Understanding the Ins and Outs of Java Vulnerabilities and What to Do About It
TRANSCRIPT
Paul Henry, Security and Forensics Expert
Russ Ernst, Group Product Manager
March 2013
History of Malware
One of the first recorded PC malware / virus incidents was Elk Cloner back in 1982.
» ’82: Elk Cloner
» ’86-’91: A Floppy Delivery: Brain, Jerusalem, Morris Worm, Michelangelo
» Early ’90s: Macros: in the early ’90s, macro viruses were the most popular delivery method
» Late ’90s: You’ve Got Mail: email attachments became the vehicle of choice in the late ’90s
» ’00-’02: CodeRed, Nimda, FriendGreetings, SoBig, Blaster and Slammer
» ’04: You’ve Got More Mail: emailed malware attacks see a resurgence
» ’05: RootKits: phishing aided this attack vector
» ’07: Crimeware: came of age in 2007 with Mpack
» ’07-’08: SQL Injections and stolen credentials began to take off in 2007 - 2008
» ’09: APTs
Explosion of Malware
In the 1990s, the unique instances of malware began explosive growth
» In 1990 = 9,044 samples
» In 1994 = 28,613
» In 1999 = 98,428
» In 2005 = 333,425
» In 2006 = 972,606
» In 2007 (most dramatic jump) = 5,490,960 samples
• Since 2007 malware samples have more than doubled each and every year
What Can We Learn From History?
We have been fighting the wrong battle
» Our efforts have focused on the delivery of malware, not the endgame of running malicious code in our environments
We simply cannot keep up with the seemingly unlimited ways malware can be delivered
» Obfuscation has also rendered our most common defensive methods obsolete
Definition Of Insanity
in·san·i·ty (n): Doing the same thing over and over again and expecting a different result
» Continuing down our current path means we will still be talking about this issue for the next 25 years
» There is a much more effective solution!
Looking Specifically At Java
1,342 “Java” related issues
» Covers 129 different products
» Looking only at Oracle Java, there are 159 reported issues
Yes, any company that writes code will have issues, but a secure coding effort can help reduce the number of issues (Microsoft is a good example)
Source: Secunia Advisory and Vulnerability Database
It’s Java, Not JavaScript
The current Java issues are with the Java browser plugin. They are not with:
» Enterprise Java Beans
» Embedded Java
» JavaFX
» JavaScript
Oracle Is Slow To Fix Problems?
In September of 2012, Gowdiak at Security Explorations said that of 29 issues reported this year to Oracle, and two reported to Apple, there are still 25 issues remaining yet to be addressed by Oracle
» http://www.informationweek.com/security/attacks/java-still-not-safe-security-experts-say/240006876
Oracle Is Slow To Fix Problems?
On March 4th 2012, Security Explorations issued Proof Of Concept code to Oracle for 60 issues
» Oracle focuses effort on patches for exploits known to be actively used in the wild; consequently there is a significant pipeline of unpatched vulnerabilities that are cause for valid concern
» Some discovered in 2012 remain unpatched today
Oracle Is Sloppy?
With the recent emergency release of 2 patches for Java 7, Oracle inadvertently made a previously undisclosed vulnerability exploitable
» Java 7 was the result of 5 years of development, but some are questioning if enough time was provided in testing before its release
Oracle Is Sloppy?
Within days of the release of patches for Java 7u11, security researcher Adam Gowdiak reported two new vulnerabilities including a complete Java Sandbox bypass
» In his own words: “although it locked the office door in update 7u11, Oracle left the entrance to the building open”
Apple Dangerously Out of Sync?
In September 2012, Apple fell dangerously out of sync with Oracle by releasing what users thought was a Java patch for current Java issues that only patched one issue. This left users woefully exposed to the unpatched issue
» http://blog.lumension.com/5869/deja-vu-apple-dangerously-out-of-sync-with-oracle-patch/
Current State Of Java Insecurity
» We received patches from Java on February 1st that corrected 50 issues;
» We received patches on February 19th that corrected yet another 6 issues;
» Since the February 19th patches, 2 new issues have been reported, bringing the total to 7 known vulnerabilities in the latest release;
» At Pwn2Own last week 3 more vulnerabilities were made public.
What Can You Do Right Now?
Only allow Java on specific PCs that require Java, to reduce the overall enterprise Threat Envelope
1. Identify if there is a real business or usability need for the Java plugin by the general user population.
2. Identify assets that do not require the Java plugin and ensure that the plugin is disabled.
3. Ensure that all Java plugin instances are patched on an aggressive schedule.
4. Isolate critical systems that are business process sensitive from the production environment as much as possible.
Wouldn’t It Be Easier to Abandon Java?
• Turning off Java sounds easy
» Apple regularly does it automatically with no notification
» Are you sure you’ve removed all instances of Java?
• Does eliminating Java really solve the problem?
» Do your line of business applications require Java?
Focus On The End Game
The best approach is to use mitigating layered controls and processes on endpoints including:
» Application control whitelisting to defend against unknown payloads;
» Enable native memory security controls in Windows including DEP and ASLR to limit the success of generic memory based attacks;
» Deploy advanced memory-injection attack protection including RMI and Skape/JT to interrupt advanced memory attacks;
» Use device control to block USB-borne malware;
» Utilize strong patch management practices;
» Blacklist outdated plugin versions;
» Adopt the concept of least privilege for end users.
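As an added illustration of steps 1 to 3 of “What Can You Do Right Now?” and of the “blacklist outdated plugin versions” control above (example code written for this transcript, not Lumension’s tooling or any real scanner), the following Python script audits a Java plugin inventory against a minimum-version policy. The host records, their `needs_java` flags and the installed versions are constructed data; the minimum of 1.7.0_11 is simply the update named earlier in the deck and stands in for whatever the current release is when the audit runs. The point it makes beyond the slide is that Java version strings such as `1.7.0_9` and `1.7.0_11` cannot be compared as text, so a naive blacklist will pass outdated plugins.

```python
"""Audit a Java browser plugin inventory against a minimum-version policy.

Constructed example: the hosts, versions and policy below are made-up
illustration data, not the output of a real inventory tool.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Java version strings of this era look like "1.7.0_11" (Java 7 update 11).
# Plain string comparison orders them wrongly ("1.7.0_9" > "1.7.0_11"), so
# each component is parsed into an integer before any comparison is made.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_java_version(text: str) -> tuple:
    """Turn '1.7.0_11' into (1, 7, 0, 11); a missing update number becomes 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


@dataclass
class Host:
    name: str
    needs_java: bool              # outcome of the business-need review (step 1)
    java_version: Optional[str]   # None when no JRE is installed at all
    plugin_enabled: bool          # state of the Java browser plugin on the host


def audit(hosts, minimum_version: str):
    """Return (host, action) findings for every host that violates the policy.

    Policy: a host with no business need must have the plugin disabled
    (step 2); any installed JRE older than `minimum_version`, including one
    from an older Java family, is reported as outdated (step 3 / blacklist).
    """
    minimum = parse_java_version(minimum_version)
    findings = []
    for host in hosts:
        if host.java_version is None:
            continue  # nothing installed, nothing to do
        installed = parse_java_version(host.java_version)
        if not host.needs_java and host.plugin_enabled:
            findings.append((host.name, "disable Java browser plugin: no business need"))
        if installed < minimum:
            findings.append((host.name,
                             f"outdated Java {host.java_version}: "
                             f"patch to at least {minimum_version} or blacklist"))
    return findings


# Constructed inventory for illustration only (not real hosts).
SAMPLE_HOSTS = [
    Host("fin-01", needs_java=True, java_version="1.7.0_11", plugin_enabled=True),
    Host("fin-02", needs_java=True, java_version="1.7.0_9", plugin_enabled=True),
    Host("hr-07", needs_java=False, java_version="1.7.0_11", plugin_enabled=True),
    Host("hr-08", needs_java=False, java_version="1.6.0_30", plugin_enabled=False),
    Host("kiosk-3", needs_java=False, java_version=None, plugin_enabled=False),
]

if __name__ == "__main__":
    # Assumed policy minimum: the 7u11 update mentioned in the deck.
    for name, action in audit(SAMPLE_HOSTS, "1.7.0_11"):
        print(f"{name}: {action}")
```

Feeding the script a real inventory only requires producing `Host` records from whatever asset tool you already run; the `needs_java` flag is the output of the business-need review in step 1 and cannot be derived from the machine itself.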
Defense-in-Depth Strategy
Successful risk mitigation starts with a solid vulnerability management foundation, augmented by additional layered defenses which go beyond the traditional blacklist approach.
» Patch and Configuration Management: Control the Vulnerability Landscape
» Application Control: Control the Grey
» Device Control: Control the Flow
» AV: Control the Known
» Hard Drive and Media Encryption: Control the Data
More Information
• Free Security Scanner Tools
» Application Scanner: discover all the apps being used in your network
» Vulnerability Scanner: discover all OS and application vulnerabilities on your network
» http://www.lumension.com/special-offer/premium-security-tools.aspx
• Lumension® Endpoint Management and Security Suite (L.E.M.S.S.)
» Online Demo Video: http://www.lumension.com/endpoint-management-security-suite/demo-in-detail.aspx
» Free Trial (virtual or download): http://www.lumension.com/endpoint-management-security-suite/free-trial.aspx
• Get a Quote (and more): http://www.lumension.com/endpoint-management-security-suite/buy-now.aspx#2
Global Headquarters
8660 E. Hartford Drive
Suite 300
Scottsdale, AZ 85250
1.888.725.7828