EMET and Java JRE RRS feed

  • General discussion

  • I don't have anything to add, but I wanted to start this thread to start to gather experiences of enabling EMET on Java processes.

    Not a lot of Google Bing results and I hope this brings some enterprise-specific feedback.

    My idea of a party is a virtualization server and a room of TechNet DVDs

    Thursday, May 19, 2011 12:03 AM

All replies

  • DEP on Java installer causes it to crash. The .msi installer still works, but you have to get that from a machine that just had it installed.

    Therefore, I don't recommend setting DEP as Always On or using Maximum Security Settings. Choosing Application Opt Out works fine.

    Thursday, May 19, 2011 2:14 AM
  • Doesn't help if some of us use "Max settings" to nuke virus chances on people who are careless about what they click on. I also put the blame for this on Oracle-Sun for having an installer that tries to put a toolbar (Bing/Yahoo usually) on your system.
    Friday, May 20, 2011 12:49 PM
  • The security difference between Always on and Opt-out is marginal. I think it's worth the extra compatibility (pretty sure other issues exists)

    It has nothing to do with the toolbars, which install fine with Max settings.

    Sunday, May 22, 2011 12:25 AM
  • I have yet to experience an issue but am using already installed Java enviroments thus far.

    I've enabled max system security settings (minus global mandatory ASLR), and tested java at java.com to see if it loaded. So far, so good and no crashes.

    I enabled EMET protection on java.exe, javaw.exe, and javaws.exe.

    Monday, May 23, 2011 1:50 PM
  • Does anyone know of a real-world attack that EMET will mitigate with Java?
    My idea of a party is a virtualization server and a room of TechNet DVDs
    Monday, May 23, 2011 9:53 PM
  • https://www.owasp.org/images/0/01/OWASL_IL_2010_Jan_-_Moshe_Ben_Abu_-_Advanced_Heapspray.pdf

    Read the above link for information on how EMET can assist against these attacks.

    The EMET Heap Spray protection is not full proof and will get updated as time goes on, but it should help guard against a large amount of known attacks and reduces the attack surface.

    As new methods evolve, so will the protection.

    At the end of the day, it's better to have some than no protection.

    Tuesday, May 24, 2011 2:51 PM
  • Confirmed :( Stupid Oracle.
    Wednesday, June 15, 2011 12:54 PM
  • I installed EMET 3 on Monday.  Tuesday I added iexplore.exe. Wednesday Explorer 9 still working fine.  Today I can't add Java jre7 no matter what I try.  NOTHING happens.  When I click ADD the screen comes up to select C: - I go to programs86 and there is Java. I click on it and nothing happens. Nothing changes or shows up as addad after I restart.  My first try (explorer) was so easy and simple.  What am I doing wrong?  Thx for any help.  Brian - Charlotte, NC
    • Edited by Mahler9 Wednesday, December 12, 2012 6:52 PM
    Wednesday, December 12, 2012 6:49 PM