Get your update on folks...again...
Adobe Flash Emergency Update 11.6.602.171
- February 27, 2013
- 35 replies
- 94 views
- Contributor
- February 27, 2013
Steve Jobs was right about Flash!! This is becoming a full-time job keeping up with it.
- Author
- Contributor
- February 27, 2013
I THINK that Oracle and Adobe are trying to outdo each other, I really do.
- Valued Contributor
- February 27, 2013
I think both products seriously need black/whitelist functionality. For us, we need Java and Flash for very few business cases. I'd like to whitelist the sites where they're allowed and that's it.
- Valued Contributor
- February 27, 2013
At least you are gainfully employed. Now that there seem to be people who spend their entire lives trying to break into stuff and then post what is broken, I would expect that our entire lives are going to be centered around patching stuff.
Webex, SSL VPN solutions, streaming all employee meetings, yes you could whitelist, but that's not going to be any more fun to maintain I would expect.
- Valued Contributor
- February 27, 2013
yes you could whitelist, but that's not going to be any more fun to maintain I would expect.
Yes, but the point is that I'm whitelisting things that are only allowed internally. It gives me a little bit more room to do the patching instead of scrambling every single time because the plugins wouldn't be allowed on any "unknowns."
- Jamf Heroes
- March 4, 2013
All I want is to get my hands on XProtect from top to bottom. As an administrator I would really love to be able to make the educated decision as to whether or not I feel an 'in the wild' exploit is worth shutting my users down on a Friday afternoon for the weekend if there isn't a patch available yet. Seriously! I appreciate this for consumers, but I'm going to have a seriously long talk with my local Apple Engineers and just what 'Enterprise' means!
- Honored Contributor
- March 4, 2013
Chris_Hafner - so disable it for your users. I did so when they disabled java without a new version available because our users have software that unfortunately relies on Java. I now treat it like Apple Software updates, I disable it for users and push updates after I test them.
launchctl unload -w /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist
- Hall of Fame
- March 4, 2013
I've got a way to manage XProtect with regards to Java. My method is posted here:
For my own deployment, I've got the script referenced in the post set up with a policy that runs every 15 minutes with Casper's every15 policy trigger. I did that instead of a LaunchDaemon in my own shop because then I could control it entirely from Casper, in the event that future edits needed to be made to the script.
- Hall of Fame
- March 4, 2013
For those interested in managing Flash using a similar method, Pepijn Bruienne wrote this script:
- Jamf Heroes
- March 4, 2013
@ CasperSally: I worry about the ramifications of proceeding in that direction, though I do greatly appreciate it! I'm going to remember that I can yank it that way!
@ rtrouton: Brilliant. I'm going to keep that one in my back pocket! This looks like a safe route to travel, and allows for management of the plist! Awesome!
I suppose that I should be fair here and state that my objections to this process are merely that of a grumbling admin. I'm lucky in the fact that the few things that we use Java for work with all the new versions, and that Flash and Java are extremely easy to distribute. What I'm really grumbling about is the fact that Apple seriously needs to understand that they also have enterprise customers and should provide the ability to manage XProtect in a fully supported manner. Separately, I strongly believe that this is a great thing for their consumer business.
P.S. I never expected to have such good answers! I might just have to grumble here more ;-) I'm still happily touting JAMFNation as the best user group around! Thanks all!
- Valued Contributor
- March 5, 2013
For what it's worth, I have Apple security engineers coming into Fidelity next week. They're going to get an earful.
- Valued Contributor
- March 5, 2013
It may be the second coming of pissed off Steve Jobs, which I've witnessed firsthand.
Here are the questions I've come up with that they've gotten already so they can come prepared with answers. If anyone wants additional questions asked, post them here and I'll try and get them in.
Does Apple believe they are allowed to act unilaterally when it comes to security on client systems?
Does Apple believe that a company should NOT be allowed to decide if they want to continue with a version of a piece of software even if there are exploits in the wild? E.g., allow the company to do its own risk assessment, NOT Apple.
What will Apple's security teams do in the future to better inform corporate and enterprise security teams of what they are doing?
How is Apple going to ensure that this never happens again? Does Apple even care if it happens again?
How are the decisions made where Apple decides upon which version of which pieces of technology to block with XProtect?
Why should I allow XProtect to see the light of day on my machines if it has the ability to screw me? Are you just going to block Java 7 Update 13 next week when the latest security hole is discovered? (Java 7 U17 has since been released and Java 7 U15 was blocked the second that happened.)
Apple has lost a whole lot of trust to a whole lot of admins. What will Apple do to re-build that trust?
I want a full list of all mechanisms within OS X and iOS that dial home to Apple. Anything that has the ability to change or modify the behavior of a Mac or iOS device that Apple is in control of I want fully disclosed. I want to know what it's called, what servers it hits, how changes are made, how it's logged… Everything. Period. I want under the hood.
I want a mea culpa. "Sorry, we screwed up," would be wonderful. Let's all be adults and someone admit they did something wrong. The sooner Apple can admit that something went wrong, I think the closer I'll be to trusting that you won't do it again.
- Honored Contributor
- March 5, 2013
Wish I could be there, Jared. I'm getting very tired of this.
- Legendary Contributor
- March 5, 2013
Good list, Jared. Can't really think of anything to add. Sounds like you're going to make them squirm :)
FWIW, I have noticed that the XProtect plist on my Mac still reads 1.7.11.22 as the minimum Java 7 plugin version and 1.6.0_37-b06-435 for Java 6, so, unless my system just isn't checking in with the mothership anymore, it looks like they haven't updated the min version since that fiasco. Is anyone seeing a different minimum version showing up on their systems?
- Valued Contributor
- March 5, 2013
On my own system I run XProtect to see what's getting blocked by it though my clients don't run it. It was updated to 1.7.15.04 as the minimum version the second Update 17 came out.
- New Contributor
- March 5, 2013
Last Modified: Mon, 04 Mar 2013 21:47:02 GMT
Version: 2033
JavaWebComponentVersionMinimum: 1.6.0_41-b02-446
com.macromedia.Flash Player.plugin: 11.6.602.171
com.oracle.java.JavaAppletPlugin: 1.7.15.04
Jared, very nice list. If you can post their response, please do.
Mike, after I re-enabled our xprotectupdater (after editing XProtect.meta.plist), had to delete it so it could get a new one. It threw a couple of messages into system.log.
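An added example, not part of any post in this thread: a short Python check that reads the minimum plug-in versions from an XProtect.meta.plist and lists which installed plug-ins fall below them, using the version strings quoted above. The nesting under `PlugInBlacklist` and `MinimumPlugInBundleVersion`, the numeric-tuple comparison, the function names and the sample inventory are assumptions made for illustration.

```python
import plistlib
import re

# Constructed sample in the assumed layout of XProtect.meta.plist; the
# version strings are the ones quoted in the post above.
SAMPLE_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>JavaWebComponentVersionMinimum</key><string>1.6.0_41-b02-446</string>
  <key>PlugInBlacklist</key><dict><key>10</key><dict>
    <key>com.macromedia.Flash Player.plugin</key>
    <dict><key>MinimumPlugInBundleVersion</key><string>11.6.602.171</string></dict>
    <key>com.oracle.java.JavaAppletPlugin</key>
    <dict><key>MinimumPlugInBundleVersion</key><string>1.7.15.04</string></dict>
  </dict></dict>
  <key>Version</key><integer>2033</integer>
</dict></plist>"""

def version_key(text):
    """Turn '1.7.15.04' or '1.6.0_41-b02-446' into a comparable int tuple."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def minimum_versions(meta_bytes):
    """Return {bundle_id: minimum version string} from the plist bytes."""
    meta = plistlib.loads(meta_bytes)
    minimums = {}
    for per_os in meta.get("PlugInBlacklist", {}).values():
        for bundle_id, rule in per_os.items():
            if "MinimumPlugInBundleVersion" in rule:
                minimums[bundle_id] = rule["MinimumPlugInBundleVersion"]
    return minimums

def blocked_plugins(meta_bytes, installed):
    """List (bundle_id, installed, minimum) for plug-ins below the minimum."""
    minimums = minimum_versions(meta_bytes)
    return sorted(
        (bid, ver, minimums[bid])
        for bid, ver in installed.items()
        if bid in minimums and version_key(ver) < version_key(minimums[bid])
    )

if __name__ == "__main__":
    # Constructed inventory: Flash is current, the Java 7 plug-in is older.
    fleet = {
        "com.macromedia.Flash Player.plugin": "11.6.602.171",
        "com.oracle.java.JavaAppletPlugin": "1.7.11.22",
    }
    for bid, have, need in blocked_plugins(SAMPLE_META, fleet):
        print(f"{bid}: installed {have} < minimum {need}")
```

Run against the real plist bytes and a software inventory export, the same comparison shows which machines would lose a plug-in the moment a new minimum arrives.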
- Legendary Contributor
- March 5, 2013
Hmm, OK, thanks guys. Not sure why I did not receive the updated XProtect plist then. My Mac was on the internet all day yesterday and has been since early this morning. I suppose it will get updated... eventually.
Maybe you can add that to your list of questions: 'why is it so inconsistent when an XProtect updated definition is received?'
Edit: @ gregp, thanks, I'll look into that.
- Honored Contributor
- March 5, 2013
@jarednichols
When you say your clients don't run it, do you mean you unload the launchdaemon at startup?
launchctl unload -w /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist
- Honored Contributor
- March 5, 2013
Apple was similarly here about 2 weeks after they first disabled Java 6 on us, which killed our gradebook the day grades were due.
There was definitely not a "we were wrong" response. The one engineer said "we still feel we did the right thing" (and have since continued to disable flash/java). I complained it was the lack of transparency / notifications to administrators, the response was to sign up for the apple security newsletter for updates. I did sign up, but still get more timely news from Jamfnation/twitter.
It may be right for consumers, but it was the blindside I argued was wrong & the lack of control options. Lots of nodding and smiling, but it ends there. My opinion is they are a consumer company, they'll do ear service to supporting enterprise (or k12s the size of enterprise), but their decisions will continue to be made based on the good of their consumer market.
- Valued Contributor
- March 5, 2013
@tkimpton
Yes, they don't run XProtect.
@CasperSally
I get that they're a consumer company and that's fine. However they need to piss or get off the pot with Enterprise. Are they or aren't they? If they're not, get out completely. No AD plugin, no very nicely done fdesetup, nothing.
Get in or get out. There is no middle.
If they're putting in the small amount of effort they're doing now to do Enterprise, put in a smidge more to stop these shenanigans.
- Honored Contributor
- March 5, 2013
Unfortunately they don't care about the Enterprise. Their biggest market is the consumer and they know people need Java and Flash and Apple will see it as they are doing what they can to let consumers know they need to do updates.
I'm sure the Apple reps will argue their views :(
Don't get me wrong, I agree with you...it's a pain in the arse...after all they are not the ones having to do all this disabling, scripting, deleting in some cases to make the OS and software work in the Enterprise.
Unfortunately it's self-defeating because we are patching problems all the time that Apple should be fixing!
This is why I think Apple can afford to do a yearly OS...because they are relying on people like us to sweep up after them!
- Valued Contributor
- March 5, 2013
To be fair here, Apple is merely responding to a problem outside of them: the fact that Oracle and Adobe are constantly patching their bug-laden software.
However, I think they need to be smarter about it. In fact, I have a suggestion for Apple in this regard:
Expand the feature-set of XProtect. Give it the ability to white and blacklist places where you'd allow and disallow where these plugins can run. In our case, we only need Java running from very few specific hosts. If I can add this to a whitelist, GREAT!
They should also add the ability to "grace" a version. Give me some manner of control of where I'd like to draw the "block" line.
This would give me the ability to better protect systems and allow a small window of planning to get the latest version out.