Controlling Java in Internet Explorer

Recently, there’s been some interest in how to control the use of Java within Internet Explorer. Java is a unique form of extensibility because it can be invoked in two ways:

  • Using an APPLET element
  • Using an OBJECT element with a CLSID of a JVM

These two invocation methods are subject to different security controls, which I’ll describe in today’s post.

Controlling Applet Tags

When Internet Explorer encounters an APPLET tag, it checks the URLACTION_JAVA_PERMISSIONS value to determine whether the APPLET should be loaded. If the value is URL_POLICY_JAVA_PROHIBIT, then the APPLET tag is prevented from loading the JVM. In earlier versions of Internet Explorer, when a Microsoft JVM was available, this URLAction was exposed on the Tools > Internet Options > Security > Custom… dialog, but it has since been removed.

You can use the Group Policy Editor to control the URLAction under the node \Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\ZoneID:

image

Alternatively, you can make a small registry tweak to add the JVM Options entry back to the Internet Control Panel:

image

The registry script takes advantage of the fact that the Internet Control Panel UI is extensible via the registry; it simply creates a new item that adjusts the values of the URLACTION_JAVA_PERMISSIONS URLAction.

If you adjust the Internet Zone settings from “High Security” to Disable (URL_POLICY_JAVA_PROHIBIT) any site attempting to use an APPLET tag will find that the applet does not load and a notification is shown:

"An add-on failed to run..." notification 

Controlling Object Tags

Unfortunately, when a site uses an OBJECT tag to load Java, an entirely different codepath is executed. In the OBJECT tag case, the JAVA_PERMISSIONS URLAction isn’t consulted, because as far as Internet Explorer is concerned, this might be any type of OBJECT. Instead, the traditional ActiveX-controlling features are consulted (e.g. ActiveX Filtering, Per-Site ActiveX, Manage Add-ons, etc). You can use IE’s Tools > Manage Add-ons feature to examine or adjust the state of the Java Plug-in object:

Manage Add-ons Showing JVM Plugin

Note: I’m told that the Java Plug-In SSV Helper Browser Helper object should not be disabled, as it ensures that websites may not attempt to load older (insecure) versions of the JVM you may have installed. However, you’ll notice that you pay a performance penalty on tab startup to load this BHO—this is one of the many reasons I don’t install Java on my PCs.

If you select the Java Plug-in, you can click the Disable button to prevent Java from being loaded by an OBJECT tag. Alternatively, if you click the More Information link, you can clear the * from the list of sites on which the Java Plug-in may run:

image

If you subsequently visit a site that attempts to invoke Java as an OBJECT tag, you will see a notification bar prompting you for permission to run Java on the current site.

So, if you want to permit Java to run only in the Intranet and Trusted Sites zones:

  1. Adjust the URLAction for the Internet Zone to Disable
  2. Remove the * from the Per-Site list of the ActiveX Control

Step #1 will ensure that only Intranet Zone and Trusted Zone sites may load Java for APPLET Tags. Step #2 will ensure that the Java Plug-in will not load as an OBJECT on Internet Zone sites; a notification will be shown instead. Because Intranet and Trusted Sites ignore the Per-Site ActiveX list, you won’t see any additional warnings on those sites.

-Eric Lawrence