

Protecting against Java zero-day vulnerability, and methods for patching or protecting non-Microsoft products

Posted on 2013-01-23
Medium Priority
Last Modified: 2013-01-24
The company I am with has received an email from TrendMicro talking up a Java zero-day vulnerability, saying disable Java until a patch comes out. Unless (hook) you install blah blah to protect yourself. We do run antivirus but it is a Trend product and they don't think it is good enough to protect against this threat.
My company has asked me to investigate.
I would want to have a pretty good business case to warrant spending the money Trend are asking for the next level up.
I guess part of this question is what my attitude to patching other products like Java should be.
I am just implementing WSUS for Microsoft products but that doesn't patch anything other than Microsoft.
Any thoughts on patching Non-Microsoft products in general, and in particular what to do about the Java zero-day vulnerability in general?
Thanks in advance,
Question by:shaunwoy

Author Comment

ID: 38812229
I have looked into this a little more. You can patch Java with WSUS but you need to install SCCM and SCUP and configure GPOs.
It seems like a bit of a job though.
I have used Kaseya and ManageEngine before but they are clunky things to use and don't always work that well for patch management.

Any thoughts on patch management vs Antivirus and Firewall protection?

Author Comment

ID: 38812672
Hi again, I have been researching a little more and I have found Ninite Pro to manage a network for updates.  It does Java and a heap of other things. It also does fresh installs and silent installs.  Anyone had any luck with this program or any similar?
LVL 65

Accepted Solution

btan earned 1500 total points
ID: 38814409
First, we need to reckon that there is no bugless code, and if you need the program or application, we are stuck with it. Business runs over security most of the time, but this is not saying that we cannot minimise the risk and exposure. Overall, this is part of a risk assessment decision and the steps to take - we cannot eliminate threats from exploiting those vulnerabilities - not to even mention those unknown unknowns, which is zero day for a start.

We need to detect using the security s/w (they themselves can have bugs or corrupted patches bringing down systems...but we are left with no choice) and prevent using s/w and maintaining always a good security posture, doing all those diligence things like patch mgmt, change control, version checking, least privilege, and process and policy control reviews (regular health checks). Some even implement SIEM or have a SOC or NOC to oversee the infrastructure networks and servers/clients.

When a Java zero day is announced, all scramble - why? Because there is this exposure period and we are left with no defenses? Not true, if we have maintained good security and a clean bill of health and end users are security savvy or at least aware (not to be phished or social engineered). But we know we cannot take chances, so best is to disable it from "secure by default" thinking...stay isolated...but we cannot, as business needs to go on...

When Oracle came out with an emergency patch, it was exploited once again - a hasty attempt that may have missed out the quality pt .... @ http://www.h-online.com/security/news/item/Oracle-s-Java-patch-leaves-a-loophole-1787566.html

If you are interested, you should check out this paper on the Java flaws that surfaced. How many would have been covered and been exploited...it is not easy and straightforward
@ https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf

So all in all, we will preach defense in depth (not saying having two AV) knowing that it is primarily to deter and not stop such attacks. We can only make it harder. Below are interesting thoughts which you may be interested in...why be at the mercy of an attacker or malware :)

@ http://privacy-pc.com/articles/offensive-countermeasures-making-attackers-lives-miserable.html
LVL 65

Expert Comment

ID: 38814417
We would not want to fall into Sony's footsteps


.....Access to the network was gained through a vulnerability and ICO found that the administrators of the network had previously failed to address the vulnerability despite the availability of updates that would have closed the hole.
LVL 50

Expert Comment

ID: 38815363
shaunwoy---If you need Java for company operations, install the latest
Go to Control Panel|Java and then the Security tab. You will see a slider to increase security as well as a box to Enable/Disable Java.

If you do not need it, uninstall whatever Java is now installed.

The web media offer lots of articles that say some malware vulnerabilities are still present in the Java 7 update 11.  So you have to choose.
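
For checking the two Security-tab settings mentioned above across many machines rather than by hand, here is an added example (not part of any post in this thread): a Python audit of a Java `deployment.properties` file for the browser-Java switch and the security level. The sample file contents and function names are constructed, and the parser is simplified (no line continuations or escapes).

```python
# Constructed sample inputs, not taken from any real machine.
WEAK_SAMPLE = """# workstation left at a lowered level
deployment.security.level=MEDIUM
"""
HARDENED_SAMPLE = """deployment.webjava.enabled=false
deployment.webjava.enabled.locked
deployment.security.level=VERY_HIGH
deployment.security.level.locked
"""

# Levels accepted as raised; anything else is reported as a finding.
STRONG_LEVELS = {"HIGH", "VERY_HIGH"}
AUDITED_KEYS = ("deployment.webjava.enabled", "deployment.security.level")


def parse_properties(text):
    """Parse key=value or key:value lines, skipping blanks and #/! comments.
    A bare key (such as a '.locked' marker) is stored with an empty value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        for i, ch in enumerate(line):
            if ch in "=:":
                props[line[:i].strip()] = line[i + 1:].strip()
                break
        else:
            props[line] = ""
    return props


def audit(text, java_needed_in_browser=False):
    """Return a list of findings; an empty list means both settings are enforced."""
    props = parse_properties(text)
    findings = []
    web = props.get("deployment.webjava.enabled")
    if not java_needed_in_browser and (web is None or web.lower() != "false"):
        findings.append("browser Java not explicitly disabled")
    level = props.get("deployment.security.level")
    if level is None or level.upper() not in STRONG_LEVELS:
        findings.append("security level not set to HIGH or VERY_HIGH")
    for key in AUDITED_KEYS:
        if key in props and key + ".locked" not in props:
            findings.append(key + " is not locked; users can change it")
    return findings
```
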

Author Comment

ID: 38816641
Thanks jcimarron,
We do need it and, as it happens, on servers. And the more I read up on it, it seems the latest update has the vulnerability and sadly the software for Avamar doesn't run without the latest version.
