Java Exploits Will Continue To Rise

Before I want to start I want to say that as a language I like Java and all animosity I ever express towards Java is likely really meant for Oracle.

Oracle is officially promoting Java 7 (u4) to users now. It offers no real security benefits in terms of system compromise but it does depreciate a few broken hash methods like md4. There’s some performance improvements as well but it’s Java so, yeah.

And, once again, they’re not removing old versions of Java when they update users to 7. Yep, Java 7 installs to the side of Java 6. That’ll work out well.

Java already makes up the vast majority of exploits used against Windows systems and now users will likely have two versions installed without realizing it. Not only is that two versions of software that’s exploited daily, they probably won’t even realize the first version wasn’t overwritten so they’ll likely not patch it either. The Java Updater is pretty broken, requires you give it UAC (task scheduler wtf) permissions when it runs, and it’s on like… a 1-week schedule or 1-month by default agh it’s actually painful to talk about.

Incidentally Adobe Flash Player 13 for Firefox is going to be sandboxed by default similar to what Chrome does. It’s not a super strong sandbox but unlike Oracle Adobe actually gives a damn about security (I know, I know) and they’re made really big progress with improved ASLR and this new sandbox, which has involved serious cooperation with vendors.

So, Flash, which is the most exploited software after Java, is now going to be significantly more secure on ~20-30% of computers. Attackers could break the relatively weak sandbox given enough time but why the hell bother? You’ve now got two Java versions sitting on systems ready to be exploited.

And, because it’s Java, exploit once – run anywhere! In a study by (I believe) Sophos they actually found quite a few pieces of Windows malware on OSX machines. The OSX users weren’t infected but they’d run into an exploit that had dropped a Windows payload. I’m betting you can guess which program was dropping them.

I’d say EMET + Java = enough but that’s a lie. JIT and EMET don’t go together, it’s irrelevant really for a lot of the exploits. DEP/ASLR/EAF helps only because it’s the JVM that’s so broken and I absolutely still recommend running EMET with your Java (see my guide) but your best bet is to just uninstall it. Seriously, you can’t rely on EMET here – uninstall it.

Linux users just AppArmor Java (see my guide) and you’ll be fine. Updates are handled by the OS so patching isn’t an issue anyways. Feels good.

Securing Windows

Windows is the most popular and most targeted operating system but a lot of the more common attacks on it are trivial to defeat. This guide will cover some  simple steps to secure Windows and keep your system safe.

Reducing Attack Surface

This should be the first step to securing literally any operating system. Code is attack surface, running code is valuable attack surface, internet facing code is a gold mine.

First thing’s first go ahead and run msconfig.exe. Disable startup applications you have that aren’t important like some toolbar service. Don’t disable applications looking to update.

You can also look in services.msc and disable what you don’t need. Personally, I don’t print from my computer, so right away I can disable the Printer Spooler service. This service has been involved in many infections and an exploit in it allowed for Stuxnet to propogate. There are other services like Computer Browser that you might want to disable. Don’t disable anything without understanding what it is, I suggest you check this wiki out for explanations:

http://www.blackviper.com/windows-services/

I don’t know who that guy is or why that site is the way it is… but the wiki is fine.

You should also uninstall any programs you don’t really run. Maybe you have Java installed but you don’t really know why – get rid of it. Java’s a massive hole on your system. Maybe you have 5 torrent clients for no real reasons, remove 4 of them. Just get rid of what’s on your computer if you don’t need it.

Run EMET

I’ve posted about EMET twice now with an explanation as to what EMET is and a guide to set it up. I highly suggest you follow that guide to the letter.

EMET is probably my favorite tool for Windows security. It’s not going to prevent every exploit ever but pretty much any automated exploit is dead in the water and even a targeted attack will be more difficult against a service running EMET.

If you follow my guide you’ll have many of the critical applications running EMET.

Stay Patched

Staying patched is the easiest way to stay secure. It’s a lot easier for bad guys to exploit known vulnerabilities than to come up with new ones. Even if you’re running EMET and you’ve reduced attack surface if your system is full of vulnerabilities that are well known to every skiddy and hacker out there you’re going to be an easy target.

Set Windows to automatically update.

Guide to set up automatic Windows updates here.

You should also check for browser and plugin updates frequently as these are very commonly exploited.

If you use EMET, uninstall and disable unnecessary software, and keep your system up to date you’re going to avoid most threats for Windows. This isn’t all you can do to secure Windows but if I’ll recommend the above three tips every single time. They’re pretty universal for securing Windows users.