Solved

Protecting against Java zero-day vulnerability, and methods for patching or protecting non-Microsoft products

Posted on 2013-01-23
Last Modified: 2013-01-24
Hi,
The company I am with has received an email from TrendMicro talking up a Java zero-day vulnerability, saying to disable Java until a patch comes out. Unless (hook) you install blah blah to protect yourself. We do run antivirus, but it is a Trend product and they don't think it is good enough to protect against this threat.
My company has asked me to investigate.
Thoughts?  
I would want to have a pretty good business case to warrant spending the money Trend are asking for the next level up.
I guess part of this question is what my attitude to patching other products like Java should be.
I am just implementing WSUS for Microsoft products but that doesn't patch anything other than Microsoft.
Any thoughts on patching Non-Microsoft products in general, and in particular what to do about the Java zero-day vulnerability in general?
Thanks in advance,
Shaun
Question by:shaunwoy
Author Comment

by:shaunwoy
ID: 38812229
I have looked into this a little more. You can patch Java with WSUS but you need to install SCCM and SCUP and configure GPOs.
http://itguru82-sccm.blogspot.co.uk/2012/08/java-updates-using-wsussccm.html
It seems like a bit of a job though.
I have used Kaseya and ManageEngine before but they are clunky things to use and don't always work that well for patch management.

Any thoughts on patch management vs Antivirus and Firewall protection?
Thanks,
Shaun

Author Comment

by:shaunwoy
ID: 38812672
Hi again, I have been researching a little more and I have found Ninite Pro to manage a network for updates.  It does Java and a heap of other things. It also does fresh installs and silent installs.  Anyone had any luck with this program or any similar?
Thanks,
Shaun
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 38814409
First, we need to reckon that there is no bug-free code, and if you need the program or application, we are stuck with it. Business runs over security most of the time, but this is not saying that we cannot minimise the risk and exposure. Overall, this is part of a risk assessment decision and steps to take - we cannot eliminate threats from exploiting those vulnerabilities - not to even mention those unknown unknowns, which is zero day for a start.

We need to detect using the security s/w (they themselves can have bugs or corrupted patches bringing down the system...but we are left with no choice) and prevent using s/w and maintaining always a good security posture, doing all those diligence stuff like patch mgmt, change control, version checking, least privilege, and having process and policy controls reviewed (regular health checks). Some even implement SIEM or have a SOC or NOC to oversee the infrastructure networks and servers/clients.

When a Java zero day is announced, all scramble - why? Because there is this exposure period and we are left with no defenses? Not true, if we have maintained good security and a clean bill of health and end users are security savvy or at least aware (not to be phished or social engineered). But we know we cannot take chances, so best is to disable it from "secure by default" thinking...stay isolated...but we cannot, as business needs to go on...

When Oracle came out with an emergency patch, it was exploited once again - a hasty attempt, but it may have missed out on quality points ....@ http://www.h-online.com/security/news/item/Oracle-s-Java-patch-leaves-a-loophole-1787566.html

If you are interested, you should check out this paper on the Java flaws that surfaced. How many would have been covered and been exploited...it is not easy and straightforward
@ https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf

So all in all, we will preach defense in depth (not saying having two AV), knowing that it is primarily to deter and not stop such attacks. We can only make it harder. Below are some interesting thoughts which you may be interested in...why be at the mercy of the attacker or malware :)

@ http://privacy-pc.com/articles/offensive-countermeasures-making-attackers-lives-miserable.html
LVL 64

Expert Comment

by:btan
ID: 38814417
We would not want to fall into Sony's footsteps

http://www.h-online.com/security/news/item/Sony-fined-Lb250-000-for-2011-PlayStation-Network-breach-Update-1790549.html

.....Access to the network was gained through a vulnerability and ICO found that the administrators of the network had previously failed to address the vulnerability despite the availability of updates that would have closed the hole.
LVL 50

Expert Comment

by:jcimarron
ID: 38815363
shaunwoy---If you need Java for company operations, install the latest
http://java.com/en/download/manual.jsp
Go to Control Panel|Java and then the Security tab.  You will see a slider to increase security as well as a box to Enable/Disable Java.

If you do not need it, uninstall whatever Java is now installed.

The web media offer lots of articles that say some malware vulnerabilities are still present in the Java 7 update 11.  So you have to choose.
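The two Control Panel settings jcimarron points to (the security slider and the Enable/Disable box) can also be enforced machine-wide through a system-level deployment.properties file, which leaves the JRE installed for local applications while switching off Java content in browsers. The script below is an added example, not part of the original thread; the function names, the display-name pattern and the minimum-version value are assumptions, and applying the lockdown needs an elevated PowerShell session.

```powershell
# Added example: inventory installed Java runtimes and lock down browser Java.
# Function names and the default $MinimumVersion are illustrative assumptions.

function Get-JavaInstall {
    # Installers register under the 64-bit and 32-bit uninstall keys.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        # Assumed display names, e.g. "Java 7 Update 11", "Java(TM) 6 Update 31".
        Where-Object { $_.DisplayName -match '^Java(\(TM\))? (\d|SE )' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function Test-JavaOutdated {
    # 7.0.110 is the assumed DisplayVersion form of Java 7 Update 11.
    param([version]$MinimumVersion = '7.0.110')
    Get-JavaInstall | ForEach-Object {
        $v = $_.DisplayVersion -as [version]   # $null if the string is not a version
        [pscustomobject]@{
            Name     = $_.DisplayName
            Version  = $_.DisplayVersion
            Outdated = ($null -eq $v) -or ($v -lt $MinimumVersion)
        }
    }
}

function Set-JavaBrowserLockdown {
    $dir = Join-Path $env:WINDIR 'Sun\Java\Deployment'
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $props = Join-Path $dir 'deployment.properties'
    # deployment.config points every user's Java at the system-wide properties file.
    @("deployment.system.config=file:///$($props -replace '\\','/')",
      'deployment.system.config.mandatory=true') |
        Set-Content -Path (Join-Path $dir 'deployment.config') -Encoding Ascii
    # Same settings as the Control Panel Security tab; ".locked" stops users changing them.
    @('deployment.webjava.enabled=false',
      'deployment.webjava.enabled.locked',
      'deployment.security.level=VERY_HIGH',
      'deployment.security.level.locked') |
        Set-Content -Path $props -Encoding Ascii
}

Test-JavaOutdated | Format-Table -AutoSize
# Set-JavaBrowserLockdown   # uncomment to apply; requires an elevated session
```

Run the inventory first on machines that host Java-dependent software so you know which runtimes are present before changing any setting.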
 

Author Comment

by:shaunwoy
ID: 38816641
Thanks jcimarron,
We do need it, and as it happens, on servers. And the more I read up on it, it seems the latest update has the vulnerability, and sadly the software for Avamar doesn't run without the latest version.