Adobe Flash Emergency Update 11.6.602.171

ernstcs
Contributor III

shakim
New Contributor III

Steve Jobs was right about Flash!! This is becoming a full-time job keeping up with it.

jarednichols
Honored Contributor

Oh for F's sake...

ernstcs
Contributor III

I THINK that Oracle and Adobe are trying to outdo each other, I really do.

jarednichols
Honored Contributor

I think both products seriously need black/whitelist functionality. For us, we need Java and Flash for very few business cases. I'd like to whitelist the sites where they're allowed and that's it.

franton
Valued Contributor III

ohnonotagain..... *thumps head off wall*

nessts
Valued Contributor II

At least you are gainfully employed. Now that there seem to be people who spend their entire lives trying to break into stuff and then post what is broken, I would expect that our entire lives are going to be centered around patching stuff.

WebEx, SSL VPN solutions, streaming all employee meetings: yes, you could whitelist, but that's not going to be any more fun to maintain, I would expect.

jarednichols
Honored Contributor

yes, you could whitelist, but that's not going to be any more fun to maintain, I would expect.

Yes, but the point is that I'm whitelisting things that are only allowed internally. It gives me a little bit more room to do the patching instead of scrambling every single time because the plugins wouldn't be allowed on any "unknowns."

Chris_Hafner
Valued Contributor II

All I want is to get my hands on XProtect from top to bottom. As an administrator I would really love to be able to make the educated decision as to whether or not I feel an 'in the wild' exploit is worth shutting my users down on a Friday afternoon for the weekend if there isn't a patch available yet. Seriously! I appreciate this for consumers, but I'm going to have a seriously long talk with my local Apple Engineers about just what 'Enterprise' means!

CasperSally
Valued Contributor II

Chris_Hafner - so disable it for your users. I did so when they disabled java without a new version available because our users have software that unfortunately relies on Java. I now treat it like Apple Software updates, I disable it for users and push updates after I test them.

launchctl unload -w /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist

rtrouton
Release Candidate Programs Tester

I've got a way to manage XProtect with regards to Java. My method is posted here:

http://derflounder.wordpress.com/2013/02/24/managing-java-browser-plug-in-settings-for-apples-xprote...

For my own deployment, I've got the script referenced in the post set up with a policy that runs every 15 minutes with Casper's every15 policy trigger. I did that instead of a LaunchDaemon in my own shop because then I could control it entirely from Casper, in the event that future edits needed to be made to the script.

rtrouton
Release Candidate Programs Tester

For those interested in managing Flash using a similar method, Pepijn Bruienne wrote this script:

https://gist.github.com/bruienne/5066890

Chris_Hafner
Valued Contributor II

@ CasperSally: I worry about the ramifications of proceeding in that direction, though I do greatly appreciate it! I'm going to remember that I can yank it that way!
@ rtrouton: Brilliant. I'm going to keep that one in my back pocket! This looks like a safe route to travel, and allows for management of the plist! Awesome!

I suppose that I should be fair here and state that my objections to this process are merely that of a grumbling admin. I'm lucky in the fact that the few things that we use Java for work with all the new versions, and that Flash and Java are extremely easy to distribute. What I'm really grumbling about is the fact that Apple seriously needs to understand that they also have enterprise customers and should provide the ability to manage XProtect in a fully supported manner. Separately, I strongly believe that this is a great thing for their consumer business.

P.S. I never expected to have such good answers! I might just have to grumble here more ;-) I'm still happily touting JAMFNation as the best user group around! Thanks all!

jarednichols
Honored Contributor

For what it's worth, I have Apple security engineers coming into Fidelity next week. They're going to get an earful.

krichterjr
Contributor

I wish I could be a fly on the wall for that meeting.

jarednichols
Honored Contributor

It may be the second coming of pissed off Steve Jobs, which I've witnessed firsthand.

Here are the questions I've come up with that they've gotten already so they can come prepared with answers. If anyone wants additional questions asked, post them here and I'll try and get them in.

  1. Does Apple believe they are allowed to act unilaterally when it comes to security on client systems?

  2. Does Apple believe that a company should NOT be allowed to decide if they want to continue with a version of a piece of software even if there are exploits in the wild? E.g., allow the company to do its own risk assessment, NOT Apple.

  3. What will Apple's security teams do in the future to better inform corporate and enterprise security teams of what they are doing?

  4. How is Apple going to ensure that this never happens again? Does Apple even care if it happens again?

  5. How are the decisions made where Apple decides upon which version of which pieces of technology to block with XProtect?

  6. Why should I allow XProtect to see the light of day on my machines if it has the ability to screw me? Are you just going to block Java 7 Update 13 next week when the latest security hole is discovered? (Java 7 U17 has since been released and Java 7 U15 was blocked the second that happened.)

  7. Apple has lost a whole lot of trust to a whole lot of admins. What will Apple do to re-build that trust?

  8. I want a full list of all mechanisms within OS X and iOS that dial home to Apple. Anything that has the ability to change or modify the behavior of a Mac or iOS device that Apple is in control of I want fully disclosed. I want to know what it's called, what servers it hits, how changes are made, how it's logged… Everything. Period. I want under the hood.

  9. I want a mea culpa. "Sorry, we screwed up," would be wonderful. Let's all be adults and someone admit they did something wrong. The sooner Apple can admit that something went wrong, I think the closer I'll be to trusting that you won't do it again.

tkimpton
Valued Contributor II

Wish I could be there, Jared. I'm getting very tired of this.

mm2270
Legendary Contributor III

Good list, Jared. Can't really think of anything to add. Sounds like you're going to make them squirm :)

FWIW, I have noticed that the XProtect plist on my Mac still reads 1.7.11.22 as the minimum Java 7 plugin version and 1.6.0_37-b06-435 for Java 6, so, unless my system just isn't checking in with the mothership anymore, it looks like they haven't updated the min version since that fiasco. Is anyone seeing a different minimum version showing up on their systems?

jarednichols
Honored Contributor

On my own system I run XProtect to see what's getting blocked by it though my clients don't run it. It was updated to 1.7.15.04 as the minimum version the second Update 17 came out.

gregp
Contributor

Last Modified: Mon, 04 Mar 2013 21:47:02 GMT
Version: 2033

JavaWebComponentVersionMinimum: 1.6.0_41-b02-446
com.macromedia.Flash Player.plugin: 11.6.602.171
com.oracle.java.JavaAppletPlugin: 1.7.15.04

Jared, very nice list. If you can post their response, please do.

Mike, after I re-enabled our xprotectupdater (after editing XProtect.meta.plist), I had to delete it so it could get a new one. It threw a couple of messages into system.log.
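As an added example (not code from the thread or from Apple), here is a small POSIX shell check that decides whether a given installed plug-in version falls below the minimums gregp pasted; the minimums are embedded as a constructed sample in the same flat "key: value" form, and the ordering rule (normalise separators to dots, compare fields numerically) is an assumption, not Apple's documented algorithm.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether XProtect would block a
# plug-in, given the minimum versions in XProtect.meta.plist. The data below
# is a constructed sample in the flat "key: value" form gregp pasted; on a
# real Mac you would extract the same keys from the live plist first.
XPROTECT_MINIMUMS='JavaWebComponentVersionMinimum: 1.6.0_41-b02-446
com.macromedia.Flash Player.plugin: 11.6.602.171
com.oracle.java.JavaAppletPlugin: 1.7.15.04'

# minimum_for KEY -> prints the minimum version recorded for KEY (empty if absent)
minimum_for() {
    printf '%s\n' "$XPROTECT_MINIMUMS" | sed -n "s/^$1: //p"
}

# version_lt A B -> succeeds when A sorts strictly below B.
# Assumption: separators and letters are normalised to dots and fields are
# compared numerically, so 1.6.0_41-b02-446 is treated as 1.6.0.41.02.446.
version_lt() {
    a=$(printf '%s' "$1" | tr -c '0-9' '.' | tr -s '.')
    b=$(printf '%s' "$2" | tr -c '0-9' '.' | tr -s '.')
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
        case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
        [ "${fa:-0}" -lt "${fb:-0}" ] && return 0
        [ "${fa:-0}" -gt "${fb:-0}" ] && return 1
    done
    return 1   # equal versions are not below the minimum
}

# xprotect_verdict KEY INSTALLED -> prints blocked, allowed or unlisted
xprotect_verdict() {
    min=$(minimum_for "$1")
    [ -z "$min" ] && { echo unlisted; return 0; }
    if version_lt "$2" "$min"; then echo blocked; else echo allowed; fi
}

# Demo with constructed installed versions (the Java 7 one is mm2270's figure)
for probe in 'com.macromedia.Flash Player.plugin=11.6.602.168' \
             'com.macromedia.Flash Player.plugin=11.6.602.171' \
             'com.oracle.java.JavaAppletPlugin=1.7.11.22' \
             'JavaWebComponentVersionMinimum=1.6.0_37-b06-435'; do
    key=${probe%%=*}; ver=${probe#*=}
    printf '%-36s %-18s %s\n' "$key" "$ver" "$(xprotect_verdict "$key" "$ver")"
done
```

Run before pushing an update and you can see which clients XProtect would already have cut off, instead of finding out from the help desk.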

mm2270
Legendary Contributor III

Hmm, OK, thanks guys. Not sure why I did not receive the updated XProtect plist then. My Mac was on the internet all day yesterday and has been since early this morning. I suppose it will get updated... eventually.
Maybe you can add that to your list of questions: 'why is it so inconsistent when an updated XProtect definition is received?'

Edit: @ gregp, thanks, I'll look into that.

tkimpton
Valued Contributor II

@jarednichols

When you say your clients don't run it, do you mean you unload the LaunchDaemon at startup?

launchctl unload -w /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist

CasperSally
Valued Contributor II

Apple was similarly here about 2 weeks after they first disabled Java 6 on us, which killed our gradebook the day grades were due.

There was definitely not a "we were wrong" response. The one engineer said "we still feel we did the right thing" (and they have since continued to disable Flash/Java). I complained it was the lack of transparency / notifications to administrators; the response was to sign up for the Apple security newsletter for updates. I did sign up, but still get more timely news from JAMF Nation/Twitter.

It may be right for consumers, but it was the blindside I argued was wrong, and the lack of control options. Lots of nodding and smiling, but it ends there. My opinion is they are a consumer company; they'll pay lip service to supporting enterprise (or K12s the size of enterprise), but their decisions will continue to be made based on the good of their consumer market.

jarednichols
Honored Contributor

@tkimpton

Yes, they don't run XProtect.

@CasperSally

I get that they're a consumer company and that's fine. However they need to piss or get off the pot with Enterprise. Are they or aren't they? If they're not, get out completely. No AD plugin, no very nicely done fdesetup, nothing.

Get in or get out. There is no middle.

If they're putting in the small amount of effort they're doing now to do Enterprise, put in a smidge more to stop these shenanigans.

tkimpton
Valued Contributor II

Unfortunately they dont care about the Enterprise. Their biggest market is the consumer and they know people need Java and Flash and Apple will see it as they are doing what they can to let consumers know they need to do updates.

I'm sure the Apple reps will argue their views :(

Don't get me wrong, I agree with you... it's a pain in the arse... after all, they are not the ones having to do all this disabling, scripting and deleting in some cases to make the OS and software work in the Enterprise.

Unfortunately it's self-defeating, because we are patching problems all the time that Apple should be fixing!

This is why I think Apple can afford to do a yearly OS... because they are relying on people like us to sweep up after them!

jarednichols
Honored Contributor

To be fair here, Apple is merely responding to a problem outside of them: the fact that Oracle and Adobe are constantly patching their bug-laden software.

However, I think they need to be smarter about it. In fact, I have a suggestion for Apple in this regard:

Expand the feature-set of XProtect. Give it the ability to white and blacklist places where you'd allow and disallow where these plugins can run. In our case, we only need Java running from very few specific hosts. If I can add this to a whitelist, GREAT!

They should also add the ability to "grace" a version. Give me some manner of control of where I'd like to draw the "block" line.

This would give me the ability to better protect systems and allow a small window of planning to get the latest version out.

Chris_Hafner
Valued Contributor II

Amen!

tkimpton
Valued Contributor II

Spot on, Jared :) I think I've been seeing things one-sided and not the overall picture. Apple are doing their best, it's just we have higher standards and definitions of best lol

I think that would be the best approach to address the problem with Apple when you get to talk to them face to face.

I think a proactive approach would be more effective than going in with all guns blazing lol

Nick_Gooch
Contributor III

Adding the option of "click to play" would be a much simpler solution than totally blocking the plug-in.

If you are running an outdated version warn the user they are out of date but allow them to continue to run the plug-in. Maybe even run the current version, click to play last version, block all older versions. That would at least give time to test and push out the updates before the plug-in is totally blocked.

jarednichols
Honored Contributor

Nick, I do like that idea. I can bring that up with Apple as well.

gregp
Contributor

There is a Safari extension called ClickToFlash that does exactly that. In addition to protecting you from running unwanted Flash, pages also do not load the unwanted Flash and so load much faster.

Something similar for Java would be really nice.

Nick_Gooch
Contributor III

But if Apple decided to block the current version of Flash player or Java that wouldn't help any.

gregp
Contributor

Correct, but my point was that instead of outright blocking it, they could leave the plugins enabled for current versions and something like ClickToFlash (ClickToJava?) for outdated versions.

If they think that will delay users from updating, then they can also have a default setting that is the current behavior (works or it doesn't), with an option for the user to set it so that we get the additional option of having to click on it to let it run. Alternatively, they could also have a third setting to just ignore XProtect. Also, be able to set these three behaviors by product (Java 6, 7, or Flash).

Nick_Gooch
Contributor III

Sounds good to me.

mm2270
Legendary Contributor III

I do like the idea of 'click to play' type functionality for both of these products. I would like both companies to offer the option for enterprise admins to be able to control (read: lock) those settings to what we want it to be. In other words, give us not just the ability to turn it on, but turn it on programmatically AND lock it so the end user can't change it.

It might be seen as an inconvenience, but so what? Security is rarely about convenience.

chris_kemp
Contributor III

Agreed - it's not their place to force people to update. I had this bite me just now: back in from being out for a couple of days, I get a call to verify that a current, very important recording is still in progress. The system GUI is java-based; I have no other way to check this system - but, it's our in-house server & I'm quite confident that I'm not going to be haXX0r3d by going there...but lo and behold, my system won't let me run the console, so I have to apologize to the caller & make them wait for me to update java, only to find out that the new java isn't running the f@&G( console correctly!*

Thank goodness for Firefox, which 1) gave me a click-through warning about java security, and 2) ran the application I needed to see.

I do think users need to be trained to do their updates, but this could be done with a nag window - it is extremely intrusive to have Apple commandeering MY machine and deciding what I'm allowed to run on it.