Following last week’s discovery of a major security vulnerability in Java, Bit9 engineer Chris Lord says that being vulnerable is a matter of trust.
In summary, Bit9 says that if an enterprise is running a trust-based security platform, then the doom and gloom of a situation such as this one is largely inconsequential. If you only allow software you trust to run in your environment, then you really can’t be adversely affected by this or any similar vulnerability.
The media doomsayers with their calls for PC users to disable Java in the wake of a vulnerability identified last Thursday were chilling. Now that Oracle has released a JDK 7 update that addresses the Java vulnerability (which made the media rounds almost as fast as it was picked up by the exploit kits), it’s time to chill. Software is and will continue to be vulnerable.
Mat Honan’s note in SANS NewsBites summed it up best: “It seems each time a zero day exploit is found in software, be that Java or otherwise, the industry pundits recommend that people stop using that software. New vulnerabilities will always be discovered in the software we use. If our best defence to a threat is to cause a denial-of-service on ourselves then this in the long term is a no-win strategy for us as an industry. We need to be looking at better ways to defend our systems and data, one good place to start is the 20 Critical Security Controls.”
Follow the prevailing guidance to disable Java if you don’t need it, but what about the next 0day? The folks over at SANS shared Immunity's analysis of the Java MBeanInstantiator.findClass vulnerability. Three interesting observations: JDK 6 and likely 5 are both vulnerable; other sandboxed runtime environments with rich APIs have similar risks; and this vulnerability was already being widely exploited for mass malware installation in advance of its disclosure.
More doom? No, but a clear call for approaches that help mitigate such threats. A trust-based approach to application control and whitelisting can help contain any damage, whether it starts inside a sandbox or with a native application. You don’t need to disable Java; you need to prevent the malware that exploits this (and the inevitable next) vulnerability from running. That’s exactly what we do.
A trust-based security solution can track all the Java files (and all the other applications) in your environment. Those you trust are allowed to run; those you don’t are blocked. If you haven’t turned on support for tracking Java, then you’re missing part of your best defence.
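To make the allow-or-block decision concrete, here is a small default-deny policy engine built around content hashes. It is an added illustration, not Bit9's product code or a description of how Bit9 implements trust: it assumes that "trust" is expressed as a set of approved SHA-256 digests, and the JAR files it evaluates are constructed in a temporary directory so the script runs offline. The point it makes beyond the paragraph is that trust attaches to file content, so a payload dropped by an exploit, or a file that merely reuses a trusted name, is blocked even though nothing about it was explicitly denied.

```python
"""Hash-based application allowlisting (added example, hypothetical design).

Trust is a set of approved SHA-256 digests. Anything whose content digest is
not in that set is blocked, regardless of its file name or location.
"""
import hashlib
import tempfile
from dataclasses import dataclass
from enum import Enum
from pathlib import Path


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"


@dataclass(frozen=True)
class Decision:
    path: str
    sha256: str
    verdict: Verdict
    reason: str


def sha256_of(path: Path) -> str:
    """Stream the file so large JARs do not have to be read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class TrustPolicy:
    """Default-deny: a file may run only if its content hash was approved."""

    def __init__(self, approved_hashes=()):
        self.approved = set(approved_hashes)

    def approve(self, path: Path) -> str:
        """Record the current content of `path` as trusted (an administrator action)."""
        digest = sha256_of(path)
        self.approved.add(digest)
        return digest

    def evaluate(self, path: Path) -> Decision:
        digest = sha256_of(path)
        if digest in self.approved:
            return Decision(str(path), digest, Verdict.ALLOW, "content hash is approved")
        return Decision(str(path), digest, Verdict.BLOCK, "unknown content hash (default deny)")


def demo() -> dict:
    """Build three constructed JAR-like files and return {relative path: verdict}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()

        # Constructed sample contents; the PK header only mimics a ZIP/JAR prefix.
        trusted = root / "app.jar"
        trusted.write_bytes(b"PK\x03\x04 constructed: the application the enterprise deployed")
        dropped = root / "update.jar"
        dropped.write_bytes(b"PK\x03\x04 constructed: payload written to disk by an exploit")
        lookalike = root / "lib" / "app.jar"          # same name as the trusted file ...
        lookalike.write_bytes(b"PK\x03\x04 constructed: different bytes under a trusted name")

        policy = TrustPolicy()
        policy.approve(trusted)                        # ... but only this content is trusted

        results = {}
        for candidate in (trusted, dropped, lookalike):
            decision = policy.evaluate(candidate)
            rel = str(candidate.relative_to(root)).replace("\\", "/")
            results[rel] = decision.verdict.value
            print(f"{decision.verdict.value:5} {rel:14} {decision.sha256[:16]}... {decision.reason}")
        return results


if __name__ == "__main__":
    demo()
```

Run as a script it prints one line per file with the verdict, a hash prefix and the reason; `demo()` also returns the verdict map so the behaviour can be checked programmatically. Re-approving a file after a legitimate update is simply another `approve()` call, which is the operational cost a hash-based trust model carries in exchange for never having to know a vulnerability's details in advance.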