PaulDotCom mailing list archives

Re: Howto update (security patches) Java on Windows 8


From: Carlos Perez <carlos_perez () darkoperator com>
Date: Wed, 22 May 2013 08:48:36 -0400

Another method is to use the WSUS Package Publisher http://wsuspackagepublisher.codeplex.com/ ; still, you will need a 
software inventory solution or build your own. That is just basics for security: no way to be able to be effective at 
determining risk if you do not have a host and software inventory. The modification of the MSI is so it removes Java 6 
if you do not use it. Also remember there is more than one packaged version of Java: you have the JDK, JRE and some 
software even bundles it, so a proper inventory will help. You can use WMI or SMB Remote Registry to look for Java in 
the install/uninstall keys and set firewall rules so only the server segment or your management segment has access to 
the WMI/SMB ports (reduces chances of pass the hash in case of compromise). My recommendation: build a lab, test, 
document and re-deploy in lab from clean; once you have the process down, with each new version it is just a matter 
of updating the package. WMI filters are a good way to determine if Java is installed or not, to determine which hosts 
a policy applies to. 


On May 21, 2013, at 10:08 AM, Guillaume Ross <guillaume () binaryfactory ca> wrote:

In the GPO itself you can mark a package to be installed after the removal of a previous version as well.

I don't recommend using GPOs to push software, especially software that is updated so often and found vulnerable so 
often, because you will have little information on how successful the deployment is.
One day or another, you will end up with a bunch of workstations still running an old Java, or maybe stuck without 
Java. (One could argue - is that really a bad thing? I guess it is if it's really needed).

If you do use GPOs because you don't have anything else, consider using something else (maybe something as simple as 
a script) to output some information about the version of Java on each workstation, and monitor those logs.

Guillaume

On 2013-05-20, at 11:28 AM, Carlos Perez <carlos_perez () darkoperator com> wrote:

2 Methods depending on your inf, the first one would be to extract the MSI from the installer, open the MSI in Orca 
and modify it to remove previous version and publish the MSI via GPO. The second one would be using a third party 
patch management solution.

On May 20, 2013, at 7:29 AM, Alex Kornilov <alex.kornilov3 () mail ru> wrote:

Maybe a very stupid question. How to update (security patches) Java on Windows 8?
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
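
One way to combine the Remote Registry lookup of the uninstall keys with the per-workstation version log suggested in the thread, as an added example that is not part of any message above. The host names, output file and display-name pattern are assumptions, and a Java runtime bundled inside other software that registers no uninstall entry will not appear in the output.

```powershell
# Added example, not from the thread. Needs the Remote Registry service and admin
# rights on each target; run it from the management segment the firewall allows.
function New-JavaInventoryRow($Computer, $Status, $Name, $Version, $Key) {
    [pscustomobject]@{ ComputerName = $Computer; Status = $Status; DisplayName = $Name
                       DisplayVersion = $Version; RegistryKey = $Key }
}

function Get-JavaUninstallEntry {
    param([Parameter(Mandatory = $true)][string[]]$ComputerName)

    $paths = @(
        'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'  # 32-bit installs on 64-bit Windows
    )
    $pattern = '^(Java|J2SE)\b'   # assumed display-name prefixes; does not match "JavaScript"

    foreach ($computer in $ComputerName) {
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
        } catch {
            # Report unreachable hosts so gaps in the inventory stay visible.
            New-JavaInventoryRow $computer "Error: $($_.Exception.Message)"
            continue
        }
        $found = $false
        foreach ($path in $paths) {
            $root = $hklm.OpenSubKey($path)
            if ($null -eq $root) { continue }      # e.g. no WOW6432Node on 32-bit Windows
            foreach ($name in $root.GetSubKeyNames()) {
                $key = $root.OpenSubKey($name)
                if ($null -eq $key) { continue }
                $display = [string]$key.GetValue('DisplayName')
                if ($display -match $pattern) {
                    $found = $true
                    New-JavaInventoryRow $computer 'Installed' $display $key.GetValue('DisplayVersion') "HKLM\$path\$name"
                }
                $key.Close()
            }
            $root.Close()
        }
        if (-not $found) { New-JavaInventoryRow $computer 'NotFound' }
        $hklm.Close()
    }
}

# Constructed host names; the CSV is the per-host log to monitor after each deployment.
Get-JavaUninstallEntry -ComputerName 'WKS-EXAMPLE-01', 'WKS-EXAMPLE-02' |
    Export-Csv -NoTypeInformation -Path .\java-inventory.csv
```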
