If you are using Palo Alto for your IPS, they just put out a content update
to catch these exploits and block them. I am pretty sure within the next
day or so that other IPS/AV vendors will also update their signatures as
Jim says below.

 

I would take a look at the links off the ISC page, the IP network that
is the landing pad for the payload should be dropped ingress/egress at your
firewall, and it's located in Singapore.

 

Z

 

Edward E. Ziots, CISSP, Security +, Network +

Security Engineer

Lifespan Organization

[email protected]

 

From: Kennedy, Jim [mailto:[email protected]] 
Sent: Tuesday, August 28, 2012 3:04 PM
To: NT System Admin Issues
Subject: RE: 0 Day in Java 1.7 up to Version 6

 

The only thing to do, and it probably isn't worth the effort... is to
downgrade to a previous version and hope that those known flaws are
caught by your IPS/AV/Web Filter. I am hanging tight, this is getting
pretty widespread attention... I am hopeful that Java does an out of band
patch on it.

 

From: Ziots, Edward [mailto:[email protected]] 
Sent: Tuesday, August 28, 2012 2:41 PM
To: NT System Admin Issues
Subject: RE: 0 Day in Java 1.7 up to Version 6

 

Not really, there isn't a legit fix for the flaw yet...

 

Z

 

Edward E. Ziots, CISSP, Security +, Network +

Security Engineer

Lifespan Organization

[email protected]

 

From: David Lum [mailto:[email protected]] 
Sent: Tuesday, August 28, 2012 12:54 PM
To: NT System Admin Issues
Subject: RE: 0 Day in Java 1.7 up to Version 6

 

Ugh. Can it be done via GPO?

 

From: Kennedy, Jim [mailto:[email protected]] 
Sent: Monday, August 27, 2012 3:42 PM
To: NT System Admin Issues
Subject: RE: 0 Day in Java 1.7 up to Version 6

 

I suggest we all do something on this one. The exploit is already out on
SET, so it is child's play now to exploit it. (pun intended)

________________________________

From: Ziots, Edward [[email protected]]
Sent: Monday, August 27, 2012 4:14 PM
To: NT System Admin Issues
Subject: RE: 0 Day in Java 1.7 up to Version 6

I would make a recommendation. 

 

If you have an IPS, then utilize it to do a lot of egress filtering for
known networks that are hosting these exploits and just flat block the
Class C networks. I know it's cut down a lot on what I am seeing on my
IPS.

 

A lot of times web filter and AV are going to miss it, or one might
catch it if it's too late. But definitely of the exploits and the methods
I have looked at, they are targeting Java heavily...

 

Z

 

Edward E. Ziots, CISSP, Security +, Network +

Security Engineer

Lifespan Organization

[email protected]

 

From: N Parr [mailto:[email protected]] 
Sent: Monday, August 27, 2012 3:59 PM
To: NT System Admin Issues
Subject: RE: 0 Day in Java 1.7 up to Version 6

 

I've been trying to keep everything latest and greatest because I've had
at least 3 cases in the past few months where GFI has had to disinfect
clients with fake AV type infections on them.  They said the
infiltration point was through JRE6 which was at the latest update
available at the time.  So you're SOL either way if your web filter and
antivirus both miss it.  Only thing you can do is take it off which
doesn't fly around here.

 

________________________________

From: Carl Houseman [mailto:[email protected]] 
Sent: Monday, August 27, 2012 2:30 PM
To: NT System Admin Issues
Subject: RE: 0 Day in Java 1.7 up to Version 6

Hmm, out of concern for compatibility, I've kept GPO-installed client
systems at JRE 6 (update 33 is the latest needed for security patches).
Looks like that was a good call and I don't have to worry about this
particular problem, at least not yet.  But it will be interesting to see
if Oracle's Java group recognize the seriousness of this and issue an
interim update before the scheduled quarterly update.

 

Carl

 

From: Ziots, Edward [mailto:[email protected]] 
Sent: Monday, August 27, 2012 2:44 PM
To: NT System Admin Issues
Subject: 0 Day in Java 1.7 up to Version 6
Importance: High

 

Heads up on the Java Front... 0 day

 

Attackers Pounce on Zero-Day Java Exploit - Krebs on Security:

http://krebsonsecurity.com/2012/08/attackers-pounce-on-zero-day-java-exploit/

 

Cross Post from the Internal Security Discussion list at Microsoft.
(Thanks to Ms Bradley the SBS queen :) )

 

Already emailed the handlers at SANS to hopefully update the ISC page to
spread the word...

 

Z

 

Edward E. Ziots, CISSP, Security +, Network +

Security Engineer

Lifespan Organization

[email protected]

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
