Archive for January 2010

Symantec False Positive in Flash install file

I noticed a bunch of computers reporting install_flash_player.exe as a Trojan Horse this morning. My first stop was the Symantec Forum where a bunch of users were already discussing this.
Since it appeared to be a false positive on an older Adobe Flash install file, I set out to see which version of Flash was getting hit. Adobe has an archive of Flash players. I downloaded a zip with every version of Flash 10 and unzipped it to my hard drive. I got a detection on flashplayer10r22_87_win.exe. Once that was quarantined, the easiest thing to do was go into my local quarantine, right-click, and submit to Symantec.

A Symantec support employee points out the KB article for false positives and the virus submission website https://submit.symantec.com/websubmit/gold.cgi. To use that I would have had to disable real-time protection and unquarantine the file, so it was easier to submit from within Symantec. I’m running 1/27 r49 definitions.

Adobe Shockwave Update

Adobe has released an update for Shockwave to patch security vulnerabilities. A security bulletin was released today.

As usual Adobe is giving enterprise admins the finger by advising that in order to upgrade Shockwave, you must first uninstall old Shockwave versions, reboot and then install the new version of Shockwave. Does anyone actually do that? I don’t know about anyone else, but I try to minimize the disruption of my patching program. Part of that is limiting reboots. I can’t think of another application that makes such unreasonable demands. Fortunately I’ve ignored rebooting while upgrading Shockwave and it hasn’t caused me any major issue yet.

I also wonder where Shockwave fits into Adobe’s security program. If it’s so important that Adobe Reader only be upgraded on a planned quarterly basis, then why isn’t Shockwave updated in the same predictable manner? (BTW, I don’t find it helpful to have all my patches released on the same day. I don’t find it feasible to deploy all these patches at the same time, so some items will not be patched as quickly. When a patch is released (assuming there wasn’t already a zero day) there is a mad dash by the bad guys to reverse engineer the patch, find the vulnerable code, and develop an exploit. So releasing the patches any week other than the second week would be preferable.)

If someone finds a Flash zero day next week, I’m going to think someone declared an unofficial “Month of Adobe bugs”.

TweetBrawl

Looks like Purewire has taken a page from AOL’s AIM Fight and put up Tweet Brawl.

AIM Fight attempts to determine how popular you are right this second by looking at your online buddies and their online buddies out to the third degree of separation. It actually uses people connected to you so you can’t game the system by friending the world (like that stupid Luke Wilson AT&T ad).

TweetBrawl is merely follower based. The results aren’t going to change unless someone loses or gains a lot of followers.

If you want to follow me at @infosectweet, maybe I’d have a chance of winning one of these things.

Microsoft Security Advisory for Flash

Microsoft published a security bulletin for Flash 6 which is included in Windows XP. MSKB 979267 recommends removing Flash 6 and installing the latest version of Flash from Adobe.

Maybe it’s just me, but since Microsoft included Flash 6 in the default XP install, shouldn’t they be responsible for patching it? Flash should be part of Microsoft Update.

Fortunately Flash 6 is ancient. I believe a lot of Flash content will prompt you to upgrade to Flash 8 or 9 rather than allow you to use such an old version. Even so, a lot of vulnerable Flash remains.

SEPM Y2k.1

As anyone using Symantec Endpoint Manager (SEPM) to manage SEP11 clients should already know, SEPM has an issue where it thinks virus definition updates from 2010 are older than updates from 2009.

If you aren’t on top of this, you should be subscribed to Symantec emails here. I had also apparently subscribed to something at the Symantec Forums at www.symantec.com/connect.

Symantec is just now starting to push out patches. Currently patches are available for 11.0.3. Keep an eye on this knowledge base article for updates.

So far this has caused three problems that I care about.
1. We use Forescout Counteract to monitor for virus definitions more than a week out of date. I came in one day and found all my computers in the “old definition” group. The defined action was to run LiveUpdate once. That wasn’t too big a problem.
2. Like most SEP admins, I have SEP configured to use SEPM for updates when on my corporate LAN or VPNed in, but to use Symantec’s LiveUpdate servers when on the Internet. It’s important for people to get updates even when away from the office, and that is a simpler solution than putting a LiveUpdate server in the DMZ. The problem is that the Y2K.1 issue was specific to SEPM. As a result, Symantec foolishly used different virus definition numbers for their LiveUpdate servers and for updates through SEPM. So my internal clients are getting 12/31/2009 rev xyz definitions (where xyz is an incrementing number), and people who update directly from Symantec get normal updates dated today. If you are external to the company and you update from Symantec, your defs are dated 1/10/2010. If you go back to work, the defs offered from the server are 12/31/2009. You’ll never get updated while on the corporate network until Symantec fixes the original problem. As I understand it, you are now out of date. Kind of a big problem.
3. Symantec by default notifies users of managed clients when the virus definitions are more than 30 days old. I take this to mean that unmanaged systems get no notification by default. In my environment, managed systems are set to notify users if the virus definitions are more than 14 days out of date. Since we’re coming up fast on January 14th, I’ve disabled the notification. Of course, any computer that isn’t on our network in the next couple of days won’t get the new configuration.
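
As an added illustration (my own example, not Symantec’s code; the real cause of the SEPM defect isn’t documented here), the following hypothetical shows one way a definition-ordering comparison can produce exactly problem 2, using constructed labels in the “M/D/YYYY rev N” form above, and ends with the kind of staleness check behind problems 1 and 3.

```python
from datetime import datetime
from typing import Tuple

# Constructed sample labels in the "M/D/YYYY rev N" form the post describes;
# the revision numbers are made up, not real Symantec definition ids.
SEPM_OFFERED = "12/31/2009 rev 49"      # what the corporate SEPM keeps handing out
LIVEUPDATE_OFFERED = "1/10/2010 rev 2"  # what a client got directly from Symantec

def parse_label(label: str) -> Tuple[datetime, int]:
    """Split 'M/D/YYYY rev N' into (definition date, revision)."""
    date_part, _, rev_part = label.partition(" rev ")
    return datetime.strptime(date_part, "%m/%d/%Y"), int(rev_part)

def newer_label_naive(a: str, b: str) -> str:
    """Hypothetical buggy comparator: orders labels as plain strings.
    '1/10/2010' sorts below '12/31/2009' because '/' < '2', so every
    January 2010 label looks older than any December 2009 label."""
    return a if a > b else b

def newer_label(a: str, b: str) -> str:
    """Correct comparator: compare the parsed (date, revision) tuples."""
    return a if parse_label(a) >= parse_label(b) else b

def server_thinks_newer(client: str, server: str, compare=newer_label) -> bool:
    """Does a server offering `server` consider its set newer than the
    client's `client` set (and therefore keep pushing/withholding it)?"""
    return client != server and compare(client, server) == server

def is_stale(label: str, today: str, max_age_days: int = 14) -> bool:
    """Staleness check of the kind Counteract (7 days) or the SEP client
    notification (14 days in this environment) applies; `today` is M/D/YYYY."""
    def_date, _ = parse_label(label)
    return (datetime.strptime(today, "%m/%d/%Y") - def_date).days > max_age_days

if __name__ == "__main__":
    print("naive comparator picks:", newer_label_naive(SEPM_OFFERED, LIVEUPDATE_OFFERED))
    print("correct comparator picks:", newer_label(SEPM_OFFERED, LIVEUPDATE_OFFERED))
    # A buggy server thinks its 12/31/2009 set beats the returning VPN client's 1/10/2010 set
    print("buggy SEPM thinks it is newer than returning client?",
          server_thinks_newer(LIVEUPDATE_OFFERED, SEPM_OFFERED, newer_label_naive))
    print("SEPM defs stale on 1/15/2010?", is_stale(SEPM_OFFERED, "1/15/2010"))
```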

Hopefully Symantec will get this issue resolved soon. Not sure why they couldn’t be ready to patch all SEPM builds at once. Why is MR3 so favored?

AdobeARM.exe

Back in October, I expressed my frustration with Adobe Reader updates. After updating Reader 8 and 9 too many times to count, suddenly in 9.2 I was left with more questions than answers. Part of that post was wondering what adobearm.exe was. That post is still strangely popular so I thought I’d post an update.

Adobe still has nothing about adobeARM.exe in its knowledge base.

When you Google adobeARM.exe, after finding the link for this site you find some sites claiming adobeARM.exe is malware. Hard to believe, since this file is part of the Adobe Reader installation package.

The best info I’ve found is in this Adobe Forum thread.

Ignore the usual misinformation about Flash for ARM powered mobile devices, and the ubiquitous advice to just switch to FoxIT.

You find the same info that we had a commenter post in October. “AdobeARM.exe is a part of new Adobe Acrobat\Reader updater. If you manage updates yourself, it is absolutely safe to remove it from Run registry.”
While this info is far from authoritative, I would suggest home users leave it alone. In corporations that manage updates, I’d continue to disable updates via the Adobe Tuner and remove this exe from the startup directory.