Solved

Protecting against Java zero-day vulnerability, and methods for patching or protecting non-Microsoft products

Posted on 2013-01-23
Last Modified: 2013-01-24
Hi,
the company I am with has received an email from TrendMicro talking up a Java zero-day vulnerability, saying to disable Java until a patch comes out. Unless (hook) you install blah blah to protect yourself. We do run antivirus but it is a Trend product and they don't think it is good enough to protect against this threat.
My company has asked me to investigate.
Thoughts?  
I would want to have a pretty good business case to warrant spending the money Trend are asking for the next level up.
I guess part of this question is what my attitude to patching other products like Java should be.
I am just implementing WSUS for Microsoft products but that doesn't patch anything other than Microsoft.
Any thoughts on patching non-Microsoft products in general, and in particular what to do about the Java zero-day vulnerability in general?
Thanks in advance,
Shaun
Question by:shaunwoy
6 Comments
 

Author Comment

by:shaunwoy
ID: 38812229
I have looked into this a little more. You can patch Java with WSUS but you need to install SCCM and SCUP and configure GPOs.
http://itguru82-sccm.blogspot.co.uk/2012/08/java-updates-using-wsussccm.html
It seems like a bit of a job though.
I have used Kaseya and ManageEngine before but they are clunky things to use and don't always work that well for patch management.

Any thoughts on patch management vs Antivirus and Firewall protection?
Thanks,
Shaun
 

Author Comment

by:shaunwoy
ID: 38812672
Hi again, I have been researching a little more and I have found Ninite Pro to manage a network for updates. It does Java and a heap of other things. It also does fresh installs and silent installs. Has anyone had any luck with this program or any similar?
Thanks,
Shaun
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 38814409
First, we need to reckon that there is no bug-free code, and if you need the program or application, we are stuck with it. Business runs over security most of the time, but this is not saying that we cannot minimise the risk and exposure. Overall, this is part of a risk assessment decision and the steps to take - we cannot eliminate threats from exploiting those vulnerabilities - not to even mention the unknown unknowns, which is zero day for a start.

We need to detect using the security s/w (they themselves can have bugs or corrupted patches bringing down systems... but we are left with no choice) and prevent using s/w, always maintaining a good security posture by doing all the diligence stuff like patch mgmt, change control, version checking, least privilege, and having process and policy controls reviewed (regular health checks). Some even implement SIEM or have a SOC or NOC to oversee the infrastructure networks and servers/clients.

When a Java zero day is announced, all scramble - why? Because there is this exposure period and we are left with no defenses? Not true, if we have maintained good security and a clean bill of health and end users are security savvy or at least aware (not to be phished or social engineered). But we know we cannot take chances, so best is to disable it, from "secure by default" thinking... stay isolated... but we cannot, as business needs to go on...

When Oracle came out with an emergency patch, it was exploited once again - a hasty attempt but may have missed out on quality point... @ http://www.h-online.com/security/news/item/Oracle-s-Java-patch-leaves-a-loophole-1787566.html

If you are interested, you should check out this paper on the Java flaws that surfaced. How many would have been covered and been exploited... it is not easy and straightforward
@ https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf

So all in all, we will preach defense in depth (not saying having two AV) knowing that it is primarily to deter and not stop such attacks. We can only make it harder. Below are interesting thoughts which you may be interested in... why be at the mercy of an attacker or malware :)

@ http://privacy-pc.com/articles/offensive-countermeasures-making-attackers-lives-miserable.html
LVL 62

Expert Comment

by:btan
ID: 38814417
We would not want to fall into Sony's footsteps

http://www.h-online.com/security/news/item/Sony-fined-Lb250-000-for-2011-PlayStation-Network-breach-Update-1790549.html

.....Access to the network was gained through a vulnerability and ICO found that the administrators of the network had previously failed to address the vulnerability despite the availability of updates that would have closed the hole.
 
LVL 50

Expert Comment

by:jcimarron
ID: 38815363
shaunwoy---If you need Java for company operations, install the latest
http://java.com/en/download/manual.jsp
Go to Control Panel|Java and then the Security tab. You will see a slider to increase security as well as a box to Enable/Disable Java.

If you do not need it, uninstall whatever Java is now installed.

The web media offer lots of articles that say some malware vulnerabilities are still present in the Java 7 update 11.  So you have to choose.
 

Author Comment

by:shaunwoy
ID: 38816641
Thanks jcimarron,
We do need it and, as it happens, on servers. And the more I read up on it, it seems the latest update has the vulnerability and sadly the software for Avamar doesn't run without the latest version.
Question has a verified solution.