Is Java safe for enterprises or for individual users? That question has been the topic of the month since the most recent widely publicised zero-day vulnerabilities, and the exploits built on them, in Oracle's Java distribution. It is not a question, though, that has a straightforward answer.
Java was conceived as a cross-platform language promising developers that they could "write once, run anywhere". Java is far from being a programming language restricted to funky little applets embedded in web pages. It is found in embedded devices and mobile phones (including Google's Android) and used for writing enterprise scale applications and even on supercomputers. In fact, the embedded web page applet format is by far the minority function of Java today.
Of course enterprising criminals have been attracted by this cross-platform promise. It means that their attacks can be used against a variety of platforms. It was a Java based attack for example that led to the success of the Flashback Trojan or DNS Changer malware on the MacOS platform. Write once, exploit anywhere.
With unfailing regularity, zero-day vulnerabilities (vulnerabilities for which no patch is available at the time of discovery) are found in Oracle Java. These vulnerabilities change hands for thousands of dollars on underground forums, where they are incorporated into attack toolkits and used in both targeted and widespread attacks. No sooner is a patch released for one problem than another vulnerability is being sold in a criminal forum.
In the wake of this criminal activity, how is an enterprise to deal successfully with Java on the network? After all, Oracle estimates that Java is installed on more than 850 million PCs worldwide!
Most of the recent advice has been to simply uninstall Java. Not only is that relatively complex to manage, it is also functionally impossible for a company that uses applications developed on the Java platform. More realistic for the enterprise is to enforce a "two-browser policy", but this depends on an effective network architecture. A company could use group policy to enforce different proxy settings in two different browsers: one for use only on the internal network and one with access to the Internet. In the browser that has access to the Internet, group policy can again be used to disable the Java plug-in (and any other undesirable plug-in).
For end-users, the answer is simpler: uninstall Oracle's Java completely. If, at some point in the future, you notice that your Java is missing (which is highly unlikely), then install the latest version from Oracle's website, but be sure to disable any Java functionality in your web browser. This used to be a complex proposition, different for every browser (I posted some instructions here) but, recognising this user requirement, the latest version of the Java control panel now features a simple "Enable Java in the browser" option, under the security tab. If you don't see this option, you're not up-to-date.
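The control panel checkbox mentioned above and the group-policy enforcement described for the enterprise come together in Java's system-wide deployment configuration. The script below is an added example, not from the original post: it assumes Java 7u10 or later (the release that added the checkbox and the `deployment.webjava.enabled` property behind it), the documented Windows system location `%SystemRoot%\Sun\Java\Deployment` for the configuration files, and that it runs with administrator rights, for instance as a GPO startup script.

```powershell
# Added example (not from the original post): disable the Java browser plug-in for
# every user on a Windows endpoint and lock the setting, so the per-user
# "Enable Java in the browser" checkbox in the Java control panel stays greyed out.
# Assumptions: Java 7u10 or later; run as Administrator (e.g. GPO startup script).

$DeployDir  = Join-Path $env:SystemRoot 'Sun\Java\Deployment'
$ConfigFile = Join-Path $DeployDir 'deployment.config'
$PropsFile  = Join-Path $DeployDir 'deployment.properties'

New-Item -ItemType Directory -Path $DeployDir -Force | Out-Null

# deployment.config points the JRE at the mandatory system-wide properties file.
# Java expects a file: URL with forward slashes (a backslash is an escape
# character in a Java properties file).
$PropsUrl = 'file:///' + ($PropsFile -replace '\\', '/')
@(
    "deployment.system.config=$PropsUrl",
    'deployment.system.config.mandatory=true'
) | Set-Content -Path $ConfigFile -Encoding ASCII

# deployment.properties: turn web Java off. Appending ".locked" (no value) to a
# property name prevents users from overriding it in their own control panel.
@(
    'deployment.webjava.enabled=false',
    'deployment.webjava.enabled.locked'
) | Set-Content -Path $PropsFile -Encoding ASCII

# Read the files back so the same script can double as a compliance check.
function Test-JavaBrowserDisabled {
    if (-not (Test-Path $ConfigFile) -or -not (Test-Path $PropsFile)) { return $false }
    $config = Get-Content $ConfigFile
    $props  = Get-Content $PropsFile
    ($config -contains 'deployment.system.config.mandatory=true') -and
    ($props  -contains 'deployment.webjava.enabled=false') -and
    ($props  -contains 'deployment.webjava.enabled.locked')
}

if (Test-JavaBrowserDisabled) {
    Write-Host 'Java browser plug-in disabled and locked system-wide.'
} else {
    Write-Warning 'Java deployment policy was not applied.'
    exit 1
}
```

The proxy side of the two-browser policy is browser-specific and is left to group policy as the post describes; this script only enforces the Java half on the machine, which applies whichever browser the user opens.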