Many organizations are jumping on the “Death to Java” bandwagon, ranting about turning off Java to eliminate risk. However, it is important to put the issue in the proper context. The reality is that a Java vulnerability is not the end game for a cyber criminal; it is merely a delivery mechanism in the quest to install and execute bigger malware.
There is no “one size fits all” recommendation for eliminating Java risks. But you do want to eliminate as much exploitable surface area as reasonably possible on your critical endpoints. This should be the philosophy ingrained in every organization’s security culture. If you’re not having this conversation about Java - and quite frankly about all of the third-party applications in your environment - you are missing the mark and not calculating your risk. Join Paul Henry and Russ Ernst as they bring us up to speed on the Java vulnerabilities and how to limit your exposure without going overboard.
Understanding the Ins and Outs of Java Vulnerabilities and What to do About It
1. Understanding the Ins and Outs of Java Vulnerabilities and What to Do About It
Paul Henry, Security and Forensics Expert
Russ Ernst, Group Product Manager
March 2013
2. History of Malware
Timeline: ’82, ’86-’91, early ’90s, late ’90s, ’00-’02, ’04, ’05, ’07, ’07-’08, ’09
» Elk Cloner, a floppy delivery: one of the first recorded PC malware / virus incidents was Elk Cloner back in 1982
» Brain, Jerusalem, Morris Worm, Michelangelo
» Macros: in the early ’90s, macro viruses were the most popular delivery method
» You’ve Got Mail: email attachments became the vehicle of choice in the late ’90s
» http:// : CodeRed, Nimda, FriendGreetings, SoBig, Blaster and Slammer
» RootKits
» SQL Injections
» Crimeware came of age in 2007 with Mpack; phishing aided this attack vector, and stolen credentials began to take off in 2007 - 2008
» You’ve Got More Mail: emailed malware attacks see a resurgence
» APTs
3. Explosion of Malware
In the 1990s, the unique instances of malware began explosive growth
» In 1990 = 9,044 samples
» In 1994 = 28,613
» In 1999 = 98,428
» In 2005 = 333,425
» In 2006 = 972,606
» In 2007 (most dramatic jump) = 5,490,960 samples
• Since 2007 malware samples have more than doubled each and every year
4. What Can We Learn From History?
We have been fighting the wrong battle
» Our efforts have focused on the delivery of malware, not the endgame of running malicious code in our environments
We simply cannot keep up with the seemingly unlimited ways malware can be delivered
» Obfuscation has also rendered our most common defensive methods obsolete
5. Definition Of Insanity
in·san·i·ty (n) : Doing the same thing over and over again and expecting a different result
» Continuing down our current path means we will still be talking about this issue for the next 25 years
» There is a much more effective solution!
6. Looking Specifically At Java
1,342 “Java” related issues
» Covers 129 different products
» Looking only at Oracle Java, there are 159 reported issues
Yes, any company that writes code will have issues, but a secure coding effort can help reduce the number of issues (Microsoft is a good example)
Source: Secunia Advisory and Vulnerability Database
7. It’s Java, Not JavaScript
The current Java issues are with the Java browser plugin. They are not with:
» Enterprise Java Beans
» Embedded Java
» JavaFX
» JavaScript
8. Oracle Is Slow To Fix Problems?
In September of 2012, Gowdiak at Security Explorations said that of 29 issues reported this year to Oracle, and two reported to Apple, there are still 25 issues remaining yet to be addressed by Oracle
» http://www.informationweek.com/security/attacks/java-still-not-safe-security-experts-say/240006876
9. Oracle Is Slow To Fix Problems?
On March 4th 2012, Security Explorations issued Proof Of Concept code to Oracle for 60 issues
» Oracle focuses effort on patches for exploits known to be actively used in the wild; consequently there is a significant pipeline of unpatched vulnerabilities that are cause for valid concern
» Some discovered in 2012 remain unpatched today
10. Oracle Is Sloppy?
With the recent emergency release of 2 patches for Java 7, Oracle inadvertently made a previously undisclosed vulnerability exploitable
» Java 7 was the result of 5 years of development, but some are questioning if enough time was provided in testing before its release
11. Oracle Is Sloppy?
Within days of the release of patches for Java 7 u11, security researcher Adam Gowdiak reported two new vulnerabilities, including a complete Java Sandbox bypass
» In his own words: “although it locked the office door in update 7u11, Oracle left the entrance to the building open”
12. Apple Dangerously Out of Sync?
In September 2012, Apple fell dangerously out of sync with Oracle by releasing what users thought was a Java patch for current Java issues that only patched one issue. This left users woefully exposed to the unpatched issue
» http://blog.lumension.com/5869/deja-vu-apple-dangerously-out-of-sync-with-oracle-patch/
13. Current State Of Java Insecurity
» We received patches from Java on February 1st that corrected 50 issues;
» We received patches on February 19th that corrected yet another 6 issues;
» Since the February 19th patches, 2 new issues have been reported, bringing the total to 7 known vulnerabilities in the latest release;
» At Pwn2Own last week 3 more vulnerabilities were made public.
15. What Can You Do Right Now?
Only allow Java on specific PCs that require Java, to reduce the overall enterprise Threat Envelope
1. Identify if there is a real business or usability need for the Java plugin by the general user population.
2. Identify assets that do not require the Java plugin and ensure that the plugin is disabled.
3. Ensure that all Java plugin instances are patched on an aggressive schedule.
4. Isolate critical systems that are business process sensitive from the production environment as much as possible.
16. Wouldn’t it Be Easier to Abandon Java?
• Turning off Java sounds easy
» Apple regularly does it automatically with no notification
» Are you sure you’ve removed all instances of Java?
• Does eliminating Java really solve the problem?
» Do your line of business applications require Java?
17. Focus On The End Game
The best approach is to use mitigating layered controls and processes on endpoints, including:
» Application control whitelisting to defend against unknown payloads;
» Enable native memory security controls in Windows, including DEP and ASLR, to limit the success of generic memory based attacks;
» Deploy advanced memory-injection attack protection, including RMI and Skape/JT, to interrupt advanced memory attacks;
» Use device control to block USB-borne malware;
» Utilize strong patch management practices;
» Blacklist outdated plugin versions;
» Adopt the concept of least privilege for end users.
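Steps 2 and 3 of slide 15 (disable the plugin where there is no business need, patch it aggressively where there is) and the "blacklist outdated plugin versions" control above both depend on comparing installed Java versions correctly. The script below is an added example, not from the deck or from Lumension: it triages a constructed inventory of hypothetical hosts into disable / patch / ok / unknown, parsing Oracle's "1.7.0_15"-style version strings so that update 9 is not ranked above update 15 as a string comparison would; the baseline build Java 7u15 is an assumption chosen for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Oracle JRE version strings look like "1.7.0_15" (Java 7 update 15).
# Plain string comparison sorts "1.7.0_9" after "1.7.0_15", so a version
# blacklist built on string matching misses older builds; parse to integers.
VERSION_RE = re.compile(r"^1\.(\d+)\.(\d+)(?:_(\d+))?$")

def parse_java_version(text: str) -> Optional[Tuple[int, int, int]]:
    """'1.7.0_15' -> (7, 0, 15); None when the string is not a JRE version."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, update = m.groups()
    return (int(major), int(minor), int(update or 0))

def triage(inventory: str, min_patched: Tuple[int, int, int]) -> Dict[str, List[str]]:
    """Sort 'host,needs_plugin,version' lines into the actions from slide 15:
    disable = no business need for the plugin (step 2); patch = needed but
    older than min_patched (step 3); ok = current or no JRE; unknown = bad data."""
    buckets: Dict[str, List[str]] = {"disable": [], "patch": [], "ok": [], "unknown": []}
    for line in inventory.strip().splitlines():
        host, needs, ver_text = [f.strip() for f in line.split(",")]
        if ver_text.lower() in ("", "none"):
            buckets["ok"].append(host)  # no JRE installed, nothing to do
            continue
        version = parse_java_version(ver_text)
        if version is None:
            buckets["unknown"].append(host)  # flag bad data instead of skipping it
        elif needs.lower() != "yes":
            buckets["disable"].append(host)
        elif version < min_patched:
            buckets["patch"].append(host)
        else:
            buckets["ok"].append(host)
    return buckets

# Constructed sample inventory (hypothetical hosts): host, needs_plugin, installed JRE
SAMPLE_INVENTORY = """
ws-finance-01,yes,1.7.0_15
ws-hr-02,no,1.7.0_13
ws-dev-03,yes,1.7.0_9
ws-lab-04,yes,1.6.0_41
kiosk-05,no,none
srv-app-06,yes,7.0_garbage
"""
# Baseline build assumed for the example: Java 7 update 15.
MIN_PATCHED = (7, 0, 15)
```

Calling `triage(SAMPLE_INVENTORY, MIN_PATCHED)` on the sample puts ws-hr-02 in disable, ws-dev-03 and ws-lab-04 in patch, and srv-app-06 in unknown because its version string is not a JRE version.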
18. Defense-in-Depth Strategy
Successful risk mitigation starts with a solid vulnerability management foundation, augmented by additional layered defenses which go beyond the traditional blacklist approach.
Layers (from the slide diagram):
» AV - Control the Known
» Device Control - Control the Flow
» Hard Drive and Media Encryption - Control the Data
» Application Control - Control the Grey
» Patch and Configuration Management - Control the Vulnerability Landscape
19. More Information
• Free Security Scanner Tools
» Application Scanner – discover all the apps being used in your network
» Vulnerability Scanner – discover all OS and application vulnerabilities on your network
» http://www.lumension.com/special-offer/premium-security-tools.aspx
• Get a Quote (and more)
» http://www.lumension.com/endpoint-management-security-suite/buy-now.aspx#2
• Lumension® Endpoint Management and Security Suite (L.E.M.S.S.)
» Online Demo Video: http://www.lumension.com/endpoint-management-security-suite/demo-in-detail.aspx
» Free Trial (virtual or download): http://www.lumension.com/endpoint-management-security-suite/free-trial.aspx