Understanding the Ins and Outs of Java Vulnerabilities and What to Do About It

Paul Henry, Security and Forensics Expert

Russ Ernst, Group Product Manager

March 2013


History of Malware

Timeline: ’82, ’86-’91, Early ’90s, Late ’90s, ’00-’02, ’04, ’05, ’07, ’07-’08, ’09

» Elk Cloner: one of the first recorded PC malware / virus incidents was Elk Cloner back in 1982

» A Floppy Delivery: Brain, Jerusalem, Morris Worm, Michelangelo

» Macros: in the early ’90s, macro viruses were the most popular delivery method

» You’ve Got Mail: email attachments became the vehicle of choice in the late ’90s

» CodeRed, Nimda, FriendGreetings, SoBig, Blaster and Slammer

» You’ve Got More Mail: emailed malware attacks see a resurgence

» RootKits: phishing aided this attack vector

» Crimeware: came of age in 2007 with Mpack

» SQL Injections: SQL injection and stolen credentials began to take off in 2007 - 2008

» APTs

Explosion of Malware

In the 1990s, the number of unique malware instances began explosive growth:

» In 1990 = 9,044 samples

» In 1994 = 28,613

» In 1999 = 98,428

» In 2005 = 333,425

» In 2006 = 972,606

» In 2007 (most dramatic jump) = 5,490,960 samples

» Since 2007, malware samples have more than doubled each and every year

What Can We Learn From History?

We have been fighting the wrong battle

» Our efforts have focused on the delivery of malware, not the endgame of running malicious code in our environments

We simply cannot keep up with the seemingly unlimited ways malware can be delivered

» Obfuscation has also rendered our most common defensive methods obsolete

Definition Of Insanity

in·san·i·ty (n) : Doing the same thing over and over again and expecting a different result

» Continuing down our current path means we will still be talking about this issue for the next 25 years

» There is a much more effective solution!

Looking Specifically At Java

1,342 “Java” related issues

» Covers 129 different products

» Looking only at Oracle Java, there are 159 reported issues

Yes, any company that writes code will have issues, but a secure coding effort can help reduce the number of issues (Microsoft is a good example)

Source: Secunia Advisory and Vulnerability Database

It’s Java, Not JavaScript

The current Java issues are with the Java browser plugin. They are not with:

» Enterprise Java Beans

» Embedded Java

» JavaFX

» JavaScript

Oracle Is Slow To Fix Problems?

In September 2012, Adam Gowdiak of Security Explorations said that of 29 issues reported that year to Oracle (and two reported to Apple), 25 issues still remained to be addressed by Oracle

» http://www.informationweek.com/security/attacks/java-still-not-safe-security-experts-say/240006876

Oracle Is Slow To Fix Problems?

On March 4th 2012, Security Explorations delivered Proof of Concept code to Oracle for 60 issues

» Oracle focuses effort on patches for exploits known to be actively used in the wild; consequently there is a significant pipeline of unpatched vulnerabilities that are cause for valid concern

» Some discovered in 2012 remain unpatched today

Oracle Is Sloppy?

With the recent emergency release of 2 patches for Java 7, Oracle inadvertently made a previously undisclosed vulnerability exploitable

» Java 7 was the result of 5 years of development but some are questioning if enough time was provided in testing before its release

Oracle Is Sloppy?

Within days of the release of patches for Java 7 u11, security researcher Adam Gowdiak reported two new vulnerabilities including a complete Java Sandbox bypass

» In his own words “although it locked the office door in update 7u11, Oracle left the entrance to the building open”

Apple Dangerously Out of Sync?

In September 2012, Apple fell dangerously out of sync with Oracle by releasing what users thought was a Java patch for the current Java issues, but which only patched one issue. This left users woefully exposed to the unpatched issue

» http://blog.lumension.com/5869/deja-vu-apple-dangerously-out-of-sync-with-oracle-patch/

Current State Of Java Insecurity

» We received Java patches on February 1st that corrected 50 issues;

» We received patches on February 19th that corrected yet another 6 issues;

» Since the February 19th patches, 2 new issues have been reported bringing the total to 7 known vulnerabilities in the latest release;

» At Pwn2Own last week 3 more vulnerabilities were made public.

Never Ending Headlines

What Can You Do Right Now?

Only allow Java on specific PCs that require Java, to reduce the overall enterprise Threat Envelope

1. Identify if there is a real business or usability need for the Java plugin by the general user population.

2. Identify assets that do not require the Java plugin and ensure that the plugin is disabled.

3. Ensure that all Java plugin instances are patched on an aggressive schedule.

4. Isolate critical systems that are business process sensitive from the production environment as much as possible.

Wouldn’t it Be Easier to Abandon Java?

• Turning off Java sounds easy

» Apple regularly does it automatically with no notification

» Are you sure you’ve removed all instances of Java?

• Does eliminating Java really solve the problem?

» Do your line of business applications require Java?

Focus On The End Game

The best approach is to use mitigating layered controls and processes on endpoints including:

» Application control whitelisting to defend against unknown payloads;

» Enable native memory security controls in Windows including DEP and ASLR to limit the success of generic memory based attacks;

» Deploy advanced memory-injection attack protection including RMI and Skape/JT to interrupt advanced memory attacks;

» Use device control to block USB-borne malware;

» Utilize strong patch management practices;

» Blacklist outdated plugin versions;

» Adopt the concept of least privilege for end users.
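The deck's "What Can You Do Right Now?" steps (disable the plugin where there is no business need, patch on an aggressive schedule) and the "Blacklist outdated plugin versions" control above both come down to an inventory question: which endpoints still expose an enabled, out-of-date Java browser plugin? The script below is an added example, not code from the presentation or from Lumension. It parses Java's `1.x.y_NN` version strings into comparable tuples, reads the `deployment.webjava.enabled` switch that Java 7u10 and later honour in `deployment.properties`, and reports hosts that violate the policy. The inventory records, the baseline version and the property-file contents are constructed for the example; a real deployment would collect them from the endpoints.

```python
"""Added example (not from the Lumension deck): flag endpoints whose Java
browser plugin is enabled without a business need, or enabled but older
than the approved baseline.

Assumptions, labelled here and in the lead-in:
  * SAMPLE_HOSTS and BASELINE are constructed inventory data.
  * deployment.webjava.enabled is the real Java 7u10+ plugin switch in
    deployment.properties; the file contents below are constructed.
"""
import re

# Java 6/7-era version strings look like "1.7.0_15" (update 15 of Java 7).
# The update number is optional ("1.6.0" means update 0).
_VERSION_RE = re.compile(r"^1\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_java_version(s):
    """Turn "1.7.0_15" into (7, 0, 15) so versions compare as tuples, not
    as strings (string comparison would rank "1.7.0_9" above "1.7.0_15")."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError("unrecognised Java version string: %r" % s)
    major, minor, update = m.groups()
    return (int(major), int(minor), int(update or 0))


def webjava_enabled(deployment_properties):
    """Return False only if deployment.properties explicitly sets
    deployment.webjava.enabled=false. A missing key means the plugin is
    enabled, which is Java's default. Related keys such as
    deployment.webjava.enabled.locked are ignored here."""
    for line in deployment_properties.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "deployment.webjava.enabled":
            return value.strip().lower() != "false"
    return True


def assess(hosts, baseline):
    """Apply the two policy checks to each host record and return
    (hostname, finding) pairs. Hosts with the plugin disabled generate no
    plugin findings; they are still patched on the normal schedule."""
    base = parse_java_version(baseline)
    findings = []
    for h in hosts:
        enabled = webjava_enabled(h["deployment_properties"])
        if not enabled:
            continue
        if not h["needs_plugin"]:
            findings.append((h["name"], "plugin enabled without business need"))
        if parse_java_version(h["java_version"]) < base:
            findings.append((h["name"], "outdated plugin %s below baseline %s"
                             % (h["java_version"], baseline)))
    return findings


# Constructed inventory: hostnames, versions and property files are made up.
BASELINE = "1.7.0_17"
SAMPLE_HOSTS = [
    {"name": "ws-finance-01", "java_version": "1.7.0_17", "needs_plugin": True,
     "deployment_properties": "deployment.webjava.enabled=true\n"},
    {"name": "ws-finance-02", "java_version": "1.7.0_11", "needs_plugin": True,
     "deployment_properties": "deployment.webjava.enabled=true\n"},
    {"name": "ws-sales-07", "java_version": "1.6.0_41", "needs_plugin": False,
     "deployment_properties": "# no webjava key: plugin enabled by default\n"},
    {"name": "ws-hr-03", "java_version": "1.7.0_11", "needs_plugin": False,
     "deployment_properties": ("deployment.webjava.enabled=false\n"
                               "deployment.webjava.enabled.locked\n")},
]


def run_check():
    """Run the policy over the constructed inventory."""
    return assess(SAMPLE_HOSTS, BASELINE)


if __name__ == "__main__":
    for host, finding in run_check():
        print("%-14s %s" % (host, finding))
```

With the constructed data, ws-finance-02 is reported for an outdated plugin, ws-sales-07 for both an unneeded and an outdated plugin, and ws-hr-03 is silent because its plugin is switched off (and locked) even though its JRE is old.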

Defense-in-Depth Strategy

Successful risk mitigation starts with a solid vulnerability management foundation, augmented by additional layered defenses which go beyond the traditional blacklist approach.

» Patch and Configuration Management: Control the Vulnerability Landscape

» Application Control: Control the Grey

» Device Control: Control the Flow

» AV: Control the Known

» Hard Drive and Media Encryption: Control the Data

More Information

• Free Security Scanner Tools

» Application Scanner – discover all the apps being used in your network

» Vulnerability Scanner – discover all OS and application vulnerabilities on your network

» http://www.lumension.com/special-offer/premium-security-tools.aspx

• Lumension® Endpoint Management and Security Suite (L.E.M.S.S.)

» Online Demo Video: http://www.lumension.com/endpoint-management-security-suite/demo-in-detail.aspx

» Free Trial (virtual or download): http://www.lumension.com/endpoint-management-security-suite/free-trial.aspx

• Get a Quote (and more): http://www.lumension.com/endpoint-management-security-suite/buy-now.aspx#2

Global Headquarters

8660 E. Hartford Drive, Suite 300

Scottsdale, AZ 85250

1.888.725.7828

[email protected]