13 Replies Latest reply on Jan 15, 2013 9:16 AM by Regis

    Blocking internet Java ?

    Regis

      Given that there's a public exploit now available for an unpatched Java issue.... curious how folks are responding and/or whether there's an easy way to tackle this in policy of the MWG.   What's the best way to cover this, using the safe assumption that exploits for this exist that'll bypass AV, and the best approach is to block all Java filetypes coming from the internet?

       

       

      Refs on the issue:

       

      http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html

       

       

      https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-java-0day

        • 1. Re: Blocking internet Java ?
          Jon Scholten

          Hi Regis,

           

          There is a number of ways you can approach this.

           

          You could build a rule to say:

          Criteria: URL.Destination.IP is NOT in list <Internal Ranges> AND

          MediaTypes.EnsuredTypes is in list <Java file types>

          Action: Block

           

          On top of that you could add in something about the user agent (the version has to be a certain version).

          Criteria: URL.Destination.IP is NOT in list <Internal Ranges> AND

          Header.Request.Get("User-Agent") does not equal "java 1.7.01 aka fixed version" AND

          MediaTypes.EnsuredTypes is in list <Java file types>

           

          Is this what you are looking for?

           

          Best,

          Jon

          1 of 1 people found this helpful
          • 2. Re: Blocking internet Java ?
            Regis

            That looks pretty close with some blanks filled in of course.   I need to review as I'm not sure what all the possible Java media types might be...

             

            Anyone else done this exercise?   

             

             

            On a remediation front... Anyone aware of any unpatched security issues in the latest Java 6?

            • 3. Re: Blocking internet Java ?
              Jon Scholten

              You can see what all of the java related media types are by typing into the filter, see example below:

               

              [image: java.png]

              I haven't read much further into the exploits yet, but based on the article you provided it only mentioned Java 7.

               

              Best,

              Jon

              1 of 1 people found this helpful
              • 4. Re: Blocking internet Java ?
                Regis

                Awesome.  One of those lovely moments that underscores just how great MWG's GUI is versus anything else I've seen in this space.  

                • 5. Re: Blocking internet Java ?
                  asabban

                  Hello,

                   

                  blocking Java content is probably the most secure thing you can do, so I like this approach :-) If you need a more relaxed approach you could collect the user-agent strings used by Java to connect to the Internet. It usually contains the version number, so you can maintain the latest version numbers of Java (e.g. those versions you trust) in a string list like "Trusted Java Versions". Then you could say something like:

                   

                  Rule Set Criteria: MediaTypes.EnsuredTypes is in list <Java file types>

                   

                  First rule to allow Java objects which may be secure to open:

                   

                  If

                  Header.Request.Get("User-Agent") is in list "Trusted Java Versions"

                  and

                  URL.IsMinimalRisk equals "true"

                  Then

                  Stop Rule Set (e.g. "Allow")

                   

                  Second rule to block all others:

                   

                  Always -> Block

                   

                  So you will allow users to open Java objects if their Java version is recent and the URL is not known as dangerous. Otherwise access to the Java object will be denied. Of course you can combine it with a list of internal servers that you will always allow.

                   

                  Best,

                  Andre
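To make the two policy shapes in this thread concrete, here is an added Python model of them that is not code from the thread or from McAfee Web Gateway: reply 1's "block Java media types unless the destination is internal" rule and Andre's "Trusted Java Versions" rule set above, run against sample requests. The property names (MediaTypes.EnsuredTypes, URL.IsMinimalRisk, the list names) come from the posts; the request fields, the sample lists, the User-Agent strings and the version regex are assumptions made for this example.

```python
"""
Added example (not from the thread or from McAfee Web Gateway): a stand-alone
model of the two MWG policies discussed, so the rule logic can be exercised
against sample requests before it is built in the GUI.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the MWG list <Java file types>. MWG's "ensured"
# media type comes from content inspection, not from the URL's extension.
JAVA_FILE_TYPES = {
    "application/java-archive",
    "application/x-java-applet",
    "application/x-java-jnlp-file",
}

# Constructed stand-in for the list <Internal Ranges>.
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.168.0.0/16")]

# Constructed stand-in for Andre's "Trusted Java Versions" string list.
TRUSTED_JAVA_VERSIONS = {"1.7.0_07", "1.6.0_35"}

# Java's own HTTP client advertises a "Java/<version>" token (assumed shape);
# matching the token is more robust than comparing the whole header string.
JAVA_UA_RE = re.compile(r"\bJava/(\d+\.\d+\.\d+(?:_\d+)?)")


@dataclass
class Request:
    dest_ip: str
    user_agent: Optional[str]      # None models a request with no User-Agent
    ensured_type: str              # MediaTypes.EnsuredTypes
    url_is_minimal_risk: bool      # URL.IsMinimalRisk


def java_version_from_ua(user_agent: Optional[str]) -> Optional[str]:
    """Return the Java version advertised in a User-Agent, or None if absent."""
    if not user_agent:
        return None
    m = JAVA_UA_RE.search(user_agent)
    return m.group(1) if m else None


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def strict_policy(req: Request) -> str:
    """Reply 1: block every Java media type not served from an internal range."""
    if req.ensured_type in JAVA_FILE_TYPES and not is_internal(req.dest_ip):
        return "Block"
    return "Allow"


def trusted_version_policy(req: Request) -> str:
    """Reply 5: a rule set entered only for Java media types.

    Rule 1: trusted Java version AND minimal-risk URL -> Stop Rule Set (allow)
    Rule 2: Always -> Block
    A request with no Java User-Agent yields no version, so it falls through
    to rule 2: the policy fails closed rather than open.
    """
    if req.ensured_type not in JAVA_FILE_TYPES:
        return "Allow"                       # rule set criteria not met
    if is_internal(req.dest_ip):
        return "Allow"                       # internal servers always allowed
    version = java_version_from_ua(req.user_agent)
    if version in TRUSTED_JAVA_VERSIONS and req.url_is_minimal_risk:
        return "Allow"                       # rule 1 stops the rule set
    return "Block"                           # rule 2


if __name__ == "__main__":
    # Constructed sample requests (203.0.113.0/24 is a documentation range).
    samples = [
        Request("203.0.113.10", "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_07",
                "application/java-archive", True),
        Request("203.0.113.10", "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_06",
                "application/java-archive", True),
        Request("203.0.113.10", "Mozilla/5.0 (Windows NT 6.1; Trident/5.0)",
                "application/java-archive", True),
        Request("10.20.30.40", None, "application/java-archive", False),
    ]
    for r in samples:
        print(f"{r.dest_ip:14} strict={strict_policy(r):5} "
              f"trusted={trusted_version_policy(r)}")
```

The version-list check is the relaxed option and the media-type block is the strict one; both treat a Java media type that arrives without a recognisable Java User-Agent as something to block, which is the behaviour you want when the client cannot be identified on the wire.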

                  • 6. Re: Blocking internet Java ?
                    Jon Scholten

                    Looks like in the latest DATs this should be protected, see links below:

                     

                    https://community.mcafee.com/docs/DOC-4139 its listed as Oracle Java Applet Remote Code Execution - MTIS12-137-J

                     

                    For reference, the following link is a good bookmark:

                    https://community.mcafee.com/community/security/gti/mtis

                    • 7. Re: Blocking internet Java ?
                      Regis

                      More Java 0day dropped today.  Happily given to the vendor first, it seems in a very responsible disclosure way:      

                           http://seclists.org/fulldisclosure/2012/Sep/170

                       

                       

                      Hi Jon,

                       

                      Appreciate that info and it's good to know what slivers McAfee is protecting with those.   Unfortunately, any security admin that hangs their hat on VSE saving them....   I'll be kind and say "should do more."  :-)       I haven't had time to play with metasploit's re-encoders on this one, but I have little doubt I could get it past VSE with a few packer options.   Such is the bane of the AV game.

                       

                      However, the web gateway surely has some tools to increase the defense in depth here with the content type blocking, and I really appreciate all the goodies here.   The tough problem is of course signing up for the whitelist maintenance task that comes with blocking Java by default except for a known whitelist of sites you'll wanna trust (webex/gotoassist, etc).   Invariably, in such exercises, you learn about sites you had no idea were being used for business, and you end up getting in the way of users doing work at least temporarily in order to move the bar in security.

                      • 8. Re: Blocking internet Java ?
                        Regis

                        asabban wrote:

                         

                        Hello,

                         

                        blocking Java content is probably the most secure thing you can do, so I like this approach :-) If you need a more relaxed approach you could collect the user-agent strings used by Java to connect to the Internet. It usually contains the version number, so you can maintain the latest version numbers of Java (e.g. those versions you trust) in a string list like "Trusted Java Versions". Then you could say something like:

                         

                        Rule Set Criteria: MediaTypes.EnsuredTypes is in list <Java file types>

                         

                        First rule to allow Java objects which may be secure to open:

                         

                        If

                        Header.Request.Get("User-Agent") is in list "Trusted Java Versions"

                        and

                        URL.IsMinimalRisk equals "true"

                        Then

                        Stop Rule Set (e.g. "Allow")

                         

                        Second rule to block all others:

                         

                        Always -> Block

                         

                        So you will allow users to open Java objects if their Java version is recent and the URL is not known as dangerous. Otherwise access to the Java object will be denied. Of course you can combine it with a list of internal servers that you will always allow.

                         

                        Best,

                        Andre

                         

                        Andre, I was intrigued with your suggestion.   Turns out there's an interesting problem with it. In my research implementing something like this, I learned that the Firefox Java plugin will send a Java user agent string.

                         

                        Bad news:  IE... doesn't. 

                         

                        Have you observed anything different?

                         

                        As such, if you have IE in the environment, I haven't seen a way to tell on the wire what Java version is in use.     I could envision some fanciness involving a remotely managed list of IPs populated by automation from a corporate vulnerability scanning solution to help manage that, but doing it in real time on the wire appears to be a non-starter for other than Firefox / Java.

                        • 9. Re: Blocking internet Java ?
                          Jon Scholten

                          Hi Regis,

                           

                          I have seen Java launched by IE use Java's own user agent (this is contradicting your findings). I was looking at a capture just yesterday which had this behavior; it was on Windows 7 with IE9 (from what I remember). In this user agent it included the Java version and what not. Are you sure you were not looking at the initial requests for the Java related files? How were you attempting to find the user-agent (with Wireshark or in the logs)?

                           

                          If using wireshark you can use the following filter:

                          http.user_agent contains "java"

                           

                          Theoretically if you did have the java user-agent logged, you could get a trend of what the business needs are (assuming my observations held true). This could even be done with the Web Reporter usage summary reports, this would give you an idea of the URLs that people use to access java related applications.

                           

                          Best,

                          Jon
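As an added example of the trending Jon suggests (not code from the thread, from McAfee Web Gateway or from Web Reporter), the script below mines proxy log lines for Java User-Agents and reports, per destination host, how many requests, which clients and which Java versions were seen; that is the raw material for the whitelist Regis describes in reply 7. The log line layout and the sample lines are constructed for this example, and a real MWG access log layout depends on the configured log handler.

```python
"""
Added example (not from the thread or from McAfee): summarise Java User-Agent
traffic from proxy logs to see which hosts the business pulls Java from and
which client versions are in use.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed layout: <timestamp> <client-ip> <status> <method> <url> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<status>\d{3}) (?P<method>\S+) '
    r'(?P<url>\S+) "(?P<ua>[^"]*)"$'
)
# Same idea as the Wireshark filter  http.user_agent contains "java",
# additionally capturing the version token that follows "Java/".
JAVA_UA_RE = re.compile(r"\bJava/(\S+)", re.IGNORECASE)

# Constructed sample log; hosts use documentation domains, addresses are private.
SAMPLE_LOG = """\
2012-09-01T10:00:01 10.1.2.3 200 GET https://meeting.example.com/webex/app.jar "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_07"
2012-09-01T10:00:02 10.1.2.3 200 GET https://meeting.example.com/webex/lib.jar "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_07"
2012-09-01T10:00:05 10.1.2.9 200 GET https://remote.example.net/support/client.jar "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_31"
2012-09-01T10:00:07 10.1.2.9 200 GET https://www.example.org/index.html "Mozilla/5.0 (Windows NT 6.1; Trident/5.0)"
2012-09-01T10:00:09 10.1.2.5 403 GET http://unknown.example.com/x/applet.jar "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_06"
this line is not in the expected format and is skipped
"""


def parse_log(text):
    """Yield (client, status, host, java_version) for lines carrying a Java UA."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # malformed line: skip, do not crash
        ver = JAVA_UA_RE.search(m["ua"])
        if not ver:
            continue                      # browser request, not Java's client
        host = urlsplit(m["url"]).hostname
        yield m["client"], int(m["status"]), host, ver.group(1)


def java_usage_by_host(text):
    """Per destination host: request count, distinct clients, Java versions seen."""
    report = defaultdict(lambda: {"requests": 0, "clients": set(), "versions": set()})
    for client, _status, host, version in parse_log(text):
        entry = report[host]
        entry["requests"] += 1
        entry["clients"].add(client)
        entry["versions"].add(version)
    return dict(report)


def java_version_counts(text):
    """How many Java requests came from each client version (patch-level view)."""
    return Counter(version for _c, _s, _h, version in parse_log(text))


if __name__ == "__main__":
    for host, entry in sorted(java_usage_by_host(SAMPLE_LOG).items()):
        print(f"{host:24} requests={entry['requests']} "
              f"clients={len(entry['clients'])} versions={sorted(entry['versions'])}")
    print("versions:", dict(java_version_counts(SAMPLE_LOG)))
```

The report only counts requests whose User-Agent carries a Java token, which is exactly the point replies 8 and 9 disagree on, so compare its host list with a second query keyed on the Java media types before treating it as a complete picture of business usage; the version counts are also a quick way to see how many clients are still on a release older than the one you intend to trust.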
