Mobile codes (Flash, Pdf reader, Java, ActiveX) best practices & governance

Posted on 2017-09-12
Medium Priority
Last Modified: 2017-09-27
Need more best practices & governance on mobile codes (eg: Flash player,
Pdf reader, JavaScript, Java Applets, ActiveX) as we have a few cases of
malicious codes being run when opening Pdf & 1 case of ransomware:

a) attachment 1 is a screen of the IE settings: mostly what to set in IE to stop ActiveX
    & to set to Med-High (guess this is also to mitigate against ActiveX?)

b) I would say patch the various Adobe products (we use Adobe Flash &
     Shockwave) within 1 week upon release of patches?

c) attachment 2 has some suggestions on ActiveX & Java only: not much

d) Does AV mitigate against mobile code vulnerabilities? If so, keeping
    AV signatures updated is another mitigation

e) I'm sure IPS (NIDS & HIPS) have signatures for mobile codes but in
    McAfee's case, by default, they are rolled out in Detect & not Block
    mode?  Should they be in Block mode?

f) any other best practices & governances for mobile code?
Question by:sunhux

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 280 total points
ID: 42290875
Disable scripting in Adobe Reader or whichever PDF viewer you're using.

Assisted Solution

btan earned 900 total points
ID: 42291000
a) Yes, mitigates ActiveX exploits.
b) ASAP, especially those on the internet. If the severity level is high (based on CVE >7), you may still need to consider 2-3 weeks practically if the system is complicated. 1 week is good to have for a small site with a handful of clients.
c) Old document. You could reference any hardening guide like the one in CIS. Default is disable active scripting. Enable AppLocker.
d) AV can do as a first line of defence besides the FW. AV is another candidate for memory-resident scanner too, called antimalware.
e) Part of learning, and the default is not block as it leaves the discretion to the user to define the norm and deviated traffic behavior.
f) OWASP mobile security, PCI DSS Mobile Payment practice

Assisted Solution

dbrunton earned 420 total points
ID: 42291181
Consider if you really need Java running on your machines.  If there is no acceptable need (Facebook for example is not an acceptable need) then remove it.

Javascript isn't something you can easily disable as too many websites use it but for some browsers there are addins available that permit Javascript to be disabled.  I have found these addins to be too much of a pain to use.

Also consider disabling Flash or removing it.  If there is no acceptable need (Facebook for example is not an acceptable need) then remove it.  I'd also consider Shockwave as being unnecessary.

ActiveX.  Try using a better browser rather than Internet Explorer.  See if Chrome is acceptable in your environment.  Far better security than Internet Explorer.  ActiveX should be taken out the back and shot.

PDF files.  You may be stuck with Adobe but if you aren't then consider other viewers.

Assisted Solution

serialband earned 400 total points
ID: 42291759
Get Foxit or SumatraPDF for most PDFs.  They come without the obnoxious JavaScript.  I usually include those and have them as default, but also have Adobe when they do need scripts.

There are flashblocker addons for some browsers.  They'll block Flash elements until you decide to click on them.  There are also addons to disable HTML5 autoplay; that's just simpler than teaching users how to change it in their settings.

Adblockers will be sufficient to mitigate most malicious websites.

NoScript is usable if you're technical and want to block all scripting, except for a few sites.  It's not really ideal for the majority of users, especially if they're non-technical.

Accepted Solution

btan earned 900 total points
ID: 42291822
For hardening the Adobe software, use Reader as the default and consider the PDF software the experts shared. Also, some areas of the Adobe settings:

Make sure you have the latest version of Adobe Reader. Enable automatic updates by opening Reader and choosing Edit > Preferences > Updater. Adobe regularly issues patches against new vulnerabilities.

Disable JavaScript in PDF files. This may affect certain features at times, such as PDF-based forms, but it’s better to enable JavaScript only when needed. In Reader, click Edit > Preferences > JavaScript and uncheck the box for “Enable Acrobat JavaScript.”

Disable Flash and multimedia in PDF files. Once again, this may prevent a few documents from loading some content, but embedded Flash is a common tool for exploiting Reader. Go to Edit > Preferences > Multimedia Trust (legacy) and either uncheck “Allow multimedia operations” or change the permissions on each listed player to “Prompt.” Be sure to check the settings for both trusted documents and other documents by changing the “Display Permissions for” option.

Disable attachments. To avoid this problem, open Edit > Preferences > Trust Manager and uncheck the box marked “Allow opening of non-PDF file attachments with external applications.”
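
An audit of the same settings through the registry, as an added example that is not part of the original answer. It assumes Reader's `FeatureLockDown` policy key, a version string of `DC`, and the value names `bDisableJavaScript`, `bEnableFlash` and `iFileAttachmentPerms` as the policy equivalents of the JavaScript, Flash and attachment checkboxes.

```powershell
# Added example: audit Adobe Reader lockdown policy values on a Windows PC.
# $Version is an assumption ('DC'); older installs use a number such as '11.0'.
param([string]$Version = 'DC')

# Assumed policy location; a 32-bit Reader on 64-bit Windows may read
# HKLM:\SOFTWARE\WOW6432Node\Policies\... instead.
$base = "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\$Version\FeatureLockDown"

# Expected value for each hardening step described in the answer above.
$checks = @(
    @{ Path = $base; Name = 'bDisableJavaScript'; Want = 1
       Step = 'JavaScript disabled' }
    @{ Path = $base; Name = 'bEnableFlash'; Want = 0
       Step = 'Flash content disabled' }
    @{ Path = "$base\cDefaultLaunchAttachmentPerms"; Name = 'iFileAttachmentPerms'; Want = 1
       Step = 'Non-PDF attachments blocked' }
)

function Test-ReaderPolicy {
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        # A missing key or value means the setting is left to the user,
        # so it is reported as non-compliant rather than skipped.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $have = if ($item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Step      = $c.Step
            Value     = $c.Name
            Expected  = $c.Want
            Actual    = if ($null -eq $have) { '(not set)' } else { $have }
            Compliant = ($null -ne $have -and $have -eq $c.Want)
        }
    }
}

$report = Test-ReaderPolicy -Checks $checks
$report | Format-Table -AutoSize

# A non-zero exit code lets a management tool flag the machine.
if ($report.Compliant -contains $false) { exit 1 }
```

Values under the policy key are locked in the Reader preferences dialog, so a compliant result also means users cannot re-enable the feature from Edit > Preferences.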

Author Comment

ID: 42292109
Wonderful responses.  
Due to bureaucracy issue, some of it will take a while for our
End User Computing to change such as

a) replace Adobe Reader with the mentioned Pdf readers
b) change IE to Chrome/other browsers

For critical PCs & servers, I'm thinking of blocking Internet access &
no email clients on them

Assisted Solution

dbrunton earned 420 total points
ID: 42292170
A server should not have email.

As for alternative browsers only Chrome.  It updates itself and is extremely secure.

Sumatra and Foxit have been suggested as alternatives to Adobe Reader.  I'll chuck in the one I use, PDF-Xchange.  You'll have to evaluate which is the most suitable for your organization.

Expert Comment

ID: 42292564
In my environment, internet and intranet are physically segregated. Exposure is reduced, but the challenge of pushing patches needs a different system to handle it. AppLocker is also in place to guard against unauthorised scripts and exes running. Likewise, EMET is considered within a staged environment. Otherwise all servers are avoided to have suite of office and if need to is reader. There is no player or media related software. E.g. Adobe Flash Player is not allowed. Nonetheless it is depreciating soon.
