Java vs. JavaScript

We field questions about Java security issues on a regular basis, and have noticed that users are often confused about the differences between Java and JavaScript.

Java is a standalone application that runs separately from your browser, although it can be called on by your browser to run Java ‘applets.’ Applets aren’t that common anymore, but the Java application is a different matter. Java has a history of being exploited for vulnerabilities, and updates have historically been released on a somewhat tardy basis. Even more painful is that users have to manually watch for and install those updates unless they chose the “check for updates periodically” option during the original Java install. And even then, they’re required to manually download a patch file and run it. And we all know how users are so very diligent about that sort of thing...

JavaScript is something else altogether. It’s integrated into the browser, and although there have been security issues with it in the past, updates come in the form of operating system updates, which are usually controlled by Windows Update settings or corporate patch agents.

Securit360’s recommendations for this sort of thing always follow the “least privilege” concept: if you don’t need it – turn it off. Just like every other piece of unused software, we recommend uninstalling Java unless it’s actually being used. We’re not singling out Java; this is our recommendation for every piece of software and application on the market. If your users really need Java to do their work, though, then make sure Java is configured to periodically check for updates and patches. On top of that, run regular security scans to confirm what version of Java is installed and update old versions when you find them.
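As an added illustration of that last step (this is example code written for this page, not a Securit360 tool), the Python sketch below checks collected `java -version` banners against a minimum update level per Java release. The host names, the banners and the baseline numbers are constructed placeholders; substitute the patch levels your organization has approved.

```python
import re

_VERSION_RE = re.compile(r'version "([^"]+)"')

def parse_java_version(banner):
    """Return (feature, update) from `java -version` output, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    raw = m.group(1)
    # Java 8 and earlier report 1.<feature>.0_<update>, e.g. 1.8.0_202
    legacy = re.fullmatch(r'1\.(\d+)\.\d+(?:_(\d+))?(?:-.*)?', raw)
    if legacy:
        return int(legacy.group(1)), int(legacy.group(2) or 0)
    # Java 9 and later report <feature>.<interim>.<update>, e.g. 17.0.2
    # (the interim field is ignored here)
    modern = re.fullmatch(r'(\d+)(?:\.(\d+))?(?:\.(\d+))?.*', raw)
    if modern:
        return int(modern.group(1)), int(modern.group(3) or 0)
    return None

def audit(inventory, baseline):
    """Map host -> finding; baseline maps feature release -> minimum update."""
    findings = {}
    for host, banner in inventory.items():
        parsed = parse_java_version(banner)
        if parsed is None:
            findings[host] = "unparsed"            # no Java, or review by hand
        elif parsed[0] not in baseline:
            findings[host] = "unapproved-release"  # release nobody signed off on
        elif parsed[1] < baseline[parsed[0]]:
            findings[host] = "outdated"
        else:
            findings[host] = "ok"
    return findings

# Constructed sample data: banners as a scan might collect them
# (`java -version` writes to stderr, so capture that stream).
SAMPLE_INVENTORY = {
    "ws-01": 'java version "1.8.0_202"\nJava(TM) SE Runtime Environment',
    "ws-02": 'openjdk version "17.0.2" 2022-01-18',
    "ws-03": 'java version "1.7.0_80"',
    "ws-04": "'java' is not recognized as an internal or external command",
    "ws-05": 'openjdk version "17.0.9" 2023-10-17',
}
# Constructed placeholder baseline, not real current patch levels.
SAMPLE_BASELINE = {8: 300, 17: 9}

if __name__ == "__main__":
    for host, finding in sorted(audit(SAMPLE_INVENTORY, SAMPLE_BASELINE).items()):
        print(host, finding)
```

The two numbering schemes are the part that trips up simple string comparisons: a Java 8 install reports itself as `1.8.0_202`, while later releases report `17.0.2`.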

Java is a fantastic program but needs careful handling to prevent it from being a security issue for your organization. Keep an eye on it...