Archive for February 2010

Woman steals WiFi, demands Leo Laporte return it to her

People’s sense of entitlement about things they are stealing.

Patching Adobe Acrobat and Reader

Adobe Reader 9.3.1 is an MSP file that can only be applied to Adobe Reader 9.3. So what to do about the users who hadn’t installed 9.3 yet? I really didn’t want them to install 9.3 and then have 9.3.1 install immediately after that. That sort of thing sets user revolt in motion.
So I searched and found an Adobe TechNote on deploying Adobe Acrobat and quarterly updates in one install.
If you’ve used MSPs before you’re probably already familiar with how to do this.

msiexec.exe /i "[UNC PATH]\AcroPro.msi" PATCH="[UNCPATH]\AcroProStdUpd910_T1T2_incr.msp;[UNCPATH]\AcrobatUpd912_all_incr.msp" TRANSFORMS="1036.mst"

So I went to town, stringing together the path to all the MSP updates. Good Lord! There are a lot of them.
So after I did that for Reader and Acrobat 9, and tested it all out, I found another Adobe TechNote: “Install Acrobat 9 and all patches in one step with Adobe Bootstrapper (Setup.exe) and patch sequencing”. This method is much easier. No mistakes with quotes in the command line. Users installing from the file server can just run the same EXE they always have rather than running a bat file. The same problem exists, though: if they run the MSI instead, not only do they not get the custom config (MST), they now miss the patches as well.
This article has you list the patches in setup.ini. You just add the list of patches to the product section.

[Product]
PATCH=AcroProStdUpd910_T1T2_incr.msp;AcrobatUpd912_all_incr.msp;AcrobatUpd913_all_incr.msp

This is really awesome. Now my helpdesk, when they install Adobe Acrobat 9, won’t accidentally leave the user with 9.0.0, the version of the original install files. And when we upgrade Adobe Reader, it will be a lot easier for the users.
Unfortunately my day didn’t end there. I looked at our deployed systems. While there was very little Adobe Reader 8 (so I can skip that), we actually have more Adobe Acrobat 8 installed than Acrobat 9. So I sat down to recreate what I did for Acrobat 9. Guess what, it didn’t work! After trying many different things, I stumbled across another TechNote: “Install all Acrobat 8 patches in one step with Adobe Bootstrapper and patch sequencing”. Apparently the Adobe Bootstrapper (setup.exe) on my 8.1 CD was customized. Once I downloaded the setup.exe linked in that TechNote, it worked. I was able to run the Adobe Acrobat 8 setup.exe and install the current 8.2.1 version.
Up next is writing a script to install Acrobat patches for the users. Currently because it’s not standard software, we ask the users to do the updates.
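As an added example (not from the post or from Adobe), here is a PowerShell script for the other half of the problem: applying the same chain of incremental MSP patches, in order, to machines that already have Acrobat installed. The share path and log directory are assumptions; the patch file names are the ones from the setup.ini above, and exit code 1642 is Windows Installer’s “patch target not found”, which is exactly what you get when an incremental patch is run against the wrong prior version.

```powershell
# Added example: sequence Adobe incremental MSPs on an already-installed Acrobat 9.
# $PatchShare and $LogDir are assumed values; adjust to your environment.
$PatchShare = '\\fileserver\software\Adobe\Acrobat9'
$LogDir     = 'C:\Windows\Temp\AdobePatch'

# Order matters: each *_incr.msp expects the previous update to be present.
$Patches = @('AcroProStdUpd910_T1T2_incr.msp',
             'AcrobatUpd912_all_incr.msp',
             'AcrobatUpd913_all_incr.msp')

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$RebootNeeded = $false

foreach ($Patch in $Patches) {
    $MspPath = Join-Path $PatchShare $Patch
    if (-not (Test-Path $MspPath)) {
        Write-Error "Missing patch file: $MspPath"
        exit 2
    }
    $LogFile = Join-Path $LogDir ($Patch + '.log')

    # /p applies an MSP to an installed product; REINSTALL=ALL REINSTALLMODE=omus
    # is the Windows Installer idiom for "reinstall the product with this patch".
    # /qn = silent, /norestart leaves the reboot decision to this script,
    # /l*v writes a verbose log we can hand to the helpdesk if it fails.
    $MsiArgs = "/p `"$MspPath`" REINSTALL=ALL REINSTALLMODE=omus /qn /norestart /l*v `"$LogFile`""
    $Proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $MsiArgs -Wait -PassThru

    switch ($Proc.ExitCode) {
        0    { Write-Host "$Patch applied" }
        3010 { Write-Host "$Patch applied, reboot required"; $RebootNeeded = $true }
        1642 {
            # The patch does not match the installed version (e.g. 9.1.2 missing).
            # Stop here: later incremental patches would fail the same way.
            Write-Error "$Patch does not apply to the installed version; see $LogFile"
            exit 1642
        }
        default {
            Write-Error "$Patch failed with msiexec exit code $($Proc.ExitCode); see $LogFile"
            exit $Proc.ExitCode
        }
    }
}

if ($RebootNeeded) { Write-Host 'All patches applied; a reboot is needed to finish.' }
```

Run it elevated from a scheduled task or login script; the per-patch verbose logs in $LogDir are the first thing to read when a machine ends up stuck between versions.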
Up next after that is the next Adobe security updates. I’m sure there are some just around the corner like the Adobe Download Manager bug.

Dumb Ideas in Pentesting

Today’s SANS Diary reminded me of something that happened a while back.
The SANS entry New Risks in Penetration Testing was concerned that reputation scoring for an IP could be affected by pen testing from that IP address. I guess someone is taking the old SenderBase concept and applying it to all traffic.
The helpdesk received an issue a while back about an inability to communicate with a government website. After checking it out, it looked like they were blocking our external IP. We communicated with the government people and confirmed that their ISS IPS appliance had automatically blocked our IP because we were attacking them. I checked the logs and found that one of our people who pentests for a living had done some probing of XSS on a WordPress blog hosted on the government site. I turned that over to someone else to find out if he had authorization to be doing such.
Probing other companies from your company’s main IP address is not such a good idea.

Firefox Updates

Firefox 3.5.8 and Firefox 3.0.18 have been released to resolve several security vulnerabilities.

Dear Abby on Password Secrecy

Today’s Dear Abby contained a letter about passwords. It’s the third letter at this link.
The letter writer warns against sharing your passwords with anyone. The writer recounts instances where a password shared at one point in a relationship becomes a weapon when the relationship turns sour. People, after the divorce is finalized you need to make sure your ex doesn’t have your bank passwords.
Didn’t expect to be getting security advice from Dear Abby. If these people had followed the standard security advice to use different passwords for each account and change them regularly that alone would have prevented this breach.

Security Advisory for Adobe Reader, Acrobat and Flash

Adobe has released a Security Advisory for Adobe Reader and Acrobat (APSB10-07).
Adobe is planning to release updates on 2/16/2010 to resolve critical security issues.
Adobe has released a security update for Adobe Flash and Adobe AIR.

Common Sense

Does anyone really think that sneezing into your arm is common sense? I suspect that if you do you must have small kids and have been trained by some sort of Elmo video. I don’t recall any mass agreement on sending snot flying into my shirt sleeve as a method of good hygiene.
At Shmoocon Bruce Potter compared the common sense of sneezing into your sleeve (to him apparently a good thing) with common sense security steps. Maybe he’s right, a password policy is kind of like getting snot all over yourself.
My notes seem to have mangled the opening remarks from Shmoocon 2010. The general summary is that it’s a waste to spend a boatload of money on security when you don’t have your policies and procedures clear. You’ve got to start with the basics.
A password policy needs to be applied consistently across all systems. Often the development systems can be compromised and then used to hop back across to the production systems. The dev systems need policy as well.
Network segmentation is important. Soft gooey center anyone?
Auditing. If you aren’t watching, how do you know something bad happened?
We laugh at the TSA, but they have far less fail in their results.

Unicorn sighting

A few weeks ago my officemate posted to Facebook,

I’ve just been told by two different Mac Geniuses that installing an antivirus software could actually make the Mac computer less secure. Unfortunately, both were phone conversations because I’m almost certain they were doing the Jedi mind trick hand motions.

As I read that, I figured this was Mac users in our company fighting our policy requiring antivirus for Macs. Certainly antivirus can slow a system. And any software can have vulnerabilities. But this wasn’t about that. No this was actual honest to god responses from Apple support. My officemate wanted to know if this was official policy. So he asked for it in writing. That got him escalated to the next level where he was apologetically told it was not Apple’s policy that antivirus is not necessary.
I thought of this today as Graham Cluley tweeted links to a couple of video blogs from last year. Unicorns have been spotted: malware for the Mac does exist. Now to be fair these examples are largely social engineering. Just because it’s not a zero day doesn’t mean the system isn’t owned. Fake codecs and fake anti-malware aren’t the exclusive province of Microsoft operating systems.


Shmoocon versus the Snowpocalypse

Shmoocon is this weekend. The city is starting to look like something from The Day After Tomorrow.
I live in the DC suburbs, and had considered grabbing a hotel room to take part in what has to be the craziest Shmoo ever. The hotel rates when I checked online were lower than the Shmoo rate. But then I’d still have to pay an insane rate for hotel garage parking. And the Donner party jokes were worrying me too. I could see the hotel running out of food and everything else being closed.
I drove into Ballston on Friday. In December Metro closed the above ground stations without a lot of warning. I knew they’d do it again if snow got to 8 inches, Ballston is the last underground station on the Orange line. Metro didn’t close the above ground lines until 11 pm so that move was unnecessary. The drive back from Arlington out to Clifton was fun.
Today there is no way I’m getting out, so I’m watching what I can on live streaming. I’ll review my notes from yesterday and post if I can come up with anything semi-coherent.

January Patches

After a fairly light December patching load, January took no prisoners.
Microsoft’s patch Tuesday had just one patch, MS10-001. But they made up for that with an out of band update later in the month MS10-002. They also put out a bulletin warning about old flash installs.
Adobe and Oracle piggybacked on patch Tuesday to release updates as well. Vendors pretend it’s more convenient for people to get all their patches at once, but it’s more about losing their own vulnerability announcements in the crowd. Adobe Reader is installed on most machines, so deploying Reader and Acrobat updates is kind of a big deal.
To keep admins on their toes, Adobe also released security updates for Shockwave and Illustrator.
Real Player kept its name in the news with a security update of its own. While it lacks its once ubiquitous presence, it is another thing to watch for.
Firefox released 3.6. Fortunately, this was about new features, not security fixes.
Apple not wanting to feel left out released a mega security update rolling up multiple patches.
Wireshark 1.2.6 came out with a couple of security updates.
If you’re responsible for patching in the enterprise, it looks like you picked the wrong month to stop sniffing glue.
For home use, I use the Secunia Personal Software Inspector in advanced mode. They are now a bit better about prompting you to exclude directories like i386 to avoid nagging you about things that aren’t a problem.