3 Replies Latest reply on Sep 25, 2012 1:54 PM by Regis

    IE and Java 0day responses ?

    Regis

      So... we've got quite an issue on our hands as a security community with these IE [1] [2] and Java [3] 0days for which there's still no patch from either Oracle or Microsoft for the Metasploit available exploits. Oracle did release a patch for Java 7, but apparently, it's not entirely effective [4].

      Anyone blocking all Java file types, user agents at the border?  What's it break other than webex and gotomeeting for Firefox users?

      Anyone gone so far as to block IE and give users a message to use Firefox or Chrome?

      Refs:

      [1] https://isc.sans.edu/diary/IE+Zero+Day+is+For+Real+/14107

      [2] https://community.rapid7.com/community/metasploit/blog/2012/09/17/lets-start-the-week-with-a-new-internet-explorer-0-day-in-metasploit

      [3] https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-java-0day

      [4] http://www.h-online.com/security/news/item/Latest-Java-sandbox-is-still-vulnerable-1697550.html

        • 1. Re: IE and Java 0day responses ?
          fschulte

          I do not know your business, but I personally think it is generally a good idea to have a whitelist of web sites that are allowed to use java applets. (Which is also true for java script and flash.) Block all the rest you do not need.

          Again, it's my personal opinion; maybe not generally considered as best practice.

          Ciao

          Felix
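Following up on the question of blocking Java file types and user agents at the border, and on the suggestion of a per-site applet whitelist, here is an added example (not from anyone in this thread) that audits constructed proxy log lines: a request is flagged when its path, MIME type or user agent indicates Java and the serving host is not on a hypothetical whitelist. The log line format, host names, client addresses and whitelist are all assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not from the thread):
# client, method, URL, served MIME type, quoted user agent.
SAMPLE_LOG = """\
10.0.0.12 GET http://intranet.example.com/apps/payroll.jar application/java-archive "Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_31"
10.0.0.12 GET http://www.webex.com/client/meeting.jnlp application/x-java-jnlp-file "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"
10.0.0.33 GET http://203.0.113.7/x/a.class application/x-java-applet "Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_06"
10.0.0.33 GET http://203.0.113.7/x/stage2.bin application/octet-stream "Java/1.7.0_06"
10.0.0.45 GET http://www.example.org/index.html text/html "Mozilla/5.0 (Windows NT 6.1) Firefox/15.0.1"
"""

# Indicators of Java traffic: applet/JNLP file extensions, their MIME
# types, and the "Java/<version>" token the Java runtime puts in its UA.
JAVA_EXTENSIONS = (".jar", ".class", ".jnlp")
JAVA_MIME_TYPES = {"application/java-archive", "application/x-java-applet",
                   "application/x-java-jnlp-file"}
JAVA_UA = re.compile(r"\bJava/\d+\.\d+")

# Hypothetical whitelist of hosts allowed to serve applets / JNLP files.
ALLOWED_HOSTS = {"intranet.example.com", "www.webex.com"}

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def classify(line):
    """Return a verdict dict for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, _method, url, mime, ua = m.groups()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.path.lower().endswith(JAVA_EXTENSIONS):
        reasons.append("java-file-ext")
    if mime.lower() in JAVA_MIME_TYPES:
        reasons.append("java-mime")
    if JAVA_UA.search(ua):
        reasons.append("java-ua")
    # Non-Java traffic passes; Java traffic passes only to whitelisted hosts.
    verdict = "allow" if not reasons or host in ALLOWED_HOSTS else "block"
    return {"client": client, "host": host, "verdict": verdict, "reasons": reasons}


def audit(log_text):
    """Return the verdicts for every parseable line that would be blocked."""
    results = (classify(l) for l in log_text.splitlines() if l.strip())
    return [r for r in results if r and r["verdict"] == "block"]
```

Running audit(SAMPLE_LOG) flags only the two requests to the non-whitelisted host, one by file type, MIME type and user agent together, the other by the bare Java user agent alone; the WebEx JNLP download to a whitelisted host passes.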

          • 2. Re: IE and Java 0day responses ?
            ittech

            This depends on the organization. Where I am IT is certainly trying to protect through restrictions, but we're still just another department under executive management. If they don't want to hear complaints from users they'd rather open up the web with an attitude of "That's why we have McAfee, isn't it?"

            In an environment where we've already decided we only use IE with a MWG7 that blocks certain categories and has an AV scanner, we're kinda stuck.

            It's harder to take freedoms away from users when they've already had them for years. You end up looking like Chicken Little yelling about how the sky is falling to those who merely wish to keep the status quo.

            • 3. Re: IE and Java 0day responses ?
              Regis

              Oh yay. More Java 0day. This time on 5/6/7 with sandbox bypass. At least there's not a public exploit at this point.

              http://seclists.org/fulldisclosure/2012/Sep/170