Java offers enterprises the ability to write code once and run it everywhere. That flexibility comes at a high cost: reduced security on endpoints. It has lately gotten so bad that Java has been nicknamed Just Another Vulnerability Announcement. Oracle has been producing updates that address these vulnerabilities, but many enterprises are slow to roll them out.
We recently conducted internal tests against fully patched Windows 7 systems using Metasploit. Our team had great success breaking into these systems by exploiting Java. All of the testing used the latest releases from Oracle and the latest exploits obtained from various penetration-testing web sites. Recent articles have highlighted that many enterprises are running old versions of Java; our testing showed that companies are still vulnerable even with the latest version.
Exploiting Java with Metasploit
How should a company defend itself against Java exploits when even the latest version can be exploited? For me, the answer is simple: Application Whitelisting.
You can read where SANS listed Application Whitelisting as the number one solution for controlling unauthorized software here. Our internal testing showed that Application Control blocked the signed-applet Java attacks that normally bypass anti-virus and other traditional security technologies. The reason is worth spelling out: a signed applet does not need a sandbox bug at all, it only needs the user to accept the certificate prompt, after which it runs with full privileges and drops a payload executable onto the disk. Anti-virus has to recognise that payload; a whitelist simply refuses to run anything that is not on the approved list, whatever it looks like.
I have restricted Java to isolated virtual machines or to systems protected with application whitelisting. Enterprises running any version of Java should consider its use cases within the organization and then definitely investigate whitelisting as a defense against Java exploits.
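As an added example that is not part of the original post and not the Application Control product it describes, the same kind of policy can be expressed with AppLocker, the whitelisting built into Windows 7 Enterprise and Ultimate. It allows everything already installed under the trusted program directories (so the approved JRE keeps running) and denies any other executable by default, which is where a dropped applet payload lands. The directory list, the rule-name prefix, the JRE path and the placeholder payload path are assumptions for illustration.

```powershell
# Added example, not from the original post: a minimal AppLocker allowlist for
# Windows 7 Enterprise/Ultimate. Approved software (including the installed JRE)
# keeps running; an executable dropped outside the trusted directories, the way a
# signed-applet attack delivers its payload, is denied. Run from an elevated shell.
# Paths, the rule-name prefix and the test payload path are assumptions.

# AppLocker rules are enforced by the Application Identity service.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 1. Inventory the executables in the trusted locations. Publisher rules (signer and
#    product name) survive routine Java updates; hash rules cover unsigned files.
$trusted = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'   # assumption
$info = $trusted | ForEach-Object {
    Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe
}

# 2. Build allow rules for Everyone. -Optimize merges rules that share a publisher.
$policy = New-AppLockerPolicy -FileInformation $info `
                              -RuleType Publisher, Hash `
                              -User Everyone `
                              -RuleNamePrefix 'Baseline' `
                              -Optimize

# 3. New-AppLockerPolicy leaves EnforcementMode unset, so unmatched files would still
#    run. Switch the Exe collection to enforce before applying anything.
$xmlPath = "$env:TEMP\applocker-baseline.xml"
$xml = [xml]($policy.ToXml())
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) {
    if ($rc.Type -eq 'Exe') { $rc.EnforcementMode = 'Enabled' }
}
$xml.Save($xmlPath)

# 4. Dry-run before applying. java.exe should be Allowed by a publisher rule; the
#    stand-in for a dropped payload (an unsigned file in %TEMP%) should come back
#    DeniedByDefaultRule because no rule matches its publisher or hash.
$javaExe = 'C:\Program Files (x86)\Java\jre7\bin\java.exe'   # assumption: default 32-bit JRE 7 path
$dropped = "$env:TEMP\payload.exe"                            # assumption: placeholder for the applet's payload
Set-Content -Path $dropped -Value 'stand-in for an unsigned dropped payload' -Encoding Ascii
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path $javaExe, $dropped -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $dropped

# 5. Apply. Without -Merge this replaces the local policy; use a GPO for a fleet.
Set-AppLockerPolicy -XmlPolicy $xmlPath

# 6. Watch for blocks, both attacks and legitimate software that was not inventoried.
#    Event 8004 = blocked by an enforced rule (8003 is the audit-only equivalent).
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 |
    Where-Object { $_.Id -eq 8004 } |
    Select-Object TimeCreated, Message
```

Two caveats a practitioner should keep in mind. This policy only has an Exe rule collection; a payload delivered as a DLL loaded into the java.exe process is covered only if the DLL collection is enabled as well, which AppLocker leaves off by default because of its performance cost. And whitelisting does not patch the JVM: it stops the dropped payload from executing, but code that never leaves the java.exe process is outside what an Exe/DLL allowlist sees, which is why confining where Java runs at all, as described above, still matters.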
Editor’s Note (Updated)
For more information on securing Java, check out new resources (including a Java Scanner) available in the Java Survival Guide.