Java Insecurity: How to Deal with the Constant Vulnerabilities


Just over a decade ago, the outcry over Microsoft’s security problems reached such a deafening level that it finally got the attention of Bill Gates, who wrote the famous Trustworthy Computing memo. Today, many would say that Microsoft leads the industry in security and vulnerability handling.

Now, it’s Java that’s causing the uproar. But has Oracle learned anything from Microsoft in handling these seemingly ceaseless problems? I’ll start by reviewing the wide-ranging Java security changes Oracle is promising to make. They sound so much like the improvements Microsoft made back with Trustworthy Computing that I’m amazed it hasn’t been done before! We’ll move on to discuss what you can do now to address Java security in your environment.

One of the banes of security with Java is the presence of multiple versions of Java, often on the same computer. Sometimes you really need multiple versions of Java to support applications with version dependencies (crazy, I know). But other times, multiple copies of Java are there “just because.” In this webinar, we’ll talk about the current Java mess and how you can get out of it, including:

Assessment. We’ll discuss ways and tools for cataloging what versions of Java are actually out there on your endpoints.
Identification. We’ll look at methods for identifying which versions are actually required by your users; for instance, I’ll show you how you might use Process Tracking and File Access events in the Windows Security Log to see which Java files are being accessed, by whom, and by which programs.
Disabling. Can you just disable Java? Maybe not for everyone, but what if you could disable it for certain roles within your company that make up 25% – or even 75% – of your workforce? That would be worth it. We’ll explore how you might go about such a measure.
Hardening. We’ll dive into the technical details of hardening Java and reducing your Java attack surface, where possible.
Filtering. Another way to reduce your Java risk is by filtering Java content at your gateway. Again, not full-coverage control – but what is?
Patching. Then, we’ll delve into the Java patching nightmare. Depending on self-updaters on each endpoint could be a recipe for disaster, and I’ll explain why. Basically, the only way out of the Java mess is a third-party solution that can perform centralized patch management and remediation, and that’s where our sponsor, Lumension, will come in.

Published in: Technology, News & Politics
  • Notes: This decision tree could be applied across the entire organization as a whole; however, more likely any department, group or even individual will be unique in their needs. This decision tree could be applied across both server and endpoint environments. Determining the need for Java is likely unique by organization, department, group or even individual user; be sure to consider both vendor-supplied and in-house developed applications. There may be legitimate reasons for maintaining old versions of Java in your organization; if this is the case, then strategies to minimize the risk must be considered. A common recommendation is to disable Java plug-ins in the browser(s); this configuration will greatly reduce common attack vectors.
  • Java Insecurity: How to Deal with the Constant Vulnerabilities

    1. Java Insecurity: How to Deal with the Constant Vulnerabilities (sponsored by Lumension). © 2013 Monterey Technology Group Inc.
    2. Thanks to Chris Merritt, Director of Solution Marketing
    3. Preview of Key Points
       • Assessment & Identification
       • Disabling
       • Hardening
       • Filtering
       • Patching
    4. Background
       • This is not about “JavaScript”, which has no relationship to Java
       • Java is supported on Windows, OS X and Linux (Android too, kind of); not supported on iOS or Chrome
       • What is the component? The JVM, now called the JRE
       • Installed by default? Windows: up to the hardware manufacturer. OS X: pre-Lion yes, Lion+ no (more info …)
       • Multiple versions can be installed
       • Each browser has its own Java settings
    5. Background
       • Important changes with 7.10: ensuring the most secure JRE; JRE expiration date; disabling Java in the browser; setting the security level
       • Advanced options: allow user to grant permissions to signed content; show sandbox warning banner; allow user to accept JNLP security requests; don't prompt for client certificate selection when no certificates or only one exists; warn if site certificate does not match hostname; show site certificate even if it is valid
       • Install options
    6. Background
       • Big changes in v7U21 (see here) … the security model for signed applets was changed; default plug-in security settings were changed; improvements to standardized revocation services (of certs); dissociating client/browser use of Java (e.g., affecting home users) from server use (e.g., affecting enterprise deployments)
       • Latest version 1.7.0_25 (v7U25): 40 security fixes (1899847.html)
    7. Assessment & Identification
       • Which versions of Java and related software are installed on your Windows computer?

         # Write one inventory file per computer to a central share
         $cn = Get-Content env:computername
         $cn = "\\server\share\" + $cn + ".txt"
         echo "**************************************" > $cn
         Get-Date >> $cn
         # Win32_Product lists MSI-installed products; keep only Java-related names
         Get-WmiObject -Class Win32_Product | Select-Object -Property Name |
             Where-Object { $_.Name -like "*Java*" -or $_.Name -like "J2SE*" } >> $cn

       • Add the script as a startup/logon script via group policy: Powershell.exe c:\fullyqualpath\javalister.ps1
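As an added example (not part of the deck), the same inventory can be built from the Uninstall registry keys instead of Win32_Product, which makes Windows Installer run a consistency check and possible repair of every installed package each time it is queried. The share path is a constructed placeholder.

```powershell
# Added example: inventory Java runtimes from the Uninstall keys (64-bit and
# WOW6432Node) rather than Win32_Product, so no MSI reconfiguration is triggered.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$java = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Java|J2SE' } |
    Select-Object @{ n = 'Computer';   e = { $env:COMPUTERNAME } },
                  DisplayName, DisplayVersion, InstallLocation,
                  @{ n = 'Bitness';    e = { if ($_.PSPath -match 'WOW6432Node') { '32-bit' } else { '64-bit' } } }

# The JavaSoft key shows which runtime the system treats as current (may be absent)
$current = Get-ItemProperty 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment' -ErrorAction SilentlyContinue
$currentVersion = if ($current) { $current.CurrentVersion } else { 'none' }

# Constructed collection share: replace with your own
$outFile = "\\server\share\java-inventory\$env:COMPUTERNAME.csv"
$java | Add-Member -NotePropertyName CurrentJre -NotePropertyValue $currentVersion -PassThru |
    Export-Csv -Path $outFile -NoTypeInformation
```

Multiple rows per computer, or rows whose DisplayVersion differs from CurrentJre, are the stale side-by-side installs the webinar description warns about.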
    8. Assessment & Identification
       • Which versions are really being used? Use Windows auditing.
       • To catch Java EXEs starting: enable Process Tracking and look for event 4688/592 with “java”
       • To catch DLLs (necessary?): enable File System auditing, enable auditing on C:\Program Files\Java, and look for 4663 with “java”
    9. Assessment & Identification
       • Other questions: which browsers is it enabled in?
    10. Disabling Java
       • What about when you need Java on certain websites? Disable Java in the main browser; enable Java in an alternate browser used for certain sites
    11. Disabling Java
       • Disabling Java altogether: Chrome (disabling.html); IE (by script); Firefox (by script: disabling.html)
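An added example (not from the deck) of reading the 4688 events the slide refers to, to answer the webinar's question of which Java binaries run, by whom and launched by what. It assumes Process Creation auditing is enabled and the script has rights to read the Security log.

```powershell
# Added example: summarise Java process starts from Security event 4688
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$javaStarts = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # java.exe and javaw.exe; the full path tells you which installed version ran
    if ($d['NewProcessName'] -match '\\javaw?\.exe$') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            JavaBinary  = $d['NewProcessName']
            # ParentProcessName is only logged on Windows 10 / Server 2016 and later;
            # older systems record just the creator PID (ProcessId field)
            Parent      = if ($d['ParentProcessName']) { $d['ParentProcessName'] } else { $d['ProcessId'] }
            # CommandLine is empty unless command-line auditing is also enabled
            CommandLine = $d['CommandLine']
        }
    }
}

# Who runs which JRE, most frequent first
$javaStarts | Group-Object JavaBinary, User | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Binaries that never appear over the sample window are candidates for removal; the Parent column shows whether a launch came from a browser plug-in or from a line-of-business application.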
    12. Uninstall all versions of Java (file-and-group-policy-to-cleanly-update-java)

         wmic product where "name like 'Java(TM) 6%%'" call uninstall /nointeractive
         wmic product where "name like 'Java(TM) 7%%'" call uninstall /nointeractive
         wmic product where "name like 'Java 7%%'" call uninstall /nointeractive
         wmic product where "name like 'JavaFX%%'" call uninstall /nointeractive
         wmic product where "name like 'Java(tm) 6%%'" call uninstall /nointeractive
         wmic product where "name like 'J2SE Runtime Environment%%'" call uninstall /nointeractive

    13. Installing the latest version and enabling automatic updates henceforth
       • Group Policy/Software Installation with MSI files (file-and-group-policy-to-cleanly-update-java)
    14. Managing Java configuration
       • Java normally stores its settings for each user in <User Application Data Folder>
       • Mandate system-wide settings with <Windows Directory>\Sun\Java\Deployment\deployment.config (oyment-guide/properties.html)
       • How to do it with group policy: of-java-se-environment-using-gpo-redu.html
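Slide 14's system-wide deployment.config, written out as an added example that is not from the deck. It creates deployment.config pointing at a system-level deployment.properties and locks the browser and security settings that slides 5 and 16 discuss; the property names are those documented in Oracle's deployment guide, and the choice of values here is mine.

```powershell
# Added example: mandate locked, system-wide Java deployment settings
$dir = Join-Path $env:windir 'Sun\Java\Deployment'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

$props = Join-Path $dir 'deployment.properties'
# deployment.config must reference the properties file as a file: URL
$propsUrl = 'file:///' + ($props -replace '\\', '/')

@"
deployment.system.config=$propsUrl
deployment.system.config.mandatory=true
"@ | Set-Content -Path (Join-Path $dir 'deployment.config') -Encoding ASCII

@"
# Disable Java in all browsers; the .locked entries stop users changing it in the Control Panel
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
# For roles that must keep the plug-in, ship this file with webjava enabled and rely on the level
# (VERY_HIGH/HIGH/MEDIUM/LOW in the 7u10-era JRE; later releases removed the lower levels)
deployment.security.level=VERY_HIGH
deployment.security.level.locked
# Keep the expiry check so an out-of-date JRE warns instead of running silently
deployment.expiration.check.enabled=true
deployment.expiration.check.enabled.locked
"@ | Set-Content -Path $props -Encoding ASCII
```

Run it from the same GPO startup script that deploys the MSI so every endpoint gets the locked settings before a user first opens a browser.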
    15. Filtering
       • Do you have a proxy server? Can you filter Java applets at the gateway? Some firewalls and proxies make this possible: Java content is removed from web pages
    16. Patching
       • Oracle still relies on independent auto-updaters on each endpoint
       • Install by MSI: download and run the offline installer, but do not complete it. Look in %userprofile%\AppData\LocalLow\Sun\Java. Open the folder jre<update number> and copy the msi and cab files there to the server share where you deploy your MSIs. Deploy with group policy as per normal.
       • Silent install from script: <jre>.exe [/s] [INSTALLDIR=<drive>:<JRE_install_path>] [STATIC=1] [WEB_JAVA=0/1] [WEB_JAVA_SECURITY_LEVEL=VH/H/M/L]
    17. Bottom line
       • Managing Java yourself is labor intensive – who has the time?
       • Changes with each new version
       • Requires fragile scripts
       • No reporting/monitoring
       • There must be a better way…
    19. Java Remediation Decision Tree (PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION)
    20. 1 – Know
       • What: scan the entire environment for all Java versions
       • Why: discover the scope (depth and breadth) of the Java issue in the environment
       • How: Application Scanner – free utility from Lumension; Patch and Remediation – part of the Lumension Endpoint Management and Security Suite
    21. Application Scanner Dashboard
    23. 2 – Act
       • What: do you need Java? If no, then remove all instances of Java. If yes, then do you need a specific version or the latest version?
       • Why: reduce the scope of the Java issue in the environment by eliminating where possible, updating where possible, and putting a picket fence where needed
       • How: Patch and Remediation – update, standardize; Content Wizard – remove unwanted versions
    25. 3 – Protect
       • What: stay current with all updates; maintain the environment in the desired state; protect against known and unknown (zero-day) malware
       • Why: prevent the environment from returning to an unknown and less secure state
       • How: Patch and Remediation – maintain; Application Control – prevent drift and malware
    27. More Information
       • Free Java Application Scanner Tool: uncover every version of Java in your endpoint environment to assess, prioritize and manage your Java risk. Tools/Java-App-Scanner-Tool.aspx
       • Lumension® Endpoint Management and Security Suite: Patch and Remediation. Online demo video: Center/Vulnerability-Management.aspx. Free trial (virtual or download): management/patch-management-software/free-trial.aspx
       • Surviving Java Resource Center: get free access to essential resources to help you take control of your Java risk – in just 3 steps! Center/Java-Resource-Center.aspx
    28. Global Headquarters: 8660 East Hartford Drive, Suite 300, Scottsdale, AZ 85255; 1.888.725.7828