I am assuming you are reading this now because you saw this Security Alert for CVE-2013-4022 Released and:
- the panic has set in, or
- Oracle and Java have taken its toll or
- You are now getting e-mails from your executives asking if you are aware, and what you are doing about this!
Let’s quickly assess what the Internet is yelling at us about, and what the real threats are.First off let’s look at the obvious.
There have always been problems with Java. Research demonstrates that a large number of attacks or breaches from last year were a direct result of threats related to Java. Kaspersky Lab estimated that last year 50 percent of all website exploitations were due to vulnerabilities in Java. Platforms that could be vulnerable include Windows, OSX, Linux and pretty much any system you are using that has a browser and java enabled. The United States Department of Homeland Security and Public Safety Canada advised users to disable java in their browsers.
How and What to Exploit.
The way Java is exploited is through an Exploit kit (available for sale online) putting the ability to attack you in the hands of relatively inexperienced attackers. They are using these kits to steal credit card data, personal information and potentially do other harm. Because these kits are being sold all over the Internet it harm spreads very quickly. McAfee covers this in greater detail here.
How to protect.
The 100% guaranteed fix is turn off Java all together, or disable it in your browser (personally this is what I have done). Here’s how to do it.
Now we all know this is not the solution for all scenarios because of how entrenched Java is in business. There are so many internal applications that rely on Java to operate that turning it off internally may end up hindering business. Fortunately there are other ways to protect yourself and your users.
- Make sure you are patched and up to date. While several researchers are saying that the time it will really take Oracle to fix all the problems could take very long time. H.D. Moore, Chief Security Officer of Rapid7, said it could take two years for Oracle to fix all the security flaws in the version of Java used to surf the web; that timeframe doesn’t count any additional Java exploits discovered in the future.
- Make sure your security tools are tuned and have current signatures. Most security vendors have said that their tools are able to block known .jar files that are served up by various exploit kits.
- If you are using a web gateway product make sure you have turned on the web reputation services. Because the exploit will likely be delivered via the web, a web gateway can be the key to successfully defending against this (Learn more about drive by downloads here) Security vendors find malicious sites (intentionally or otherwise) and update their systems to prevent your users from visiting them. This will ensure that you have the most updated security intelligence from around the world that your vendor provides.
- Some firewalls/proxies/web gateways will allow you to flat out block any .jar file all together. This will reduce the likelihood of exploitation but may break essential content on external websites.
- Create some new content for your Security Information Event Management System (learn more about SIEM) to watch for users downloading new .jar files and then correlate that to users communicating to know blacklisted sites across the internet.
- As a last effort you can also go into the Java control panel under the security tab and set the security level to very high. Most should already be set to high but moving it to very high will limit some other unknown apps from running.
What we need to know is that we have many layers protecting us to ensure where one layer falls short we may be notified at another. If you wish to talk to someone that can help plan a strategy or design a solution please leave a comment below and someone from our security team will respond as quickly as we can. Or talk to your Softchoice rep about how to implement some of these solutions in your network.