Endpoint Protection

  • 1.  Help I need to run an old version of Java - Security Vulnerabilities

    Posted Feb 23, 2011 05:46 AM

    I hate Java but it's a necessary evil. So I keep our PCs all up to date with the latest version of Java. And Adobe Flash, Shockwave, Reader and everything else!

    Infections - we've had next to none since keeping everything patched and hardening our SEP policies. I've had time to actually do work instead of fixing malware infections and rebuilding PCs. We've always had a few guys who ran apps that needed the next newest Java update, which is understandable, and I've obliged.

    Now one of our trading platform vendors has said we need to run Java 6 Update 16, the one released on the 13th August 2009. They say that their 40,000 customers, including some major banks, all use 6u16.

    I'm not happy about downgrading them. If I have to, what is the best way of locking them down so Java exploits can't run?

    It's a Catch-22 situation too. If I downgrade them to overcome potential stability issues, I also open them up to downtime if I have to rebuild their PCs.

    Some of you guys here must work in large enterprises; what's your stance on Java updates?




  • 2.  RE: Help I need to run an old version of Java - Security Vulnerabilities

    Broadcom Employee
    Posted Feb 23, 2011 05:54 AM

    You may need to check the vulnerability and create a firewall/custom IPS signature to overcome those issues.




  • 3.  RE: Help I need to run an old version of Java - Security Vulnerabilities

    Posted Feb 23, 2011 06:16 AM

    That is not something easily done. There must be hundreds of vulnerabilities since Update 16.



  • 4.  RE: Help I need to run an old version of Java - Security Vulnerabilities

    Posted Feb 23, 2011 10:53 AM

    If it were me, I'd restrict access to the internet, except where it needs to go. No users as local admin. Patch Windows.
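    As an added example, not code from any post in this thread: a PowerShell script that applies the "restrict access to the internet, except where it needs to go" advice to the pinned JRE, using Windows Firewall program rules so the 6u16 binaries can reach only the trading vendor's hosts. It assumes the default Java 6 install directory, and the vendor IP addresses are placeholders to be replaced with the real ones.

```powershell
# Added example (not from the thread). Windows Firewall lets a matching block rule
# beat a matching allow rule, so a per-program "block everything else" rule must
# list the complement of the allowed addresses rather than remoteip=any.
# Run from an elevated PowerShell prompt.
$JreBin      = 'C:\Program Files\Java\jre6\bin'     # assumption: default 6u16 install dir
$VendorHosts = @('203.0.113.10', '203.0.113.11')    # PLACEHOLDER (TEST-NET-3): vendor IPs
$RulePrefix  = 'Pinned JRE 6u16'

function ConvertTo-Ipv4Int([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [array]::Reverse($b)                              # network order -> little-endian
    [long][BitConverter]::ToUInt32($b, 0)
}

function ConvertFrom-Ipv4Int([long]$N) {
    $b = [BitConverter]::GetBytes([uint32]$N)
    [array]::Reverse($b)
    $b -join '.'
}

function Get-BlockedRanges([string[]]$Allowed) {
    # IPv4 ranges covering every address except $Allowed, in netsh remoteip= syntax.
    $ranges = @()
    [long]$next = 0
    foreach ($ip in ($Allowed | ForEach-Object { ConvertTo-Ipv4Int $_ } | Sort-Object -Unique)) {
        if ($ip -gt $next) {
            $ranges += '{0}-{1}' -f (ConvertFrom-Ipv4Int $next), (ConvertFrom-Ipv4Int ($ip - 1))
        }
        $next = $ip + 1
    }
    if ($next -le 4294967295) {
        $ranges += '{0}-255.255.255.255' -f (ConvertFrom-Ipv4Int $next)
    }
    $ranges -join ','
}

$blocked = Get-BlockedRanges $VendorHosts
$allowed = $VendorHosts -join ','
foreach ($exe in 'java.exe', 'javaw.exe', 'javaws.exe') {
    $program = Join-Path $JreBin $exe
    if (-not (Test-Path $program)) { Write-Warning "Skipping missing $program"; continue }
    # Explicit allow: redundant while default outbound is Allow, needed if that ever changes.
    netsh advfirewall firewall add rule name="$RulePrefix allow $exe" dir=out action=allow `
        program="$program" remoteip="$allowed" enable=yes
    # Block every other destination this binary tries to reach.
    netsh advfirewall firewall add rule name="$RulePrefix block $exe" dir=out action=block `
        program="$program" remoteip="$blocked" enable=yes
}
```

    Verify the result with `netsh advfirewall firewall show rule name=all | findstr /i "Pinned"` and by watching the pfirewall.log for drops from the JRE path before trusting it on a trader's desk.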



  • 5.  RE: Help I need to run an old version of Java - Security Vulnerabilities

    Posted Feb 23, 2011 11:47 AM

    IPS is the way to go. We use it to scan and block attempts to exploit vulnerabilities in popular applications... Java is certainly included. Our IPS signatures should already cover the hundreds of vulnerabilities that may be in Update 16.



  • 6.  RE: Help I need to run an old version of Java - Security Vulnerabilities

    Posted Feb 23, 2011 12:05 PM

    There are a number of possible solutions depending on budgets and complexity, and also number of users who need this.

    You could, for example, set up a terminal server and run the app under terminal services so that you can lock down the environment and keep it sandboxed so that no malware can reach the terminal server.

    If you are running Windows 7 Business or Ultimate editions, you could place the application and Java environment into "XP Mode" so that it runs in a virtual machine environment on the user workstations. This VM could also be locked down to minimise infection risks.

    Finally, you could run the app as a virtual app using Symantec Workspace Virtualisation, so that the app and its Java Runtime are hosted in their own virtual layer. Apps in a virtual layer can interact with the base operating system but you do have control over the level of interaction, and you can also reset the virtual layer to the just-installed state as and when required, to get rid of any content that has been added since the layer was installed.

    The problems caused by apps needing specific versions of the Java runtime are not uncommon, and therefore many corporates have had to go down a virtualised or terminal services route to support multiple runtime versions concurrently.

    The problem you appear to have is caused by users having too much internet access and insufficient lockdown, and your proxy server allowing too much content through, as you have had to spend so much time clearing up malware in the past. You may not have the authority to restrict this, but has anyone analysed the support cost of allowing such free access to the internet?