Endpoint Protection Small Business Edition

  • 1.  0day Java 7 Exploit - is SEP ready for this one?

    Posted Jan 10, 2013 08:38 PM

    See this notice posted today:  http://blog.beyondtrust.com/java-0day-exploit-oracle-urges-people-to-run-into-burning-building

    I'd like to see if anyone from Symantec Corp monitoring can assure me (us) that Sym Endpoint Prot can block or defeat this.  It sounds, looks and smells pretty ominous.  Extra concern:  In the email in which this alert was received, the authors also indicate that everyone is going to have to move to Java 7 by the end of Feb.  I don't know where they got this from, but if true, forcing us to Java 7 then may create even more surface area exposure to this one if we're not on top of it.

    Is this a genuine threat and does this threat need/deserve attention?

    And, how much attention will it get from our malware signature publishers at Symantec?

    H



  • 2.  RE: 0day Java 7 Exploit - is SEP ready for this one?

    Trusted Advisor
    Posted Jan 11, 2013 06:26 AM

    Hello,

    Check this BLOG from Symantec Security Response Team on same issue -

    Java Zero-Day Dished Up from Cool Exploit Kit

    https://www-secure.symantec.com/connect/blogs/java-zero-day-dished-cool-exploit-kit

    Hope that helps!!



  • 3.  RE: 0day Java 7 Exploit - is SEP ready for this one?

    Broadcom Employee
    Posted Jan 11, 2013 06:38 AM

    IPS signatures within SEP will help to prevent the attack. Check the above blog.



  • 4.  RE: 0day Java 7 Exploit - is SEP ready for this one?

    Posted Jan 11, 2013 07:21 AM

    Yes, this helps a lot.  This is why we purchase top-quality, industrial strength, commercial grade software.  I'll rest a bit easier now.

    And, so Java 6 goes bye-bye in Feb (supposedly)...

    H



  • 5.  RE: 0day Java 7 Exploit - is SEP ready for this one?

    Posted Jan 13, 2013 01:25 AM

    In my opinion:

    The Windows environment Java exploit described by DHS can be contained in a kind of "walled garden" using Symantec Endpoint Protection's "Application and Device Control" policy feature.

    This is done by first building an execute rule around the JRE EXEs and DLLs, basically telling the JRE it cannot execute any applications outside its own shell, or you can specify exactly what apps it can spawn/compile and from where.

    Next, build a file/folder write restriction policy that says where and what the JRE can write to the disk, registry and memory.

    Now write a rule that explicitly states what applications can spawn the JRE.

    This is a bit oversimplified, but it seems to work in other application scenarios we used it to mitigate. I love it.
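The three rule types in the post above (what the JRE may spawn, where it may write, and what may launch it) can be checked against a process and file event stream. The script below is an added example written for this page, not Symantec's policy format and not code from the thread; SEP's Application and Device Control rules are configured in the management console, and this only models their logic. The JRE install path, the browser allow-list, the user-profile cache directories and the sample events are all constructed assumptions.

```python
"""Model of the three Application and Device Control rule types described
in the post: (1) the JRE may not spawn child processes, (2) the JRE may only
write non-executable files under its own cache/temp directories, and (3) only
browsers may launch the JRE. Added example, not SEP's own policy format."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed environment (hypothetical paths, not from the thread).
JRE_DIR = PureWindowsPath(r"C:\Program Files\Java\jre7\bin")
JRE_EXES = {"java.exe", "javaw.exe"}
ALLOWED_PARENTS = {"iexplore.exe", "firefox.exe", "chrome.exe"}  # rule 3
ALLOWED_WRITE_DIRS = [                                          # rule 2
    PureWindowsPath(r"C:\Users\alice\AppData\LocalLow\Sun\Java"),
    PureWindowsPath(r"C:\Users\alice\AppData\Local\Temp"),
]
BLOCKED_WRITE_SUFFIXES = {".exe", ".dll", ".scr", ".bat", ".vbs", ".ps1"}


@dataclass
class Event:
    kind: str    # "spawn" (actor creates a process) or "write" (actor writes a file)
    actor: str   # full path of the process performing the action
    target: str  # child process path for "spawn", file path for "write"


def is_jre(path: str) -> bool:
    """True if path is java.exe/javaw.exe inside the assumed JRE bin directory.
    PureWindowsPath compares case-insensitively, like the Windows file system."""
    p = PureWindowsPath(path)
    return p.name.lower() in JRE_EXES and p.parent == JRE_DIR


def evaluate(event: Event) -> tuple:
    """Return ("allow", "") or ("block", reason) for one event."""
    actor = PureWindowsPath(event.actor)
    target = PureWindowsPath(event.target)
    if event.kind == "spawn":
        # Rule 3: only the listed browsers may start the JRE.
        if is_jre(event.target) and actor.name.lower() not in ALLOWED_PARENTS:
            return ("block", "rule3: %s is not allowed to launch the JRE" % actor.name)
        # Rule 1: the JRE may not start anything (typical exploit payloads
        # drop and run a second stage, so this is where they usually die).
        if is_jre(event.actor):
            return ("block", "rule1: JRE tried to spawn %s" % target.name)
        return ("allow", "")
    if event.kind == "write":
        if not is_jre(event.actor):
            return ("allow", "")           # policy only scopes the JRE
        # Rule 2: no executable file types, and only under the cache/temp dirs.
        if target.suffix.lower() in BLOCKED_WRITE_SUFFIXES:
            return ("block", "rule2: JRE wrote executable type %s" % target.suffix)
        if not any(d in target.parents for d in ALLOWED_WRITE_DIRS):
            return ("block", "rule2: JRE wrote outside allowed directories")
        return ("allow", "")
    raise ValueError("unknown event kind: %s" % event.kind)


def sample_events() -> list:
    """Constructed events resembling a drive-by Java exploit chain."""
    jre = str(JRE_DIR / "java.exe")
    return [
        Event("spawn", r"C:\Program Files\Mozilla Firefox\firefox.exe", jre),
        Event("spawn", jre, r"C:\Windows\System32\cmd.exe"),
        Event("write", jre, r"C:\Users\alice\AppData\Local\Temp\jar_cache123.tmp"),
        Event("write", jre, r"C:\Users\alice\AppData\Local\Temp\svchost.exe"),
        Event("write", jre, r"C:\Windows\System32\drivers\etc\hosts"),
        Event("spawn", r"C:\Program Files\Microsoft Office\winword.exe", jre),
    ]


def run(events: list) -> list:
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for ev, (decision, reason) in zip(sample_events(), run(sample_events())):
        print("%-5s %-5s %s -> %s %s" % (decision, ev.kind, ev.actor, ev.target, reason))
```

The order of checks matters: a process launching java.exe is tested against the parent allow-list before anything else, so the JRE itself cannot re-launch the JRE to escape rule 1, and the write rule rejects executable file types before it looks at the directory, so a dropper written into the otherwise permitted Temp folder is still blocked.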