PaulDotCom mailing list archives
Re: Java Updates
From: "Gibson, Samuel" <gibsons () my uwstout edu>
Date: Mon, 19 Jul 2010 12:14:44 +0000
I just wanted to thank everyone for the suggestions. I really appreciate all the help. -Sam ________________________________________ From: pauldotcom-bounces () mail pauldotcom com [pauldotcom-bounces () mail pauldotcom com] on behalf of Jordan Wagner [jmwagner () gmail com] Sent: Saturday, July 17, 2010 10:55 AM To: PaulDotCom Security Weekly Mailing List Subject: Re: [Pauldotcom] Java Updates I wrestled with this in my Active Directory environment. Here's what I settled on that didn't use 3rd party tools, which arguably may have made this much easier if you had budget to cover such tools. If you use WSUS and have budget for tools to help you in this, Secunia has a nice product called CSI that works this to help deploy such updates. We use Active Directory GPO to deploy software installation baselines, and we deploy Java in this way too. Our practice to deploy new/updated versions is to delete the old package and select the option that tells AD to uninstall the package from the computers immediately (which means next reboot for the computers in scope.) So when a new version of Java comes out, you get the offline Windows installer at http://java.sun.com/javase/downloads/index.jsp as Bugbear suggested. Follow Java's own backward instructions for snagging the MSI out of the installer: http://www.java.com/en/download/help/msi_install.xml. From there, you can use the MSI as-is if you want, and deploy it with a new software installation package in your GPO. You may want to edit the MSI. I used to use Orca for this - now I use a tool called InstEdIt http://www.instedit.com/. For this, I edit out some options such as the Java auto-updater. (This is debatable, but in my environment a controlled update is preferable. We stay on top of new releases and start our testing process immediately. If the update contains security fixes for exploited vulnerabilities, we speed up the testing process and aim to deploy the update before the end of the business week.) There is good guidance to be found on what properties in the MSI to edit at AppDeploy: http://www.appdeploy.com/packages/detail.asp?id=38 As we create the new GPO software install package, we remove the old one and set it to uninstall automatically. The next step is the one you can't control as easily: we email our users and ask them to pretty please reboot at the end of their business day. Your mileage will vary on this with users who ignore such requests, vacations, emergencies that force users to ignore this, etc. WMIC scripting can monitor rebooting compliance (look for scripting examples to use "wmic os get LastBootUpTime"), as Nessus scans and the like verify your Java versions are patched. Best of luck. If you find a better (& free) way to do this, please don't forget to tell us. :) --JW On Fri, Jul 16, 2010 at 2:24 PM, Gibson, Samuel <gibsons () my uwstout edu> wrote:
Hello, Does anyone have a recommendation as to how to keep java up to date on a corporate network? There does not seem to be a good way to do this and users are not likely to click on the update notification that java provides. Thanks, Sam _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
Current thread:
- Java Updates Gibson, Samuel (Jul 16)
- Re: Java Updates Pommerening, Jeremy (Jul 16)
- Re: Java Updates Bugbear (Jul 17)
- Re: Java Updates Jordan Wagner (Jul 18)
- Re: Java Updates Gibson, Samuel (Jul 19)
- Re: Java Updates Pommerening, Jeremy (Jul 16)