Summary

Matthew J. Harmon's (ISC)² Twin Cities Chapter presentation, Java Exploits: Offense and Defense, delivered on October 24, 2012, examines the pervasive risk of client-side Java vulnerabilities and explains why these flaws represent a critical attack vector for organizations. Harmon, drawing on his two decades of security experience, shows how the Java sandbox can be bypassed via reflection and code injection (as demonstrated by high-impact exploits documented by researchers such as Joshua Drake and Adam Gowdiak) and underscores the urgency of addressing these pervasive weaknesses.

Attacks

The talk begins by quantifying the threat: in 2012 alone, 23 out of 50 Oracle JRE vulnerabilities carried a CVSS score of 10, signaling complete system compromise without authentication. Harmon dissects sample exploit code that disables the Java SecurityManager by injecting an AllPermission-granted ProtectionDomain, illustrating how easily an attacker can escalate privileges. He reviews major sandbox escapes and stresses that patch cycles alone cannot keep pace with adversaries who weaponize newly discovered flaws.

Defense

To counter these risks, Harmon presents a two-pronged defense strategy. On the technical side, he advocates strict whitelisting of Java applets via Group Policy, Click-to-Run settings in browsers to prevent drive-by code execution, and deployment of inline or local sandboxes (such as Invincea's VM-based isolation or FireEye appliances) to contain untrusted code. Complementing this, he urges policy-driven measures: eliminate Java where it isn't business-critical, enforce inventory and configuration controls per the SANS Critical Security Controls (especially Controls 1-5), and integrate Java risk assessments into broader security governance. By combining these controls, organizations can substantially reduce their Java attack surface and stay ahead of emerging exploit techniques.
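As an added illustration of the applet whitelisting Harmon recommends (this is not from his slides, which describe Group Policy; it uses Oracle's Deployment Rule Set mechanism, introduced after this talk in Java 7u40), the ruleset below allows applets only from one assumed intranet host and blocks everything else. The hostname, message text and rule ordering are assumptions for the example; rules are evaluated top to bottom, so the catch-all block rule must come last.

```xml
<!-- DeploymentRuleSet.xml: allow Java applets from one trusted intranet
     host, block all others. The location is an assumed placeholder. -->
<ruleset version="1.0+">
  <!-- Allow-list entry: only applets served from this origin may run.
       Use https so the origin cannot be spoofed on the wire. -->
  <rule>
    <id location="https://intranet.example.com" />
    <action permission="run" />
  </rule>

  <!-- Catch-all: an <id /> with no attributes matches every other applet.
       "block" prevents drive-by execution from arbitrary web pages. -->
  <rule>
    <id />
    <action permission="block">
      <message>Java applets from this site are blocked by policy.</message>
    </action>
  </rule>
</ruleset>
```

To take effect, the file is packaged as DeploymentRuleSet.jar, signed with a certificate the client trusts, and placed in the system deployment directory (on Windows, C:\Windows\Sun\Java\Deployment). Because the catch-all rule blocks rather than prompts, a user cannot click through to run an unlisted applet, which is the property that stops the drive-by sandbox escapes the Attacks section describes.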

Presentation

Java Exploits: Offense and Defense