Java 0-Day Coverage
Greetings everyone.
We are still getting a lot of questions about Symantec's coverage of the most recent Java 0-Day. I thought I would take a moment to jot down a list of our current coverage for this event, and hopefully save everyone some time and hassle.
Current Coverage:
- 24063 - Web Attack: Malicious Java Download 3
Created prior to the advent of the 0day being used in the wild. This was detecting the Metasploit Exploit Module released for the exploit.
- 25826 - Web Attack: Blackhole Toolkit Website 30
Also created prior to the 0 Day. This detects BlackHole Toolkits trying to make use of the new vuln as well.
- 25903 - Web Attack: Malicious JAR Download 3 CVE-2012-4681
Built and released specifically to detect the exploit of the vuln.
Not-Coverage
- 25431 - Web Attack: Malicious JAR File Download 6
Although this signature was updated recently, it does not provide additional protection specific to this vulnerability.
This was reported incorrectly for a short time in the Security Response blog, but has since been corrected.
2nd 0-day??
There has been some mention of a second Java 0-day, but this seems to be a matter of semantics. The exploit requires both to actually function, so most researchers are considering them a single vulnerability. This may change, but it's where we are currently at.
That said, all the coverage information above still holds true.
http://threatpost.com/en_us/blogs/researchers-iden...
http://www.informationweek.com/security/vulnerabil...
Security Response Blogs:
New Java Zero-Day Vulnerability (CVE-2012-4681)
Java Zero-Day Used in Targeted Attack Campaign
7 Comments
Hi,
As per this post as of now it is not recommended to download and install java?
Thanks & Regards,
Srikanth.S
"Defeat the Defeat before the Defeat Defeats you"
(Swami Vivekananda)
Hm... Can SEP v 12.1 prevent this issue?
Kind regards,
John Santana
Graduate IT Professional
--------------------------------------------------
Please be nice to me as I'm newbie in this forum.
@Srikanth
Patching the vulnerable application is ALWAYS to be preferred.
@John
In my post you will find the links to the IPS signatures. Those are deployed through IPS in SEP 12.1. So, yes, you are protected as long as you have the IPS component installed.
If not, then why not? :)
Brandon Noble
ESS Incident Response Officer
Security Response Liaisons
Symantec Corporation
www.symantec.com
Update [August 30, 2012] -
Java Zero-Day Used in Targeted Attack Campaign
ALSO
Oracle has issued a patch: Java SE 7 Update 7 for CVE-2012-4186.
Users are advised to download the latest update.
Brandon Noble
ESS Incident Response Officer
Security Response Liaisons
Symantec Corporation
www.symantec.com
Ah ok, yes it seems that I have IPS enabled on all of my SEP clients as at below.
but my servers only got the Virus and Spyware protection :-|
Kind regards,
John Santana
Graduate IT Professional
--------------------------------------------------
Please be nice to me as I'm newbie in this forum.
@ John
Proactive Threat Protection or PTP updates on a non-standard schedule.
You can find the current definitions date for all the technologies here:
http://www.symantec.com/security_response/definiti...
This is a good one to bookmark!
Also, please note we had a few issues with the site not reflecting the accurate date for PTP defs last week. You can see my responses to the following post for more info on that:
PTP not updating all other definitions are uptodate
Brandon Noble
ESS Incident Response Officer
Security Response Liaisons
Symantec Corporation
www.symantec.com
Thank you for the clarification Brandon !
Kind regards,
John Santana
Graduate IT Professional
--------------------------------------------------
Please be nice to me as I'm newbie in this forum.