Java Out of Band! This vulnerability fits the profile…

Oracle has announced an out-of-band Java update to resolve a publicly disclosed vulnerability that can be exploited over the network without authentication. The vulnerability fits the profile of one that is more likely to be exploited in 30 days or less.

The Oracle Security Advisory for CVE-2016-0636 provides the CVSS details regarding the vulnerability. The vulnerability has a CVSS of 9.3, access vector is network, access complexity is medium and authentication is none. Confidentiality, integrity and availability are all complete. If you have taken a look at Verizon’s 2015 Data Breach Investigations Report, the pattern indicates there is high risk of this vulnerability being exploited in a short time frame.

In the report, there is a section dedicated to indicators of risk, specifically focused on how they help to profile CVEs that are more likely to be exploited quickly. A vulnerability that ends up in the Metasploit framework is the most obvious indicator, since it would easily be replicated by a Threat Actor to exploit the vulnerability. However, based on the CVE information and analysis of over 67,000 CVEs, the Verizon team was able to uncover a pattern for vulnerabilities that have been exploited, including those exploited in less than 30 days.

The majority of vulnerabilities that have been exploited have an access vector of network; authentication would be none, and access complexity of medium or low. If confidentiality, integrity and availability are complete, and have a CVSS of nine or 10, it falls to a more critical time frame where it is likely to be exploited very quickly. (See image of the figure from the Verizon Breach Report)
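To make the pattern above concrete, here is an added example (not code from the original post, from Shavlik, or from Verizon) that parses a CVSS v2 base vector, recomputes the base score with the published v2 equations, and tiers each vulnerability by the indicators the post summarises. The CVE-2016-0636 vector is rebuilt from the metric values the advisory text gives (network, medium, none, complete/complete/complete); the other feed entries are constructed placeholders.

```python
"""Score CVSS v2 base vectors and tier them by the DBIR "exploited quickly" profile.

Added example. The score equations and metric weights are the published
CVSS v2 base equations; the tiering follows the pattern the post summarises
from the Verizon 2015 DBIR, not a Verizon or Shavlik algorithm.
"""
from dataclasses import dataclass

# Metric weights from the CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}
TIER_RANK = {"critical": 0, "elevated": 1, "low": 2}


@dataclass(frozen=True)
class Cvss2Base:
    av: str  # Access Vector: L(ocal), A(djacent), N(etwork)
    ac: str  # Access Complexity: H(igh), M(edium), L(ow)
    au: str  # Authentication: M(ultiple), S(ingle), N(one)
    c: str   # Confidentiality impact: N(one), P(artial), C(omplete)
    i: str   # Integrity impact
    a: str   # Availability impact


def parse_vector(vector: str) -> Cvss2Base:
    """Parse a v2 base vector such as 'AV:N/AC:M/Au:N/C:C/I:C/A:C'.

    Raises ValueError for a missing metric or an unknown metric value, so a
    malformed feed entry is rejected instead of silently scoring as 0.
    """
    fields = {}
    for part in vector.strip().strip("()").split("/"):
        key, sep, value = part.partition(":")
        if not sep:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        fields[key] = value
    allowed = {"AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
               "C": IMPACT, "I": IMPACT, "A": IMPACT}
    for key, table in allowed.items():
        if key not in fields:
            raise ValueError(f"missing metric {key} in {vector!r}")
        if fields[key] not in table:
            raise ValueError(f"unknown value {fields[key]!r} for {key} in {vector!r}")
    return Cvss2Base(fields["AV"], fields["AC"], fields["Au"],
                     fields["C"], fields["I"], fields["A"])


def base_score(vector: str) -> float:
    """CVSS v2 base score, rounded to one decimal as the specification requires."""
    b = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[b.c]) * (1 - IMPACT[b.i]) * (1 - IMPACT[b.a]))
    exploitability = 20 * ACCESS_VECTOR[b.av] * ACCESS_COMPLEXITY[b.ac] * AUTHENTICATION[b.au]
    if impact == 0:
        return 0.0  # f(Impact) is 0 when there is no impact at all
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176, 1)


def exploit_risk_tier(vector: str) -> str:
    """Tier a vector by the DBIR indicators the post describes.

    critical: network, no authentication, low/medium complexity, C/I/A all
              complete and a base score of 9.0 or higher (the "exploited in
              30 days or less" profile)
    elevated: network, no authentication, low/medium complexity (the profile
              shared by most exploited CVEs)
    low:      anything else (local/adjacent access, authentication required,
              or high access complexity)
    """
    b = parse_vector(vector)
    remotely_exploitable = b.av == "N" and b.au == "N" and b.ac in ("L", "M")
    if not remotely_exploitable:
        return "low"
    if (b.c, b.i, b.a) == ("C", "C", "C") and base_score(vector) >= 9.0:
        return "critical"
    return "elevated"


def prioritize(vectors: dict) -> list:
    """Return (id, tier, score) rows, most urgent patch first."""
    rows = [(vuln_id, exploit_risk_tier(v), base_score(v)) for vuln_id, v in vectors.items()]
    return sorted(rows, key=lambda r: (TIER_RANK[r[1]], -r[2], r[0]))


if __name__ == "__main__":
    # Constructed sample feed. The CVE-2016-0636 vector is rebuilt from the
    # metric values quoted in the advisory (network, medium, none, complete);
    # the other two entries are made-up placeholders for comparison.
    sample = {
        "CVE-2016-0636": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
        "example-partial-impact": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
        "example-local-only": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
    }
    for vuln_id, tier, score in prioritize(sample):
        print(f"{vuln_id:24} {score:4.1f}  {tier}")
```

Run it and the advisory's 9.3 falls out of the network/medium/none/complete vector, which is exactly the combination the DBIR flags for a short exploitation window.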


As a precaution, put some urgency on getting this updated as quickly as possible. Aside from meeting the pattern described above, this vulnerability has been publicly disclosed. The Shavlik Content Team is already working on releasing content for this update.

Microsoft is finally pushing people off of old Internet Explorer versions


Microsoft warned us back in April of 2014 that they would be reducing support for the Internet Explorer browser to cover only the latest version available for each operating system. Well, that date is upon us. January 12, 2016 will be the official end-of-life date for any version of IE older than the latest available for the version of Windows you are running. If you take a look at the original life-cycle announcement, it lists the version that will be supported for each OS. After the January Patch Tuesday release there will be no security updates unless you are on the supported version for that OS.

On January 12, expect to see upgrade notifications on older versions of Windows, if you are running a version of the browser older than the latest. You can disable those notifications if you have a need to continue running an older version of the browser for some reason.

If you need to continue running an older version of IE for some reason, take precautions. After this last IE update, older versions will become a prime target.

  • Virtualize a system with the older version of IE, remove its access to the internet, and restrict access to only the users who require it. Of course, this only works if the browser will be used for an application or site that is internal to your network.
  • If you need to use an older version for access to an external site, you should begin putting pressure on the vendor involved or start shopping around for alternate solutions. In the meantime, you can also install an alternative browser and inform users of those systems that they must use Google Chrome or Mozilla Firefox for everything but that one purpose. Not a great solution.
  • You can add additional levels of protection with products like Bufferzone. This will containerize the browsing experience, protecting the system if the user happens to come across anything malicious.

This one is not a drill, folks. If you recall my assessment of the top five vulnerable vendors from 2015, I called out the three primary contributors to vulnerability counts: OS, browser, and the media/office products. Internet Explorer had the largest single-product vulnerability count in 2014. In 2015 it moved down the list to #7, but that was more due to the significant increase in vulnerabilities in other products. It had only 12 fewer resolved in 2015 than in the previous year. Point being, expect that from the point that older versions of IE are end-of-lifed this month, we will see around 200+ vulnerabilities identified that will go unresolved in the unsupported versions.


A look at the top 5 most vulnerable vendors from 2015

I have read a number of speculative articles recently discussing the number of bulletins and vulnerabilities released/resolved by Microsoft. Was it due to the introduction of Windows 10, Edge and several other product releases this year? I am going to say no. Let’s expand out past looking at just Microsoft, and I think you will agree as well.

Taking a look from a vendor perspective, Microsoft finished 2015 with 135 security bulletins released and a total of 571 vulnerabilities resolved. This is the highest bulletin count ever, over the previous shared 2010/2013 high of 106 bulletins. It also tops last year’s all-time vulnerability high of 376 vulnerabilities resolved across 85 bulletins, and it is more than double the vulnerabilities resolved in 13 of the last 15 years.

Even with 571 vulnerabilities resolved, Microsoft took the No. 2 spot on the Top 50 vendor list on CVE-Details. No. 1 goes to Apple, who finished 2015 with 654 vulnerabilities. Mac OS X contributed 384 of those vulnerabilities, which is more than three times the 2014 count of 130 vulnerabilities resolved. This jumped them from No. 5 in 2014 to No. 1 this year.

Cisco came in third this year with a new all-time high of 480 vulnerabilities resolved. This only tops its previous 2013 high by around 50 vulnerabilities.

Oracle is in the No. 4 spot this year and is the only vendor in the top five that finished the year without topping its vulnerability high. They resolved 479, which is down from their 2013 record of 496 vulnerabilities.

Adobe finished the year in fifth place (up from No. 8) with 440 vulnerabilities resolved. This is a new all-time high and also more than double the previous 2010 record of 207 vulnerabilities. This jump comes from the staggering 295 vulnerabilities resolved in Adobe Flash Player in 2015.

Here is a visual recap of the Top 5:


As you can see there is a trend here, and there are many contributing factors. Exploits and breaches are on the rise. One of my favorite visual examples of this trend is the POS Breaches Timeline from OpenDNS Security Labs. It starts back in 2002 with a six-year gap until the next major event. As you go forward there is an explosion in 2012, and it keeps increasing rapidly. This timeline focuses just on Point of Sale (POS) breaches, but the visual is on a similar trajectory to the broader security industry trend. Threat actors are better organized, better funded and have more tools available to them than ever before. Off-the-shelf exploit kits are a competitive product category in today’s dark web hacking-services markets, and the growth in the number of kits and the features they provide coincides with the drastic increase in breaches we have seen since 2012.

The exploit gap is also shrinking. From the time an update is released to resolve a vulnerability, barring a zero day, you have about two weeks before the exploits start to hit. According to the Verizon 2015 Breach Report, 50 percent of vulnerabilities that will be exploited are exploited within two to four weeks of the release of an update from the vendor. One of the contributors to the Verizon Breach Report, Kenna Security, released an additional report that goes further out and shows that 90 percent of vulnerabilities that will be exploited are exploited within 40–60 days of an update being made available from the vendor. They go on to discuss that many enterprises struggle to release updates within 120 days. In fact, 99.9 percent of vulnerabilities exploited in 2014 were exploited more than a year after an update was made available to resolve the vulnerability. In the case of web exploits, that time falls to less than 24 hours for major vulnerabilities.

We have a general upward trend of exploits and a shrinking window between updates from a vendor and exploit code being made available to take advantage of the resolved CVEs. Events of the three previous years set the stage for vendors in 2015. Let’s take a look at our top 5 vendors and talk about how this trend may have affected each.

Apple has a combination of OS, Browser, and Media player products all of which are prime targets for attackers. Mac OS X is gaining in popularity, but so is OS X related malware. “There’s been an unprecedented rise in Mac OS X malware this year, according to security researchers at Bit9 + Carbon Black, with the number of samples found in 2015 being five times that seen in the previous five years combined.” With such a prolific increase in negative attention, Apple has had to step up its game on resolving vulnerabilities. The company is digging into and resolving vulnerabilities in components that likely did not receive the same level of attention in years past.

Microsoft has long held the OS market, and it has built out browsers, media players and the Office suite of products. Microsoft has been a big target for a long time, and there is no question that the trends we are seeing would have directly affected them. The thing I will add here is that Windows 10 and Edge were likely much less significant in their contributions. OS bulletins released since Windows 10 have affected earlier versions of the Windows OS similarly, and the same vulnerabilities were being addressed across different versions, so there were few net new vulnerabilities introduced by Windows 10. If you look at a filtered view of CVEs affecting Windows 10, you will see in the description a list of many of the currently supported OS versions also affected. Edge did contribute additional security bulletins that would not have been in the mix otherwise, but most of the CVEs affected other components of the OS and the IE browser as well. Similar to Apple, the increase in CVEs is in part due to the fact that they are focused on hardening shared components and products that previously were not being targeted.

Cisco did have an influx of CVEs resolved this year and a new all-time high, but the increase was not nearly as large as Apple’s, Microsoft’s or Adobe’s. Cisco does have its proprietary OS for its devices, and its CVE count is on par with many of the individual Windows OS versions and Linux distributions. It has other products, such as Cisco AnyConnect VPN, that could be an ideal target for attackers, but it does not have a browser or wildly popular media player products (as we will talk about with our No. 4 and No. 5 vendors). With Cisco, the huge product list is the other significant contributing factor, with over a thousand products making small contributions to get them into the No. 3 spot.

Oracle is down from its record 496 CVEs in 2013. It was the only vendor of the top five that didn’t set a new CVE record this year. Probably the most high-profile product with security issues in the Oracle portfolio is Java. Java has been a high-profile target due to its popularity and availability worldwide. More importantly, Java is one of those products that gets neglected too often. Older applications built to run on Java often required a specific version of Java. If you updated Java, you broke the application. This resulted in an easily exploitable scenario that threat actors have taken advantage of for years and still do. It was so easily exploitable that a site was created to track how many days had passed since the last Java Zero Day. Oracle went through some changes in the past few years, and its security practice seems to be paying off. It reached 723 days without a Zero Day until CVE-2015-2590 hit earlier this year. It is back up over 150 days since the last Zero Day, and its total CVE count (80) is trending down from the 2013 peak of 180 CVEs resolved.

Adobe charged into the top five this year with the most significant increase over the previous year. With over three times the increase in CVEs resolved, Adobe had a busy year and much of the attention was on Adobe Flash Player. Adobe Flash Player has gained the same broad use and popularity that caused Java to become a target. It has, quite possibly, topped Java for its notoriety as a vulnerable product. This year Adobe faced a staggering eight Zero-Day streak. Early in the year three Zero-Days were reported in a two-week span. The Hacking Team breach uncovered a few more mid year and it did not stop there. Security experts have called for the death of Flash Player from Brian Krebs’ life without Flash Player series to tech giant Google killing Flash in its browser. Flash Player contributed 295 of the 440 total Adobe CVE count for 2015, which more than doubled the 2014 count of 138 on its own. Adobe is trying to move away from Flash and in January 2016 it will restrict distribution of Flash Player by removing it from its public download pages and restricting access to companies with Adobe Enterprise Agreements in place.

So from the pattern we are seeing, OS and commonly used media products are a significant contributor to counts for our top 5 vendors. Browsers are another significant contributor. Apple Safari and Microsoft Internet Explorer and Edge contributed 135 and 231 CVEs respectively to their vendor’s total counts this year. Two vendors worth noting that did not quite make the top five are Google and Mozilla. Google Chrome contributed 185 out of Google’s total 321, putting them in the No. 6 spot for vulnerabilities by vendor. Mozilla Firefox contributed 177 out of 187 total, placing them at No. 8 for vendors in 2015. So in the great browser faceoff, you have the following:

  • Microsoft Internet Explorer with 231 CVEs falls in at No. 4 for vulnerable products and No. 1 for browsers.
  • Google Chrome with 185 CVEs falls in at No. 8 for products and No. 2 for browsers.
  • Mozilla Firefox with 177 CVEs falls in at No. 9 for products and No. 3 for browsers.
  • Apple Safari with 135 CVEs falls in at No. 19 for products and No. 4 for browsers.
  • Microsoft Edge with 27 CVEs makes the list, but I would not place them this year as they were a late year entry into the race. We will see where they fall next year.

Overall you can rest assured that if you are running a computer with an operating system, a variety of media player products and a browser, you are as vulnerable as you can possibly be. The window between product release and exposure has shrunk considerably, so you need to be proactive and effective in deciding what you will deploy and how frequently. So what to do? You need to bring your processes and tools up to a new level to deal with these threats.

Challenges:

  • Updates can break critical systems. Yes, but with proper prioritization you can reduce this risk by making sure to deliver updates for the vulnerabilities most likely to be exploited. There are threat indicators out there that will tell you much of what you need to know. You can join our Shavlik Patch Tuesday webinar series where we discuss updates that occur on the infamous Patch Tuesday, as well as other releases and indicators that will help you here. We will be posting 2016 versions of that series shortly, and you can catch a playback of the December webinar there as well.
  • I run maintenance once a month and users complain about that event. You want me to update more frequently? Yes, we are absolutely saying any system with an end user must be updated more than once a month if you are going to weather this storm. Features of our Shavlik Protect + Empower products are specifically designed to ensure you can reach users wherever they go and also work around their needs to reboot and finalize installs of updates effectively. The ProtectCloud enabled agents allow you to push policy updates to systems that reside off network without opening security risks to your network or the end user system. We host this service for you and provide it as part of the base feature set of our product so you can reach those systems and ensure you can report on them no matter how long they stay off network. With our SafeReboot technology you can provide the user a variety of reboot options from deferring reboot for up to seven days, reboot at logoff or at next occurrence of a specified time.
  • I am on SCCM and cannot switch to another solution, so how do I cover the frequency of product updates and the number of products that are on my network? We have a plug-in for Microsoft System Center Configuration Manager (SCCM). It is called Shavlik Patch and provides our catalog of third-party updates, including those we spoke about above, so you can quickly publish those updates in SCCM without changing your infrastructure or the processes you have in place.

Protecting Against Phishing


A recent survey by Blue Coat Systems highlighted the continued threat of poor user IT security behavior. One of the interesting results related to phishing found that 17 percent of US employees open unsolicited emails despite 80 percent viewing such behavior as a serious risk. In today’s mature phishing and spear phishing environment, businesses should refresh their protection measures against such behavior.

Phishing and Spear Phishing Revisited

As a quick refresher, phishing is when unsolicited emails are sent out in mass with malicious URLs, or attachments, that will result in the potential compromise of a computer by malicious software.

Spear Phishing goes one step further and creates messages that appear to come from a trusted or known source such as your bank, ecommerce website, or a personal connection. If 17 percent of US employees are opening unsolicited emails, it is fair to assume that the rate would be significantly higher for a spear phishing attack where the sender is assumed to be trusted.

Steps to Protect

Here are a few steps to add or review in the battle against phishing.

  1. Keep applications patched
  2. Remove administrator privileges
  3. Containerization
  4. SPAM filters
  5. Anti-malware
  6. User education

Application Patching

Much has been said about patching operating systems, but most phishing attacks will exploit a browser or application. In the case of a browser, a URL can be shortened, lengthened, or have a domain name that is slightly off, leading to a link that exploits a browser vulnerability. Keeping browsers up to date with patch management software (shameless plug) is critical to success. Even in a highly managed environment, end users can still install alternates, so inventory and patch everything.

As to other applications, the exploit can be a malicious PDF, Office document, or something similar. Phishers are going after big targets, so keep all your software patched as well as your operating systems.

Remove Administrator Privileges

Less common in the US than in Europe and Asia is the removal of administrator rights. Many users want to run with an administrator account so they can install their own software and modify operating system settings. Where users have administrator accounts, privilege management software (such as Arellia Application Control Solution) can reduce the privileges of targeted software such as browsers, PDF readers, and email clients. By reducing the privileges of applications, exploits will be limited in their impact (a browser crash versus a malicious program being installed).

Containerization

Containerization is a newer technology similar to operating system virtualization, except applied to applications. With containerization software (such as BUFFERZONE), an application doesn’t have the ability to access other application data or certain areas of the operating system. Should a browser be compromised, the access is limited to that container. This has been the model for mobile operating systems such as iOS and Android, and proved to be fairly successful.

SPAM Filters

There isn’t much to be said here other than you need to prevent bad behavior by never giving users the choice. While not perfect, a good SPAM filter can reduce the number of decisions users need to make, not to mention reduce the number of emails one needs to review and delete daily.

Anti-malware

Although frequently maligned these days, it is still important to use anti-malware software to protect against malicious exploits. It may not catch the zero-day vulnerability attacks or advanced threats, but not everything will be that sophisticated.

User Education

Sometimes it feels hopeless after a study like this, but user education should still be provided to reduce risk. Not every user will learn, but you can assume some users will apply better behaviors and not click on that enticing email that leads to a path of doom and dismay.

Summary

These are a few recommendations, but not a comprehensive list. Apply these steps to reduce the risk of phishing in your environment.

Why you should #fearthetoaster!

Back to work after a long holiday weekend! I thought I would start the week off with a recap of LANDESK Interchange 2015. The show was great! The very first keynote showed off some of the new workspaces which bring together LANDESK Systems Management and Service Desk features for the user that will make life easier. The ability to use your phone to take an image of on-screen errors and have a solution presented to you, without having to contact IT directly, was pretty cool. The new security workspace was also very interesting to see, but the highlight of the keynotes for me was on day two and three.

The keynote on day two focused on security. Rob Juncker, Tom Davis, and Steve Morton talked about how more devices are being connected to the internet every day. The Internet of Things is bringing us more innovative life experiences than ever, but with this more connected world we have larger concerns. Self-driving cars, internet-connected toasters, voice-activated TVs (which vendors admit are spying on you), and much more are getting connected every day. Rob then scared everyone by talking about that internet-connected toaster and how it may be used in an attack to potentially burn down a house. Scary realization.

On the final day of the event, we had a guest keynote speaker, Marc Goodman, author of Future Crimes. Marc hit on all the topics from the keynote the day before and really opened some eyes. Marc talked about the exponential growth of technology and the proliferation of internet-connected devices. And while really cool things may come of these trends, ultimately, it is leading us to a world where crime knows no borders, no boundaries, and becomes less and less personal. A good example of this is the hacking ring which reportedly has stolen up to $1 billion from banks globally. These are not street thugs walking into banks with masks on, but cybercriminals with the skills to target more than 100 banks in 30 countries.

Marc talked about the risks the future brings if we are not diligent about security. Risks like exploiting vulnerabilities in a car and he even went as far as to share this photo in reference to the previous day’s keynote conversations around toasters #fearthetoaster.


While no toaster exploits have occurred yet, the message was clear. In a future where more of our world will be connected, more of that world will be exposed to risks. Marc’s message was about awareness. We can do great things if we work together. If companies do their part in securing the customer and personal data they collect, and if the new innovators creating the next connected device do so with security in mind, we can mitigate these risks.

Check out Marc’s Update Protocol on his website and his book Future Crimes. There are some tips here that will help you protect yourself and your company.

Mobile Data Security + User Freedom = Shavlik’s Newest Product: Secure Mobile Email by LetMobile

Shavlik is happy to announce that we have added a new product, Secure Mobile Email by LetMobile, to our product line. LetMobile is a secure email solution that brings the same effectiveness and ease of management that you have come to expect from Shavlik to the challenge of protecting corporate information on mobile devices.

Today, I sat down with product manager Eran Livne to learn more about Secure Mobile Email by LetMobile. Eran has led this product from its inception and has spent years studying the mobile device management space.


Anne: Why LetMobile? What problem does it solve for our friends in IT?

Eran:  There’s a new challenge with all of these smart devices.  Users buy devices and want to use them for work; however, they don’t want IT to control them and have less concern about security. IT is used to managing and controlling, owns security, and is held responsible if a data breach occurs. There is a huge gap between the interests of these two sides.


Anne:  How do we bridge this gap?

Eran:  LetMobile was built to find this balance and to bridge this gap. We provide the best of both worlds; IT gets security compliance management and data protection, and users get a native email experience on the device of their choosing. They don’t have to use subpar email clients to consume corporate emails or separate the process of reading work email from reading personal email.

With LetMobile, security policies apply only to corporate data, so the solution has no knowledge or control over personal data or apps. This means users are free to use their devices how they wish, do not need to fear corporate “big brother,” and don’t have to comply with annoying policies like being forced to lock their devices or granting the company access to wipe their devices.


Anne:  Wow, that sounds almost too good to be true. How does LetMobile work?

Eran:  LetMobile is a gateway solution. We offer on-premise and SaaS offerings that act as an intermediary between Exchange (or your email service) and user devices. The LetMobile gateway streams email to the device, so email and email attachments are never stored on the device. Additionally, corporate credentials are never stored on the mobile device, so if the device is lost, the user’s corporate creds cannot be compromised.


Anne:  Beyond basic email security what are some of the other cool capabilities of LetMobile?

Eran:  LetMobile includes data loss prevention (DLP) capabilities that look into the “body” of emails and attachments and can take action based on the presence of keywords or regular expressions. This coupled with LetMobile’s geo-fencing capabilities means say a financial institution could enforce a policy where customer account numbers are masked in emails unless the device is in a trusted location. LetMobile can keep confidential information from leaving the four walls of your corporate headquarters and even your country’s borders.


Anne:  If readers want to learn more about LetMobile or see a demo, what should they do?

Eran:  We have a wealth of information out there on our website. Check out…

Also, Shavlik will be hosting a number of live LetMobile webinars in the coming weeks, so stay tuned to our webinars page for more information.

Beyond Patch: Shavlik Protect IT Scripts

As we continue in our “Beyond Patch” video blog series, let’s examine Shavlik Protect’s ITScripts capabilities.

Protect’s ITScripts allow you to run PowerShell scripts on targeted machines at a scheduled time.

Why is this important?

  • You can automate the performance of mundane maintenance tasks like Check Disk or defrags. Tasks that often get left undone due to time constraints can now be done automatically at a time of your choosing.
  • You can acquire information about the machines in your environment. For example, you can run scripts to report on disk space or when the machine was last rebooted.
  • Shavlik Protect provides a library of scripts you can use OOTB or…
  • You can create your own PowerShell scripts and use Protect to schedule and to deploy them. This means that nearly any operation can be automated.

Check out this video where Shavlik Product Evangelist John Rush walks you through the ITScripts capabilities within Shavlik Protect. For more information, please contact us at sales@shavlik.com.

March Patch Tuesday Round Up

What would Patch Tuesday be without a Critical IE Cumulative Update? It would probably just feel wrong. So it is no surprise that the lead-in patch for this month was an IE Cumulative, was rated Critical, and covers a whopping 18 CVEs. Needless to say, this is the most important update to push for March.

There was also a Security Advisory for IE and an update from Google Chrome to add plug-in support for the Adobe Flash patch that released on the 11th. While this Flash update was only rated as a Priority 2 (by Adobe’s definition of severity), this update replaces APSB14-07 from February 20th, which was a Priority 1. That update resolves three CVEs of a more serious nature. Unless you are patching your endpoints multiple times each month, that puts the Flash update at a high priority in our opinion. The other two Flash updates we have seen so far this year (1/14 and 2/4) resolve three additional high-priority CVEs. Long story short, UPDATE FLASH!

Google Chrome had an update to the Stable Channel resolving 4 high-priority CVEs and 3 additional vulnerabilities that were not as severe. The 4 highs plus the Flash plug-in push Chrome up into the spotlight with IE and Flash this month. Roll those three product updates out ASAP!

Aside from that, Microsoft did have another Critical update this month, in DirectShow (MS14-013), which should be a priority. While there are no active attacks currently identified, the vulnerability could allow Remote Code Execution by enticing a user to click on a JPG file in IE. This type of exploit re-emphasizes the importance of the least privilege rule. It could mean the difference between giving the attacker the keys to the kingdom versus the keys to the room they entered.

The Important bulletins for March may not be as high a priority, but we have two Security Feature Bypass vulnerabilities, in the SAMR protocol and in Silverlight. Although possibly more difficult to exploit and not currently being exploited in the wild, you will want to get these rolled out in a timely manner. We also have a Kernel-Mode Driver to update. Again, only rated as Important, but as with all kernel updates, you will want to ensure proper testing before rolling out.

For these types of updates and more, join us each month for the Shavlik Patch Tuesday webinar. In this monthly webinar we discuss the Microsoft and 3rd-party updates that affect you and your users. We focus on Patch Tuesday, but we also discuss what happens in between. Remember, 86% of attacks on reported vulnerabilities target 3rd-party applications. Those vendors do not release on the same schedule as Microsoft, and what happens between Patch Tuesdays can often be of more importance than what happens on Patch Tuesday.


Avoid the latest Java Zero Day by upgrading to Java 7 today

If you have not read up on the ZDNet and other posts regarding this exploit, here is a link to an article talking about it in more depth. If you are still on Java 6, you are vulnerable to this Java vulnerability. Java 7 update 21 and earlier are also exposed. There is an exploit kit available to hackers for $450; they can purchase a way to exploit this vulnerability off the shelf. This means it is past time to upgrade your Java runtime.

So, Shavlik Protect users, here are some easy steps to create a scan template that lets you deploy the Java 7 update 25 upgrade to your machines to ensure they are up to date.

For users on Protect 9.0 the steps are as follows:

  1. Create a new Patch Group by clicking on the +New > Patch Group…
  2. Name the Patch Group “Java 7 Software Distribution”
  3. Click Add and sort by the QNumber column. Select QJAVA7U25N and QJAVA7U25X64N and save the patch group.
  4. Click +New > Patch Scan Template… and name it Java 7 Software Distribution.
  5. On the Filtering tab, uncheck Patch Type > Security Patches, set the Patch filter to “Scan Selected”, click the “…” button and select the “Java 7 Software Distribution” patch group.
  6. Click on the “Software Distribution” tab and check the box to enable Software Distribution.  Save the scan template.
  7. Scan and Deploy the Java 7 update 25.

The best way to protect against this zero day is to eliminate the presence of Java 6 and this should be an easy way to do so.

Chris Goettl