Regis
Level 12

Blocking Internet Java (January 2013 edition)

[moved to new thread   but ref: the older thread https://community.mcafee.com/message/270727#270727   ]

With the latest widely-exploited-and-baked-in-exploit-kits Java 0day [1] going around again (which is only half fixed [2] by the latest Java 7 patch)... and with Java 6 a few weeks away from being EOL'd while many many enterprise critical internal Java interfaces don't necessarily work with Java 7... curious how many folks are blocking Java now, and  how they're going about it.    

What legitimate sites are you seeing that are going on your whitelists given that no safe version of Java exists right now?

In reviewing logs, I've found a lot of Java mime-types that don't appear to be on the pre-baked list in my MWG interface as mentioned by helpful posters in https://community.mcafee.com/message/270727#270727

I am also trying to divine a method where I don't keep Eclipse and friends from getting their updates.  Eclipse uses a non-Mozilla user-agent so I think that will be part of the logic I implement.  The other thing I have to be careful of is the legit use of web meetings where Java often comes into play, especially for limited users who are not able to install ActiveX controls that some meeting solutions leverage.

[1] http://krebsonsecurity.com/tag/java-0day/  and http://blog.spiderlabs.com/2013/01/first-java-0day-for-the-year-2013.html

[2] http://immunityproducts.blogspot.com/2013/01/confirmed-java-only-fixed-one-of-two.html

Shared experiences welcome!    And no one be deluded into thinking AV signatures will save us from this one.  :-)

0 Kudos
2 Replies
Regis
Level 12

Re: Blocking Internet Java (January 2013 edition)

As no administrators have yet replied, here's one answer offered out from https://isc.sans.edu/diary/When+Disabling+IE6+%28or+Java%2C+or+whatever%29+is+not+an+Option.../14947  ... which lines up rather nicely with what I've divined from my analysis of access logs for Java hits.

If you use a proxy to block java use all the options you have to block it. I use:

Header fields:
User-Agent*Java*

URL path:
*.jar
*.class
*.jnlp

Content Type:
application/*java-*
application/java-*

Magic Number:
0xCAFEBABE

posted by Placebo, Wed Jan 16 2013, 10:28  at

https://isc.sans.edu/diary/When+Disabling+IE6+%28or+Java%2C+or+whatever%29+is+not+an+Option.../14947

0 Kudos
btlyric
Level 12

Re: Blocking Internet Java (January 2013 edition)

This isn't an exact answer to your question, but things that we've considered or implemented for the purpose of avoiding Java pwnage include:

- user-agent

- file type (either as determined by MWG or by what the server sends back as Content-Type)

- file name

- monitoring notifications

- whitelisting specific destinations

- coaching pages for java and uncategorized sites

0 Kudos
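
The rule list quoted in the first reply and the destination whitelisting mentioned in the second, combined as an added example that is not part of any post in this thread and is not MWG rule syntax. The function names, the allowlisted host and the sample transactions in the test are constructed; it shows which rule fires for which kind of traffic, which is useful when replaying access-log entries before turning a block rule on.

```python
import fnmatch
from urllib.parse import urlsplit

# Patterns copied from the rule list quoted in the thread.
UA_PATTERN = "*Java*"
PATH_PATTERNS = ("*.jar", "*.class", "*.jnlp")
CTYPE_PATTERNS = ("application/*java-*", "application/java-*")
# First four bytes of a compiled .class file. A .jar is a ZIP archive
# (starts with "PK"), so this rule alone does not match JAR downloads.
CLASS_MAGIC = bytes.fromhex("CAFEBABE")

# Hypothetical allowlist (constructed): stands in for "whitelisting
# specific destinations", e.g. a web-meeting service that needs Java.
ALLOWED_HOSTS = {"meetings.example.com"}


def java_indicators(url, user_agent="", content_type="", body_prefix=b""):
    """Return the name of every rule that one proxy transaction matches."""
    hits = []
    path = urlsplit(url).path.lower()  # query string is not part of the path
    if fnmatch.fnmatchcase(user_agent, UA_PATTERN):
        hits.append("user-agent")
    if any(fnmatch.fnmatchcase(path, p) for p in PATH_PATTERNS):
        hits.append("url-path")
    # Drop parameters such as "; charset=..." before matching the media type.
    ctype = content_type.split(";")[0].strip().lower()
    if any(fnmatch.fnmatchcase(ctype, p) for p in CTYPE_PATTERNS):
        hits.append("content-type")
    if body_prefix[:4] == CLASS_MAGIC:
        hits.append("magic")
    return hits


def decide(url, **transaction):
    """Return (verdict, hits); allowlisted hosts are still reported."""
    hits = java_indicators(url, **transaction)
    host = (urlsplit(url).hostname or "").lower()
    if not hits:
        return "allow", hits
    if host in ALLOWED_HOSTS:
        return "allow-listed", hits
    return "block", hits
```

Keeping the matched rule names in the result for allowlisted hosts makes it possible to review how much Java traffic each exception actually lets through.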