January 28, 2013

Practical IT: How to Deal with Another Round of Zero Day Java Exploits

Forcepoint

“Patch Java and you’ll be protected against Java threats”

We seem to hear this constantly, not just in the last few months, but for years. Way back in Nov. 2011, we were told that if we had Java 6 Update 29 or Java 7 Update 1, we wouldn’t be vulnerable to the security weaknesses in the headlines. Yet with each update, vulnerabilities continue to be discovered and exploited. We even had two Java 0-day exploits included in kits before Oracle had patches prepared. And despite the patches, we continue to hear about new vulnerabilities.

Protecting websites from exploitation

End user infections occur when a user visits or “drives by” the website hosting the exploit code. These websites are most frequently legitimate sites that have been compromised, meaning that the clean site you visited yesterday is now infected.

If you are a website administrator, this can make life challenging. You have to routinely inspect all of your internet-accessible servers to make sure you are not contributing to machines being infected across the globe. One way to do this is through a solution that can categorize all installed software as “known-good” or “known-bad,” based on the latest public notices, and even blacklist or whitelist applications.

File Integrity Monitoring (FIM) and Change Detection tools are also useful to alert you when modifications have occurred on your systems. 
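To make the FIM point concrete, here is a minimal baseline-and-compare check in Python, added as an example (it is not the post’s or any product’s code). It hashes every file under a web root with SHA-256, keeps the result as a baseline, and later reports files that were added, removed or changed. The `demo()` function builds a throwaway directory with constructed content, takes a baseline, edits one page and drops one new file, then runs the comparison; the file names and contents are all constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Set


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Set[str]]:
    """Report files added, removed, or with a changed digest since the baseline."""
    before, after = set(baseline), set(current)
    return {
        "added": after - before,
        "removed": before - after,
        "modified": {name for name in before & after if baseline[name] != current[name]},
    }


def demo() -> Dict[str, Set[str]]:
    """Build a constructed web root, baseline it, change it, and diff the result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<html><body>welcome</body></html>\n")
        (root / "js").mkdir()
        (root / "js" / "site.js").write_text("console.log('site');\n")
        baseline = snapshot(root)

        # Constructed changes standing in for what an administrator wants to be
        # alerted on: an existing page edited, and a file that was never deployed.
        (root / "index.html").write_text("<html><body>welcome<!-- edited --></body></html>\n")
        (root / "js" / "extra.js").write_text("console.log('not in baseline');\n")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {sorted(names) or '-'}")
```

In practice the baseline would be written to storage the web server cannot modify and the comparison scheduled, so that an alert fires on the first change rather than on the next manual inspection.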

Don’t let endpoints be your downfall

In an ideal world you would uninstall Java completely from all of your endpoints. I would say the same thing about any program that has been as challenged by vulnerabilities. But with Java installed on more than three billion devices worldwide, this could be a daunting task.

Patching could be a sufficient countermeasure, if patches existed. However, the window of exposure from exploit proof-of-concept to patch is too much of a risk for most organizations. Even when patches are available, machines across the globe are still not being patched. Three of the entries in the ‘Top Web Exploits’ list for Jan. 19 exploit vulnerabilities whose patches have been available for more than three years. Unfortunately, AV isn’t a help in this arena, because while the exploits may be old, the binaries are often too fresh for signature matching.

So what to do? Based on my discussions with other pros and my own experience, I’ll be presenting a series on how to mitigate Java risks to protect your endpoints. We’ll look at proactive, immediate, and long-term prophylactic measures. Here’s what you can start acting on now:

  1. Notify your executive team of the risks associated with Java. Education is part of your role, and it may even help you gain incremental budget.
  2. Know what has been deployed in your environment and on what systems; and uninstall Java on all systems if it is not needed.
  3. If Java is needed, make sure you have a strong patch management program in place. You can also tweak the Java security settings to increase your posture. You can quickly review how to change the security settings in Internet Explorer at http://support.microsoft.com/kb/182569. I’ll elaborate on this in more detail in a future post (I’ll also explain why I don’t necessarily believe in the two-browser approach some are touting).
  4. Ensure your Intrusion Detection Systems are configured to look for old Java versions, which can stay on an endpoint even after installation of newer versions.
  5. Don’t forget your laptops when they’re not connected to the network! This can be a blind spot if you don’t have cloud protection services.
  6. Protect your network using a solution that sees vulnerabilities in real time and can stop them before impacting your environment.
  7. Auditing and logging can be your friends. The easiest method is to get this rolling via a Group Policy within Active Directory (AD), assuming your computers are part of an AD Domain. The next obvious step would be to monitor your logs! If a tree falls in the forest…
  8. Ideally, your logs are being sent to a SIEM for analysis. Logs can be leveraged to validate that the preventative measures you have put in place are effective.
  9. This could be a prime opportunity for IT to have the ability to make real changes in their environment and ultimately reduce the company’s exposure to current and future threats!
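Items 2 and 4 above both come down to visibility into which Java versions are actually in use, including old installs that linger beside newer ones. The following Python script is an added example (not part of the original post) of getting that visibility from web-proxy logs: the JRE’s own HTTP client identifies itself with a User-Agent of the form `Java/1.7.0_11`, so any request carrying such a header reveals the family and update level of a running JRE, whatever the endpoint inventory says. The log line format, the sample lines, the client addresses and the `BASELINE_UPDATE` values are all constructed for the example; set the baseline from the vendor’s current release before relying on it.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample proxy log for this example (not from the original post).
# Assumed line format: <timestamp> <client-ip> <url> "<user-agent>"
SAMPLE_PROXY_LOG = """\
2013-01-28T09:12:01Z 10.0.0.15 http://cdn.example.invalid/app.jar "Java/1.6.0_29"
2013-01-28T09:12:05Z 10.0.0.15 http://cdn.example.invalid/app.jar "Java/1.7.0_11"
2013-01-28T09:13:10Z 10.0.0.22 http://cdn.example.invalid/lib.jar "Java/1.7.0_10"
2013-01-28T09:14:00Z 10.0.0.31 http://www.example.invalid/ "Mozilla/5.0 (Windows NT 6.1)"
2013-01-28T09:15:42Z 10.0.0.40 http://cdn.example.invalid/app.jar "Java/1.7.0_11"
"""

# Assumed minimum acceptable update level per Java family (6 -> 6uNN, 7 -> 7uNN).
# These values are illustrative only; take the real baseline from the vendor's
# current release notes and keep it updated.
BASELINE_UPDATE: Dict[int, int] = {6: 38, 7: 11}

LOG_LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')
# The JRE's HTTP client sends "Java/<java.version>", e.g. Java/1.7.0_11:
# group 1 is the family (7), group 2 the update number (11).
JAVA_UA_RE = re.compile(r'^Java/1\.(\d+)\.\d+_(\d+)$')

Version = Tuple[int, int]  # (family, update)


def parse_java_ua(user_agent: str) -> Optional[Version]:
    """Return (family, update) for a JRE User-Agent, None for any other client."""
    m = JAVA_UA_RE.match(user_agent)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def java_versions_by_host(log_text: str) -> Dict[str, Set[Version]]:
    """Map each client IP to every JRE version it has been seen using."""
    seen: Dict[str, Set[Version]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        _ts, client, _url, ua = m.groups()
        version = parse_java_ua(ua)
        if version is not None:
            seen[client].add(version)
    return dict(seen)


def is_outdated(version: Version, baseline: Dict[int, int] = BASELINE_UPDATE) -> bool:
    """True when the update level is below the baseline for its family.
    A family with no baseline entry (e.g. Java 5) is treated as outdated."""
    family, update = version
    minimum = baseline.get(family)
    return minimum is None or update < minimum


def find_outdated_hosts(log_text: str, baseline: Dict[int, int] = BASELINE_UPDATE) -> List[dict]:
    """One finding per host that used an outdated JRE. 'multiple' is set when the
    host also used another version, the lingering-old-install case from item 4."""
    findings = []
    for client, versions in sorted(java_versions_by_host(log_text).items()):
        outdated = sorted(v for v in versions if is_outdated(v, baseline))
        if outdated:
            findings.append({"client": client, "outdated": outdated,
                             "multiple": len(versions) > 1})
    return findings


if __name__ == "__main__":
    for f in find_outdated_hosts(SAMPLE_PROXY_LOG):
        versions = ", ".join(f"{fam}u{upd}" for fam, upd in f["outdated"])
        note = " (more than one JRE version seen)" if f["multiple"] else ""
        print(f"{f['client']}: outdated Java {versions}{note}")
```

On the constructed log this flags 10.0.0.15 for still using Java 6u29 alongside a current 7u11 (exactly the side-by-side case item 4 warns about) and 10.0.0.22 for 7u10, while the host with only 7u11 and the browser-only host produce nothing. The same matching can be expressed as an IDS or proxy rule on the User-Agent header; the script is simply the offline form of that check.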

You’ve probably got all these concepts already in place, so in the next post we’ll begin to address Immediate and Mid-Term Planning. Until then, I’d love to hear what approaches you have rolled out or are considering to handle Java in your organizations.
