Lightys PC-Hilfe Forum

anisella hat geschrieben:Orginalbeitrag Lesen

Da Sun Microsystems selbst die Sicherheitslücke als nicht so dringend betrachtet, beabsichtigt man derzeit nicht vom üblichen dreimonatigen Updatezyklus abzuweichen.
Demnach würde die Lücke erst Ende Juni behoben.

Disabling the java plugin is not sufficient to
prevent exploitation, as the toolkit is installed independently.
.....I believe non-Windows installations are unaffected.

If you believe your users may be affected, you should consider applying one of
the workarounds described below as a matter of urgency.

- Internet Explorer users can be protected by temporarily setting the killbit
on CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA. To the best of my knowledge, the
deployment toolkit is not in widespread usage and is unlikely to impact end
users.

- Mozilla Firefox and other NPAPI based browser users can be protected using
File System ACLs to prevent access to npdeploytk.dll. These ACLs can also be
managed via GPO.

Detailed documentation on killbits is provided by Microsoft here

http://support.microsoft.com/kb/240797

Domain administrators can deploy killbits and File System ACLs using GPOs, for
more information on Group Policy, see Microsoft's Group Policy site, here

http://technet.microsoft.com/en-us/wind ... 10732.aspx

You may be tempted to kill the HKLM\...\JNLPFile\Shell\Open\Command key, but
the author does not believe this is sufficient, as the plugin also provides
enough functionality to install and downgrade JRE installations without
prompting (seriously). However, if none of your affected users are local
Administrators, this solution may work (untested).

As always, if you do not require this feature, consider permanently disabling
it in order to reduce attack surface.