Today, Java is part of nearly every organization’s ‘standard’ desktop image, often used for mission-critical business applications. And Java usage is prevalent beyond the enterprise as well. Oracle claims more than 3 billion devices are running Java globally. That large target population is very attractive to hackers and can leave your IT environment exposed.
Java has a long history of security vulnerabilities and in 2014 alone there were 133 reported vulnerabilities, resulting in roughly 25 updates each for Java 7 and Java 8. Most of those updates were delivered in quarterly update packages, but several critical vulnerabilities required updating every few weeks to remain fully secure. This represents a major drag on your IT resources to keep pace.
Keeping pace with Java updates in the early days, when Java code ran as standalone applets directly on client operating systems, was very different from what it takes today. Developers have shifted their focus to web-based applications built on the Java Runtime Environment (JRE) and run in a browser. These web-based Java applications share many similarities with standalone Java applets, but they must be packaged and delivered differently for the web. This results in a variety of compatibility and security issues caused by JRE incompatibilities from version to version and by unlimited threat vectors on the web. Despite these challenges, Java application development remains incredibly common within medium and large organizations.
In response, most information security organizations have pressed for regular internal updates to Java versions on end user PCs. This creates challenges for most organizations with change management processes and application compatibility. While these two challenges are often linked, they are distinct issues. Our new whitepaper Managing Java Security in the Enterprise will overview each challenge individually. In addition, it will provide you with detailed guidance for managing Java security in your enterprise using a combination of sound security practices and Browsium’s browser management platform.
Learn more about this vital topic by downloading Managing Java Security in the Enterprise. We hope it helps you understand how to effectively deal with Java without compromising compatibility, security, or your change management process.
As readers of this blog are well aware, the timeline to migrate to IE11 has been moved up. January 2016 will be here in no time. The pressure is on to make the move or risk losing technical support and essential security updates.
Because most line-of-business applications now run in the browser, incompatibilities caused by a browser migration can be catastrophic to your business. Today’s rapid pace of innovation in browser technology, combined with compression of the support lifecycle, forces you to confront browser migrations far more frequently. Yet the traditional tools to remediate critical web applications and manage browsers have not kept pace.
Ensuring compatibility with IE11 for all line-of-business web applications before the migration deadline is very frequently an obstacle in the migration process for enterprises. Our new eBook “Clearing the Path to IE11 Migration” is now available to help you find the best option to smoothly and cost-effectively achieve web application compatibility and manage web browsers throughout the migration process and beyond.
This free eBook will provide you with an overview of the tools which have been historically used to solve web application compatibility issues – modifying applications and virtualization. In addition, it discusses two new browser management solutions introduced specifically to address application remediation.
Download the eBook and start planning your migration to IE11 today.
On 1 April 2015, Browsium hosted a webinar: Multi-browser Management with Browsium Catalyst. The webinar was a huge success and generated a number of great questions from the audience. We have compiled the complete set with answers to share with all attendees, and anyone else who is interested in multi-browser management. If you missed the webinar, you can watch the video archive on YouTube today.
Read on to see the questions (and our responses) from the webinar.
Will Catalyst also manage different versions of Java per browser like Ion does?
Browsium Catalyst is a multi-browser web traffic manager for the enterprise, enabling IT to pair all web applications with the most compatible and secure browser. Catalyst can help you secure Java by only allowing a browser with Java disabled to access public websites. Browsium Ion is our solution for Java version management, enabling multiple versions of Java to run side-by-side in a single browser.
Does Catalyst download the needed browser or does the browser have to be downloaded previously?
Browsium does not create or distribute web browsers. We provide browser management tools that work with all major browsers used by enterprise organizations. You will need to download your required browsers from their respective vendors and then install the Catalyst Client on each end user PC to centrally manage the browsers throughout your organization.
What are the integration benefits of using Catalyst and Ion together?
Browsium Ion is a web application remediation and browser management solution for enterprise, designed to simplify browser migration and enable IT to maintain control over browser compatibility and security. Browsium Catalyst is a multi-browser web traffic manager for the enterprise, enabling IT to pair all web applications with the most compatible and secure browser. Together they provide a complete browser management platform.
Imagine you are an IT director in an organization that is in the process of migrating from IE8 to IE11 and you must keep your business applications up and running throughout the process. At the same time, many of your end-users may use another browser for personal purposes, and even tend to favor this other browser because it’s what they use at home.
This is where Catalyst and Ion come together to facilitate productive workflow for you as the IT director and your end-users. You can use Catalyst to redirect all business applications to IE11, while you have Ion to remediate legacy IE8-dependent applications that you now need to run in IE11.
You have control over the entire browser environment, maximizing compatibility and security while still giving your end-user a choice of browsers for the web.
Will Catalyst support Project Spartan in Windows 10?
We hope to support Spartan in Windows 10, but it’s too early to commit since the preview of Spartan just came out this week and it doesn’t have an extension model at this stage. We expect enterprises to standardize on IE11 in Windows 10, as Microsoft has recommended. If end users also want to use Spartan in the enterprise, and Microsoft provides the APIs for Browsium to manage Spartan, we will investigate providing a version of Catalyst that supports it.
Is there another webinar for Ion coming up soon?
We will be posting our upcoming webinars on the Browsium Blog. We try to host one every 45-60 days. As a reminder, you can watch the archive of our Java webinar from December 2014 and our IE11 migration webinar from January 2015.
Is Catalyst scalable for my IT environment if I have 20,000 users?
Catalyst has infinite scalability in any IT environment, as the program itself does not require any servers. If your organization is experiencing rapid growth, Catalyst can tackle that growth, quickly and efficiently (assuming you’ve purchased the required number of seat licenses).
Join us on April 1st for the next installment in our 30-minute webinar series featuring Browsium founder Matt Heller. This past January, Matt discussed how Browsium Ion can ease your migration to IE11 before the end-of-support deadline in January 2016. In April, Matt is turning his attention to the management of a multi-browser enterprise – a strategy that Gartner analysts continue to promote as a sound practice to maximize compatibility and security. The days of the single-browser enterprise are over. More and more CIOs are mandating a second browser. And those that don’t do so must react to their end users who increasingly install a second browser by preference. Learn what’s driving this trend, and how to deploy the tools that give IT complete control over a multi-browser enterprise, in this informative 30-minute webinar.
When: Wednesday, 1 April 2015 at 0900 PDT / 1200 EDT / 1700 GMT
Learn how managing Internet Explorer in conjunction with Chrome or Firefox can yield dramatic benefits for your organization. Browsium Catalyst, the multi-browser web traffic manager for the enterprise, enables IT to pair all web applications with the most compatible and secure browser. Register today, and start managing browser use in your organization.
Today we released a minor update to Browsium Ion to address a few issues that have been reported by customers recently. Changes in this release include:
There are more details to help you install and use Ion 3.4.1 in the Release Notes. We highly recommend reading them before installing.
If you’re already an Ion customer, you can download the new version from the download page sent to you with your license key. If you’re just evaluating Ion now, or are interested in evaluating it, you have two options:
Browsium founder Matt Heller dropped in on Brian Madden and Gabe Knuth over at brianmadden.com today for a deep-dive on enterprise browser management. The discussion covered a range of topics, from the impact of Microsoft’s new Internet Explorer support policy on IE11 migrations to the increasing adoption of Chrome and Firefox in the enterprise. Matt, Brian, and Gabe even spent some time musing about the Saturday Night Live 40th anniversary and a few other old-time television shows. So click on over to Brian and Gabe’s site, pop in your ear buds, and enjoy the show.
The Browsium Catalyst customer base continues to grow rapidly as more and more enterprises discover the need to deploy and manage a second, modern browser – typically Google Chrome. These customers continually provide us with feedback on new features and management improvements they’d like to see in Catalyst. It’s no surprise that their top request was to provide Catalyst with the enterprise management and deployment features added to Browsium Ion last summer (in the Ion 3.3 release). So that’s what we’ve been focused on during the past few months, and we’re pleased to deliver the results of that effort today with Browsium Catalyst 3.0.
Catalyst 3.0 not only builds on what we’ve learned about enterprise customer needs with our many Ion deployments, but it actually builds on that same code base. Now Ion and Catalyst share a common infrastructure, enabling us to deliver higher quality software more quickly, and also provide our customers who use both Ion and Catalyst with a much more consistent project development and deployment experience.
Catalyst 3.0 has many visible changes, and some great improvements in the plumbing. Here is a brief list:
A complete feature list, along with information to help you install and use Catalyst 3.0, is available in the Release Notes. We highly recommend reading them before installing.
If you’re already a Catalyst customer, you can download the new version from the download page sent to you with your license key. If you’re just evaluating Catalyst now, or are interested in evaluating it, you have two options:
On 28 January 2015, Browsium hosted a webinar titled: IE11 Migration Made Easy with Browsium Ion. The webinar was a huge success and generated a number of great questions from the audience. We have compiled the complete set with answers to share with all attendees, and anyone else who is interested in IE11 migration. If you missed the webinar, you can watch the video archive on YouTube today.
Read on to see the questions (and our responses) from the IE11 webinar.
As client-side software, does Ion allow for centralized profile configuration so all users obtain the same profile? What about support for 3rd party browsers like Chrome?
While the configuration is loaded on the client side, the configuration file itself is designed to be hosted centrally on a file share or web server. The Browsium Ion client only needs read permission access to the configuration file and then caches the configuration locally in the event the network resource isn’t available or the user system is not network connected. Ion supports Internet Explorer only at this time. As adoption of other browsers increases in the enterprise, and these browsers begin to suffer from the legacy issues which have afflicted Internet Explorer, Browsium will evaluate offering Ion support for Chrome or Firefox.
Can Ion be used to redirect websites between IE, Chrome and Firefox? Based on same URL matching techniques?
Browsium Ion is designed to resolve web application compatibility and Java management issues for Internet Explorer. Browsium Catalyst is our multi-browser management tool that enables seamless redirection between Internet Explorer, Chrome, and Firefox. Both Ion and Catalyst rules are triggered using the same engine to match, based on simple (string match), regular expression, or zone-based values.
How are Browsium products licensed? What is the licensing policy/costs in multi-user environments? Can you give list price?
Browsium Ion and Catalyst are licensed via a perpetual license, with a base license fee plus a per-seat license fee, tiered for the number of Windows PCs (or instances of Windows in a VDI environment) that run the Ion software. For multi-user terminal servers, Ion is licensed for the total number of users on the system. Software updates are available to licensees who purchase a yearly support and maintenance contract. Contact Browsium Sales for a custom quote for your organization.
I understand Browsium Ion does not have a central command and control center. Does Browsium provide any sort of reporting for things like agent status, agent failure, sites accessed matching Ion rules, etc.? Also, for discovering Java you said you have a product in roadmap. Is it going to be a newer version of Ion or a separate product?
The current release of Browsium Ion does not include any reporting options regarding client status or performance/activity data. Customers have requested this type of functionality and we plan to include it in a future release.
Our product roadmap includes a new product focusing on web application discovery, Java/extension reporting, usage analysis, and browser configuration reporting. We plan to have more detailed announcements about features and release timing in the coming months.
How safe is Ion use in the enterprise?
Browsium Ion is built following many of the same engineering principles used within Microsoft, including the SDL process. In addition, the Ion design provides for ‘defense in depth’ security by enhancing the security offered by Internet Explorer (Protected Mode, etc.), as well as Java Virtual Machine (Sandboxing, etc.).
Using this approach, Browsium Ion loads process-isolated instances of Internet Explorer and loads the JVM (or other external libraries as needed) in a separate memory space. This design helps ensure any potential malicious action would be limited to the separate process and unable to infect the core system as the modifications will be wiped away when the Ion managed process is shut down.
In addition, the Ion-managed processes are only loaded by pattern match and cannot be ‘forced’ to open unless the specific profiles are loaded by a site contained in the rules list. Arbitrary websites cannot issue commands to the Ion Controller to open a website using an Ion profile.
Does Ion run as a Windows service or as plugins within the browser?
Ion is comprised of two parts on the client side – a browser plugin and standalone controller process (.exe). The browser plugin is responsible for monitoring network requests and URL parameters, while the controller process handles the bulk of technical tasks to ensure browser performance is not impacted.
Is there a roadmap for Ion compatibility with Windows 10 and the new browser Spartan? If yes, can you provide any assurance in terms of when will it be available?
Browsium is committed to supporting new Internet Explorer and other browser releases as they reach general availability. With respect to Spartan and Windows 10, both products are currently in various levels of pre-release availability so we do not yet provide support for them. We are working closely with Microsoft to ensure a smooth and successful customer experience when Spartan and Windows 10 are released to the market later this year.
What browsers do you support apart from Internet Explorer?
Browsium Ion supports Internet Explorer only at this time. As adoption of other browsers increases in the enterprise, and these browsers begin to suffer from the legacy issues that have afflicted Internet Explorer, Browsium will evaluate offering Ion support for Chrome or Firefox.
Browsium Catalyst is our multi-browser management tool that enables seamless redirection between Internet Explorer, Chrome, and Firefox.
Join us in late January for the next installment of our 30-minute webinar series featuring Browsium founder Matt Heller. In December, Matt discussed how Browsium Ion can help your enterprise keep current with Java security updates while still ensuring compatibility for all your line of business applications. In January, Matt is turning his attention to IE11 migration – a topic that is top of mind for every enterprise IT manager as Microsoft prepares to end support for IE8, IE9, and IE10 at the beginning of 2016.
When: Wednesday 28 January 2015 at 0900 PST / 1200 EST / 1700 GMT
Ensuring legacy web applications can run alongside modern applications in IE11 is crucial to a successful migration. Only Browsium Ion provides the granular control to keep your mission-critical applications running and streamline this migration.
On 10 December 2014, Browsium hosted a webinar titled: Manage and Secure Java with Browsium Ion. The webinar was a huge success and generated a number of great questions from the audience. We have compiled the complete set with answers to share with all attendees, and anyone else who is interested in Java management. If you missed the webinar, you can watch the video archive on YouTube today.
Read on to see the questions (and our responses) from the Java webinar.
How do you determine that you are running a different version of Java within a browser instance?
There are a few methods to determine the version of Java that is running within a browser instance. One method is to inspect the DLLs used by that browser instance. The DLLs loaded in any given process within Windows can be inspected with Process Explorer. By investigating the list of DLLs loaded under iexplore.exe, you can usually determine the specific version of Java in use. Another somewhat simpler method is to navigate to the javatester.org website within an Ion profile. This can be done by setting a specific rule for Javatester for that profile or appending the string that triggers another rule that uses that profile to the javatester.org URL (e.g., http://javatester.org/version.html?ruletriggertext).
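A scripted equivalent of the Process Explorer check described above, as an added example that is not Browsium's code or part of the original post: it lists the Java-related DLLs loaded in each running iexplore.exe with their file version and path. The function name and the path pattern used to recognise Java modules are assumptions.

```powershell
# Added example: report Java runtime DLLs loaded in running Internet Explorer processes.
# Assumption: a module counts as "Java" if it is jvm.dll or lives under a
# ...\jre*\bin\ or ...\jdk*\bin\ directory (the usual Oracle install layout).
# Caveat: a 64-bit PowerShell host may list only the 64-bit modules of a 32-bit
# iexplore.exe tab process. If nothing is reported, rerun from the 32-bit host:
#   %SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

function Get-BrowserJavaModule {
    [CmdletBinding()]
    param(
        # Process name without the .exe suffix
        [string]$ProcessName = 'iexplore'
    )

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        $modules = $null
        try {
            # Reading the module list can fail for protected or exiting processes
            $modules = $proc.Modules
        } catch {
            Write-Warning "PID $($proc.Id): cannot read module list ($($_.Exception.Message))"
        }
        if (-not $modules) { continue }

        foreach ($m in $modules) {
            $isJava = ($m.ModuleName -ieq 'jvm.dll') -or
                      ($m.FileName -match '\\(jre|jdk)[^\\]*\\bin\\')
            if ($isJava) {
                [pscustomobject]@{
                    ProcessId      = $proc.Id
                    Module         = $m.ModuleName
                    ProductVersion = $m.FileVersionInfo.ProductVersion
                    Path           = $m.FileName
                }
            }
        }
    }
}

# One row per Java DLL per browser process; the install directory in Path
# shows which JRE that browser instance actually loaded.
Get-BrowserJavaModule |
    Sort-Object ProcessId, Module |
    Format-Table -AutoSize
```

Run it while the Java application is open in the browser, since the Java DLLs are only present in a process after the plug-in has loaded.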
Does Browsium Ion work with Java Web Start?
Yes, Ion can be used to manage different versions of Java Web Start required by different web applications by leveraging Ion’s Custom Registry settings. As a note, some Java Web Start settings or application functions exist outside the browser and Ion is limited to managing functions within the web browser.
What happens if the target system doesn’t have Java installed in that folder – does it fail or does it use the default version of Java instead?
If Ion attempts to load a previous version of Java and it is unable to locate the required files, the default version of Java will be loaded. Browsium recommends using environment variables and defined locations on systems to reduce misconfiguration situations like this.
What kind of logging capabilities does Browsium provide? Can they be leveraged to discover what applications users are accessing which require Java?
Ion provides standard Windows application logging to the event viewer. In addition, Ion can be configured to collect data about which applications the users are accessing. At this time, Browsium would need to work with your organization to convert those data logs into usable and actionable reporting. In 2015, Browsium will release a new product specifically designed to enable organizations to collect and report on all aspects of user web actions; this will include documenting which sites require Java.
Could you please provide any approximate timeline for when this new version (with better logging and reporting) will be available?
At this time, the new product is planned for delivery in 2015.
Is it required to have all Java versions, for which we have created rules, deployed/available on all the end-points?
All versions of Java required by the end user must be installed on that user’s PC. But that user need not have all versions of Java defined in the Ion configuration. However, many organizations prefer to create a single Windows image with all versions of Java required by the organization and a single Ion configuration for all applications used by the organization. You can choose the deployment strategy that works best for your organization.
Will you need to have Java installed in Static Mode?
Ion does not require Java to be installed in Static Mode, but will support static installations of Java. More information on Static Mode can be found on the Oracle Java documentation website.
How would you install multiple versions of Java on the local machine without using the static switch?
A best practice for installing multiple versions of Java is to install in reverse order, from newest to oldest. This will install each version in a unique directory and allow all versions to be installed side-by-side. Once these versions are installed, only the most current version will attempt to auto-update. The legacy versions will be maintained on the system without prompts for updates.
Are there triggers other than the URL? Can you trigger from internal calls from an application without having a visible embedded URL?
Ion is able to review any http or https call made by any Windows application, so links can be visible/interactive for the user or hidden/silent programmed actions and Ion will trigger based on defined Rules.
How do you install multiple versions of Java when one version uninstalls the previous one?
Installing a new version of Java will typically upgrade and remove a prior installation from the same version family (e.g., Java 7 update 71 will upgrade and remove Java 7 update 67). But the same installation will not affect an installation from a prior version family (Java 7 update 71 will not affect Java 6 update 45). A best practice for installing multiple versions of Java is to install in reverse order, from newest to oldest. This will install each version in a unique directory and allow all to be installed side-by-side.
Can Ion manage Java in Internet Explorer only, or does it also work with Chrome/Firefox?
Today Ion provides Java management for Internet Explorer only. However, this functionality can be used in conjunction with Browsium Catalyst to provide additional Java security. For example, an organization could configure Ion to enable multiple versions of Java in Internet Explorer for intranet applications and then use Catalyst to direct all Internet traffic to Chrome with Java disabled for maximum security. More information about using Ion and Catalyst for Java security can be found on the Browsium Blog.
Can Ion help to disable the “Java out of date” warning messages?
Yes, Ion can be used to set custom registry settings for a specific application. This includes setting the registry key to disable Microsoft legacy ActiveX blocker as documented in the Ion Knowledge Base. In addition, Ion’s Custom Files Manager can be used to configure a substitute version of Java’s deployment.properties file to suppress various Java version warnings.
Will I need to modify my Ion configuration when Oracle releases a new Java update?
As new major versions of Java are released, changes are expected with the file installation paths. Browsium recommends using a standard naming convention for each major Java version (e.g. Java 7, Java 8, etc.) so file paths are easy to manage and updates will not impact Ion configurations.
What keeps malicious web pages from invoking old versions of Java if they’re installed on all my PCs?
Ion uses an opt-in model to determine when legacy versions of Java are to be loaded. Unlike other solutions that rely on the coding of a webpage, the Ion approach reacts only based on the specific web location. This design prevents a malicious website from being able to gain access to the legacy Java files, as Ion would not surface them to an undefined or unapproved website.
Does Ion work with Java 8?
Yes, Ion can be used to invoke an old version of Java when Java 8 is the default. So, for example, you could have Java 8 update 25 as the default version and invoke Java 6 update 45 for a specific application. Oracle has made changes to Java in the most recent Java 7 and Java 8 releases that require a few simple additional remediation steps. These have been detailed in the Ion Knowledge Base.