Making Java (Slightly) Safer on Windows

Here’s a suggestion that can make it a little safer to run the Java plugin in your web browser on Windows (Vista, Win 7, and Win 8, but not XP). This doesn’t stop exploits, and is probably not entirely effective, but it can stop some bad things from happening. Don’t be fooled into feeling safe by doing this; it’s just one additional layer, but it could stop your system from being fully compromised.

Windows includes a feature called mandatory integrity controls that imposes an extra layer of protection on top of the discretionary access controls provided by the operating system. It is a (very) simple method of preventing write access to items with a higher security level label. There are several levels defined: Anonymous, Low, Medium, High, and System. Mandatory integrity controls are one of the many features that make Google Chrome’s sandbox possible.

One of the first things that many Java exploits do is grab a dropper, save it to the filesystem, and execute it. In most cases, running Java with low integrity will short-circuit the download (though this is easy for malware authors to work around). Also important is that child processes inherit the integrity label, so if the malware was smart enough to drop the bot or whatever it grabbed into a location with a “Low” label, the bot will execute with low permissions. This will stop it from being persistent, writing to browser settings, copying itself to system folders and so on.

The downsides? The “Low” label still allows reading of files and information labeled “Medium” or higher, relying on discretionary access controls. Another downside is that this will probably break any complex Java applet. I was still able to run most of the stuff I came across; it’s just when trying to write files that things get denied.

Another thing is that you probably don’t want to change the java.exe program itself if you use any Java applications, but this isn’t really a problem because Internet Explorer uses a helper executable, “jp2launcher.exe”, to launch the program, and as mentioned before it will inherit the “Low” label on execution.

Here’s how to run the Java browser plugin as Low integrity: open a Command Prompt as the Administrative user (right click, Run as Administrator) and run the command:

    icacls <location of jp2launcher.exe> /setintegritylevel L

Next time a Java applet is run, it will execute as Low integrity, as evidenced by looking at its properties in Process Explorer. And as you can see, basic applets still run …


Just to drive the point home, this will cause problems with legitimate applets that save files.
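
The labeling step above, scripted so that every installed copy of jp2launcher.exe gets the Low label and the result is checked afterwards. This is an added example, not part of the original post; it assumes the JREs are installed under the default "Java" folders in Program Files and that icacls prints its output in English. Run it from an elevated PowerShell prompt.

```powershell
# Added example: label each jp2launcher.exe as Low integrity and verify it.
# Assumption: JREs live under "<Program Files>\Java" (32-bit and/or 64-bit).

$roots = @(
    @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } |
        ForEach-Object { Join-Path $_ 'Java' } |
        Where-Object { Test-Path $_ }
)

$launchers = @(
    $roots | ForEach-Object {
        Get-ChildItem -Path $_ -Recurse -Filter 'jp2launcher.exe' -ErrorAction SilentlyContinue
    }
)

if ($launchers.Count -eq 0) {
    Write-Warning 'No jp2launcher.exe found; pass its location to icacls by hand.'
    return
}

foreach ($exe in $launchers) {
    # Same command as in the post. L = Low; M would restore the default Medium.
    & icacls.exe $exe.FullName /setintegritylevel L | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "icacls failed for $($exe.FullName) (is the prompt elevated?)"
        continue
    }

    # An explicit label shows up in the icacls listing as
    # "Mandatory Label\Low Mandatory Level" (English output assumed).
    $listing  = & icacls.exe $exe.FullName
    $labelled = [bool]($listing | Select-String -SimpleMatch 'Low Mandatory Level')

    New-Object PSObject -Property @{
        Path         = $exe.FullName
        LowIntegrity = $labelled
    }
}
```

Any row with LowIntegrity set to False means the label did not stick for that copy, so the plugin launched from it would still run at the default level.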