Kaseya Community

Java-Exploit - Community-Procedure to disable Java in Browsers

This question is answered

Hello KProcedure-Experts!

We've to hurry up ... kick yourself ... we ALL need a "disable Java in Browser-Procedure"!

Read >>> https://krebsonsecurity.com/2012/08/attackers-pounce-on-zero-day-java-exploit/

If anyone will help to develop ... I think we must have the following procedures:

- one master piece of procedure, that calls the following:

- windows, disable java in firefox         
- windows, disable java in internet explorer
- windows, disable java in safari
- windows, disable java in opera 

- linux, disable in firefox?

- mac, disable in safari
- mac, disable in firefox
- mac, disable in ???

Which one is yours? ;)

 

Verified Answer
  • I just confirmed that the KSDU module updates Java 7 to the latest version from Oracle (7.0.70.10). You may have to kick off a 'manual' catalog update (just go to Application Settings -> Schedule -> Configure Schedules and set the schedule to 1 or 2 minutes past the present time) but it will update the master catalog.

    If you were using KSDU you could, by policy, have had all your machines patched today without ever having to lift a finger.

    Just sayin'. :)

All Replies
  • I'm not disabling any plug-ins. This type of exploit happens a lot with Java, but for some reason it's getting a lot of media coverage this time. In my opinion, the proper response is to wait for an update and deploy as usual. It doesn't make any sense to disable everyone and wait to see what breaks. The risk for being exploited is rather low and it would require a user to visit a specially crafted website (sound familiar?) which is tough to prevent anyway.

  • Wait for an update, when Oracle's known about the flaw since April and haven't done anything? Historically, they're terrible about this sort of thing.

    Sophos have been saying for a while now that Java is the most dangerous plugin you can be running in your browser. This is just one more nail in the coffin.

  • All the drama is amusing, but the fact of the matter is we all have clients that use Java (yes, even the plugin) at some level. I don't believe breaking line of business applications is justified regardless of the hysteria. Let the media beat up Oracle so they get pressured into updating their stuff. We don't need to beat up ourselves too.

    If a client approaches you about disabling Java, that is a different matter. That opens the door to discuss risks and potentially moving away from critical applications, if any, which require Java. Or maybe you want to start the discussion without them asking... your call. Just disabling the plugin globally is the wrong move.

  • I hope the drama will be amusing to you when, between now and October when Oracle puts out their regularly-scheduled update, you have to fend off malware incursions brought on by Java exploits.

    There's a line somewhere between "there's nothing to fear but fear itself" and "the sky is falling." Each of us has to decide where that line is, for ourselves.

  • 0-days come out every day. Just because this one is Java related doesn't make it any different. If one comes out for IE tomorrow, are you going to disable IE for all your clients, too?

  • Well, let's be fair: This isn't really a "0-day," whatever that really means anymore, since the vulnerability is now acknowledged to have been known by Oracle since April. And I'll go ahead and bite on your rhetorical, snarky question and say that if I thought the threat was bad enough, yes, I would cripple IE until I had a better fix.

    When a security team that I respect such as Sophos advises in no uncertain terms that this particular exploit is very bad news, I'm inclined to take it seriously. I'm not reacting to "news hype," I'm not panicking because Slashdot says to, or anything like that, for Pete's sake.

    So what am I actually doing with Java 7? I'm turning off the BHO in IE, for the time being. That's it. I'm not forcibly uninstalling Java from everywhere, I'm not sending out scary emails, I'm just taking a quick and reasonable precaution. In our client base, very few clients rely upon Java for business productivity. Your mileage will vary, yadda yadda. For those clients who do, we'll work to get a secure work-around in place (probably involving Java 6 for now, though that's not a "perfect" solution either for various reasons). Actually, the LOB apps which rely on Java that I know of all use their own bottled versions anyway to avoid dealing with the moving-target nature of Java upgrades. I'll bet you a doughnut that no more than two of our clients will even notice what I've done, which is as it should be.

  • So basically you think this threat is bad enough to cause widespread mania and problems throughout all your clients even though it requires a user to visit a specially crafted website most likely through means of under-education by blindly clicking links or falling into a social engineering trap.

    Gotcha.

    Props to Sophos, though.  They are a very good company about telling things the way they are - even when they get compromised themselves like what happened in April.

  • ...seriously?

    I just said that nobody will even notice what I've done. "Widespread mania and problems," indeed. I disabled a Java plugin, not the contents of System32.

    I've said my piece and stated my reasoning, I guess I'm done here now. Good grief.

  • You misunderstood -- I meant the resulting exploits would cause widespread mania and problems, not you disabling Java. :)

  • The tone of this thread is starting to suck. Here are the two schools of thought:

    1. The workaround is a necessary precaution, the vulnerability is a real threat, and disabling will not impact users

    2. The workaround is not a necessary precaution, the vulnerability is not a real threat, and disabling will impact users

    Do your own research and come up with an appropriate plan for you and your clients.

    As far as the original question, we can disable the plugin like this:

    HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\UseNewJavaPlugin (DWORD, 0)

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in\UseNewJavaPlugin (DWORD, 0)

    HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\[#version#]\UseJava2IExplorer (DWORD, 0)

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in\[#version#]\UseJava2IExplorer (DWORD, 0)

    http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/

    http://www.kb.cert.org/vuls/id/636312



    [edited by: SMason at 2:17 PM (GMT -7) on 30 Aug 2012] One more correction
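
Added example, not part of the original thread or of SMason's post: a PowerShell script that audits or sets the registry values listed above in both the native and Wow6432Node views. It assumes `[#version#]` stands for each version subkey under `Java Plug-in`; the `-Audit` switch and the `Set-OrReport` function are names made up for this example.

```powershell
# Added example: audit or apply the registry values from the post above.
# Run elevated. With -Audit the script only reports; without it, values are set to 0.
param([switch]$Audit)

$roots = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Plug-in',
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in'
)

# Hypothetical helper: report the current DWORD, and set it to 0 unless auditing.
function Set-OrReport {
    param([string]$Path, [string]$Name)
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if (-not $Audit) {
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value 0 -Force | Out-Null
    }
    [pscustomobject]@{
        Key       = $Path
        Value     = $Name
        Before    = $current                      # $null means the value did not exist
        Compliant = ((-not $Audit) -or ($current -eq 0))
    }
}

$results = foreach ($root in $roots) {
    # Key absent: no Java plug-in registered in this registry view.
    if (-not (Test-Path -Path $root)) { continue }

    Set-OrReport -Path $root -Name 'UseNewJavaPlugin'

    # Assumption: [#version#] in the post is one subkey per installed plug-in version.
    Get-ChildItem -Path $root | ForEach-Object {
        Set-OrReport -Path $_.PSPath -Name 'UseJava2IExplorer'
    }
}

$results | Format-Table -AutoSize

# A non-zero exit code lets a deployment tool flag machines that still need the change.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
```

Running it with `-Audit` first shows which machines have the plug-in registered at all, which helps identify clients that may depend on it before the values are changed.
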
  • We use Ninite. We just pushed out the update to most of our users by running the agent procedure to upgrade Java/Java 7. I say most because we have more internal improvements to make with how we notify end users of these types of updates, i.e. that an immediate update is happening and that they will need to restart their browsers.

  • Ufff ... 24 hours no time for the community ... :) Thanks all! Thanks SMason - I've uninstalled Java on each machine that doesn't MUST HAVE it installed. Installed today with Ninite and updated all clients with Ninite today.

    My "panic" comes from the example which allows opening any program on any computer just by browsing to an affected website ... :) Sometimes a technician just panics if ... :)

    Thanks a lot ... kai.

  • @Ben: Thanks! Ninite as standalone has worked too ... :)

  • What a shame that the update Oracle provided isn't a proper fix. There is still a zero-day exploit in Java.

    For Dutch readers: webwereld.nl/.../111638

    For other people: translate.google.com/translate