Mobile codes (Flash, Pdf reader, Java, ActiveX) best practices & governance

Posted on 2017-09-12
Medium Priority
119 Views
Last Modified: 2017-09-27
Need more best practices & governance on mobile code (e.g. Flash Player,
PDF reader, JavaScript, Java applets, ActiveX) as we have had a few cases of
malicious code being run when opening PDFs & 1 case of ransomware:

a) attachment 1 is a screenshot of IE settings: mostly what to set in IE to stop ActiveX
    & to set to Med-High (guess this is also to mitigate against ActiveX?)

b) I would say patch the various Adobe products (we use Adobe Flash &
     Shockwave) within 1 week of the release of patches?

c) attachment 2 has some suggestions on ActiveX & Java only: not much

d) Does AV mitigate against mobile code vulnerabilities?  If so, keeping
    AV signatures updated is another mitigation

e) I'm sure IPS (NIDS & HIPS) have signatures for mobile code, but in
    McAfee's case, by default, they are rolled out in Detect & not Block
    mode?  Should they be in Block mode?

f) any other best practices & governance for mobile code?
IEmedhigh_ActiveXctrls.jpg
SANS_malicious-mobile-code-security-.pdf
0
Comment
Question by:sunhux
8 Comments
 
LVL 84

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 280 total points
ID: 42290875
disable scripting in adobe reader or whichever pdf viewer you're using
1
 
LVL 65

Assisted Solution

by:btan
btan earned 900 total points
ID: 42291000
a) yes, mitigates ActiveX exploits
b) ASAP, esp. those on the internet. If the severity level is high (based on CVE >7), you may still need to consider 2-3 weeks practically if the system is complicated. 1 week is good to have for a small site with a handful of clients.
c) old document. You could reference any hardening guide like the one from CIS. Default is to disable active scripting. Enable AppLocker.
d) AV can do as first line of defence besides the FW. AV is another candidate for a memory-resident scanner too, called antimalware.
e) Part of learning, and the default is not to block as it leaves the discretion to the user to define the norm and deviated traffic behaviour.
f) OWASP Mobile Security, PCI DSS Mobile Payment practice
1
 
LVL 50

Assisted Solution

by:dbrunton
dbrunton earned 420 total points
ID: 42291181
Consider if you really need Java running on your machines.  If there is no acceptable need (Facebook, for example, is not an acceptable need) then remove it.

JavaScript isn't something you can easily disable as too many websites use it, but for some browsers there are add-ins available that permit JavaScript to be disabled.  I have found these add-ins to be too much of a pain to use.

Also consider disabling Flash or removing it.  If there is no acceptable need (Facebook, for example, is not an acceptable need) then remove it.  I'd also consider Shockwave as being unnecessary.

ActiveX.  Try using a better browser rather than Internet Explorer.  See if Chrome is acceptable in your environment.  Far better security than Internet Explorer.  ActiveX should be taken out the back and shot.

PDF files.  You may be stuck with Adobe, but if you aren't then consider other viewers.
1
 
LVL 31

Assisted Solution

by:serialband
serialband earned 400 total points
ID: 42291759
Get Foxit or SumatraPDF for most PDFs.  They come without the obnoxious JavaScript.  I usually include those and have them as default, but also have Adobe when they do need scripts.

There are Flash-blocker add-ons for some browsers.  They'll block Flash elements until you decide to click on them.  There are also add-ons to disable HTML5 autoplay; that's just simpler than teaching users how to change it in their settings.

Adblockers will be sufficient to mitigate most malicious websites.

NoScript is usable if you're technical and want to block all scripting except for a few sites.  It's not really ideal for the majority of users, especially if they're non-technical.
1
 
LVL 65

Accepted Solution

by:btan
btan earned 900 total points
ID: 42291822
For hardening the Adobe software, use Reader as default and consider the PDF s/w the experts shared. Also some areas on the Adobe settings:

Make sure you have the latest version of Adobe Reader. Enable automatic updates by opening Reader and choosing Edit > Preferences > Updater. Adobe regularly issues patches against new vulnerabilities.

Disable JavaScript in PDF files. This may affect certain features at times, such as PDF-based forms, but it’s better to enable JavaScript only when needed. In Reader, click Edit > Preferences > JavaScript and uncheck the box for “Enable Acrobat JavaScript.”

Disable Flash and multimedia in PDF files. Once again, this may prevent a few documents from loading some content, but embedded Flash is a common tool for exploiting Reader. Go to Edit > Preferences > Multimedia Trust (legacy) and either uncheck “Allow multimedia operations” or change the permissions on each listed player to “Prompt.” Be sure to check the settings for both trusted documents and other documents by changing the “Display Permissions for” option.

Disable attachments. To avoid this problem, open Edit > Preferences > Trust Manager and uncheck the box marked “Allow opening of non-PDF file attachments with external applications.”
1
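The IE ActiveX zone settings asked about in item (a) of the question and the Adobe Reader preferences listed in the accepted solution above can both be expressed as registry policy and audited before they are enforced. The following PowerShell script is an added example and is not code from the thread or from any of its posters. It assumes Acrobat Reader DC (the "DC" segment of the policy path; adjust it for another track), per-user IE zone keys under HKCU (the Internet zone is zone 3; action codes 1001/1004/1200/1201/1405 with 0 = Enable, 1 = Prompt, 3 = Disable are Microsoft's documented zone settings), and the Adobe FeatureLockDown value names from Adobe's preference reference. The helper names Test-RegistryPolicy and Set-RegistryPolicy are my own.

```powershell
# Added example (not from the thread). Audit, then optionally enforce, two of
# the controls discussed above as registry policy:
#  1. IE Internet-zone ActiveX restrictions (question item a).
#  2. Adobe Acrobat Reader DC FeatureLockDown policies (accepted solution):
#     JavaScript, Flash, Protected Mode, Enhanced Security, attachment launching.
# Assumptions: Reader DC policy path; HKCU zone keys (per user); run elevated
# for the HKLM part. Helper function names are invented for this example.

$IEZone   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$LockDown = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'

# Desired state, one row per registry value (all REG_DWORD).
$Policy = @(
    # --- Internet Explorer, Internet zone: 3 = Disable, 1 = Prompt, 0 = Enable ---
    @{ Path = $IEZone; Name = '1001'; Value = 3; Why = 'Download signed ActiveX controls' }
    @{ Path = $IEZone; Name = '1004'; Value = 3; Why = 'Download unsigned ActiveX controls' }
    @{ Path = $IEZone; Name = '1200'; Value = 3; Why = 'Run ActiveX controls and plug-ins' }
    @{ Path = $IEZone; Name = '1201'; Value = 3; Why = 'Initialize and script ActiveX not marked as safe' }
    @{ Path = $IEZone; Name = '1405'; Value = 3; Why = 'Script ActiveX controls marked safe for scripting' }
    # --- Adobe Reader DC FeatureLockDown: HKLM policy, greys out the Preferences UI ---
    @{ Path = $LockDown; Name = 'bDisableJavaScript';         Value = 1; Why = 'Edit > Preferences > JavaScript off, locked' }
    @{ Path = $LockDown; Name = 'bEnableFlash';               Value = 0; Why = 'No embedded Flash in PDFs' }
    @{ Path = $LockDown; Name = 'bProtectedMode';             Value = 1; Why = 'Protected Mode sandbox on' }
    @{ Path = $LockDown; Name = 'bEnhancedSecurityStandalone'; Value = 1; Why = 'Enhanced Security (standalone)' }
    @{ Path = $LockDown; Name = 'bEnhancedSecurityInBrowser';  Value = 1; Why = 'Enhanced Security (in browser)' }
    @{ Path = "$LockDown\cDefaultLaunchAttachmentPerms"; Name = 'iFileAttachmentPerms'; Value = 1
       Why = 'Trust Manager: do not open non-PDF attachments with external applications' }
)

function Test-RegistryPolicy {
    # Returns one row per policy value with the current value and a Compliant flag.
    param([object[]]$Rows = $Policy)
    foreach ($r in $Rows) {
        $actual = $null
        if (Test-Path -Path $r.Path) {
            $item = Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $actual = [int]$item.($r.Name) }
        }
        [pscustomobject]@{
            Path      = $r.Path
            Name      = $r.Name
            Expected  = $r.Value
            Actual    = $actual            # $null when the key or value is missing
            Compliant = ($actual -eq $r.Value)
            Why       = $r.Why
        }
    }
}

function Set-RegistryPolicy {
    # Writes only the non-compliant values; supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param([object[]]$Rows = $Policy)
    foreach ($row in (Test-RegistryPolicy -Rows $Rows | Where-Object { -not $_.Compliant })) {
        if ($PSCmdlet.ShouldProcess("$($row.Path)\$($row.Name)", "set DWORD to $($row.Expected)")) {
            if (-not (Test-Path -Path $row.Path)) { New-Item -Path $row.Path -Force | Out-Null }
            Set-ItemProperty -Path $row.Path -Name $row.Name -Value $row.Expected -Type DWord
        }
    }
}

# Usage:
#   Test-RegistryPolicy | Format-Table Name, Expected, Actual, Compliant, Why -AutoSize
#   Set-RegistryPolicy -WhatIf     # preview the writes
#   Set-RegistryPolicy             # enforce (elevated for the HKLM rows)
```

Two caveats a practitioner would want: the ActiveX rows are stricter than the Medium-High slider the question mentions, so IE will display the Internet zone as "Custom" once they are applied; and in a domain these same values are normally delivered by Group Policy (the IE security-zone templates and an Adobe Reader ADMX or preference item) rather than by a script, with the script kept as the audit step that confirms the policy actually landed on each machine.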
 

Author Comment

by:sunhux
ID: 42292109
Wonderful responses.
Due to bureaucracy issues, some of it will take a while for our
End User Computing to change, such as

a) replacing Adobe Reader with the mentioned PDF readers
b) changing IE to Chrome/other browsers

For critical PCs & servers, I'm thinking of blocking Internet access &
having no email clients on them
0
 
LVL 50

Assisted Solution

by:dbrunton
dbrunton earned 420 total points
ID: 42292170
A server should not have email.

As for alternative browsers only Chrome.  It updates itself and is extremely secure.

Sumatra and Foxit have been suggested as alternatives to Adobe Reader.  I'll chuck in the one I use, PDF-XChange.  You'll have to evaluate which is the most suitable for your organization.
0
 
LVL 65

Expert Comment

by:btan
ID: 42292564
In my environment internet and intranet are physically segregated. Exposure is reduced, but challenges in pushing patches will need a different system to handle it. AppLocker is also in place to guard against unauthorised scripts and exes running. Likewise EMET is considered within a staged environment. Otherwise all servers are kept without the Office suite, and if needed, only Reader. There is no player or media-related software. E.g. Adobe Flash Player is not allowed. Nonetheless it is being deprecated soon.
0
