I've implemented the Internet zone disable as well. This protects against the <APPLET> tag.
This does not protect against ActiveX object usage in the Internet zone - <OBJECT> tag. The bulk of the registry settings recommended (CERT/Microsoft) are to make the Java ActiveX objects unsafe for invocation - Internet Explorer cannot use those objects in any way and therefore does this for all zones - which is a problem for us. Without knowing which ActiveX objects we are actually using (and by no means do we know all the Java apps we are using in the enterprise and if they are invoked by the OBJECT tag) it would be hard to know which of the objects to disable. So we have not disabled them. The Java objects presumably are properly signed, thus other Internet zone settings cannot be used to protect the Internet zone. We are not about to implement ActiveX object whitelisting due to the effort involved to make this happen. I wish there was a registry of applications, listing the ActiveX objects used, which every software vendor regularly maintained.

Regarding the JNLP file associations - i.e. applets can be downloaded and then run (local machine zone now). The unexpected download prompt might be enough to protect most people - although truly I do not really believe this from past experience - there are many users that will happily click on through - they are experts at their job function but not necessarily so with computers. Adjusting the file association we will probably implement. This will have to be a regular maintenance item as new JVM versions will likely "fix" the file association.

From: Sam Cayze [mailto:[email protected]]
Sent: Friday, January 25, 2013 11:33 AM
To: NT System Admin Issues
Subject: RE: Java 7 0day actively exploited in the wild | BeyondTrust

This is exactly what we have done. Thanks. Good to hear others recommend it.
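An added example, not part of the original thread: a PowerShell audit for the two settings discussed above, the Java permission in the Internet zone and the .jnlp file association that a JVM update may restore. It assumes the standard Internet Explorer layout (zone 3 is the Internet zone, value 1C00 holds the Java permission, data 0 means Java is disabled) and that a stock JRE opens .jnlp files with the Java Web Start launcher, javaws; none of these names appear in the thread.

```powershell
# Added example (PowerShell 3.0+). Assumed well-known values, not from the thread:
#   Zones\3 = Internet zone; value 1C00 = Java permissions; data 0 = Java disabled.
#   javaws is the Java Web Start launcher that a stock JRE registers for .jnlp.
$zoneKey = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$locations = @(
    "HKLM:\SOFTWARE\Policies\$zoneKey",   # machine policy (GPO)
    "HKCU:\SOFTWARE\Policies\$zoneKey",   # user policy (GPO)
    "HKCU:\SOFTWARE\$zoneKey"             # per-user setting
)

function Get-InternetZoneJavaSetting {
    # Report the Java permission found at each location; a missing value is 'not set'.
    foreach ($path in $locations) {
        $data = (Get-ItemProperty -Path $path -Name '1C00' -ErrorAction SilentlyContinue).'1C00'
        [pscustomobject]@{
            Location     = $path
            Data         = $(if ($null -eq $data) { 'not set' } else { '0x{0:X8}' -f $data })
            JavaDisabled = ($null -ne $data -and $data -eq 0)
        }
    }
}

function Get-JnlpAssociation {
    # Resolve .jnlp -> ProgID -> open command and flag a handler that starts Java.
    $classes = 'Registry::HKEY_CLASSES_ROOT'
    $progId  = (Get-ItemProperty -Path "$classes\.jnlp" -ErrorAction SilentlyContinue).'(default)'
    $command = $null
    if ($progId) {
        $command = (Get-ItemProperty -Path "$classes\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    }
    [pscustomobject]@{
        ProgId       = $progId
        OpenCommand  = $command
        LaunchesJava = [bool]($command -match 'javaws')
    }
}

Get-InternetZoneJavaSetting | Format-Table -AutoSize
$jnlp = Get-JnlpAssociation
$jnlp | Format-List
if ($jnlp.LaunchesJava) {
    Write-Warning '.jnlp opens with Java Web Start again; reapply the file association change.'
}
```

Run it in the user's own session, since two of the three locations are under HKCU, and rerun it after each JRE update.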

From: Kennedy, Jim [mailto:[email protected]]
Sent: Friday, January 25, 2013 10:09 AM
To: NT System Admin Issues
Subject: RE: Java 7 0day actively exploited in the wild | BeyondTrust

If it is over the internet...add that site to trusted and disable Java in the 'internet zone'.

http://blogs.msdn.com/b/ieinternals/archive/2011/05/15/controlling-java-in-internet-explorer.aspx

From: Andrew S. Baker [mailto:[email protected]]
Sent: Friday, January 25, 2013 11:04 AM
To: NT System Admin Issues
Subject: Re: Java 7 0day actively exploited in the wild | BeyondTrust

Be advised that the primary vector for Java exploits into an organization is via the web browser plugin. So, unless your B2B app is over the public network, or requires that the browser plugin be operational, you have some measure of risk reduction.

ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market...

On Tue, Jan 15, 2013 at 1:21 PM, Sam Cayze <[email protected]> wrote:

>>>Does the reward outweigh the risk?

The reward is we get to stay in business :) We have a major partner that requires us to run it for a B2B app. So, we have to use it. But I've made it so just one user uses that app. That and the occasional WebEx stuff, but I uninstall it from people's PCs right afterwards.

So looks like 6 is now the flavor of the month. Hard to keep track. Speaking of months, v6 is EOL in FEB. We'll no longer have the options between 6 and 7 going forward to sidestep all these issues :(

Sam

-----Original Message-----
From: Kennedy, Jim [mailto:[email protected]]
Sent: Tuesday, January 15, 2013 12:10 PM
To: NT System Admin Issues
Subject: RE: Java 7 0day actively exploited in the wild | BeyondTrust

Correct, but 6 is vulnerable to its own set of exploits that were never fixed and they are well known. Arguably the bad guys are paying more attention to attacking 7 now so theoretically you are safer with 6.

Bottom line, Java is insecure no matter what you do and will be that way for several years to come, imho. Risk vs reward. What is the reward for your org for continuing to allow Java to run? Does the reward outweigh the risk?

-----Original Message-----
From: Sam Cayze [mailto:[email protected]]
Sent: Tuesday, January 15, 2013 12:24 PM
To: NT System Admin Issues
Subject: RE: Java 7 0day actively exploited in the wild | BeyondTrust

Am I right in assuming that the latest version of version 6 is, or was, NOT affected by this? Can't find anything out there that suggests it was...

-----Original Message-----
From: Kennedy, Jim [mailto:[email protected]]
Sent: Friday, January 11, 2013 1:34 PM
To: NT System Admin Issues
Subject: RE: Java 7 0day actively exploited in the wild | BeyondTrust

http://www.zdnet.com/homeland-security-warns-to-disable-java-amid-zero-day-flaw-7000009713/

________________________________________
From: Mark Boeck [[email protected]]
Sent: Friday, January 11, 2013 12:15 PM
To: NT System Admin Issues
Subject: Re: Java 7 0day actively exploited in the wild | BeyondTrust

lol - a friend of mine, a Microsoft security MVP, starts her blog off like this: how to uninstall Java!

http://securitygarden.blogspot.com/2013/01/java-zero-day-again-time-to.html

only after that does she post some links about the threat

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
