PaulDotCom mailing list archives

Re: Java Updates
From: "Gibson, Samuel" <gibsons () my uwstout edu>
Date: Mon, 19 Jul 2010 12:14:44 +0000

I just wanted to thank everyone for the suggestions.  I really appreciate all the help.

-Sam
________________________________________
From: pauldotcom-bounces () mail pauldotcom com [pauldotcom-bounces () mail pauldotcom com] on behalf of Jordan Wagner [jmwagner () gmail com]
Sent: Saturday, July 17, 2010 10:55 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Java Updates

I wrestled with this in my Active Directory environment.  Here's what
I settled on that didn't use 3rd party tools, which arguably may have
made this much easier if you had budget to cover such tools.  If you
use WSUS and have budget for tools to help you in this, Secunia has a
nice product called CSI that works with this to help deploy such updates.

We use Active Directory GPO to deploy software installation baselines,
and we deploy Java in this way too.  Our practice to deploy
new/updated versions is to delete the old package and select the
option that tells AD to uninstall the package from the computers
immediately (which means next reboot for the computers in scope.)

So when a new version of Java comes out, you get the offline Windows
installer at http://java.sun.com/javase/downloads/index.jsp as Bugbear
suggested.  Follow Java's own backward instructions for snagging the
MSI out of the installer:
http://www.java.com/en/download/help/msi_install.xml.  From there, you
can use the MSI as-is if you want, and deploy it with a new software
installation package in your GPO.

You may want to edit the MSI.  I used to use Orca for this - now I use
a tool called InstEdIt http://www.instedit.com/.  For this, I edit out
some options such as the Java auto-updater.  (This is debatable, but
in my environment a controlled update is preferable.  We stay on top
of new releases and start our testing process immediately.  If the
update contains security fixes for exploited vulnerabilities, we speed
up the testing process and aim to deploy the update before the end of
the business week.)  There is good guidance to be found on what
properties in the MSI to edit at AppDeploy:
http://www.appdeploy.com/packages/detail.asp?id=38

As we create the new GPO software install package, we remove the old
one and set it to uninstall automatically.  The next step is the one
you can't control as easily:  we email our users and ask them to
pretty please reboot at the end of their business day.  Your mileage
will vary on this with users who ignore such requests, vacations,
emergencies that force users to ignore this, etc.  WMIC scripting can
monitor rebooting compliance (look for scripting examples to use "wmic
os get LastBootUpTime"), as Nessus scans and the like verify your Java
versions are patched.

Best of luck.  If you find a better (& free) way to do this, please
don't forget to tell us.  :)

--JW

On Fri, Jul 16, 2010 at 2:24 PM, Gibson, Samuel <gibsons () my uwstout edu> wrote:
Hello,

Does anyone have a recommendation as to how to keep java up to date on a
corporate network?  There does not seem to be a good way to do this and
users are not likely to click on the update notification that java
provides.

Thanks,
Sam
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
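
Added example, not part of the thread: one way to turn the "wmic os get LastBootUpTime" check mentioned above into a reboot-compliance report. It assumes the boot times were collected as CSV (for instance with `wmic /node:@hosts.txt os get LastBootUpTime /format:csv`); the host names, timestamps, deployment time and function names are constructed for illustration.

```python
import csv
import re
from datetime import datetime, timedelta, timezone

# CIM_DATETIME: yyyymmddHHMMSS.mmmmmm, then the UTC offset in minutes (+/-UUU).
CIM_RE = re.compile(r"^(\d{14})\.(\d{6})([+-])(\d{3})$")

# Constructed sample output; host names and times are made up.
SAMPLE_WMIC_CSV = """
Node,LastBootUpTime
WS-ACCT01,20100716174502.375199-300
WS-ACCT02,20100712081130.125000-300
WS-HR07,20100717063015.500000-300
WS-LAB03,20100716120000.000000+060
"""


def parse_cim_datetime(value):
    """Convert a WMI CIM_DATETIME string to a timezone-aware datetime."""
    m = CIM_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a CIM_DATETIME value: {value!r}")
    stamp, micros, sign, minutes = m.groups()
    offset = timedelta(minutes=int(minutes) * (1 if sign == "+" else -1))
    local = datetime.strptime(stamp, "%Y%m%d%H%M%S")
    return local.replace(microsecond=int(micros), tzinfo=timezone(offset))


def reboot_compliance(wmic_csv, deployed_at, in_scope):
    """Return (stale, missing): hosts last booted before deployed_at, and
    in-scope hosts that returned no row (powered off, unreachable)."""
    lines = [ln.strip() for ln in wmic_csv.splitlines() if ln.strip()]
    boots = {row["Node"].upper(): parse_cim_datetime(row["LastBootUpTime"])
             for row in csv.DictReader(lines)}
    stale = sorted(h for h, t in boots.items() if t < deployed_at)
    missing = sorted(h.upper() for h in in_scope if h.upper() not in boots)
    return stale, missing


if __name__ == "__main__":
    # Hypothetical moment the new Java package was assigned in the GPO.
    deployed = datetime(2010, 7, 16, 12, 0, tzinfo=timezone(timedelta(hours=-5)))
    scope = ["WS-ACCT01", "WS-ACCT02", "WS-HR07", "WS-LAB03", "WS-EXEC02"]
    stale, missing = reboot_compliance(SAMPLE_WMIC_CSV, deployed, scope)
    print("not rebooted since deployment:", stale)
    print("no answer:", missing)
```

Hosts in the first list still run the old Java until they reboot; hosts in the second list need a follow-up query before they can be counted either way.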
