Solved

Mobile codes (Flash, Pdf reader, Java, ActiveX) best practices & governance

Posted on 2017-09-12
Last Modified: 2017-09-27
Need more best practices & governance on mobile code (e.g. Flash Player,
PDF reader, JavaScript, Java applets, ActiveX) as we have a few cases of
malicious code being run when opening PDFs & 1 case of ransomware:

a) attachment 1 is a screen of the IE settings: mostly what to set in IE to stop ActiveX
    & to set to Med-High (guess this is also to mitigate against ActiveX?)

b) I would say patch the various Adobe products (we use Adobe Flash &
     Shockwave) within 1 week upon release of patches?

c) attachment 2 has some suggestions on ActiveX & Java only: not much

d) Does AV mitigate against mobile code vulnerabilities?  If so, keeping
    AV signatures updated is another mitigation

e) I'm sure IPS (NIDS & HIPS) have signatures for mobile code but in
    McAfee's case, by default, they are rolled out in Detect & not Block
    mode?  Should they be in Block mode?

f) any other best practices & governance for mobile code?
IEmedhigh_ActiveXctrls.jpg
SANS_malicious-mobile-code-security-.pdf
Question by:sunhux
8 Comments
 
LVL 83

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 280 total points
ID: 42290875
Disable scripting in Adobe Reader or whichever PDF viewer you're using.
1
 
LVL 65

Assisted Solution

by:btan
btan earned 900 total points
ID: 42291000
a) Yes, it mitigates ActiveX exploits.
b) ASAP, especially those on the internet. If the severity level is high (based on CVE >7), you may still need to consider 2-3 weeks, practically, if the system is complicated. 1 week is good to have for a small site with a handful of clients.
c) Old document. You could reference any hardening guide, like the one in CIS. Default is to disable active scripting. Enable AppLocker.
d) AV can serve as a first line of defence besides the FW. AV is another candidate for a memory-resident scanner too, called antimalware.
e) It is part of learning, and the default is not to block, as it leaves it to the user's discretion to define the norm and deviating traffic behavior.
f) OWASP mobile security, PCI DSS Mobile Payment practice
1
 
LVL 49

Assisted Solution

by:dbrunton
dbrunton earned 420 total points
ID: 42291181
Consider if you really need Java running on your machines.  If there is no acceptable need (Facebook for example is not an acceptable need) then remove it.

Javascript isn't something you can easily disable as too many websites use it but for some browsers there are addins available that permit Javascript to be disabled.  I have found these addins to be too much of a pain to use.

Also consider disabling Flash or removing it.  If there is no acceptable need (Facebook for example is not an acceptable need) then remove it.  I'd also consider Shockwave as being unnecessary.

ActiveX.  Try using a better browser rather than Internet Explorer.  See if Chrome is acceptable in your environment.  Far better security than Internet Explorer.  ActiveX should be taken out the back and shot.

PDF files.  You may be stuck with Adobe but if you aren't then consider other viewers.
1
LVL 30

Assisted Solution

by:serialband
serialband earned 400 total points
ID: 42291759
Get Foxit or SumatraPDF for most PDFs.  They come without the obnoxious JavaScript.  I usually include those and have them as default, but also have Adobe for when they do need scripts.

There are flashblocker add-ons for some browsers.  They'll block Flash elements until you decide to click on them.  There are also add-ons to disable HTML5 autoplay; that's just simpler than teaching users how to change it in their settings.

Adblockers will be sufficient to mitigate most malicious websites.

NoScript is usable if you're technical and want to block all scripting, except for a few sites.  It's not really ideal for the majority of users, especially if they're non-technical.
1
 
LVL 65

Accepted Solution

by:btan
btan earned 900 total points
ID: 42291822
For hardening the Adobe software, use Reader as default and consider the PDF s/w the experts shared. Also, some areas in the Adobe settings:

Make sure you have the latest version of Adobe Reader. Enable automatic updates by opening Reader and choosing Edit > Preferences > Updater. Adobe regularly issues patches against new vulnerabilities.

Disable JavaScript in PDF files. This may affect certain features at times, such as PDF-based forms, but it’s better to enable JavaScript only when needed. In Reader, click Edit > Preferences > JavaScript and uncheck the box for “Enable Acrobat JavaScript.”

Disable Flash and multimedia in PDF files. Once again, this may prevent a few documents from loading some content, but embedded Flash is a common tool for exploiting Reader. Go to Edit > Preferences > Multimedia Trust (legacy) and either uncheck “Allow multimedia operations” or change the permissions on each listed player to “Prompt.” Be sure to check the settings for both trusted documents and other documents by changing the “Display Permissions for” option.

Disable attachments. To avoid this problem, open Edit > Preferences > Trust Manager and uncheck the box marked “Allow opening of non-PDF file attachments with external applications.”
1
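The Preferences changes in the answer above can also be checked and locked machine-wide through Reader's policy registry key, which is easier to govern across many PCs than per-user clicks. The script below is an added example, not part of the original answer; it assumes Acrobat Reader DC (older versions use a version key such as `11.0` in the path) and covers only the JavaScript, Flash and attachment settings, not the updater or the per-user Multimedia Trust permissions.

```powershell
# Added example: audit (and optionally enforce) Adobe Reader lockdown policy values.
# Assumption: Acrobat Reader DC; adjust the product/version part of the key as needed.
param(
    [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown',
    [switch]$Enforce   # write the baseline values (needs an elevated session)
)

# Setting name -> required DWORD value, mapped to the steps in the answer.
$baseline = [ordered]@{
    bDisableJavaScript   = 1   # JavaScript in PDF files disabled and locked
    bEnableFlash         = 0   # Flash content inside PDF files not rendered
    iFileAttachmentPerms = 1   # non-PDF attachments cannot be opened externally
}

function Test-ReaderBaseline {
    param([string]$Key, [System.Collections.IDictionary]$Expected)
    foreach ($name in $Expected.Keys) {
        # A missing key or value means the setting is not locked by policy.
        $actual = $null
        if (Test-Path -LiteralPath $Key) {
            $actual = (Get-ItemProperty -LiteralPath $Key -Name $name -ErrorAction SilentlyContinue).$name
        }
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
            Compliant = ($null -ne $actual -and $actual -eq $Expected[$name])
        }
    }
}

if ($Enforce) {
    if (-not (Test-Path -LiteralPath $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    foreach ($name in $baseline.Keys) {
        New-ItemProperty -LiteralPath $PolicyKey -Name $name -Value $baseline[$name] -PropertyType DWord -Force | Out-Null
    }
}

$report = Test-ReaderBaseline -Key $PolicyKey -Expected $baseline
$report | Format-Table -AutoSize
# Non-zero exit code lets a deployment or compliance job flag the machine.
if ($report.Compliant -contains $false) { exit 1 }
```

Run it without arguments to audit only; values set under the policy key override the user's own Preferences choices, so test PDF forms that depend on JavaScript before enforcing it broadly.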
 

Author Comment

by:sunhux
ID: 42292109
Wonderful responses.  
Due to bureaucracy issues, some of it will take a while for our
End User Computing to change, such as

a) replace Adobe Reader with the mentioned PDF readers
b) change IE to Chrome/other browsers

For critical PCs & servers, I'm thinking of blocking Internet access &
no email clients on them
0
 
LVL 49

Assisted Solution

by:dbrunton
dbrunton earned 420 total points
ID: 42292170
A server should not have email.

As for alternative browsers only Chrome.  It updates itself and is extremely secure.

Sumatra and Foxit have been suggested as alternatives to Adobe Reader.  I'll chuck in the one I use, PDF-Xchange.  You'll have to evaluate which is the most suitable for your organization.
0
 
LVL 65

Expert Comment

by:btan
ID: 42292564
In my environment, internet and intranet are physically segregated. Exposure is reduced, but the challenge of pushing patches needs a different system to handle it. AppLocker is also in place to guard against unauthorised scripts and exes running. Likewise, EMET is considered within a staged environment. Otherwise, all servers avoid having an office suite and, if need be, have only a reader. There is no player or media-related software. E.g. Adobe Flash Player is not allowed. Nonetheless, it is being deprecated soon.
0

Question has a verified solution.