Solved

Protecting against Java zero-day vulnerability, and methods for patching or protecting non-Microsoft products

Posted on 2013-01-23
Last Modified: 2013-01-24
Hi,
the company I am with has received an email from TrendMicro talking up a Java zero-day vulnerability, saying to disable Java until a patch comes out. Unless (hook) you install blah blah to protect yourself. We do run antivirus, but it is a Trend product and they don't think it is good enough to protect against this threat.
My company has asked me to investigate.
Thoughts?  
I would want to have a pretty good business case to warrant spending the money Trend are asking for the next level up.
I guess part of this question is what my attitude to patching other products like Java should be.
I am just implementing WSUS for Microsoft products but that doesn't patch anything other than Microsoft.
Any thoughts on patching Non-Microsoft products in general, and in particular what to do about the Java zero-day vulnerability in general?
Thanks in advance,
Shaun
Question by:shaunwoy
6 Comments
 

Author Comment

by:shaunwoy
I have looked into this a little more. You can patch Java with WSUS but you need to install SCCM and SCUP and configure GPOs.
http://itguru82-sccm.blogspot.co.uk/2012/08/java-updates-using-wsussccm.html
It seems like a bit of a job though.
I have used Kaseya and ManageEngine before but they are clunky things to use and don't always work that well for patch management.

Any thoughts on patch management vs Antivirus and Firewall protection?
Thanks,
Shaun

Author Comment

by:shaunwoy
Hi again, I have been researching a little more and I have found Ninite Pro to manage a network for updates. It does Java and a heap of other things. It also does fresh installs and silent installs. Anyone had any luck with this program or any similar?
Thanks,
Shaun

Accepted Solution

by:
btan earned 500 total points
First, we need to reckon that there is no bug-free code, and if you need the program or application, we are stuck with it. Business runs over security most of the time, but this is not to say that we cannot minimise the risk and exposure. Overall, this is part of a risk assessment decision and the steps to take - we cannot eliminate threats from exploiting those vulnerabilities - not to even mention the unknown unknowns, which is what a zero day is for a start.

We need to detect using the security s/w (which itself can have bugs or corrupted patches bringing down the system... but we are left with no choice), prevent using s/w, and always maintain a good security posture by doing all the diligence stuff like patch mgmt, change control, version checking, least privilege, and having process and policy controls reviewed (regular health checks). Some even implement SIEM or have a SOC or NOC to oversee the infrastructure networks and servers/clients.

When a Java zero day is announced, all scramble - why? Because there is this exposure period and we are left with no defenses? Not true, if we have maintained good security and a clean bill of health, and end users are security savvy or at least aware (not to be phished or social engineered). But we know we cannot take chances, so the best is to disable it, from "secure by default" thinking... stay isolated... but we cannot, as business needs to go on...

When Oracle came out with an emergency patch, it was exploited once again - a hasty attempt, but it may have missed out on the quality point... @ http://www.h-online.com/security/news/item/Oracle-s-Java-patch-leaves-a-loophole-1787566.html

If you are interested, you should check out this paper on the Java flaws that surfaced. How many would have been covered and been exploited... it is not easy and straightforward
@ https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf

So all in all, we will preach defense in depth (not saying having two AV), knowing that it is primarily to deter and not stop such an attack. We can only make it harder. Below are some interesting thoughts which you may be interested in... why be at the mercy of the attacker or malware :)

@ http://privacy-pc.com/articles/offensive-countermeasures-making-attackers-lives-miserable.html

Expert Comment

by:btan
We would not want to fall into Sony's footsteps

http://www.h-online.com/security/news/item/Sony-fined-Lb250-000-for-2011-PlayStation-Network-breach-Update-1790549.html

.....Access to the network was gained through a vulnerability and ICO found that the administrators of the network had previously failed to address the vulnerability despite the availability of updates that would have closed the hole.

Expert Comment

by:jcimarron
shaunwoy---If you need Java for company operations, install the latest
http://java.com/en/download/manual.jsp
Go to Control Panel|Java and then the Security tab.  You will see a slider to increase security as well as a box to Enable/Disable Java.

If you do not need it, uninstall whatever Java is now installed.

The web media offer lots of articles that say some malware vulnerabilities are still present in the Java 7 update 11.  So you have to choose.
0
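For the install-the-latest-or-uninstall choice in the comment above, it helps to know which JRE builds each machine actually carries. The following is an added example, not code from the thread or any of its posters: it reads the JavaSoft registry keys on a Windows host. The function name `Get-InstalledJre` and the default baseline of Java 7 update 11 are assumptions for illustration.

```powershell
# Added example: list the JREs registered on this host and flag any below a baseline.
# -Family / -MinUpdate are assumptions; set them to whatever your policy requires.
function Get-InstalledJre {
    param(
        [int]$Family = 7,
        [int]$MinUpdate = 11
    )
    # A 64-bit host can carry both 64-bit and 32-bit JREs, registered in separate views.
    $roots = @{
        '64-bit' = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment'
        '32-bit' = 'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'
    }
    foreach ($view in $roots.Keys) {
        $root = $roots[$view]
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            # Full-version subkeys look like 1.7.0_11. The installer also writes a
            # family alias key (1.7) for the same install; that alias is skipped.
            if ($key.PSChildName -match '^1\.(\d+)\.\d+(?:_(\d+))?$') {
                $fam = [int]$Matches[1]
                $upd = if ($Matches[2]) { [int]$Matches[2] } else { 0 }
                $javaHome = (Get-ItemProperty $key.PSPath).JavaHome
                # Uninstallers sometimes leave the key behind; check the binary exists.
                $present = $false
                if ($javaHome) {
                    $present = Test-Path (Join-Path $javaHome 'bin\java.exe')
                }
                [pscustomobject]@{
                    Computer      = $env:COMPUTERNAME
                    View          = $view
                    Version       = $key.PSChildName
                    JavaHome      = $javaHome
                    FilesPresent  = $present
                    BelowBaseline = ($fam -lt $Family) -or
                                    ($fam -eq $Family -and $upd -lt $MinUpdate)
                }
            }
        }
    }
}

# Report for the local machine, oldest builds first.
Get-InstalledJre | Sort-Object Version | Format-Table -AutoSize
```

Rows with `BelowBaseline` true and `FilesPresent` true are the installs to update or remove; rows with `FilesPresent` false are leftover registry entries.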
 

Author Comment

by:shaunwoy
Thanks jcimarron,
We do need it, and as it happens, on servers. And the more I read up on it, it seems the latest update has the vulnerability, and sadly the software for Avamar doesn't run without the latest version.