Java 0 Day Exploit – How to Disable Java for IE On Your Network

*** Update Oracle has released Java 7 Update 7. This apparently fixes the 0 Day vulnerability. This is available on the PDQ Deploy Installer Library for both 32-bit and 64-bit Windows. This update is made available for both Free and Pro users. If you are running PDQ Deploy in Pro mode, some additional tweaks will take place before and after the installation (closing browsers, removing the Java Scheduler, etc.). If you are running PDQ Deploy in Free Mode the additional tweaks will not be attempted.***

Everyone knows about the 0 Day exploit discovered in Java 7. There are a lot of people “in the know” who are suggesting that Java 7 users should disable their Java plug-ins. Without debating whether or not disabling is appropriate or overkill we thought we’d help out by showing you how you can use PDQ Deploy (it’s free) to silently disable the Internet Explorer plug-in for Java 7 (updates 4 – 6).

Use the Installer Library to download the Installer that will disable the IE Plugin.

Installer Library

The installer will simply run a quick and dirty batch script on target machines. If you want to view the contents of the batch file you will find it in Java\DisableIEPlugin folder in your Repository (which is usually C:\Users\Public\Documents\Admin Arsenal\PDQ Deploy\Repository).

After you download the package just select it and hit Deploy Now. This will let you choose which targets should have the plugin disabled.

Which computers are vulnerable?

You can find out which computers are affected using PDQ Inventory. Now we are going to scan a few registry keys which you can’t do in Free mode. If don’t have Pro mode, download a free trial. Ready? Let’s do it.

Download and extract this .zip archive. There are three XML files inside. Feel free to open them and inspect the contents. 

From your PDQ Inventory console select File > Import (or hit CTRL+i) and navigate to the directory that contains the extracted files.

Import the file called ScanProfile-JavaPluginIE.xml.

This will create a new Scan Profile. You can view the profile by going to the Scan Profiles panel in your Preferences window. (File > Preferences). Select the Java Plug-in for IE Scan Profile.You will see that we have added two Registry scanners to this Profile.

See more about scan profiles here.

Scan your systems using the new Java Plug-in for IE profile. (see image below)

ScanwithProfile

 

While your systems are scanning import the other two XML files. After importing you will notice that you have a new Collection called Java 7 – IE Plugin Enabled. This will contain computers which have the UseJava2IExplorer value set to 1. Since we are only disabling Java 7 systems, the UseJava2IExplorer value will not be changed for earlier versions. (See Collection definition below)

JavaPluginCollection

The next File to import is a Report. (See images below)

Java Plugin Report Columns

Java Plugin Report Filters

Here’s a step-by-step video.

Silently disabling the Plugins for Firefox and/or Chrome is a lot more involved. If we find that this can be accomplished via a deployment we will make a new blog post.