraction with an overly stuffed wallet half-poking out of your back pocket. An invitation for the less than moral to try their luck.
So disabling the use of Java within a web browser seems like a sensible suggestion, and is almost always the right thing to do in a domestic situation.
But in a corporate environment, there is almost certainly some “application” in use that requires Java (or even worse, IE6). And as soon as it is made plain that disabling Java will (or might) prevent corporate applications from working, the reaction is to reject the measure. Which is perfectly understandable: the cost to an organisation of a certain loss of access to a corporate application may very well be greater than the potential loss due to an unknown threat.
Or perhaps the cost of the former can be measured, whereas the cost of the latter cannot.
However, this overlooks a relatively simple solution to the problem:
- Use one browser to run corporate applications. This can be as simple as a voluntary measure, or be made compulsory through a variety of controls. It could even go as far as to implement icons to access web-based applications as if they were desktop applications, using a browser deliberately configured to make general web browsing impossible or at least painful.
- Use a separate browser to access the Internet. This can be configured differently to prevent the use of dangerous plugins, and can be updated promptly without performing the whole bank of testing needed to confirm compatibility with corporate applications.
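As an added illustration, not part of the original post, of what “a browser deliberately configured to make general web browsing impossible” can look like in practice: a Firefox enterprise `policies.json` for the corporate-applications browser that blocks every URL except an allowlist of corporate application hosts, and pins the home page to the corporate portal. The `intranet.example` hostnames are placeholders for whatever the organisation’s applications actually live on; everything else is standard Firefox policy syntax. (Note that current Firefox no longer loads NPAPI plugins such as Java at all, so on a modern browser the allowlist is the half of the scheme that still applies; the “Internet” browser simply needs no such exceptions.)

```json
{
  "policies": {
    "WebsiteFilter": {
      "Block": ["<all_urls>"],
      "Exceptions": [
        "https://*.intranet.example/*",
        "https://erp.intranet.example/*"
      ]
    },
    "Homepage": {
      "URL": "https://portal.intranet.example/",
      "Locked": true
    }
  }
}
```

The file is installed as `distribution/policies.json` under the Firefox installation directory (or delivered as the equivalent Group Policy settings on Windows), so users cannot simply edit it away. The Internet-facing browser gets no `WebsiteFilter` exceptions and, conversely, can have the corporate hosts blocked, so that a drive-by page in the “open” browser cannot reach the applications the locked-down browser is protecting.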
We have grown too used to assuming that a computer needs only a single web browser, and that all “applications” accessed through the web should be accessed through that single web browser. This ignores the fact that browsing the web in general and making use of corporate applications have quite different requirements.
There are organisations where access to the Internet is banned because the risk to the organisation is too great. Other organisations reduce the risk by the use of an “air gap”, where separate computers are used: one to access corporate applications, and the other to access the Internet.
That is going a little too far for most organisations, but it does not follow that increasing the “gap” between Internet access and corporate applications is not a sensible move. Using separate web browsers is the first step along the road to increasing that gap.