Educause Security Discussion mailing list archives

Re: Java vs. Banner


From: "Shalla, Kevin" <kshalla () UIC EDU>
Date: Thu, 21 Feb 2013 18:24:55 +0000

Dave,

I heard that Ellucian released a statement on 12/5 indicating they are still wrapping up testing for Banner 
Administrative Forms with Java 7 and hoped to have general support available in January or February.  We're not holding 
our breath, and I see you're not either.  We've been advising people to use IE only for Banner and other on-campus 
systems.  For anything off campus they're supposed to use Firefox with Java disabled.

Kevin

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Curry
Sent: Thursday, February 21, 2013 12:09 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Java vs. Banner

As those of you at schools using Banner know, Ellucian has still not certified Banner to run on Java 7; Java 6 
(including the browser plug-in) must be installed on end users' desktops. Java 6, of course, has reached the end of its 
public update period, which means any future updates after the end of this month will come through Ellucian rather than 
Oracle (or so they tell us).

Aside from the increased difficulty of trying to keep a down-rev version of Java installed on systems used by Banner 
users, especially since our users have admin rights and are therefore free to update Java when they want and will do so 
if another application asks them to, we are of course concerned that maintaining a down-rev version of the Java plug-in 
will expose these systems to increased risk of compromise because of security vulnerabilities. This is particularly 
worrying because, of course, the people who use Banner are also the people who work with lots of personally 
identifiable information.

Java 7 support from Ellucian doesn't appear to be imminent, so we believe we need to find a medium-term solution to 
this problem that lets our Banner users continue to use Java 6, but does not expose them to increased risk by allowing 
them to use a browser containing the Java 6 plug-in to access the Internet. We have some preliminary thoughts on ways 
to address the issue, ranging from "use this browser to access Banner and that browser to access the Internet" (which 
doesn't come with a very high assurance level) to installing Windows XP Compatibility Mode on all Banner users' 
machines and running Banner+Java 6 in a virtual machine (a lot of work to implement).

Before we go one way or the other, we thought we'd ask the list -- what is your school doing in response to the whole 
Java vs. Banner thing?

Thanks,
--Dave




--

DAVID A. CURRY, CISSP * DIRECTOR OF INFORMATION SECURITY

THE NEW SCHOOL * 55 W. 13TH STREET * NEW YORK, NY 10011

+1 212 229-5300 x4728 * david.curry () newschool edu
