A Best Practice Approach to Third Party
Patching
Mike Grueber
"90% of successful attacks occurred against previously known vulnerabilities where a patch or secure configuration standard was already available."
– Terrence Cosgrove, Gartner Symposium/IT Expo, "Managing the Next Generation Desktop"
Agenda
1. Importance of third party applications
2. The "4A" model: A best practice approach
3. Tips and tricks
4. Additional resources
Top 15 Most Vulnerable Applications

Application                    Total  High  Medium  Low  Score
Apple Safari                      81     2      71    8    413
Mozilla Firefox                   44     3      30   11    236
Google Chrome                     61     1      30   30    205
Microsoft Internet Explorer       34     1      30    3    178
Adobe Flash Player                34     0      34    0    170
Adobe Reader                      34     0      34    0    170
Java Runtime Environment          28     5       5   18    168
Adobe Acrobat                     32     0      32    0    160
Adobe Air                         28     0      28    0    140
Mozilla SeaMonkey                 26     1      20    5    130
Microsoft Office                  22     0      22    0    110
Mozilla Thunderbird               18     1      14    3     98
Adobe Shockwave Player            18     0      18    0     90
Oracle Database Server             9     3       0    0     81
Microsoft Visio                    3     3       0    0     75
"IT organizations must strive for continuous improvement in vulnerability detection and rapid security patch management, especially in often overlooked non-Microsoft components that are web-facing."

"All internet-based applications, especially browsers and browser plug-ins (i.e., Adobe and Apple QuickTime), should be a top patching priority."
– Gartner Research Note, "Top 10 Steps to Avoid Malware Infections"
Internet Security Report, Year in Review
• 30% increase in the overall number of vulnerabilities (6,253)
• 161% increase in new vendors affected by vulnerabilities
• Chrome and Safari vulnerabilities on the rise
• 346 vulnerabilities affecting
Third Party Coverage – Altiris Patch Management Solution 7.1 SP1+
• 7-Zip
• Adobe Acrobat
• Adobe AIR
• Adobe Flash
• Adobe InDesign
• Adobe Reader
• Adobe Shockwave Player
• AOL Instant Messenger
• Apple iTunes
• Apple QuickTime
• Apple Safari
• Citrix Delivery Controller SDK
• Citrix MetaFrame XP for Microsoft Windows
• Citrix Password Manager Console/Agent/Plug-In
• Citrix Presentation Server for Microsoft Windows
• Citrix Provisioning Services
• Citrix Single Sign-On Console/Agent
• Citrix Virtual Desktop Agent
• Citrix XenApp
• Citrix XenDesktop
• EMC Mozy
• Foxit Reader
• Google Chrome
• Google Desktop
• Google Earth
• Google Picasa
• Google Talk
• HP System Management Homepage
• LibreOffice
• Lightning UK ImgBurn
• Mozilla Firefox
• Mozilla SeaMonkey
• Mozilla Thunderbird
• Nullsoft Winamp
• Opera
• Oracle OpenOffice.Org
• Rarlab WinRAR
• RealPlayer
• RealVNC
• RIM Blackberry Desktop Manager
• Skype
• SourceForge.Net Audacity
• SourceForge.Net FileZilla
• SourceForge.Net Pidgin
• Sun Java Runtime Environment
• UltraVNC
• VLC Media Player
• WinZip
• Wireshark
• Yahoo Messenger
Help Security and Operations teams strike an optimal balance between risk and cost

Security Team: Risk
Vulnerabilities:
• Coverage
• Timeliness

Operations Team: Impact & Cost
Patches & Workarounds:
• Coverage
• Accurate priorities
• Optimal process
• Minimal impact

[Diagram: the 4A process flow between the Security Team, the Change Management Team and the Computer and Server Admins, with the artifacts Risk Assessment, Remediation Strategy, Compliance Report and Impact Report passed between them.]
The "4A" Model – Assessment Phase
• Primary Role: Security Officer
• Inputs:
  • Security advisories/bulletins and threat management alerts/feeds
  • List of endpoints that are likely to have a given vulnerability
• Goals:
  • Learn as soon as possible about potential updates
  • Perform an initial evaluation of the situation
  • Assign a priority to updates
  • Promptly notify the appropriate people/organizations
• Output: Risk Assessment
The "4A" Model – Analysis Phase
• Primary Role: Change Manager
• Input: Risk Assessment
• Goals:
  • Identify the full scope
  • Assess the potential impact
  • Deliver the Remediation Strategy
• Output: Remediation Strategy, which identifies the updates to be applied, the endpoints to be targeted and excluded, the roll back plan, etc.
Remediation Strategy – Release Schedule
• Monthly releases
  • Severity 2 updates
  • Rollout begins on the Thursday following the second Tuesday of each month (i.e., "Patch Tuesday")
• Bi-annual releases
  • Severity 3 updates
  • Rollout begins on the Thursday following the monthly release in February and August
• Out-of-band releases
  • Severity 1 updates
  • No set rollout schedule; handled as soon as the update is available and has been tested

Remediation Strategy – Phased Rollouts
• To mitigate risk, roll out updates to different groups of computers in phases:
  • Test environment (lab)
  • Pilot group (often a subset of the IT group, or power users of the application)
  • Production (computers in the production environment, often broken down into multiple groups)
• If problems are discovered during testing:
  • Defer the rollout of the update
  • Exclude certain computers from the rollout
• In addition to prioritizing updates, also prioritize the groups of computers to which an update will be distributed, based on:
  • Business criticality
  • Likelihood of exposure to the vulnerability
  • System availability requirements
  • System redundancy
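The schedule rules and the group prioritization described above, turned into code. This is an added example written for this page, not code from the deck or from the Altiris product: it computes the monthly, bi-annual and out-of-band rollout start dates, lays the phased groups out against that date, and buckets endpoints into production groups. The spacing between phases and the weighting of the four prioritization factors are assumptions chosen for illustration; the deck names the groups and the factors but gives neither.

```python
"""Release-calendar and rollout-group helper for the 4A Analysis phase.

Added example, not code from the Symantec deck or the Altiris product.
The phase offsets and the prioritisation weights are assumptions.
"""
import calendar
from datetime import date, timedelta

BIANNUAL_MONTHS = (2, 8)  # February and August, as stated in the deck


def second_tuesday(year: int, month: int) -> date:
    """'Patch Tuesday': the second Tuesday of the given month."""
    first = date(year, month, 1)
    days_to_first_tuesday = (calendar.TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def monthly_release(year: int, month: int) -> date:
    """Severity 2 rollout starts on the Thursday following Patch Tuesday."""
    return second_tuesday(year, month) + timedelta(days=2)


def biannual_release(year: int, month: int):
    """Severity 3 rollout, February and August only.

    Assumption: 'the Thursday following the monthly release' is read as
    the next Thursday, i.e. one week after the monthly rollout starts.
    """
    if month not in BIANNUAL_MONTHS:
        return None
    return monthly_release(year, month) + timedelta(days=7)


def rollout_start(year: int, month: int, severity: int):
    """Date on which the rollout of an update of the given severity begins,
    or None when the calendar gives no date: severity 1 is out of band and
    has no fixed schedule, severity 3 outside February/August waits."""
    if severity == 1:
        return None
    if severity == 2:
        return monthly_release(year, month)
    if severity == 3:
        return biannual_release(year, month)
    raise ValueError(f"unknown severity {severity}")


# Assumed offsets, in days after the rollout start, for each phase.  The
# deck names the groups but not the spacing between them.
PHASES = (
    ("Test Group (Lab)", 0),
    ("Pilot Group (IT)", 3),
    ("Production Group #1", 7),
    ("Production Group #2", 10),
    ("Production Group #3", 14),
)


def phased_schedule(start: date, phases=PHASES):
    """Return (group name, target date) pairs for a phased rollout."""
    return [(name, start + timedelta(days=offset)) for name, offset in phases]


def production_group(exposure: int, criticality: int,
                     availability: int, redundant: bool) -> int:
    """Bucket an endpoint into Production Group 1, 2 or 3.

    Each factor is rated 1 (low) to 3 (high).  Assumed weighting: likely
    exposure to the vulnerability pulls a machine forward; business
    criticality and strict availability push it back, unless redundancy
    lets it be patched without taking the service down.
    """
    cost_of_breaking = criticality + availability - (2 if redundant else 0)
    score = cost_of_breaking - exposure
    if score <= 0:
        return 1
    if score <= 3:
        return 2
    return 3


if __name__ == "__main__":
    start = rollout_start(2012, 1, severity=2)
    for group, day in phased_schedule(start):
        print(f"{day.isoformat()}  {group}")
    print("public kiosk ->", production_group(3, 1, 1, False))
    print("redundant web tier ->", production_group(3, 3, 3, True))
    print("standalone database ->", production_group(1, 3, 3, False))
```

Running it for January 2012 puts the lab group on 12 January and Production Group #3 on 26 January; a severity 3 update requested in March returns no date, which is the signal to either wait for August or re-rate the update.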
The "4A" Model – Application Phase
• Primary Role: Computer/Server Administrator
• Input: Remediation Strategy
• Goals:
  • Apply software updates on a timely basis
  • Apply software updates in a manner that appropriately mitigates the risks involved
• Output: Compliance Report verifying that the required updates have been successfully applied to the requisite percentage of relevant endpoints
Application Phase – Phased Rollouts
[Timeline diagram: starting from the Release Date, the update flows in sequence through the Test Group (Lab), the Pilot Group (IT), Production Group #1, Production Group #2 and Production Group #3.]
Application Phase – Compliance Report
• Verify that the expected compliance rate was achieved according to the terms of the SLA
• Note that the compliance rate is calculated only over computers that have been scanned. Endpoints that have not reported a scan result drop out of the denominator rather than counting as non-compliant, so a high rate can hide unpatched machines; check scan coverage alongside the rate.
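The calculation behind that note, as an added example written for this page rather than code from the deck or the Altiris Patch Management Solution. It reports the rate the way the deck describes (over scanned machines only) beside the rate over every targeted machine, so the gap the unscanned endpoints leave is visible; the inventory is constructed for illustration.

```python
"""Compliance-rate check for the 4A Application phase.

Added example, not the deck's or the Altiris Patch Management Solution's
code.  The inventory below is constructed; a real report would be built
from the patch agent's scan results.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Endpoint:
    name: str
    scanned: bool              # agent has reported a scan result for this update
    compliant: Optional[bool]  # None when no scan result exists


def compliance_report(endpoints, sla_rate: float) -> dict:
    """Rate over scanned machines (what the deck's report shows) next to
    the rate over every targeted machine (unscanned treated as unpatched)."""
    scanned = [e for e in endpoints if e.scanned]
    compliant = [e for e in scanned if e.compliant]
    unscanned = [e.name for e in endpoints if not e.scanned]
    scanned_rate = len(compliant) / len(scanned) if scanned else 0.0
    overall_rate = len(compliant) / len(endpoints) if endpoints else 0.0
    return {
        "targeted": len(endpoints),
        "scanned": len(scanned),
        "compliant": len(compliant),
        "scanned_rate": scanned_rate,        # the figure on the compliance report
        "overall_rate": overall_rate,        # worst case: unscanned == unpatched
        "unscanned": unscanned,              # machines to chase before sign-off
        "sla_met": scanned_rate >= sla_rate,
        "sla_met_worst_case": overall_rate >= sla_rate,
    }


# Constructed sample: ten targeted endpoints, eight scanned, six compliant,
# two laptops that never checked in.
SAMPLE = [
    Endpoint("ws-001", True, True),
    Endpoint("ws-002", True, True),
    Endpoint("ws-003", True, False),
    Endpoint("ws-004", True, True),
    Endpoint("ws-005", True, True),
    Endpoint("ws-006", True, False),
    Endpoint("ws-007", True, True),
    Endpoint("ws-008", True, True),
    Endpoint("lt-009", False, None),
    Endpoint("lt-010", False, None),
]


if __name__ == "__main__":
    report = compliance_report(SAMPLE, sla_rate=0.70)
    for key, value in report.items():
        print(f"{key:20} {value}")
```

With a 70% SLA the sample passes on the scanned rate (75%) and fails on the worst-case rate (60%); the two names in `unscanned` are the ones to resolve before the rollout is signed off.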
The "4A" Model – Advancement Phase
• Primary Roles: All involved in the process
• Inputs:
  • Lessons learned
  • Data analysis
• Goals:
  • Ongoing evaluation and fine-tuning of the process
  • Continuous improvement
Installing under the System Account
• Some third party vendor packages (e.g. Sun JRE) cannot be installed under the System Account
• By default, Patch policies install updates under the System Account
• The account used to install each package can be configured in
Disabling previously installed versions in use
• Updates to Sun JRE require that previously installed versions be disabled before the new version/update is installed
• The batch file which drives the installation of Sun JRE updates does not disable previously installed versions before attempting to install the new version/update, as this could result in unexpected user disruption
• The workaround is documented in the release notes (i.e., add a 'tskill java /A' command to the batch file). Note that /A ends the matching process in every session, so any user with a running Java application loses it, and that tskill matches the image name without its extension, so 'tskill java /A' ends java.exe but not javaw.exe
• Locate the batch file in the folder for the package associated with the update
Maintaining application customizations
• Third party vendors such as Adobe sometimes address security issues in packages that install a full version of the application rather than in a hot fix that only updates the affected files
• Updates distributed as full installation packages may fail to preserve customizations made to previously installed versions of the application (e.g. turning off an auto update feature)
• Customizations can be "preserved" by:
  • Running a separate task following installation of the update; or
  • Creating a transform file, adding the transform file to the package folder associated with the update, and creating a custom command line for the update package
Application Customizations – Adobe Flash
• Auto-update configuration settings are stored in the mms.cfg file
• For Flash 8 and later, mms.cfg is stored in the following location:
  • Windows NT, 2000: \WINNT\System32\Macromed\Flash
  • Windows XP, Vista: \WINDOWS\System32\Macromed\Flash
  • Windows 64 bit: \Windows\SysWOW64
• For more information, see: http://helpx.adobe.com/flash-player/kb/administration-configure-auto-update-notification.html

Parameter                Default  Description
AutoUpdateDisable        0        0 allows auto-update based on user settings; 1 disables auto-update.
SilentAutoUpdateEnable   1        1 allows background (silent) updates; 0 disables them.

On managed endpoints, AutoUpdateDisable=1 keeps the vendor updater from racing the patch rollout, which is why this customization is worth preserving across full-install updates.
SYMANTEC VISION 2012
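A post-install task of the kind described under "Maintaining application customizations", applied to the Flash mms.cfg settings in the table above. This is an added example, not Adobe's code or the deck's: after a full-install update has replaced or dropped mms.cfg, it merges the managed keys back in while keeping any other keys the file already carries, and reports which keys it had to change. The file contents and the set of required keys are constructed for illustration; write the result back to the mms.cfg location listed above for the platform.

```python
"""Post-install task that re-asserts managed mms.cfg settings.

Added example, not Adobe's or the deck's code.  Merges the required keys
into whatever mms.cfg the update left behind instead of overwriting the
whole file.  REQUIRED and the sample text are constructed.
"""
from typing import Dict, List, Tuple

# Settings a managed endpoint should keep: the patch system, not the vendor
# updater, decides when Flash is updated.
REQUIRED: Dict[str, str] = {
    "AutoUpdateDisable": "1",
    "SilentAutoUpdateEnable": "0",
}


def parse_mms_cfg(text: str) -> Dict[str, str]:
    """mms.cfg is a list of key=value lines; keep the first occurrence of
    each key in file order and ignore blank or malformed lines."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings.setdefault(key.strip(), value.strip())
    return settings


def render_mms_cfg(settings: Dict[str, str]) -> str:
    """Serialise settings back to key=value lines, one per line."""
    return "".join(f"{key}={value}\n" for key, value in settings.items())


def reassert_settings(existing: str, required: Dict[str, str] = REQUIRED) -> Tuple[str, List[str]]:
    """Return the merged file text and the keys whose value had to change
    (or be added).  Keys not in `required` pass through untouched."""
    settings = parse_mms_cfg(existing)
    changed = [key for key, value in required.items() if settings.get(key) != value]
    settings.update(required)
    return render_mms_cfg(settings), changed


if __name__ == "__main__":
    # Constructed: what a fresh full install might leave behind.
    after_update = "AutoUpdateDisable=0\nAssetCacheSize=20\n"
    text, changed = reassert_settings(after_update)
    print(text, "changed:", changed)
```

The `changed` list is what the post-install task should log: an empty list means the update preserved the customization, a non-empty one means this package needs the transform-file route or a follow-up task every time it ships.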
Application Customizations – Adobe Acrobat and Reader
Three ways to customize installation:
• Command line
• Changes to the registry following distribution
• Customization Wizard
• For more information, see the Enterprise Administration Guide: http://helpx.adobe.com/content/dam/kb/en/837/cpsid_83709/attachments/Acrobat_Enterprise_Administration.pdf
Adobe Acrobat and Reader – Command Line
• Set the values of Windows Installer properties on the command line, e.g.:
  msiexec /i "[UNC PATH]\AdbeRdr1010_en_US.msi" EULA_ACCEPT=YES /qn
  (EULA_ACCEPT=YES suppresses the license prompt; /qn runs the install with no user interface)
Adobe Acrobat and Reader – Registry Changes
• Administrator's Information Manager (a dictionary of 450 registry/plist preferences)
• Example #1 – Disable automatic updates and remove the associated user interface items
• Example #2 – Disable prompts for upgrades to the next major version (e.g. 10.0 to 11.0)
• For more information, see http://learn.adobe.com/wiki/
Adobe Acrobat and Reader – Customization Wizard
• Free utility that enables pre-deployment installation customization
• Creates a transform file that gets applied to the .MSI at installation time
• See: ftp://ftp.adobe.com/pub/adobe/acrobat/win/10.x/
Additional Resources
• For tips and tricks on installing applications and updates to those applications, see IT Ninja (formerly AppDeploy): www.itninja.com/tips
• For informative discussions among system administrators regarding the distribution of software updates, subscribe to the Patch Management Mailing List: www.patchmanagement.org
• For more questions and answers regarding use of the Altiris Patch Management Solution, see Symantec Connect: http://www.symantec.com/connect/endpoint-management/forums
Thank you!
Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.