Lumension, profile picture
Uploaded byLumension
PPTX, PDF1,085 views

Java Insecurity: How to Deal with the Constant Vulnerabilities

The document outlines vulnerabilities associated with Java software and provides strategies for assessment, disabling, hardening, filtering, and patching Java installations. Key points include the importance of identifying installed Java versions, managing security configurations, and utilizing tools for effective patch and remediation. It emphasizes the need for organizations to proactively manage Java risks to maintain security across their environments.

Embed presentation

Downloaded 16 times
Sponsored by Java Insecurity: How to Deal with theConstant Vulnerabilities © 2013 Monterey Technology Group Inc.
Thanks to © 2013 Monterey Technology Group Inc. www.Lumension.com Chris Merritt, Director of Solution Marketing
Preview of Key Points  Assessment & Identification  Disabling  Hardening  Filtering  Patching
Background  This is not about “Java Script”  No relationship to Java  Java  Supported onWindows,OS X, Linux  Android too, kind of  Not supported on iOS or Chrome  What is the component?  JVM now called JRE  Installed by default?  Windows: up to hardware manufacture  OS X: pre-Lion yes, Lion+ no (more info javatest.org)  Multiple versions can be installed  Each browser has its own Java settings
Background  Important changes with 7.10  Ensuring the Most Secure JRE  JRE Expiration Date  Disabling Java in the Browser  Setting the Security Level  Advanced options  Allow user to grant permissions to signed content  Show sandbox warning banner  Allow user to accept JNLP security requests  Don't prompt for client certificate selection when no certificates or only one exists  Warn if site certificate does not match hostname  Show site certificate even if it is valid  Install options
Background  Big changes in v7U21 (see here) …  security model for signed applets was changed  default plug-in security settings were changed  improvements to standardized revocation services (of certs)  dissociating client/browser use of Java (e.g., affecting home users) and server use (e.g., affecting enterprise deployments)  Latest version 1.7.0_25 (v7U25)  40 security fixes  http://www.oracle.com/technetwork/topics/security/javacpujun2013- 1899847.html
Assessment & Identification  Which versions of Java and related software are installed on your windows computer? $cn = get-content env:computername $cn = “servershare” + $cn + ".txt“ echo "**************************************“ > $cn Date >> $cn Get-WmiObject -Class Win32_Product | Select-Object -Property Name | Where {$_.name -Like "*Java*“-or $_.name -like "J2SE"} >> $cn  Add script as startup/logon script via group policy  Powershell.exe c:fullyqualpathjavalister.ps1
Assessment & Identification  Which versions are really being used?  Windows auditing  To catch Java EXEs starting  Enable Process tracking  Event 4688/592 with “java”  To catch DLLs  Necessary?  Enable File System auditing  Enable auditing on c:program filesjava  Look for 4663 with “java”
Assessment & Identification  Other questions  Which browsers is it enabled in?  http://javatester.org/version.html
Disabling Java  What about when you need Java on certain websites?  Disable Java in main browser  Enable Java in alternate browser used for certain sites
Disabling Java  Disabling Java  Altogether  Chrome  http://mtwsec.blogspot.ca/2012/08/java-0-day-workarounds-silent- disabling.html  IE  By script: http://support.microsoft.com/kb/2751647  FireFox  By script: http://mtwsec.blogspot.ca/2012/08/java-0-day-workarounds-silent- disabling.html
Uninstall all versions of Java  http://community.spiceworks.com/how_to/show/22997-use-a-batch- file-and-group-policy-to-cleanly-update-java  wmic product where "name like 'Java(TM) 6%%'" call uninstall /nointeractive wmic product where "name like 'Java(TM) 7%%'" call uninstall /nointeractive wmic product where "name like 'Java 7%%'" call uninstall /nointeractive wmic product where "name like 'JavaFX%%'" call uninstall /nointeractive wmic product where "name like 'Java(TM) 7%%'" call uninstall /nointeractive wmic product where "name like 'Java(tm) 6%%'" call uninstall /nointeractive wmic product where "name like 'J2SE Runtime Environment%%'" call uninstall /nointeractive
Installing latest and enabling automatic updates hence forth  Group Policy/Software Installation  MSI files  http://community.spiceworks.com/how_to/show/22997-use-a-batch- file-and-group-policy-to-cleanly-update-java
Managing Java configuration  Java normally stores its settings for each user in  <UserApplication Data Folder>SunJavaDeploymentdeployment.properties  Mandate system wide settings with  <Windows Directory>SunJavaDeploymentdeployment.config  http://docs.oracle.com/javase/6/docs/technotes/guides/deployment/depl oyment-guide/properties.html  http://docs.oracle.com/javase/7/docs/technotes/guides/deployment/depl oyment-guide/properties.html  How to do it with group policy  http://www.darkoperator.com/blog/2013/1/14/centralized-management- of-java-se-environment-using-gpo-redu.html
Filtering  Do you have a proxy server?  Can you filter java applets at the gateway?  Some firewalls and proxies make this possible.  Java content removed from web pages
Patching  Oracle still relies on independent auto-updaters on each endpoint  Install by MSI  Download and run the offline installer, but do not complete it. Look in %userprofile%appdatalocallowsunjava.  Open the folder jre<update number> and copy the msi and cab files there to your server share where you deploy your msis. Deploy with group policy as per normal.  Silent install from script  <jre>.exe [/s] [INSTALLDIR=<drive>:<JRE_install_path>] [STATIC=1] [WEB_JAVA=0/1] [WEB_JAVA_SECURITY_LEVEL=VH/H/M/L]  http://java.com/en/download/help/silent_install.xml
Bottom line  Managing Java yourself  Labor intensive – who has the time?  Changes with each new version  Requires fragile scripts  No reporting/monitoring  There must be a better way…
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION Java Survival Guide
Java Remediation Decision Tree 19 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
1 – Know What • Scan entire environment for all Java versions Why • Discover the scope (depth and breadth) of the Java issue in the environment How » Application Scanner – Free Utility from Lumension » Patch and Remediation – part of the Lumension Endpoint Management and Security Suite 20 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
Application Scanner Dashboard 21 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
Java Application Scanner 22 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
2 – Act What • How you need Java? » If No, then remove all instances of Java » If Yes, then do you need a specific version or the latest version? Why • Reduce the scope of the Java issue in the environment by: » Eliminating where possible » Updating where possible » Putting a picket fence where needed How » Patch and Remediation – update, standardize » Content Wizard – remove unwanted versions 23 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
Disable Java Browser Plug-ins 24 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
3 – Protect What • Stay current with all updates • Maintain environment in desired state • Protect against known and unknown (zero-day) malware Why • Prevent environment from returning to an unknown and less secure state How » Patch and Remediation – maintain » Application Control – prevent drift and malware 25 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
Application Control 26 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
More Information • Free Java Application Scanner Tool » Uncover every version of Java in your endpoint environment to assess, prioritize and manage your Java risk. http://www.lumension.com/Resources/Security- Tools/Java-App-Scanner-Tool.aspx • Lumension® Endpoint Management and Security Suite: Patch and Remediation » Online Demo Video: http://www.lumension.com/Resources/Demo- Center/Vulnerability-Management.aspx » Free Trial (virtual or download): http://www.lumension.com/vulnerability- management/patch-management-software/free- trial.aspx 27 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION • Surviving Java Resource Center » Get free access to essential resources to help you take control of your Java risk – in just 3 steps! http://www.lumension.com/Resources/Resource- Center/Java-Resource-Center.aspx
Global Headquarters 8660 East Hartford Drive Suite 300 Scottsdale, AZ 85255 1.888.725.7828 info@lumension.com http://blog.lumension.com

More Related Content

PDF
Deployment Best Practices on WebLogic Server (DOAG IMC Summit 2013)
byAndreas Koop
 
PPT
Troubleshooting the Windows Installer
byAppDetails
 
PDF
David Thiel - Secure Development On iOS
bySource Conference
 
KEY
Introduction To Maven2
byShuji Watanabe
 
PPTX
Vm Penetration Test
byNicole Gaehle, MSIST
 
PDF
TS-5358
bytutorialsruby
 
PDF
Problems with parameters b sides-msp
byMike Saunders
 
PDF
IE Exploit Protection
byKim Jensen
 
Deployment Best Practices on WebLogic Server (DOAG IMC Summit 2013)
byAndreas Koop
 
Troubleshooting the Windows Installer
byAppDetails
 
David Thiel - Secure Development On iOS
bySource Conference
 
Introduction To Maven2
byShuji Watanabe
 
Vm Penetration Test
byNicole Gaehle, MSIST
 
TS-5358
bytutorialsruby
 
Problems with parameters b sides-msp
byMike Saunders
 
IE Exploit Protection
byKim Jensen
 

What's hot

PDF
Rock-solid Magento Deployments (and Development)
byAOE
 
PDF
Secure Coding for Java - An Introduction
bySebastien Gioria
 
PPTX
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
bysecurityxploded
 
PDF
Testing Web Based Applications[1]
byMBA_Community
 
PPTX
[Wroclaw #2] Web Application Security Headers
byOWASP
 
PDF
Analyzing the Effectivess of Web Application Firewalls
byLarry Suto
 
PPT
WAFEC
byConferencias FIST
 
PDF
Secure Authentication and Session Management in Java EE
byPatrycja Wegrzynowicz
 
PPT
OWASP Serbia - A5 cross-site request forgery
byNikola Milosevic
 
PDF
Dev ops tools and was liberty profile
bysflynn073
 
PDF
CloudFlare vs Incapsula: Round 2
byZero Science Lab
 
PDF
Securing Android
byMarakana Inc.
 
PDF
Bridging the gap - Security and Software Testing
byRoberto Suggi Liverani
 
PPTX
Web Application Security And Getting Into Bug Bounties
bykunwaratul hax0r
 
PDF
Web Application Frewall
byAbhishek Singh
 
PDF
Augmented reality in your web proxy
byRoberto Suggi Liverani
 
PPTX
Web security-–-everything-we-know-is-wrong-eoin-keary
bydrewz lin
 
PPTX
OWASP Khartoum Top 10 A3 - 6th meeting
byOWASP Khartoum
 
PDF
Magento Testing on all fronts
byAOE
 
Rock-solid Magento Deployments (and Development)
byAOE
 
Secure Coding for Java - An Introduction
bySebastien Gioria
 
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
bysecurityxploded
 
Testing Web Based Applications[1]
byMBA_Community
 
[Wroclaw #2] Web Application Security Headers
byOWASP
 
Analyzing the Effectivess of Web Application Firewalls
byLarry Suto
 
WAFEC
byConferencias FIST
 
Secure Authentication and Session Management in Java EE
byPatrycja Wegrzynowicz
 
OWASP Serbia - A5 cross-site request forgery
byNikola Milosevic
 
Dev ops tools and was liberty profile
bysflynn073
 
CloudFlare vs Incapsula: Round 2
byZero Science Lab
 
Securing Android
byMarakana Inc.
 
Bridging the gap - Security and Software Testing
byRoberto Suggi Liverani
 
Web Application Security And Getting Into Bug Bounties
bykunwaratul hax0r
 
Web Application Frewall
byAbhishek Singh
 
Augmented reality in your web proxy
byRoberto Suggi Liverani
 
Web security-–-everything-we-know-is-wrong-eoin-keary
bydrewz lin
 
OWASP Khartoum Top 10 A3 - 6th meeting
byOWASP Khartoum
 
Magento Testing on all fronts
byAOE
 

Viewers also liked

PPTX
Windows 7 AppLocker: Understanding its Capabilities and Limitations
byLumension
 
PPTX
Tazkirah ramadhan
byMohd Asmariza Che Mahmood
 
PPTX
Skor A+ sejarah STPM
byKarsodikromo Yatiman
 
PPTX
Application Explosion How to Manage Productivity vs Security
byLumension
 
PPTX
Effectively Utilizing LEMSS: Top 11 Security Capabilities You Can Implement T...
byLumension
 
PPT
State of endpoint risk v3
byLumension
 
PPTX
It's Time to Rethink Your Endpoint Strategy
byLumension
 
PPTX
State of endpoint risk v3
byLumension
 
PDF
BakeSale Pitch Deck (text heavy)
byRyan Chacon
 
PPTX
Picking Up The Pieces: Rebuilding Your Credit After Financial Disaster
byCurtis Rose
 
PPT
2013 indruk-krijgen-techniek-beroepen
byChris Noordam
 
PDF
تقرير الإستكمال
byHany May
 
PPT
2013 sectoren-ecabo-werknemers-ict-ss
byChris Noordam
 
PDF
ความรู้เบื้่องต้นเกี่ยวกับการสร้างบลอค
byInception Tnz
 
PPT
2013 banen-die-blijven-bestaan
byChris Noordam
 
PDF
Skif lan
bysnobroreelsbac1980
 
PPT
діяльність комітету доступності у херсонській області
byOleksa Lipko
 
PPTX
Galileo galilei
byReana Mondo
 
Windows 7 AppLocker: Understanding its Capabilities and Limitations
byLumension
 
Tazkirah ramadhan
byMohd Asmariza Che Mahmood
 
Skor A+ sejarah STPM
byKarsodikromo Yatiman
 
Application Explosion How to Manage Productivity vs Security
byLumension
 
Effectively Utilizing LEMSS: Top 11 Security Capabilities You Can Implement T...
byLumension
 
State of endpoint risk v3
byLumension
 
It's Time to Rethink Your Endpoint Strategy
byLumension
 
State of endpoint risk v3
byLumension
 
BakeSale Pitch Deck (text heavy)
byRyan Chacon
 
Picking Up The Pieces: Rebuilding Your Credit After Financial Disaster
byCurtis Rose
 
2013 indruk-krijgen-techniek-beroepen
byChris Noordam
 
تقرير الإستكمال
byHany May
 
2013 sectoren-ecabo-werknemers-ict-ss
byChris Noordam
 
ความรู้เบื้่องต้นเกี่ยวกับการสร้างบลอค
byInception Tnz
 
2013 banen-die-blijven-bestaan
byChris Noordam
 
Skif lan
bysnobroreelsbac1980
 
діяльність комітету доступності у херсонській області
byOleksa Lipko
 
Galileo galilei
byReana Mondo
 

Similar to Java Insecurity: How to Deal with the Constant Vulnerabilities

PPTX
System hardening - OS and Application
byedavid2685
 
PDF
It's a jdk jungle out there - JDK 11 and OpenJDK 11
byWolfgang Weigend
 
PDF
Java part 1
byACCESS Health Digital
 
PDF
Java SE Subscription Workshop
byMarketingArrowECS_CZ
 
PDF
JDK versions and OpenJDK
byWolfgang Weigend
 
PPTX
Java Licensing Roadmap for Oracle License Management
byFredrik Filipsson - Oracle License Expert
 
PDF
Patch management
byGFI Software
 
PDF
Advanced Java
byHossein Mobasher
 
PDF
JavaCro'15 - Managing Java at Scale Security and Compatibility Applications -...
byHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
PPT
Running Java safely
byJane Prusakova
 
DOC
Do you know security flaws persist in java 7u10 update !
byAndolasoft Inc
 
PDF
2010-03 Yesterday's Trusted Web Sites are Today's Malicious Servers
byRaleigh ISSA
 
PDF
Secure JEE Architecture and Programming 101
byMario-Leander Reimer
 
PDF
Securing Java in the Server Room
byTim Ellison
 
PPT
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
bySteve Poole
 
PDF
JavaOne2013: Securing Java in the Server Room - Tim Ellison
byChris Bailey
 
PDF
JavaSecurityIssuesOverviewHUJAK_20130219
byjkrizanic
 
PPTX
Malware in a JAR: How Rogue Java Applications Compromise your Endpoints
byIBM Security
 
PDF
Oracle Keynote from JMagghreb 2014
bySimon Ritter
 
PDF
Java Configuration on Windows Xp
byAbdinav Kumar Singh
 
System hardening - OS and Application
byedavid2685
 
It's a jdk jungle out there - JDK 11 and OpenJDK 11
byWolfgang Weigend
 
Java part 1
byACCESS Health Digital
 
Java SE Subscription Workshop
byMarketingArrowECS_CZ
 
JDK versions and OpenJDK
byWolfgang Weigend
 
Java Licensing Roadmap for Oracle License Management
byFredrik Filipsson - Oracle License Expert
 
Patch management
byGFI Software
 
Advanced Java
byHossein Mobasher
 
JavaCro'15 - Managing Java at Scale Security and Compatibility Applications -...
byHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
Running Java safely
byJane Prusakova
 
Do you know security flaws persist in java 7u10 update !
byAndolasoft Inc
 
2010-03 Yesterday's Trusted Web Sites are Today's Malicious Servers
byRaleigh ISSA
 
Secure JEE Architecture and Programming 101
byMario-Leander Reimer
 
Securing Java in the Server Room
byTim Ellison
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
bySteve Poole
 
JavaOne2013: Securing Java in the Server Room - Tim Ellison
byChris Bailey
 
JavaSecurityIssuesOverviewHUJAK_20130219
byjkrizanic
 
Malware in a JAR: How Rogue Java Applications Compromise your Endpoints
byIBM Security
 
Oracle Keynote from JMagghreb 2014
bySimon Ritter
 
Java Configuration on Windows Xp
byAbdinav Kumar Singh
 

More from Lumension

PPTX
Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...
byLumension
 
PPTX
Using SCCM 2012 r2 to Patch Linux, UNIX and Macs
byLumension
 
PPTX
Adobe Hacked Again: What Does It Mean for You?
byLumension
 
PPTX
Careto: Unmasking a New Level in APT-ware
byLumension
 
PPTX
Windows XP is Coming to an End: How to Stay Secure Before You Migrate
byLumension
 
PPTX
APTs: The State of Server Side Risk and Steps to Minimize Risk
byLumension
 
PPTX
Defending Your Corporate Endpoints How to Go Beyond Anti-Virus
byLumension
 
PPTX
Real World Defense Strategies for Targeted Endpoint Threats
byLumension
 
PPTX
2014 Ultimate Buyers Guide to Endpoint Security Solutions
byLumension
 
PPTX
2015 Endpoint and Mobile Security Buyers Guide
byLumension
 
PPTX
Top 10 Things to Secure on iOS and Android to Protect Corporate Information
byLumension
 
PPTX
2014 Data Protection Maturity Survey: Results and Analysis
byLumension
 
PPTX
2014 BYOD and Mobile Security Survey Preliminary Results
byLumension
 
PPTX
2014 Security Trends: SIEM, Endpoint Security, Data Loss, Mobile Devices and ...
byLumension
 
PPTX
3 Executive Strategies to Reduce Your IT Risk
byLumension
 
PPTX
Securing Your Point of Sale Systems: Stopping Malware and Data Theft
byLumension
 
PDF
The Evolution of Advanced Persistent Threats_The Current Risks and Mitigation...
byLumension
 
PDF
Greatest It Security Risks of 2014: 5th Annual State of Endpoint Risk
byLumension
 
PPTX
BYOD & Mobile Security: How to Respond to the Security Risks
byLumension
 
PPTX
Data Protection Rules are Changing: What Can You Do to Prepare?
byLumension
 
Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...
byLumension
 
Using SCCM 2012 r2 to Patch Linux, UNIX and Macs
byLumension
 
Adobe Hacked Again: What Does It Mean for You?
byLumension
 
Careto: Unmasking a New Level in APT-ware
byLumension
 
Windows XP is Coming to an End: How to Stay Secure Before You Migrate
byLumension
 
APTs: The State of Server Side Risk and Steps to Minimize Risk
byLumension
 
Defending Your Corporate Endpoints How to Go Beyond Anti-Virus
byLumension
 
Real World Defense Strategies for Targeted Endpoint Threats
byLumension
 
2014 Ultimate Buyers Guide to Endpoint Security Solutions
byLumension
 
2015 Endpoint and Mobile Security Buyers Guide
byLumension
 
Top 10 Things to Secure on iOS and Android to Protect Corporate Information
byLumension
 
2014 Data Protection Maturity Survey: Results and Analysis
byLumension
 
2014 BYOD and Mobile Security Survey Preliminary Results
byLumension
 
2014 Security Trends: SIEM, Endpoint Security, Data Loss, Mobile Devices and ...
byLumension
 
3 Executive Strategies to Reduce Your IT Risk
byLumension
 
Securing Your Point of Sale Systems: Stopping Malware and Data Theft
byLumension
 
The Evolution of Advanced Persistent Threats_The Current Risks and Mitigation...
byLumension
 
Greatest It Security Risks of 2014: 5th Annual State of Endpoint Risk
byLumension
 
BYOD & Mobile Security: How to Respond to the Security Risks
byLumension
 
Data Protection Rules are Changing: What Can You Do to Prepare?
byLumension
 

Recently uploaded

PDF
January Patch Tuesday
byIvanti
 
PDF
One String, Many Prompts: AI Code Generation
byGeoffrey Goetz
 
PDF
Adding Copilot+ PCs with Snapdragon to your HP fleet won’t require IT deploym...
byPrincipled Technologies
 
PPTX
Storage-and-HCI-Positioning-update-sales.pptx
byhungungphu123
 
PPTX
Microsoft Azure News - January 2026 - BAUG
byDaniel Toomey
 
PDF
Pervasive Encryption - Keeping Data Secure.pdf
byPrecisely
 
PPTX
Apache Kafka 101 for Techies in IT dep.pptx
byamulyareddyk97
 
PPTX
Spacewalk 2026 - Presented at the IMAX in Raleigh, NC
byAll Things Open
 
PPTX
Fortify Your Digital Defenses with ServiceNow Security Operations by Suma Soft
byGavin Ellis
 
PDF
MINDCTI Revenue Release Quarter 3 2025 - Financial Presentation
byMIND CTI
 
PDF
Profiting from Technological Innovation: Managing Intellectual Property to Bu...
byDavid Teece
 
PDF
Top 5 Best Dedicated Server Providers in Los Angeles (Updated Edition)
byAtal Networks
 
PDF
2006 IEEE International Solid-State Circuits Conference
bySlide_N
 
PDF
Implementing A Data Lakehouse Using Iceberg & Spark
byAnass Nabil
 
PPTX
Mastering SQL Server Replication: Types, Setup & Troubleshooting
byGeoPITS Global Pvt Ltd
 
PDF
TopMate ES11 3-Wheel Electric Scooter: Comfortable, Stable Mobility for Every...
byTopmate
 
PDF
Special Reeling Cable Specification _ Anhui Feichun Special Cable Co., Ltd_.pdf
byAnhui Feichun Special Cable Co., Ltd.
 
PPTX
Accelerate Innovation with Engineering R&D Services
byChetu
 
PDF
Presentation of Cybersecurity and data protection
bytarikaityahya2
 
PDF
2025-CB-NCAE-slide-deck.pptx-1-83.pdf Virtual Orientation on the Administrati...
byNelizabethEsplaguera1
 
January Patch Tuesday
byIvanti
 
One String, Many Prompts: AI Code Generation
byGeoffrey Goetz
 
Adding Copilot+ PCs with Snapdragon to your HP fleet won’t require IT deploym...
byPrincipled Technologies
 
Storage-and-HCI-Positioning-update-sales.pptx
byhungungphu123
 
Microsoft Azure News - January 2026 - BAUG
byDaniel Toomey
 
Pervasive Encryption - Keeping Data Secure.pdf
byPrecisely
 
Apache Kafka 101 for Techies in IT dep.pptx
byamulyareddyk97
 
Spacewalk 2026 - Presented at the IMAX in Raleigh, NC
byAll Things Open
 
Fortify Your Digital Defenses with ServiceNow Security Operations by Suma Soft
byGavin Ellis
 
MINDCTI Revenue Release Quarter 3 2025 - Financial Presentation
byMIND CTI
 
Profiting from Technological Innovation: Managing Intellectual Property to Bu...
byDavid Teece
 
Top 5 Best Dedicated Server Providers in Los Angeles (Updated Edition)
byAtal Networks
 
2006 IEEE International Solid-State Circuits Conference
bySlide_N
 
Implementing A Data Lakehouse Using Iceberg & Spark
byAnass Nabil
 
Mastering SQL Server Replication: Types, Setup & Troubleshooting
byGeoPITS Global Pvt Ltd
 
TopMate ES11 3-Wheel Electric Scooter: Comfortable, Stable Mobility for Every...
byTopmate
 
Special Reeling Cable Specification _ Anhui Feichun Special Cable Co., Ltd_.pdf
byAnhui Feichun Special Cable Co., Ltd.
 
Accelerate Innovation with Engineering R&D Services
byChetu
 
Presentation of Cybersecurity and data protection
bytarikaityahya2
 
2025-CB-NCAE-slide-deck.pptx-1-83.pdf Virtual Orientation on the Administrati...
byNelizabethEsplaguera1
 

Java Insecurity: How to Deal with the Constant Vulnerabilities

  • 1.
    Sponsored by Java Insecurity:How to Deal with theConstant Vulnerabilities © 2013 Monterey Technology Group Inc.
  • 2.
    Thanks to © 2013Monterey Technology Group Inc. www.Lumension.com Chris Merritt, Director of Solution Marketing
  • 3.
    Preview of Key Points Assessment & Identification  Disabling  Hardening  Filtering  Patching
  • 4.
    Background  This isnot about “Java Script”  No relationship to Java  Java  Supported onWindows,OS X, Linux  Android too, kind of  Not supported on iOS or Chrome  What is the component?  JVM now called JRE  Installed by default?  Windows: up to hardware manufacture  OS X: pre-Lion yes, Lion+ no (more info javatest.org)  Multiple versions can be installed  Each browser has its own Java settings
  • 5.
    Background  Important changeswith 7.10  Ensuring the Most Secure JRE  JRE Expiration Date  Disabling Java in the Browser  Setting the Security Level  Advanced options  Allow user to grant permissions to signed content  Show sandbox warning banner  Allow user to accept JNLP security requests  Don't prompt for client certificate selection when no certificates or only one exists  Warn if site certificate does not match hostname  Show site certificate even if it is valid  Install options
  • 6.
    Background  Big changesin v7U21 (see here) …  security model for signed applets was changed  default plug-in security settings were changed  improvements to standardized revocation services (of certs)  dissociating client/browser use of Java (e.g., affecting home users) and server use (e.g., affecting enterprise deployments)  Latest version 1.7.0_25 (v7U25)  40 security fixes  http://www.oracle.com/technetwork/topics/security/javacpujun2013- 1899847.html
  • 7.
    Assessment & Identification  Whichversions of Java and related software are installed on your windows computer? $cn = get-content env:computername $cn = “servershare” + $cn + ".txt“ echo "**************************************“ > $cn Date >> $cn Get-WmiObject -Class Win32_Product | Select-Object -Property Name | Where {$_.name -Like "*Java*“-or $_.name -like "J2SE"} >> $cn  Add script as startup/logon script via group policy  Powershell.exe c:fullyqualpathjavalister.ps1
  • 8.
    Assessment & Identification  Whichversions are really being used?  Windows auditing  To catch Java EXEs starting  Enable Process tracking  Event 4688/592 with “java”  To catch DLLs  Necessary?  Enable File System auditing  Enable auditing on c:program filesjava  Look for 4663 with “java”
  • 9.
    Assessment & Identification  Otherquestions  Which browsers is it enabled in?  http://javatester.org/version.html
  • 10.
    Disabling Java  Whatabout when you need Java on certain websites?  Disable Java in main browser  Enable Java in alternate browser used for certain sites
  • 11.
    Disabling Java  DisablingJava  Altogether  Chrome  http://mtwsec.blogspot.ca/2012/08/java-0-day-workarounds-silent- disabling.html  IE  By script: http://support.microsoft.com/kb/2751647  FireFox  By script: http://mtwsec.blogspot.ca/2012/08/java-0-day-workarounds-silent- disabling.html
  • 12.
    Uninstall all versions of Java http://community.spiceworks.com/how_to/show/22997-use-a-batch- file-and-group-policy-to-cleanly-update-java  wmic product where "name like 'Java(TM) 6%%'" call uninstall /nointeractive wmic product where "name like 'Java(TM) 7%%'" call uninstall /nointeractive wmic product where "name like 'Java 7%%'" call uninstall /nointeractive wmic product where "name like 'JavaFX%%'" call uninstall /nointeractive wmic product where "name like 'Java(TM) 7%%'" call uninstall /nointeractive wmic product where "name like 'Java(tm) 6%%'" call uninstall /nointeractive wmic product where "name like 'J2SE Runtime Environment%%'" call uninstall /nointeractive
  • 13.
    Installing latest and enabling automatic updates hence forth Group Policy/Software Installation  MSI files  http://community.spiceworks.com/how_to/show/22997-use-a-batch- file-and-group-policy-to-cleanly-update-java
  • 14.
    Managing Java configuration  Java normallystores its settings for each user in  <UserApplication Data Folder>SunJavaDeploymentdeployment.properties  Mandate system wide settings with  <Windows Directory>SunJavaDeploymentdeployment.config  http://docs.oracle.com/javase/6/docs/technotes/guides/deployment/depl oyment-guide/properties.html  http://docs.oracle.com/javase/7/docs/technotes/guides/deployment/depl oyment-guide/properties.html  How to do it with group policy  http://www.darkoperator.com/blog/2013/1/14/centralized-management- of-java-se-environment-using-gpo-redu.html
  • 15.
    Filtering  Do youhave a proxy server?  Can you filter java applets at the gateway?  Some firewalls and proxies make this possible.  Java content removed from web pages
  • 16.
    Patching  Oracle stillrelies on independent auto-updaters on each endpoint  Install by MSI  Download and run the offline installer, but do not complete it. Look in %userprofile%appdatalocallowsunjava.  Open the folder jre<update number> and copy the msi and cab files there to your server share where you deploy your msis. Deploy with group policy as per normal.  Silent install from script  <jre>.exe [/s] [INSTALLDIR=<drive>:<JRE_install_path>] [STATIC=1] [WEB_JAVA=0/1] [WEB_JAVA_SECURITY_LEVEL=VH/H/M/L]  http://java.com/en/download/help/silent_install.xml
  • 17.
    Bottom line  ManagingJava yourself  Labor intensive – who has the time?  Changes with each new version  Requires fragile scripts  No reporting/monitoring  There must be a better way…
  • 18.
    PROPRIETARY & CONFIDENTIAL- NOT FOR PUBLIC DISTRIBUTION Java Survival Guide
  • 19.
    Java Remediation DecisionTree 19 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
  • 20.
    1 – Know What •Scan entire environment for all Java versions Why • Discover the scope (depth and breadth) of the Java issue in the environment How » Application Scanner – Free Utility from Lumension » Patch and Remediation – part of the Lumension Endpoint Management and Security Suite 20 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
  • 21.
    Application Scanner Dashboard 21 PROPRIETARY& CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
  • 22.
    Java Application Scanner 22 PROPRIETARY& CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
  • 23.
    2 – Act What •How you need Java? » If No, then remove all instances of Java » If Yes, then do you need a specific version or the latest version? Why • Reduce the scope of the Java issue in the environment by: » Eliminating where possible » Updating where possible » Putting a picket fence where needed How » Patch and Remediation – update, standardize » Content Wizard – remove unwanted versions 23 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
  • 24.
    Disable Java BrowserPlug-ins 24 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
  • 25.
    3 – Protect What •Stay current with all updates • Maintain environment in desired state • Protect against known and unknown (zero-day) malware Why • Prevent environment from returning to an unknown and less secure state How » Patch and Remediation – maintain » Application Control – prevent drift and malware 25 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
  • 26.
    Application Control 26 PROPRIETARY &CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
  • 27.
    More Information • FreeJava Application Scanner Tool » Uncover every version of Java in your endpoint environment to assess, prioritize and manage your Java risk. http://www.lumension.com/Resources/Security- Tools/Java-App-Scanner-Tool.aspx • Lumension® Endpoint Management and Security Suite: Patch and Remediation » Online Demo Video: http://www.lumension.com/Resources/Demo- Center/Vulnerability-Management.aspx » Free Trial (virtual or download): http://www.lumension.com/vulnerability- management/patch-management-software/free- trial.aspx 27 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION • Surviving Java Resource Center » Get free access to essential resources to help you take control of your Java risk – in just 3 steps! http://www.lumension.com/Resources/Resource- Center/Java-Resource-Center.aspx
  • 28.
    Global Headquarters 8660 EastHartford Drive Suite 300 Scottsdale, AZ 85255 1.888.725.7828 info@lumension.com http://blog.lumension.com

Editor's Notes

  • #20 Notes: This decision tree could be applied across the entire organization as a whole; however, more likely any department, group or even individual will be unique in their needs. This decision tree could be applied across both server and endpoint environments. Determining the need for Java is likely unique by organization, department, group or even individual user; be sure to consider both vendor-supplied and in-house developed applications. There may be legitimate reasons for maintaining old versions of Java in your organization; if this is the case, then strategies to minimize the risk must be considered. A common recommendation is disable Java plug-ins in the browser(s); this configuration will greatly reduce common attack vectors.