Source: vox.veritas.com/legacyfs/online/veritasdata/EM B19.pdf


A Best Practice Approach to Third Party Patching

Mike Grueber Senior Product Manager


SYMANTEC VISION 2012

“90% of successful attacks occurred against previously known vulnerabilities where a patch or secure configuration standard was already available.”

Terrence Cosgrove, Gartner Symposium/IT Expo, “Managing the Next Generation Desktop”


Effective patch management is essential


Agenda


1. Importance of third party applications
2. The “4A” model: A best practice approach
3. Tips and tricks
4. Additional resources

Top 15 Most Vulnerable Applications

Application                   Total  High  Medium  Low  Score
Apple Safari                     81     2      71    8    413
Mozilla Firefox                  44     3      30   11    236
Google Chrome                    61     1      30   30    205
Microsoft Internet Explorer      34     1      30    3    178
Adobe Flash Player               34     0      34    0    170
Adobe Reader                     34     0      34    0    170
Java Runtime Environment         28     5       5   18    168
Adobe Acrobat                    32     0      32    0    160
Adobe Air                        28     0      28    0    140
Mozilla SeaMonkey                26     1      20    5    130
Microsoft Office                 22     0      22    0    110
Mozilla Thunderbird              18     1      14    3     98
Adobe Shockwave Player           18     0      18    0     90
Oracle Database Server            9     3       0    0     81
Microsoft Visio                   3     3       0    0     75

Based on data feeds from National Vulnerability Database

Internet Browsers and Plug-Ins

“IT organizations must strive for continuous improvement in vulnerability detection and rapid security patch management, especially in often overlooked non-Microsoft components that are web-facing.”

“All internet-based applications especially browsers and browser plug-ins (i.e., Adobe and Apple QuickTime), should be a top patching priority.”

Gartner Research Note, “Top 10 Steps to Avoid Malware Infections”

Internet Security Report Year in Review

• 30% increase in overall number of vulnerabilities (6,253)
• 161% increase in new vendors affected by vulnerabilities
• Chrome and Safari vulnerabilities on the rise
• 346 vulnerabilities affecting browser plug-ins

Third Party Coverage

Altiris Patch Management Solution 7.1 SP1+

7-Zip
Adobe Acrobat
Adobe AIR
Adobe Flash
Adobe In-Design
Adobe Reader
Adobe Shockwave Player
AOL Instant Messenger
Apple iTunes
Apple QuickTime
Apple Safari
Citrix Delivery Controller SDK
Citrix MetaFrame XP for Microsoft Windows
Citrix Password Manager Console/Agent/Plug-In
Citrix Presentation Server for Microsoft Windows
Citrix Provisioning Services
Citrix Single Sign-On Console/Agent
Citrix Virtual Desktop Agent
Citrix XenApp
Citrix XenDesktop
EMC Mozy
Foxit Reader
Google Chrome
Google Desktop
Google Earth
Google Picasa
Google Talk
HP System Management Homepage
LibreOffice
Lightning UK ImgBurn
Mozilla Firefox
Mozilla SeaMonkey
Mozilla Thunderbird
Nullsoft Winamp
Opera
Oracle OpenOffice.Org
Rarlab WinRAR
RealPlayer
RealVNC
RIM Blackberry Desktop Manager
Skype
SourceForge.Net Audacity
SourceForge.Net FileZilla
SourceForge.Net Pidgin
Sun Java Runtime Environment
UltraVNC
VLC Media Player
WinZip
Wireshark
Yahoo Messenger

The “4A” model: A best practices approach


The Primary Challenge

Help Security and Operations teams strike an optimal balance between risk and cost

Security Team: Risk
Vulnerabilities:
  • Coverage
  • Timeliness

Operations Team: Impact & Cost
Patches & Workarounds:
  • Coverage
  • Accurate priorities
  • Optimal process
  • Minimal impact

The “4A” Model

(Diagram.) Teams: Security Team, Change Management Team, Computer and Server Admins. Artifacts: Risk Assessment, Remediation Strategy, Compliance Report, Impact Report.

The “4A” Model – Assessment Phase

• Primary Role: Security Officer
• Inputs:
  • Security advisories/bulletins and threat management alerts/feeds
  • List of endpoints that are likely to have a given vulnerability
• Goals:
  • Learn as soon as possible about potential updates
  • Perform an initial evaluation of the situation
  • Assign a priority to updates
  • Promptly notify the appropriate people/organizations
• Output: Risk Assessment assigning priority to each update

Assessment Phase – Nature of Vulnerability

Assessment Phase – Impact on Your Environment

Assessment Phase – Define Custom Severity Levels

Assessment Phase – Assign Custom Severity Levels

The “4A” Model – Analysis Phase

• Primary Role: Change Manager
• Input: Risk Assessment
• Goals:
  • Identify the full scope
  • Assess the potential impact
  • Deliver the Remediation Strategy
• Output: Remediation Strategy, which identifies updates to be applied, endpoints to be targeted and excluded, roll back plan, etc.

Analysis Phase – Release Vehicles

• Monthly Releases: Severity 2 updates
  • Rollout to begin on Thursday following second Tuesday of each month (i.e. “Patch Tuesday”)
• Bi-annual Releases: Severity 3 updates
  • Rollout to begin on Thursday following monthly release during February and August
• Out of Band Releases: Severity Level 1 updates
  • No set rollout schedule
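As an added illustration of the three release vehicles above (example code written for this page, not part of the original deck and not part of Altiris Patch Management Solution), the following Python computes the earliest rollout start for an update from its custom severity level and the date of its Risk Assessment. Two readings are assumptions: a Severity 1 update starts the day it is assessed, and the bi-annual vehicle's “Thursday following monthly release” is read as the Thursday one week after the February or August monthly rollout start. The update IDs in the sample are constructed.

```python
from datetime import date, timedelta

TUESDAY, THURSDAY = 1, 3          # date.weekday(): Monday == 0
BIANNUAL_MONTHS = (2, 8)          # February and August, per the bi-annual release vehicle


def second_tuesday(year: int, month: int) -> date:
    """'Patch Tuesday': the second Tuesday of the given month."""
    first = date(year, month, 1)
    return first + timedelta(days=(TUESDAY - first.weekday()) % 7 + 7)


def monthly_rollout_start(year: int, month: int) -> date:
    """Monthly release vehicle: the Thursday following Patch Tuesday."""
    return second_tuesday(year, month) + timedelta(days=THURSDAY - TUESDAY)


def biannual_rollout_start(year: int, month: int) -> date:
    """Bi-annual release vehicle: the Thursday following the monthly release.
    Assumption: read as the Thursday one week after the monthly rollout start."""
    return monthly_rollout_start(year, month) + timedelta(days=7)


def _next_month(year: int, month: int):
    return (year + 1, 1) if month == 12 else (year, month + 1)


def next_rollout_start(assessed: date, severity: int) -> date:
    """Earliest rollout start on or after the assessment date for a custom severity level."""
    if severity == 1:                       # out of band: no set schedule, start at once (assumption)
        return assessed
    if severity == 2:                       # monthly vehicle
        year, month = assessed.year, assessed.month
        while True:
            start = monthly_rollout_start(year, month)
            if start >= assessed:
                return start
            year, month = _next_month(year, month)
    if severity == 3:                       # bi-annual vehicle
        year = assessed.year
        while True:
            for month in BIANNUAL_MONTHS:
                start = biannual_rollout_start(year, month)
                if start >= assessed:
                    return start
            year += 1
    raise ValueError(f"unknown severity level: {severity}")


def rollout_plan(updates):
    """updates: iterable of (update_id, severity, assessed_iso_date).
    Returns [(start_iso_date, update_id, vehicle), ...] sorted by start date."""
    vehicle = {1: "out of band", 2: "monthly", 3: "bi-annual"}
    plan = []
    for update_id, severity, assessed_iso in updates:
        start = next_rollout_start(date.fromisoformat(assessed_iso), severity)
        plan.append((start.isoformat(), update_id, vehicle[severity]))
    return sorted(plan)


if __name__ == "__main__":
    # Constructed sample Risk Assessment (not real advisories).
    sample = [("UPD-A", 2, "2012-05-01"), ("UPD-B", 3, "2012-05-01"),
              ("UPD-C", 1, "2012-05-15"), ("UPD-D", 2, "2012-05-15")]
    for row in rollout_plan(sample):
        print(*row)
```

An update assessed after its month's Thursday has already passed rolls to the next vehicle date, which is the effect the custom severity levels are meant to have: only Severity 1 escapes the calendar.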

Analysis Phase – Phased Rollouts

• To mitigate risk, roll out updates to different groups of computers in phases
  • Test environment (lab)
  • Pilot group (often subset of IT group, or power users of an application)
  • Production (computers in production environment often broken down into multiple groups)
• If problems discovered during testing
  • Defer rollout of update
  • Exclude certain computers from rollout
• In addition to prioritizing updates, also prioritize groups of computers to which update will be distributed
  • Business criticality
  • Likelihood of exposure to vulnerability
  • System availability requirements
  • System redundancy

The “4A” Model – Application Phase

• Primary Role: Computer/Server Administrator
• Input: Remediation Strategy
• Goals:
  • Apply software updates on a timely basis
  • Apply software updates in a manner that appropriately mitigates the risks involved
• Output: Compliance Report verifying that required updates have been successfully applied to a requisite percentage of relevant endpoints

Application Phase – Phased Rollouts

(Timeline chart.) Starting from the Release Date, the update moves through the groups in order: Test Group (Lab), Pilot Group (IT), Production Group #1, Production Group #2, Production Group #3.

Application Phase – Compliance Report

• Verify that expected compliance rate was achieved according to terms of SLA
• Note that Compliance Rate is calculated based on computers that have been scanned
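The phased-rollout rules from the Analysis Phase (release group by group, defer or exclude when testing finds problems) and the Compliance Report rule above (the rate counts only scanned computers) can be combined into one gate that decides what the Application Phase does next. The following Python is an added example written for this page, not code from the deck or from Altiris; the group names follow the slides, while the 90% SLA threshold, the endpoint inventory and the host names are constructed assumptions.

```python
from dataclasses import dataclass, replace

# Group order from the slides: lab first, then pilot, then the production groups.
ROLLOUT_ORDER = (
    "Test Group (Lab)",
    "Pilot Group (IT)",
    "Production Group #1",
    "Production Group #2",
    "Production Group #3",
)


@dataclass(frozen=True)
class Endpoint:
    name: str
    group: str
    scanned: bool = False     # has a scan reported on this endpoint for the update?
    patched: bool = False     # did that scan find the update installed?
    excluded: bool = False    # excluded from the rollout by the Remediation Strategy


def compliance_report(endpoints, group):
    """Compliance rate for one group, computed over scanned, non-excluded endpoints only."""
    members = [e for e in endpoints if e.group == group and not e.excluded]
    scanned = [e for e in members if e.scanned]
    patched = [e for e in scanned if e.patched]
    return {
        "group": group,
        "scanned": len(scanned),
        "patched": len(patched),
        "unscanned": len(members) - len(scanned),   # reported separately, never counted as compliant
        "excluded": sum(1 for e in endpoints if e.group == group and e.excluded),
        "rate": len(patched) / len(scanned) if scanned else None,
    }


def rollout_status(endpoints, sla_rate=0.9, problem_groups=()):
    """Decide the next step of the phased rollout.

    Returns (action, group, rate):
      ("defer",   group, rate)  problems were discovered in that phase: defer the update
      ("wait",    group, rate)  that phase is below the SLA compliance rate: keep remediating
      ("release", group, None)  that phase has no scan results yet: it is the next one to target
      ("done",    None,  rate)  every phase met the SLA
    """
    rate = None
    for group in ROLLOUT_ORDER:
        rate = compliance_report(endpoints, group)["rate"]
        if group in problem_groups:
            return ("defer", group, rate)
        if rate is None:
            return ("release", group, None)
        if rate < sla_rate:
            return ("wait", group, rate)
    return ("done", None, rate)


def record_scans(endpoints, results):
    """Return a new inventory with scan results {name: patched} recorded."""
    return [replace(e, scanned=True, patched=results[e.name]) if e.name in results else e
            for e in endpoints]


# Constructed sample inventory (not real hosts).
SAMPLE_ENDPOINTS = [
    Endpoint("lab-01", "Test Group (Lab)", scanned=True, patched=True),
    Endpoint("lab-02", "Test Group (Lab)", scanned=True, patched=True),
    Endpoint("it-01", "Pilot Group (IT)", scanned=True, patched=True),
    Endpoint("it-02", "Pilot Group (IT)", scanned=True, patched=True),
    Endpoint("it-03", "Pilot Group (IT)", scanned=True, patched=False),
    Endpoint("it-04", "Pilot Group (IT)"),                        # not yet scanned
    Endpoint("prod1-01", "Production Group #1"),
    Endpoint("prod1-02", "Production Group #1"),
    Endpoint("prod1-03", "Production Group #1", excluded=True),   # excluded by the Remediation Strategy
    Endpoint("prod2-01", "Production Group #2"),
    Endpoint("prod3-01", "Production Group #3"),
]

if __name__ == "__main__":
    print(compliance_report(SAMPLE_ENDPOINTS, "Pilot Group (IT)"))
    print(rollout_status(SAMPLE_ENDPOINTS))
    print(rollout_status(record_scans(SAMPLE_ENDPOINTS, {"it-03": True})))
```

Because the rate is computed over scanned computers only, a group with many unscanned members can show 100% compliance; the report therefore carries the unscanned count alongside the rate so that the number is read in context before the next group is released.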

The “4A” Model – Advancement Phase

• Primary Roles: All involved in process
• Inputs:
  • Lessons learned
  • Data analysis
• Goals:
  • Ongoing evaluation and fine-tuning of process
  • Continuous improvement
• Output: Process improvements

Tips and Tricks

Installing under System Account

• Some third party vendor packages (e.g. Sun JRE) cannot be installed under System Account
• By default, Patch policies install updates under the System Account
• The account used to install each package can be configured in Resource Manager

Disabling previously installed versions in use

• Updates to Sun JRE require that previously installed versions be disabled before installing a new version/update
• The batch file which drives the installation of Sun JRE updates does not disable previously installed versions before attempting to install the new version/update, as this could result in unexpected user disruption
• Workaround is documented in release notes (i.e. add 'tskill java /A' command to batch file)
• View command line information in Resource Manager
• Locate batch file in folder for package associated with update
• Modify batch file

Maintaining application customizations

• Third party vendors such as Adobe sometimes address security issues in packages that install a full version of the application rather than in a hot fix that only updates the affected files
• Updates distributed as full installation packages may fail to preserve customizations made to previously installed versions of the application (e.g. turning off an auto update feature)
• Customizations can be “preserved” by:
  • Running a separate task following installation of the update;
  • Creating a transform file, adding the transform file to the package folder associated with the update, and creating a custom command line for the update package

Application Customizations – Adobe Flash

• Auto-update configuration settings stored in mms.cfg file
• For Flash 8 and later, mms.cfg is stored in the following location:
  • Windows NT, 2000: \\WINNT\System32\Macromed\Flash
  • Windows XP, Vista: \\WINDOWS\System32\Macromed\Flash
  • Windows 64 bit: \\Windows\SysWOW64
• For more information, see: http://helpx.adobe.com/flash-player/kb/administration-configure-auto-update-notification.html

Parameter                Default  Description
AutoUpdateDisable        0        0 allows auto-update based on user settings; 1 disables auto-update.
SilentAutoUpdateEnable   1        0 allows background update; 1 disables background update.
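The “separate task following installation” mentioned under Maintaining application customizations can be as small as re-asserting the mms.cfg settings after a full-install Flash update has replaced the file. The following Python is an added example written for this page (not from the deck, from Altiris or from Adobe); it treats mms.cfg as plain key=value lines, assumes the file is UTF-8 text, and the post-update file contents it checks are constructed. The directory table repeats the paths listed above.

```python
from pathlib import Path

# mms.cfg locations listed on the slide (relative to the system drive).
MMS_CFG_DIRS = {
    "Windows NT, 2000": r"\WINNT\System32\Macromed\Flash",
    "Windows XP, Vista": r"\WINDOWS\System32\Macromed\Flash",
    "Windows 64 bit": r"\Windows\SysWOW64",
}

# The customization to keep: AutoUpdateDisable=1 turns auto-update off (value from the slide's table).
DESIRED_SETTINGS = {"AutoUpdateDisable": "1"}


def parse_mms_cfg(text: str) -> dict:
    """Read key=value lines; lines without '=' are ignored here and kept verbatim by enforce_settings."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def drifted_settings(text: str, desired=DESIRED_SETTINGS) -> list:
    """Names of desired settings that the current file does not carry with the desired value."""
    current = parse_mms_cfg(text)
    return sorted(key for key, value in desired.items() if current.get(key) != value)


def enforce_settings(text: str, desired=DESIRED_SETTINGS) -> str:
    """Rewrite the file text so every desired setting has its value, leaving other lines untouched."""
    out, seen = [], set()
    for line in text.splitlines():
        key, sep, _ = line.partition("=")
        key = key.strip()
        if sep and key in desired:
            out.append(f"{key}={desired[key]}")
            seen.add(key)
        else:
            out.append(line)
    for key in sorted(desired):           # settings the update dropped entirely are appended
        if key not in seen:
            out.append(f"{key}={desired[key]}")
    return "\n".join(out) + "\n"


def enforce_file(path, desired=DESIRED_SETTINGS) -> bool:
    """Post-install task: re-apply the settings in place; returns True if the file was changed.
    The containing directory must already exist (i.e. Flash Player is installed)."""
    cfg = Path(path)
    current = cfg.read_text(encoding="utf-8") if cfg.exists() else ""
    fixed = enforce_settings(current, desired)
    if fixed == current:
        return False
    cfg.write_text(fixed, encoding="utf-8")
    return True


# Constructed example of what a full-install update may leave behind (auto-update re-enabled).
POST_UPDATE_CFG = "AutoUpdateDisable=0\nSilentAutoUpdateEnable=0\n"

if __name__ == "__main__":
    print("drifted:", drifted_settings(POST_UPDATE_CFG))
    print(enforce_settings(POST_UPDATE_CFG), end="")
```

Run as a task after the update package, enforce_file reports whether it had to change anything, which is itself useful data for the Advancement Phase: a package that keeps resetting the file is a candidate for the transform-file approach instead.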

Application Customizations – Adobe Acrobat and Reader

Three ways to customize installation:
• Command line
• Changes to registry following distribution
• Customization wizard
• For more information, see Enterprise Administration Guide: http://helpx.adobe.com/content/dam/kb/en/837/cpsid_83709/attachments/Acrobat_Enterprise_Administration.pdf

Adobe Acrobat and Reader – Command Line

• Set value of Windows Installer properties on command line
• e.g. msiexec /i "[UNC PATH]\AdbeRdr1010_en_US.msi" EULA_ACCEPT=YES /qn

Adobe Acrobat and Reader – Registry Changes

• Administrator’s Information Manager (dictionary of 450 registry/plist preferences)
• Example #1 – Disable automatic updates and remove associated user interface items
• Example #2 – Disable prompts for upgrades to next major version (e.g. 10.0 to 11.0)
• For more information, see http://learn.adobe.com/wiki/download/attachments/46432650/AIM.air

Adobe Acrobat and Reader – Customization Wizard

• Free utility that enables pre-deployment installation customization
• Creates transform file that gets applied to .MSI at installation time
• See: ftp://ftp.adobe.com/pub/adobe/acrobat/win/10.x/10.0.0/misc/

Adding Transform File to Software Update Package

Creating Custom Command Line
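The custom command line for an update package combines the Windows Installer properties shown under Command Line with the transform file produced by the Customization Wizard. The following Python is an added example written for this page (not from the deck, from Altiris or from Adobe) that composes and checks such a line; TRANSFORMS, /qn and /l*v are standard Windows Installer options, the package and transform paths are constructed placeholders, and the public-property check reflects Windows Installer's rule that only upper-case (public) property names can be set from the command line.

```python
import re

# Windows Installer only lets the command line set *public* properties, whose names are
# entirely upper-case (for example EULA_ACCEPT). A mixed-case name is a private property,
# and a value passed for it on the command line is silently ignored, so reject it up front.
PUBLIC_PROPERTY = re.compile(r"^[A-Z][A-Z0-9_]*$")


def is_public_property(name: str) -> bool:
    return PUBLIC_PROPERTY.match(name) is not None


def build_msiexec_command(msi_path, properties=None, transform=None, quiet=True, log_path=None):
    """Compose the msiexec command line for an update package.

    msi_path    package path, e.g. a UNC path to the .msi (quoted because it may contain spaces)
    properties  {PROPERTY: value} pairs set on the command line, e.g. {"EULA_ACCEPT": "YES"}
    transform   path of a transform (.mst) made with the Customization Wizard, applied through
                the standard TRANSFORMS property
    log_path    optional verbose install log (/l*v), useful when a phased rollout hits problems
    """
    properties = dict(properties or {})
    for name in properties:
        if not is_public_property(name):
            raise ValueError(f"{name!r} is not a public (upper-case) Windows Installer property")
    parts = ["msiexec", "/i", f'"{msi_path}"']
    if transform:
        parts.append(f'TRANSFORMS="{transform}"')
    for name, value in properties.items():
        parts.append(f'{name}="{value}"' if " " in value else f"{name}={value}")
    if quiet:
        parts.append("/qn")          # quiet, no user interface: what an unattended patch policy needs
    if log_path:
        parts.extend(["/l*v", f'"{log_path}"'])
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed placeholder paths (not real shares).
    print(build_msiexec_command(r"\\server\share\AdbeRdr1010_en_US.msi", {"EULA_ACCEPT": "YES"}))
    print(build_msiexec_command(r"C:\Pkg\AdbeRdr1010_en_US.msi", {"EULA_ACCEPT": "YES"},
                                transform=r"C:\Pkg\AcroRead.mst", log_path=r"C:\Logs\reader.log"))
```

The first call reproduces the slide's example line; the second is the shape used once a transform has been added to the package folder and a custom command line is created for the update.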

Additional Resources


• For tips and tricks on installing applications and updates to those applications, see IT Ninja (formerly AppDeploy): www.itninja.com/tips

• For informative discussions among system administrators regarding the distribution of software updates, subscribe to the Patch Management Mailing List: www.patchmanagement.org

• For more questions and answers regarding use of the Altiris Patch Management Solution, see Symantec Connect: http://www.symantec.com/connect/endpoint-management/forums


Thank you!

Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.


Mike Grueber

[email protected]