Understanding the Ins and Outs of Java Vulnerabilities and What to do About It

Many organizations are jumping on the “Death to Java” bandwagon, ranting about turning off Java to eliminate risk. However, it is important to put the issue in the proper context. The reality is that a Java vulnerability is not the end game for a cyber criminal; it is merely a delivery mechanism in the quest to install and execute bigger malware.

There is no “one size fits all” recommendation for eliminating Java risks. But you do want to eliminate as much exploitable surface area as reasonably possible on your critical endpoints. This should be the philosophy ingrained in every organization’s security culture. If you’re not having this conversation about Java - and quite frankly about all of the third-party applications in your environment - you are missing the mark and not calculating your risk. Join Paul Henry and Russ Ernst as they bring us up to speed on the Java vulnerabilities and how to limit your exposure without going overboard.


  1. Understanding the Ins and Outs of Java Vulnerabilities and what to do about it
     Paul Henry, Security and Forensics Expert
     Russ Ernst, Group Product Manager
     March 2013
  2. History of Malware
     Timeline markers on the slide: '82, '86-'91, early '90s, late '90s, '00-'02, '04, '05, '07, '07-'08, '09.
     » Elk Cloner, a floppy delivery: one of the first recorded PC malware / virus incidents was Elk Cloner back in 1982.
     » '86-'91: Brain, Jerusalem, Morris Worm, Michelangelo.
     » Macros: in the early '90s, macro viruses were the most popular delivery method.
     » You've Got Mail: email attachments became the vehicle of choice in the late '90s.
     » http://: CodeRed, Nimda, FriendGreetings, SoBig, Blaster and Slammer; phishing aided this attack vector.
     » RootKits.
     » Crimeware: came of age in 2007 with Mpack.
     » SQL Injections: and stolen credentials began to take off in 2007 - 2008.
     » APTs.
     » You've Got More Mail: emailed malware attacks see a resurgence.
  3. Explosion of Malware
     In the 1990s, the unique instances of malware began explosive growth:
     » In 1990 = 9,044 samples
     » In 1994 = 28,613
     » In 1999 = 98,428
     » In 2005 = 333,425
     » In 2006 = 972,606
     » In 2007 (most dramatic jump) = 5,490,960 samples
     • Since 2007, malware samples have more than doubled each and every year.
  4. What Can We Learn From History?
     We have been fighting the wrong battle.
     » Our efforts have focused on the delivery of malware, not the endgame of running malicious code in our environments.
     We simply cannot keep up with the seemingly unlimited ways malware can be delivered.
     » Obfuscation has also rendered our most common defensive methods obsolete.
  5. Definition Of Insanity
     in·san·i·ty (n): Doing the same thing over and over again and expecting a different result.
     » Continuing down our current path means we will still be talking about this issue for the next 25 years.
     » There is a much more effective solution!
  6. Looking Specifically At Java
     1,342 “Java” related issues
     » Covers 129 different products
     » Looking only at Oracle Java, there are 159 reported issues
     Yes, any company that writes code will have issues, but a secure coding effort can help reduce the number of issues (Microsoft is a good example).
     Source: Secunia Advisory and Vulnerability Database
  7. It's Java, Not JavaScript
     The current Java issues are with the Java browser plugin. They are not with:
     » Enterprise Java Beans
     » Embedded Java
     » JavaFX
     » JavaScript
  8. Oracle Is Slow To Fix Problems?
     In September of 2012, Gowdiak at Security Explorations said that of 29 issues reported this year to Oracle, and two reported to Apple, there are still 25 issues remaining yet to be addressed by Oracle.
     » http://www.informationweek.com/security/attacks/java-still-not-safe-security-experts-say/240006876
  9. Oracle Is Slow To Fix Problems?
     On March 4th 2012, Security Explorations issued Proof Of Concept code to Oracle for 60 issues.
     » Oracle focuses effort on patches for exploits known to be actively used in the wild; consequently there is a significant pipeline of unpatched vulnerabilities that are cause for valid concern.
     » Some discovered in 2012 remain unpatched today.
  10. Oracle Is Sloppy?
     With the recent emergency release of 2 patches for Java 7, Oracle inadvertently made a previously undisclosed vulnerability exploitable.
     » Java 7 was the result of 5 years of development, but some are questioning if enough time was provided in testing before its release.
  11. Oracle Is Sloppy?
     Within days of the release of patches for Java 7u11, security researcher Adam Gowdiak reported two new vulnerabilities, including a complete Java Sandbox bypass.
     » In his own words: “although it locked the office door in update 7u11, Oracle left the entrance to the building open”.
  12. Apple Dangerously Out of Sync?
     In September 2012, Apple fell dangerously out of sync with Oracle by releasing what users thought was a Java patch for current Java issues that only patched one issue. This left users woefully exposed to the unpatched issue.
     » http://blog.lumension.com/5869/deja-vu-apple-dangerously-out-of-sync-with-oracle-patch/
  13. Current State Of Java 15 Insecurity
     » We received patches from Java on February 1st that corrected 50 issues;
     » We received patches on February 19th that corrected yet another 6 issues;
     » Since the February 19th patches, 2 new issues have been reported, bringing the total to 7 known vulnerabilities in the latest release;
     » At Pwn2Own last week 3 more vulnerabilities were made public.
  14. Never Ending Headlines
  15. What Can You Do Right Now?
     Only allow Java on specific PCs that require Java, to reduce the overall enterprise Threat Envelope.
     1. Identify if there is a real business or usability need for the Java plugin by the general user population.
     2. Identify assets that do not require the Java plugin and ensure that the plugin is disabled.
     3. Ensure that all Java plugin instances are patched on an aggressive schedule.
     4. Isolate critical systems that are business process sensitive from the production environment as much as possible.
  16. Wouldn't it Be Easier to Abandon Java?
     • Turning off Java sounds easy
       » Apple regularly does it automatically with no notification
       » Are you sure you've removed all instances of Java?
     • Does eliminating Java really solve the problem?
       » Do your line of business applications require Java?
  17. Focus On The End Game
     The best approach is to use mitigating layered controls and processes on endpoints, including:
     » Application control whitelisting to defend against unknown payloads;
     » Enable native memory security controls in Windows, including DEP and ASLR, to limit the success of generic memory based attacks;
     » Deploy advanced memory-injection attack protection, including RMI and Skape/JT, to interrupt advanced memory attacks;
     » Use device control to block USB-borne malware;
     » Utilize strong patch management practices;
     » Blacklist outdated plugin versions;
     » Adopt the concept of least privilege for end users.
  18. Defense-in-Depth Strategy
     Successful risk mitigation starts with a solid vulnerability management foundation, augmented by additional layered defenses which go beyond the traditional blacklist approach.
     » AV: Control the Known
     » Device Control: Control the Flow
     » Hard Drive and Media Encryption: Control the Data
     » Application Control: Control the Grey
     » Patch and Configuration Management: Control the Vulnerability Landscape
  19. More Information
     • Free Security Scanner Tools
       » Application Scanner – discover all the apps being used in your network
       » Vulnerability Scanner – discover all OS and application vulnerabilities on your network
       » http://www.lumension.com/special-offer/premium-security-tools.aspx
     • Lumension® Endpoint Management and Security Suite (L.E.M.S.S.)
       » Online Demo Video: http://www.lumension.com/endpoint-management-security-suite/demo-in-detail.aspx
       » Free Trial (virtual or download): http://www.lumension.com/endpoint-management-security-suite/free-trial.aspx
     • Get a Quote (and more)
       » http://www.lumension.com/endpoint-management-security-suite/buy-now.aspx#2
  20. Global Headquarters
     8660 E. Hartford Drive, Suite 300, Scottsdale, AZ 85250
     1.888.725.7828
     info@lumension.com
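The four steps on slide 15 and the "blacklist outdated plugin versions" control on slide 17 reduce to a per-endpoint decision: no business need means the plugin gets disabled; otherwise every JRE instance on the host must meet the patch baseline. The script below is an added example, not Lumension's tooling or a scanner output format; the inventory, host names and the `1.7.0_15` baseline are constructed sample values.

```python
"""Java-plugin exposure triage across an endpoint inventory (added example, not
Lumension's tooling): disable the plugin where there is no business need (slide
15), and flag any outdated JRE still present (slide 17). Sample data constructed."""
from __future__ import annotations
import re
from typing import NamedTuple

# JRE version strings look like "1.7.0_15" (Java 7 update 15); the update number
# after "_" is optional and must be compared numerically, not as text.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")

def parse_java_version(text: str) -> tuple[int, int, int, int]:
    """Return (major, minor, patch, update) so that tuples compare correctly."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    major, minor, patch, update = match.groups()
    return (int(major), int(minor), int(patch), int(update or 0))

class Endpoint(NamedTuple):
    host: str
    needs_plugin: bool             # outcome of slide 15, step 1 (business need)
    plugin_enabled: bool           # browser plugin currently switched on
    jre_versions: tuple[str, ...]  # every JRE found on the host; may be several

def triage(ep: Endpoint, baseline: str) -> str:
    """Decide the action for one endpoint. Every JRE present is checked: a
    forgotten old install beside a patched one (slide 16) is still reachable."""
    if not ep.needs_plugin:
        return "disable-plugin" if ep.plugin_enabled else "ok"
    if not ep.jre_versions:
        return "no-jre-found"
    oldest = min(parse_java_version(v) for v in ep.jre_versions)
    if oldest < parse_java_version(baseline):
        return "patch-or-remove-old-jre"
    return "ok"

def triage_fleet(endpoints: list[Endpoint], baseline: str) -> dict[str, str]:
    return {ep.host: triage(ep, baseline) for ep in endpoints}

# Constructed sample inventory; host names and versions are placeholders.
BASELINE = "1.7.0_15"  # assumed minimum acceptable JRE for this example
SAMPLE_INVENTORY = [
    Endpoint("ws-finance-01", True, True, ("1.7.0_15",)),
    Endpoint("ws-hr-02", False, True, ("1.7.0_11",)),
    Endpoint("ws-dev-03", True, True, ("1.7.0_15", "1.6.0_41")),
    Endpoint("ws-kiosk-04", False, False, ()),
]
```

Feeding `triage_fleet` a real inventory from your application scanner is left to the reader; the point of the version tuple is that `1.7.0_9` sorts below `1.7.0_15`, which a plain string comparison gets wrong.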