
Protecting against Java zero-day vulnerability, and methods for patching or protecting non-Microsoft products

Posted on 2013-01-23
Medium Priority
Last Modified: 2013-01-24
The company I am with has received an email from TrendMicro talking up the Java zero-day vulnerability, saying disable Java until a patch comes out. Unless (hook) you install blah blah to protect yourself. We do run antivirus, but it is a Trend product and they don't think it is good enough to protect against this threat.
My company has asked me to investigate.
I would want to have a pretty good business case to warrant spending the money Trend are asking for the next level up.
I guess part of this question is what my attitude to patching other products like Java should be.
I am just implementing WSUS for Microsoft products but that doesn't patch anything other than Microsoft.
Any thoughts on patching non-Microsoft products in general, and in particular what to do about the Java zero-day vulnerability in general?
Thanks in advance,
Question by: shaunwoy

Author Comment

ID: 38812229
I have looked into this a little more. You can patch Java with WSUS but you need to install SCCM and SCUP and configure GPOs.
It seems like a bit of a job though.
I have used Kaseya and ManageEngine before but they are clunky things to use and don't always work that well for patch management.

Any thoughts on patch management vs Antivirus and Firewall protection?

Author Comment

ID: 38812672
Hi again, I have been researching a little more and I have found Ninite Pro to manage a network for updates.  It does Java and a heap of other things. It also does fresh installs and silent installs.  Anyone had any luck with this program or any similar?
LVL 66

Accepted Solution

btan earned 1500 total points
ID: 38814409
First, we need to reckon that there is no bug-free code, and if you need the program or application, we are stuck with it. Business runs over security most of the time, but this is not saying that we cannot minimise the risk and exposure. Overall, this is part of a risk assessment decision and the steps to take - we cannot eliminate threats from exploiting those vulnerabilities - not to even mention those unknown unknowns, which is zero day for a start.

We need to detect using the security s/w (they themselves can have bugs or corrupted patches bringing down the system...but we are left with no choice) and prevent using s/w and maintaining always a good security posture, doing all those diligence stuff like patch mgmt, change control, version checking, least privilege, process and policy controls reviewed (regular health checks). Some even implement SIEM or have a SOC or NOC to oversee the infrastructure networks and servers/clients.

When a Java zero day is announced, all scramble - why? Because there is this exposure period and we are left with no defenses? Not true, if we have maintained good security and a clean bill of health and end users are security savvy or at least aware (not to be phished or social engineered). But we know we cannot take chances, so best is to disable it from "secure by default" thinking...stay isolated...but we cannot as business needs to go on...

When Oracle came out with an emergency patch, it was exploited once again - a hasty attempt but may have missed out quality pt ....@

If you are interested, you should check out this paper on Java flaws surfaced. How many would have been covered and been is not easy and straightforward

So all in all, we will preach defense in depth (not saying having two AV) knowing that it is primarily to deter and not stop such attacks. We can only make it harder. Below are interesting thoughts which you may be interested in...why be at the mercy of attacker or malware :)

LVL 66

Expert Comment

ID: 38814417
We would not want to fall into Sony's footsteps

.....Access to the network was gained through a vulnerability and ICO found that the administrators of the network had previously failed to address the vulnerability despite the availability of updates that would have closed the hole.
LVL 50

Expert Comment

ID: 38815363
shaunwoy---If you need Java for company operations, install the latest
Go to Control Panel|Java and then the Security tab.  You will see a slider to increase security as well as a box to Enable/Disable Java.

If you do not need it, uninstall whatever Java is now installed.

The web media offer lots of articles that say some malware vulnerabilities are still present in the Java 7 update 11.  So you have to choose.
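
The Security-tab slider and the Enable/Disable box mentioned in the comment above can also be set and locked for every user on a machine through Java's system-level deployment files. The script below is an added example, not code from this thread; it assumes Java 7 Update 10 or later (where these settings exist), the default `%WINDIR%\Sun\Java\Deployment` location, and a hypothetical `-KeepBrowserJava` switch for machines that still need applets.

```powershell
# Added example, not from the thread. Run elevated, e.g. as a GPO computer
# startup script, on machines with Java 7 Update 10 or later.
param(
    # Assumption: Java must stay installed for local applications but should
    # not run in browsers. Pass -KeepBrowserJava to only raise the slider.
    [switch]$KeepBrowserJava
)

$deployDir  = Join-Path $env:WINDIR 'Sun\Java\Deployment'
$configFile = Join-Path $deployDir 'deployment.config'
$propsFile  = Join-Path $deployDir 'deployment.properties'

New-Item -ItemType Directory -Path $deployDir -Force | Out-Null

# System-level properties: a ".locked" entry greys the setting out in the
# Java Control Panel so users cannot lower it again.
$props = @(
    'deployment.security.level=VERY_HIGH'
    'deployment.security.level.locked'
)
if (-not $KeepBrowserJava) {
    # Same effect as clearing "Enable Java content in the browser".
    $props += 'deployment.webjava.enabled=false'
    $props += 'deployment.webjava.enabled.locked'
}
# Write the properties file first: once deployment.config marks it as
# mandatory, a missing properties file stops Java content from running.
$props | Set-Content -Path $propsFile -Encoding ASCII

# deployment.config points every JRE on the machine at the system-level file.
$propsUrl = 'file:///' + ($propsFile -replace '\\', '/')
@(
    "deployment.system.config=$propsUrl"
    'deployment.system.config.mandatory=true'
) | Set-Content -Path $configFile -Encoding ASCII

# Show what was written so the result can be checked in the startup log.
Get-Content -Path $configFile, $propsFile
```

These settings govern Java content launched from a browser; Java applications started locally on a server are unaffected and still depend on patching.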

Author Comment

ID: 38816641
Thanks jcimarron,
We do need it and, as it happens, on servers. And the more I read up on it, it seems the latest update has the vulnerability, and sadly the software for Avamar doesn't run without the latest version.

Question has a verified solution.