Just over a decade ago, the outcry over Microsoft’s security problems reached such a deafening level that it finally got the attention of Bill Gates, who wrote the famous Trustworthy Computing memo. Today, many would say that Microsoft leads the industry in security and vulnerability handling.
Now, it’s Java that’s causing the uproar. But has Oracle learned anything from Microsoft in handling these seemingly ceaseless problems? I’ll start by reviewing the wide-ranging Java security changes Oracle is promising to make. They sound so much like the improvements Microsoft made back with Trustworthy Computing that I’m amazed it hasn’t been done before! We’ll move on to discuss what you can do now to address Java security in your environment.
One of the banes of security with Java is the presence of multiple versions of Java, often on the same computer. Sometimes you really need multiple versions of Java to support applications with version dependencies (crazy, I know). But other times, multiple copies of Java are there “just because.” In this webinar, we’ll talk about the current Java mess and how you can get out of it, including:
Assessment. We’ll discuss ways and tools for cataloging what versions of Java are actually out there on your endpoints.
Identification. We’ll look at methods for identifying which versions are actually required by your users; for instance, I’ll show you how you might use Process Tracking and File Access events in the Windows Security Log to see which Java files are being accessed, by whom, and by which programs.
Disabling. Can you just disable Java? Maybe not for everyone, but what if you could disable it for certain roles within your company that make up 25% – or even 75% – of your workforce? That would be worth it. We’ll explore how you might go about such a measure.
Hardening. We’ll dive into the technical details of hardening Java and reducing your Java attack surface, where possible.
Filtering. Another way to reduce your Java risk is by filtering Java content at your gateway. Again not full coverage control – but what is?
Patching. Then, we’ll delve into the Java patching nightmare. Depending on self-updaters on each endpoint could be a recipe for disaster, and I’ll explain why. Basically the only way out of the Java mess is a third-party solution that can perform centralized patch management and remediation, and that’s where our sponsor, Lumension, will come in.
4. Background
This is not about “JavaScript”, which has no relationship to Java
Java
Supported on Windows, OS X, Linux
Android too, kind of
Not supported on iOS or Chrome
What is the component?
The JRE (Java Runtime Environment), which bundles the JVM and the browser plug-in
Installed by default?
Windows: up to the hardware manufacturer
OS X: pre-Lion yes, Lion+ no (more info at javatest.org)
Multiple versions can be installed side by side
Each browser has its own Java settings
5. Background
Important changes with Java 7 Update 10 (7u10)
Ensuring the Most Secure JRE
JRE Expiration Date
Disabling Java in the Browser
Setting the Security Level
Advanced options
Allow user to grant permissions to signed content
Show sandbox warning banner
Allow user to accept JNLP security requests
Don't prompt for client certificate selection when no certificates or only one exists
Warn if site certificate does not match hostname
Show site certificate even if it is valid
Install options
6. Background
Big changes in v7U21 (see Oracle's 7u21 release notes) …
security model for signed applets was changed
default plug-in security settings were changed
improvements to standardized revocation services (of certs)
dissociating client/browser use of Java (e.g., affecting home users) and server use (e.g., affecting enterprise deployments)
Latest version 1.7.0_25 (v7U25): 40 security fixes
http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
7. Assessment & Identification
Which versions of Java and related software are installed on your Windows computer?
$cn = Get-Content env:computername
$cn = "\\server\share\" + $cn + ".txt"
echo "**************************************" > $cn
Get-Date >> $cn
Get-WmiObject -Class Win32_Product | Select-Object -Property Name | Where-Object { $_.Name -like "*Java*" -or $_.Name -like "*J2SE*" } >> $cn
Add the script as a startup/logon script via group policy:
Powershell.exe -ExecutionPolicy Bypass -File c:\fullyqualpath\javalister.ps1
Caveat: querying Win32_Product makes Windows Installer validate (and possibly repair) every installed product, so in a logon script it is slow and noisy; the Uninstall registry keys give the same list without that side effect.
8. Assessment & Identification
Which versions are really being used?
Windows auditing
To catch Java EXEs starting:
Enable Process Tracking (Audit Process Creation)
Look for event 4688 (592 on XP/2003) with “java” in the new process name
To catch DLLs (necessary?):
Enable File System auditing (Audit Object Access)
Enable auditing (a SACL) on c:\program files\java
Look for 4663 with “java”
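The 4688 approach above, worked through as an added example (this script is not from the webinar). It assumes "Audit Process Creation" is already enabled, that the script runs elevated (reading the Security log requires it), and that the computer names, day range and output path are placeholders you will change. It groups Java launches by JRE path, user and parent process, which is exactly the "who still needs which version, for which application" list the Identification step is after.

```powershell
# Added example, not from the webinar: tabulate Java launches from Security event 4688.
# Assumes "Audit Process Creation" is on and the script runs elevated. Event 592 (pre-Vista)
# has a different layout and is not handled here.
param(
    [int]$Days = 7,
    [string]$ComputerName = $env:COMPUTERNAME
)

# Event data is only reachable through the XML payload; fetch a field by its Name attribute.
function Get-EventField {
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }

$launches = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x    = [xml]$_.ToXml()
        $proc = Get-EventField $x 'NewProcessName'
        # The JRE launchers; the path itself tells you which install (jre6, jre7, ...) was used.
        if ($proc -match '\\(java|javaw|javaws)\.exe$') {
            New-Object PSObject -Property @{
                Time        = $_.TimeCreated
                User        = '{0}\{1}' -f (Get-EventField $x 'SubjectDomainName'), (Get-EventField $x 'SubjectUserName')
                Process     = $proc
                # Creator process is only logged on Windows 8.1 / Server 2012 R2 and later.
                Parent      = Get-EventField $x 'ParentProcessName'
                # Populated only when "Include command line in process creation events" is on.
                CommandLine = Get-EventField $x 'CommandLine'
            }
        }
    }

# Who runs which JRE, launched by what: the list of users and applications that still need Java.
$launches |
    Group-Object Process, User, Parent |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Keep the raw rows so they can be collected centrally (path is a placeholder).
$launches | Select-Object Time, User, Process, Parent, CommandLine |
    Export-Csv -NoTypeInformation -Path "$env:TEMP\java-launches-$ComputerName.csv"
```

Run it on a handful of representative endpoints for a week or two before deciding what to disable; a JRE directory that never appears in the grouped output is a candidate for removal, and a parent such as a browser rather than a line-of-business launcher points at plug-in use.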
10. Disabling Java
What about when you need Java on certain websites?
Disable Java in main browser
Enable Java in alternate browser used for certain sites
12. Uninstall all versions of Java
http://community.spiceworks.com/how_to/show/22997-use-a-batch-file-and-group-policy-to-cleanly-update-java
(batch file; %% is how a literal % is written inside a .bat)
wmic product where "name like 'Java(TM) 6%%'" call uninstall /nointeractive
wmic product where "name like 'Java(TM) 7%%'" call uninstall /nointeractive
wmic product where "name like 'Java 7%%'" call uninstall /nointeractive
wmic product where "name like 'JavaFX%%'" call uninstall /nointeractive
wmic product where "name like 'Java(tm) 6%%'" call uninstall /nointeractive
wmic product where "name like 'J2SE Runtime Environment%%'" call uninstall /nointeractive
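Both the inventory script on the Assessment slide and the wmic removal commands above go through Win32_Product, which makes Windows Installer validate every installed product each time it is queried. The following is an added example (not from the webinar or the Spiceworks post) that serves both slides: it reads the same list from the Uninstall registry keys, in both the 32-bit and 64-bit views, and removes selected entries with msiexec by product code. The name pattern mirrors the wmic filters above; the "7.0.250" version string used as the keep-this-one filter is an assumption about how 7u25 registers itself and is only there to show the filtering.

```powershell
# Added example, not from the webinar: inventory Java from the Uninstall registry keys
# (no Win32_Product side effects) and remove unwanted versions via msiexec.

function Get-InstalledJava {
    # Matches the product names the wmic commands target; widen it if your inventory shows more.
    param([string]$NamePattern = '^(Java\(TM\) [67]|Java [678]|JavaFX|J2SE Runtime Environment)')
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'   # 32-bit JREs on 64-bit Windows
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $NamePattern } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name        = $_.DisplayName
                Version     = $_.DisplayVersion
                ProductCode = $_.PSChildName                        # the {GUID} msiexec /x needs
                Arch        = if ($_.PSPath -like '*WOW6432Node*') { 'x86' } else { 'x64' }
                InstallDate = $_.InstallDate
            }
        }
}

function Remove-InstalledJava {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(ValueFromPipeline = $true)] $Product,
        [string]$LogDir = "$env:SystemRoot\Temp"
    )
    process {
        if ($Product.ProductCode -notmatch '^\{[0-9A-F-]{36}\}$') {
            Write-Warning "$($Product.Name): not an MSI product code, skipping"
            return
        }
        if ($PSCmdlet.ShouldProcess($Product.Name, 'msiexec /x')) {
            $log = Join-Path $LogDir ("uninstall-" + $Product.ProductCode + ".log")
            $p = Start-Process -FilePath msiexec.exe -Wait -PassThru `
                -ArgumentList "/x $($Product.ProductCode) /qn /norestart /L*v `"$log`""
            # 0 = removed, 3010 = removed but reboot pending, 1605 = was not installed
            New-Object PSObject -Property @{ Name = $Product.Name; ExitCode = $p.ExitCode; Log = $log }
        }
    }
}

# Inventory first; then remove everything except the version you have decided to standardize on.
Get-InstalledJava | Select-Object Name, Version, Arch, ProductCode | Format-Table -AutoSize
# -WhatIf prints what would be removed; drop it once the list looks right.
Get-InstalledJava | Where-Object { $_.Version -notlike '7.0.250*' } | Remove-InstalledJava -WhatIf
```

Because removal is keyed on the MSI product code rather than a display-name wildcard, a renamed or oddly-titled JRE still gets the right uninstall, and the per-product msiexec log tells you why an exit code other than 0 or 3010 happened.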
14. Managing Java configuration
Java normally stores its settings for each user in
<User Application Data Folder>\Sun\Java\Deployment\deployment.properties
Mandate system-wide settings with
<Windows Directory>\Sun\Java\Deployment\deployment.config
http://docs.oracle.com/javase/6/docs/technotes/guides/deployment/deployment-guide/properties.html
http://docs.oracle.com/javase/7/docs/technotes/guides/deployment/deployment-guide/properties.html
How to do it with group policy:
http://www.darkoperator.com/blog/2013/1/14/centralized-management-of-java-se-environment-using-gpo-redu.html
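What the two files look like once filled in, as an added example (not from the webinar; property names are the ones in the Oracle properties guide linked above). The first file points the JRE at a system-wide properties file and makes it mandatory; the second disables the browser plug-in, pins the security level, and stops users from granting permissions to signed content. Appending ".locked" to a key is the documented way to prevent per-user override. The drive and path are assumed to be the default Windows directory.

```properties
# <Windows Directory>\Sun\Java\Deployment\deployment.config
# Colons must be escaped in a Java properties file, hence file\: and C\:
deployment.system.config=file\:C\:/Windows/Sun/Java/Deployment/deployment.properties
deployment.system.config.mandatory=true

# C:\Windows\Sun\Java\Deployment\deployment.properties (the system-wide file named above)
# "Enable Java content in the browser" off (7u10+), and locked so the control panel cannot re-enable it
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
# Security level slider: VERY_HIGH / HIGH / MEDIUM / LOW, locked
deployment.security.level=VERY_HIGH
deployment.security.level.locked
# "Allow user to grant permissions to signed content" off, locked
deployment.security.askgrantdialog.show=false
deployment.security.askgrantdialog.show.locked
```

For the "alternate browser for a few sites" approach on the Disabling slide, keep deployment.webjava.enabled=true but locked at VERY_HIGH, and use the browser's own plug-in controls to decide where the plug-in loads; the deployment.properties settings apply to every browser on the machine.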
15. Filtering
Do you have a proxy server?
Can you filter java applets at the gateway?
Some firewalls and proxies make this possible.
Java content removed from web pages
16. Patching
Oracle still relies on independent auto-updaters on each endpoint
Install by MSI
Download and run the offline installer, but do not complete it. Look in %userprofile%\AppData\LocalLow\Sun\Java. Open the folder jre<update number> and copy the .msi and .cab files there to the server share from which you deploy your MSIs. Deploy with group policy as per normal.
Silent install from script
<jre>.exe [/s] [INSTALLDIR=<drive>:\<JRE_install_path>] [STATIC=1] [WEB_JAVA=0/1] [WEB_JAVA_SECURITY_LEVEL=VH/H/M/L]
http://java.com/en/download/help/silent_install.xml
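A scripted silent install that also checks its own result, as an added example (not from the webinar). It runs the offline installer with the switches listed above, treats only exit codes 0 and 3010 as success, and then asks the freshly installed java.exe for its version rather than trusting the installer; the share path and install directory are placeholders.

```powershell
# Added example, not from the webinar: silent JRE install with verification.
# The installer switches are the ones documented on java.com's silent install page.
param(
    [Parameter(Mandatory = $true)][string]$Installer,          # e.g. \\server\share\jre-7u25-windows-i586.exe (placeholder)
    [string]$InstallDir = 'C:\Program Files (x86)\Java\jre7',  # placeholder
    [ValidateSet('VH', 'H', 'M', 'L')][string]$WebSecurityLevel = 'VH',
    [switch]$DisableWebJava
)

# STATIC=1 is deliberately omitted: a static install is left in place by later updates,
# which recreates the multiple-versions problem this deck is about.
$installArgs = @('/s', "INSTALLDIR=`"$InstallDir`"", "WEB_JAVA_SECURITY_LEVEL=$WebSecurityLevel")
if ($DisableWebJava) { $installArgs += 'WEB_JAVA=0' }

$p = Start-Process -FilePath $Installer -ArgumentList $installArgs -Wait -PassThru
if (0, 3010 -notcontains $p.ExitCode) { throw "Installer failed with exit code $($p.ExitCode)" }

# java -version prints to stderr; merge streams and pull out the quoted version string.
$java   = Join-Path $InstallDir 'bin\java.exe'
$banner = & $java -version 2>&1 | Out-String
if ($banner -match 'version "([^"]+)"') {
    "Installed $($Matches[1]) in $InstallDir (exit code $($p.ExitCode))"
} else {
    throw "java.exe at $java did not report a version:`n$banner"
}
```

Feed the reported version into whatever inventory you keep; an endpoint whose java.exe still reports the old build after a "successful" install is usually one where a second, static JRE is first on the path.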
17. Bottom line
Managing Java yourself
Labor intensive – who has the time?
Changes with each new version
Requires fragile scripts
No reporting/monitoring
There must be a better way…
20. 1 – Know
What
• Scan entire environment for all Java versions
Why
• Discover the scope (depth and breadth) of the Java issue in the environment
How
» Application Scanner – Free Utility from Lumension
» Patch and Remediation – part of the Lumension Endpoint Management and
Security Suite
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
23. 2 – Act
What
• Do you need Java?
» If No, then remove all instances of Java
» If Yes, then do you need a specific version or the latest version?
Why
• Reduce the scope of the Java issue in the environment by:
» Eliminating where possible
» Updating where possible
» Putting a picket fence where needed
How
» Patch and Remediation – update, standardize
» Content Wizard – remove unwanted versions
24. Disable Java Browser Plug-ins
25. 3 – Protect
What
• Stay current with all updates
• Maintain environment in desired state
• Protect against known and unknown (zero-day) malware
Why
• Prevent environment from returning to an unknown and less secure state
How
» Patch and Remediation – maintain
» Application Control – prevent drift and malware
27. More Information
• Free Java Application Scanner Tool
» Uncover every version of Java in your endpoint
environment to assess, prioritize and manage your
Java risk.
http://www.lumension.com/Resources/Security-
Tools/Java-App-Scanner-Tool.aspx
• Lumension® Endpoint Management
and Security Suite: Patch and
Remediation
» Online Demo Video:
http://www.lumension.com/Resources/Demo-
Center/Vulnerability-Management.aspx
» Free Trial (virtual or download):
http://www.lumension.com/vulnerability-
management/patch-management-software/free-
trial.aspx
• Surviving Java Resource Center
» Get free access to essential resources to help you
take control of your Java risk – in just 3 steps!
http://www.lumension.com/Resources/Resource-
Center/Java-Resource-Center.aspx
28. Global Headquarters
8660 East Hartford Drive
Suite 300
Scottsdale, AZ 85255
1.888.725.7828
info@lumension.com
http://blog.lumension.com
Editor's Notes
Notes:
This decision tree could be applied across the entire organization as a whole; however, more likely any department, group or even individual will be unique in their needs.
This decision tree could be applied across both server and endpoint environments.
Determining the need for Java is likely unique by organization, department, group or even individual user; be sure to consider both vendor-supplied and in-house developed applications.
There may be legitimate reasons for maintaining old versions of Java in your organization; if this is the case, then strategies to minimize the risk must be considered.
A common recommendation is to disable Java plug-ins in the browser(s); this configuration greatly reduces the most common attack vectors.