Mobile codes (Flash, Pdf reader, Java, ActiveX) best practices & governance

Need more best practices & governance on mobile code (e.g. Flash Player,
PDF reader, JavaScript, Java applets, ActiveX) as we have had a few cases of
malicious code being run when opening PDFs & 1 case of ransomware:

a) attachment 1 is a screenshot of IE settings: mostly what to set in IE to stop ActiveX
    & to set it to Med-High (guess this is also to mitigate against ActiveX?)

b) I would say patch the various Adobe products (we use Adobe Flash &
     Shockwave) within 1 week of the release of patches?

c) attachment 2 has some suggestions on ActiveX & Java only: not much

d) Does AV mitigate against mobile code vulnerabilities? If so, keeping
    AV signatures updated is another mitigation

e) I'm sure IPS (NIDS & HIPS) have signatures for mobile code, but in
    McAfee's case, by default, they are rolled out in Detect & not Block
    mode? Should they be in Block mode?

f) any other best practices & governance for mobile code?
IEmedhigh_ActiveXctrls.jpg
SANS_malicious-mobile-code-security-.pdf
sunhux asked:

David Johnson, CD, MVP (Owner) commented:
Disable scripting in Adobe Reader or whichever PDF viewer you're using.
btan (Exec Consultant) commented:
a) Yes, mitigate ActiveX exploits.
b) ASAP, especially those exposed to the internet. If the severity level is high (based on CVE >7), you may still need to allow 2-3 weeks in practice if the system is complicated. 1 week is good to have for a small site with a handful of clients.
c) Old document. You could reference any hardening guide, like the ones from CIS. The default is to disable active scripting. Enable AppLocker.
d) AV can act as a first line of defence besides the FW. AV is another candidate for a memory-resident scanner too, called anti-malware.
e) Part of learning; the default is not to block, as it leaves it to the user's discretion to define the normal and the deviating traffic behaviour.
f) OWASP mobile security, PCI DSS mobile payment practice.
dbrunton commented:
Consider if you really need Java running on your machines.  If there is no acceptable need (Facebook for example is not an acceptable need) then remove it.

JavaScript isn't something you can easily disable, as too many websites use it, but for some browsers there are add-ins available that permit JavaScript to be disabled.  I have found these add-ins to be too much of a pain to use.

Also consider disabling Flash or removing it.  If there is no acceptable need (Facebook for example is not an acceptable need) then remove it.  I'd also consider Shockwave as being unnecessary.

ActiveX.  Try using a better browser rather than Internet Explorer.  See if Chrome is acceptable in your environment.  Far better security than Internet Explorer.  ActiveX should be taken out the back and shot.

PDF files.  You may be stuck with Adobe but if you aren't then consider other viewers.
serialband commented:
Get Foxit or SumatraPDF for most PDFs.  They come without the obnoxious JavaScript.  I usually include those and have them as the default, but also have Adobe for when they do need scripts.

There are Flash-blocker add-ons for some browsers.  They'll block Flash elements until you decide to click on them.  There are also add-ons to disable HTML5 autoplay, which is just simpler than teaching users how to change it in their settings.

Adblockers will be sufficient to mitigate most malicious websites.

NoScript is usable if you're technical and want to block all scripting except for a few sites.  It's not really ideal for the majority of users, especially if they're non-technical.
btan (Exec Consultant) commented:
For hardening the Adobe software, use Reader as the default and consider the PDF software the other expert shared. Also some areas in the Adobe settings:

Make sure you have the latest version of Adobe Reader. Enable automatic updates by opening Reader and choosing Edit > Preferences > Updater. Adobe regularly issues patches against new vulnerabilities.

Disable JavaScript in PDF files. This may affect certain features at times, such as PDF-based forms, but it’s better to enable JavaScript only when needed. In Reader, click Edit > Preferences > JavaScript and uncheck the box for “Enable Acrobat JavaScript.”

Disable Flash and multimedia in PDF files. Once again, this may prevent a few documents from loading some content, but embedded Flash is a common tool for exploiting Reader. Go to Edit > Preferences > Multimedia Trust (legacy) and either uncheck “Allow multimedia operations” or change the permissions on each listed player to “Prompt.” Be sure to check the settings for both trusted documents and other documents by changing the “Display Permissions for” option.

Disable attachments. To avoid this problem, open Edit > Preferences > Trust Manager and uncheck the box marked “Allow opening of non-PDF file attachments with external applications.”
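The Reader settings above turn off the document features (JavaScript, embedded multimedia, attachments) that malicious PDFs rely on. As an added example, not code from the thread or any of its posters, here is a small Python triage script that checks an incoming PDF for those same features before it reaches a user. It scans the raw bytes for the PDF name objects that introduce active content, resolves the `#xx` hex escapes that a naive string search misses, and reports when the file uses compressed object streams, in which case a byte scan cannot see everything and the result is labelled "opaque" rather than "clean". The two sample documents and the verdict labels are constructed for the example.

```python
"""Triage a PDF for the active-content features discussed in the thread.

Counts PDF name objects that let a document run code, start programs or pull
in external content: the JavaScript, multimedia and attachment features the
Reader hardening steps above switch off. Works on raw bytes, so it needs no
PDF library. Caveat handled below: dictionaries stored inside compressed
object streams (/ObjStm) are not visible to a byte scan, so a file that shows
nothing else but does contain object streams is reported as "opaque".
"""
import re
from collections import Counter

# Name objects whose presence marks active or external content, plus /ObjStm,
# which tells us part of the file is compressed and outside our view.
WATCHED_KEYS = frozenset({
    "/JS", "/JavaScript", "/AA", "/OpenAction", "/Launch", "/EmbeddedFile",
    "/RichMedia", "/URI", "/SubmitForm", "/ObjStm",
})

# A PDF name is "/" followed by regular characters; #xx is a hex escape, so
# /Java#53cript is the same name as /JavaScript. Matching whole names means
# /JS is not confused with a longer name that merely starts with "JS".
NAME_RE = re.compile(rb"/([A-Za-z0-9#_.\-]+)")


def decode_name(raw: bytes) -> str:
    """Resolve #xx escapes: b'Java#53cript' -> '/JavaScript'."""
    unescaped = re.sub(rb"#([0-9A-Fa-f]{2})",
                       lambda m: bytes([int(m.group(1), 16)]), raw)
    return "/" + unescaped.decode("latin-1")


def count_keys(pdf: bytes) -> Counter:
    """Count occurrences of each watched name object in the raw file bytes."""
    counts = Counter()
    for match in NAME_RE.finditer(pdf):
        name = decode_name(match.group(1))
        if name in WATCHED_KEYS:
            counts[name] += 1
    return counts


def assess(pdf: bytes) -> dict:
    """Summarise the watched keys into readable findings and a verdict."""
    c = count_keys(pdf)
    findings = []
    script = c["/JS"] or c["/JavaScript"]
    auto = c["/OpenAction"] or c["/AA"]
    if script:
        findings.append("JavaScript present")
    if auto:
        findings.append("action runs automatically on open/page/form events")
    if c["/Launch"]:
        findings.append("Launch action (starts an external program)")
    if c["/EmbeddedFile"]:
        findings.append("embedded file attachment(s)")
    if c["/RichMedia"]:
        findings.append("Flash / rich-media content")
    if c["/URI"] or c["/SubmitForm"]:
        findings.append("outbound link or form submission")
    if c["/ObjStm"]:
        findings.append("compressed object streams: their keys are not visible to this scan")

    if c["/Launch"] or (script and auto):
        verdict = "review"   # code or a program launch is wired to run on open
    elif c["/ObjStm"] and len(findings) == 1:
        verdict = "opaque"   # nothing seen, but part of the file is hidden
    elif findings:
        verdict = "caution"
    else:
        verdict = "clean"
    return {"keys": dict(c), "findings": findings, "verdict": verdict}


# Constructed sample documents (minimal, not real-world files). The second
# one wires a JavaScript action to the catalog's /OpenAction and hex-escapes
# the /JavaScript name, which defeats a grep for the literal string.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

ACTIVE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /Java#53cript /JS (app.alert\\(1\\)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, data in (("clean.pdf", CLEAN_PDF), ("active.pdf", ACTIVE_PDF)):
        result = assess(data)
        print(f"{label}: {result['verdict']}  {result['keys']}")
        for finding in result["findings"]:
            print("   -", finding)
```

Run it as-is to see the constructed samples scored; on real mail-gateway or file-share input, feed `assess()` the file bytes and treat "review" and "opaque" as reasons to open the document only in a viewer with JavaScript and multimedia disabled, as described above. The script is a first-pass filter, not a verdict on safety: a byte scan cannot inspect compressed streams, so the "opaque" label exists precisely to stop an absence of findings being read as a clean bill of health.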
sunhux (Author) commented:
Wonderful responses.
Due to bureaucracy issues, some of this will take a while for our
End User Computing team to change, such as

a) replace Adobe Reader with the mentioned Pdf readers
b) change IE to Chrome/other browsers

For critical PCs & servers, I'm thinking of blocking Internet access &
having no email clients on them.
dbrunton commented:
A server should not have email.

As for alternative browsers, only Chrome.  It updates itself and is extremely secure.

Sumatra and Foxit have been suggested as alternatives to Adobe Reader.  I'll chuck in the one I use, PDF-XChange.  You'll have to evaluate which is the most suitable for your organization.
btan (Exec Consultant) commented:
In my environment, internet and intranet are physically segregated. Exposure is reduced, but the challenges in pushing patches will need a different system to handle them. AppLocker is also in place to guard against unauthorised scripts and exes running. Likewise, EMET is considered within a staged environment. Otherwise, all servers avoid having the Office suite, and if needed, only Reader. There is no player or media-related software; e.g. Adobe Flash Player is not allowed. Nonetheless, it is being deprecated soon.