Defending Against Java

- July 24th, 2013


Java offers enterprises the ability to write code once and run it everywhere. However, this flexibility comes with a high cost: reduced security on endpoints. It has lately gotten so bad that Java has been nicknamed Just Another Vulnerability Announcement. Oracle has been working to produce updates to Java that address these vulnerabilities, but many enterprises are slow to roll out the updates.

We’ve recently conducted internal tests against fully patched Windows 7 systems using Metasploit. Our team had great success breaking into these systems by exploiting the vulnerabilities in Java. All of our testing was done using the latest releases from Oracle and the latest exploits obtained from various penetration testing web sites. Recent articles have highlighted that many enterprises are running old versions of Java. Our testing showed that companies are still vulnerable, even with the latest version.

[Figure: Exploiting Java with Metasploit]

How should a company defend itself against Java exploits when even the latest version can still be exploited? For me, the answer is simple: Application Whitelisting.

SANS has listed Application Whitelisting as the number one solution for controlling unauthorized software. Our internal testing showed that Application Control blocked signed Java exploit attacks that would normally bypass anti-virus and other traditional security technologies.

I have restricted running Java to secure virtual machines or to systems secured with application whitelisting. Enterprises using any version of Java should consider its use case within the organization and then definitely investigate using whitelisting as a defense against Java exploits.
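The whitelisting approach described above, as an added example that is not part of the original post and not Lumension's product: a PowerShell script using the AppLocker cmdlets built into Windows 7 Enterprise and later. It builds allow rules for the executables Oracle installs (by publisher signature, falling back to file hash), merges them into the local policy in audit mode, and checks how the policy would decide for the installed JVM versus a file in a user-writable Temp directory. The Java install path, the policy file location, the JRE binary path and the Temp file name are all assumptions; the Temp file is a constructed placeholder created only so the test cmdlet has something to hash.

```powershell
# Added example (not from the original post or Lumension's product): build and
# audit an AppLocker allow-list for Java on Windows 7 Enterprise / Server 2008 R2
# or later. Assumptions: Java lives under C:\Program Files\Java (the default
# vendor path), $policyFile is an arbitrary location, and the Temp sample below
# is a constructed placeholder. Run from an elevated PowerShell session.

Import-Module AppLocker

$policyFile = "C:\Policies\java-allowlist.xml"   # assumed location
New-Item -ItemType Directory -Path (Split-Path $policyFile) -Force | Out-Null

# 1. Collect publisher and hash information for every executable Oracle installed.
$javaFiles = Get-AppLockerFileInformation -Directory "C:\Program Files\Java" `
    -Recurse -FileType Exe

# 2. Generate allow rules: publisher rules where the binary is Authenticode-signed,
#    hash rules as a fallback for unsigned files. Once the Exe collection is
#    enforced, anything not matched by an allow rule is denied.
$policyXml = New-AppLockerPolicy -FileInformation $javaFiles `
    -RuleType Publisher, Hash -User Everyone -RuleNamePrefix "Java" -Optimize -Xml

# 3. Start in AuditOnly: launches that would be blocked are logged as Event ID
#    8003 under Applications and Services Logs\Microsoft\Windows\AppLocker\EXE and DLL,
#    which is the data you review before switching EnforcementMode to Enabled.
$policyXml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"' |
    Set-Content -Path $policyFile -Encoding Unicode

# 4. Merge with the existing local policy rather than replacing it, so the default
#    rules allowing %WINDIR% and %PROGRAMFILES% survive (without them the machine
#    becomes unusable when enforcement is turned on).
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge

# 5. AppLocker evaluates nothing unless the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 6. Check the decisions the policy would make: the installed JVM should be
#    Allowed, a payload written to a user-writable Temp directory Denied.
$sample = Join-Path $env:LOCALAPPDATA "Temp\dropped-sample.exe"   # constructed
New-Item -ItemType File -Path $sample -Force | Out-Null            # placeholder only
$checks = @(
    "C:\Program Files\Java\jre7\bin\javaw.exe",   # assumed JRE path
    $sample
)
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $checks -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

Two points worth keeping in mind when reading the output. Publisher rules are what make this more than a path rule: they pin the vendor signature (and, if edited in the XML, a minimum version), so a renamed or relocated binary does not inherit trust. AppLocker's Exe rules decide which processes may start; they govern the stage where an exploit drops and launches a payload, not code that runs entirely inside the already-allowed javaw.exe process, so the audit log should be read with that scope in mind.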

Editor’s Note (Updated)

For more information on securing Java, check out new resources (including a Java Scanner) available in the Java Survival Guide.


About the Author

Daniel M. Teal is a Senior Architect at Lumension and a 24-year veteran of the computer security field. Dan was CTO at CoreTrace Corporation prior to the 2012 acquisition and is a graduate of the Massachusetts Institute of Technology. He also spent time at the Air Force Information Warfare Center (AFIWC) as a specialist in the field of intrusion detection.

Follow Daniel M. on Twitter @danteal

blog.lumension.com