Just over a decade ago, the outcry over Microsoft’s security problems reached such a deafening level that it finally got the attention of Bill Gates, who wrote the famous Trustworthy Computing memo. Today, many would say that Microsoft leads the industry in security and vulnerability handling. Now, it’s Java that’s causing the uproar. But has Oracle learned anything from Microsoft in handling these seemingly ceaseless problems? I’ll start by reviewing the wide-ranging Java security changes Oracle is promising to make. They sound so much like the improvements Microsoft made back with Trustworthy Computing that I’m amazed it hasn’t been done before! We’ll move on to discuss what you can do now to address Java security in your environment. One of the banes of security with Java is the presence of multiple versions of Java, often on the same computer. Sometimes you really need multiple versions of Java to support applications with version dependencies (crazy, I know). But other times, multiple copies of Java are there “just because.” In this webinar, we’ll talk about the current Java mess and how you can get out of it, including: Assessment. We’ll discuss ways and tools for cataloging what versions of Java are actually out there on your endpoints. Identification. We’ll look at methods for identifying which versions are actually required by your users; for instance, I’ll show you how you might use Process Tracking and File Access events in the Windows Security Log to see which Java files are being accessed, by whom, and by which programs. Disabling. Can you just disable Java? Maybe not for everyone, but what if you could disable it for certain roles within your company that make up 25% – or even 75% – of your workforce? That would be worth it. We’ll explore how you might go about such a measure. Hardening. We’ll dive into the technical details of hardening Java and reducing your Java attack surface, where possible. Filtering. Another way to reduce your Java risk is by filtering Java content at your gateway. Again not full coverage control – but what is? Patching. Then, we’ll delve into the Java patching nightmare. Depending on self-updaters on each endpoint, is could be a recipe for disaster, and I’ll explain why. Basically the only way out of the Java mess is a 3rd party solution that can perform centralized patch management and remediation and that’s where our sponsor, Lumension, will come in.

1. Sponsored by
Java Insecurity: How to Deal
with theConstant
Vulnerabilities
© 2013 Monterey Technology Group Inc.

2. Thanks to
© 2013 Monterey Technology Group Inc.
www.Lumension.com
Chris Merritt, Director of Solution Marketing

3. Preview of Key
Points
 Assessment & Identification
 Disabling
 Hardening
 Filtering
 Patching

4. Background
 This is not about “Java Script”
 No relationship to Java
 Java
 Supported onWindows,OS X, Linux
 Android too, kind of
 Not supported on iOS or Chrome
 What is the component?
 JVM now called JRE
 Installed by default?
 Windows: up to hardware manufacture
 OS X: pre-Lion yes, Lion+ no (more info javatest.org)
 Multiple versions can be installed
 Each browser has its own Java settings

5. Background
 Important changes with 7.10
 Ensuring the Most Secure JRE
 JRE Expiration Date
 Disabling Java in the Browser
 Setting the Security Level
 Advanced options
 Allow user to grant permissions to signed content
 Show sandbox warning banner
 Allow user to accept JNLP security requests
 Don't prompt for client certificate selection when no certificates or only one
exists
 Warn if site certificate does not match hostname
 Show site certificate even if it is valid
 Install options

6. Background
 Big changes in v7U21 (see here) …
 security model for signed applets was changed
 default plug-in security settings were changed
 improvements to standardized revocation services (of certs)
 dissociating client/browser use of Java (e.g., affecting home users) and
server use (e.g., affecting enterprise deployments)
 Latest version 1.7.0_25 (v7U25)
 40 security fixes
 http://www.oracle.com/technetwork/topics/security/javacpujun2013-
1899847.html

7. Assessment &
Identification
 Which versions of Java and related software are installed on your
windows computer?
$cn = get-content env:computername
$cn = “servershare” + $cn + ".txt“
echo "**************************************“ > $cn
Date >> $cn
Get-WmiObject -Class Win32_Product | Select-Object
-Property Name | Where {$_.name -Like "*Java*“-or
$_.name -like "J2SE"} >> $cn
 Add script as startup/logon script via group policy
 Powershell.exe c:fullyqualpathjavalister.ps1

8. Assessment &
Identification
 Which versions are really being used?
 Windows auditing
 To catch Java EXEs starting
 Enable Process tracking
 Event 4688/592 with “java”
 To catch DLLs
 Necessary?
 Enable File System auditing
 Enable auditing on c:program filesjava
 Look for 4663 with “java”

9. Assessment &
Identification
 Other questions
 Which browsers is it enabled in?
 http://javatester.org/version.html

10. Disabling Java
 What about when you need Java on certain websites?
 Disable Java in main browser
 Enable Java in alternate browser used for certain sites

11. Disabling Java
 Disabling Java
 Altogether
 Chrome
 http://mtwsec.blogspot.ca/2012/08/java-0-day-workarounds-silent-
disabling.html
 IE
 By script: http://support.microsoft.com/kb/2751647
 FireFox
 By script: http://mtwsec.blogspot.ca/2012/08/java-0-day-workarounds-silent-
disabling.html

12. Uninstall all
versions of
Java
 http://community.spiceworks.com/how_to/show/22997-use-a-batch-
file-and-group-policy-to-cleanly-update-java
 wmic product where "name like 'Java(TM) 6%%'" call uninstall
/nointeractive
wmic product where "name like 'Java(TM) 7%%'" call uninstall
/nointeractive
wmic product where "name like 'Java 7%%'" call uninstall /nointeractive
wmic product where "name like 'JavaFX%%'" call uninstall
/nointeractive
wmic product where "name like 'Java(TM) 7%%'" call uninstall
/nointeractive
wmic product where "name like 'Java(tm) 6%%'" call uninstall
/nointeractive
wmic product where "name like 'J2SE Runtime Environment%%'" call
uninstall /nointeractive

13. Installing
latest and
enabling
automatic
updates hence
forth
 Group Policy/Software Installation
 MSI files
 http://community.spiceworks.com/how_to/show/22997-use-a-batch-
file-and-group-policy-to-cleanly-update-java

14. Managing
Java
configuration
 Java normally stores its settings for each user in
 <UserApplication Data
Folder>SunJavaDeploymentdeployment.properties
 Mandate system wide settings with
 <Windows Directory>SunJavaDeploymentdeployment.config
 http://docs.oracle.com/javase/6/docs/technotes/guides/deployment/depl
oyment-guide/properties.html
 http://docs.oracle.com/javase/7/docs/technotes/guides/deployment/depl
oyment-guide/properties.html
 How to do it with group policy
 http://www.darkoperator.com/blog/2013/1/14/centralized-management-
of-java-se-environment-using-gpo-redu.html

15. Filtering
 Do you have a proxy server?
 Can you filter java applets at the gateway?
 Some firewalls and proxies make this possible.
 Java content removed from web pages

16. Patching
 Oracle still relies on independent auto-updaters on each endpoint
 Install by MSI
 Download and run the offline installer, but do not complete it. Look in
%userprofile%appdatalocallowsunjava.
 Open the folder jre<update number> and copy the msi and cab files there
to your server share where you deploy your msis. Deploy with group
policy as per normal.
 Silent install from script
 <jre>.exe [/s] [INSTALLDIR=<drive>:<JRE_install_path>] [STATIC=1]
[WEB_JAVA=0/1] [WEB_JAVA_SECURITY_LEVEL=VH/H/M/L]
 http://java.com/en/download/help/silent_install.xml

17. Bottom line
 Managing Java yourself
 Labor intensive – who has the time?
 Changes with each new version
 Requires fragile scripts
 No reporting/monitoring
 There must be a better way…

18. PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
Java
Survival
Guide

19. Java Remediation Decision Tree
19
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

20. 1 – Know
What
• Scan entire environment for all Java versions
Why
• Discover the scope (depth and breadth) of the Java issue in the environment
How
» Application Scanner – Free Utility from Lumension
» Patch and Remediation – part of the Lumension Endpoint Management and
Security Suite
20
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

21. Application Scanner Dashboard
21
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

22. Java Application Scanner
22
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

23. 2 – Act
What
• How you need Java?
» If No, then remove all instances of Java
» If Yes, then do you need a specific version or the latest version?
Why
• Reduce the scope of the Java issue in the environment by:
» Eliminating where possible
» Updating where possible
» Putting a picket fence where needed
How
» Patch and Remediation – update, standardize
» Content Wizard – remove unwanted versions
23
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

24. Disable Java Browser Plug-ins
24
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

25. 3 – Protect
What
• Stay current with all updates
• Maintain environment in desired state
• Protect against known and unknown (zero-day) malware
Why
• Prevent environment from returning to an unknown and less secure state
How
» Patch and Remediation – maintain
» Application Control – prevent drift and malware
25
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

26. Application Control
26
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

27. More Information
• Free Java Application Scanner Tool
» Uncover every version of Java in your endpoint
environment to assess, prioritize and manage your
Java risk.
http://www.lumension.com/Resources/Security-
Tools/Java-App-Scanner-Tool.aspx
• Lumension® Endpoint Management
and Security Suite: Patch and
Remediation
» Online Demo Video:
http://www.lumension.com/Resources/Demo-
Center/Vulnerability-Management.aspx
» Free Trial (virtual or download):
http://www.lumension.com/vulnerability-
management/patch-management-software/free-
trial.aspx
27
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
• Surviving Java Resource Center
» Get free access to essential resources to help you
take control of your Java risk – in just 3 steps!
http://www.lumension.com/Resources/Resource-
Center/Java-Resource-Center.aspx

28. Global Headquarters
8660 East Hartford Drive
Suite 300
Scottsdale, AZ 85255
1.888.725.7828
info@lumension.com
http://blog.lumension.com