[ale] [OT] updating, securing OpenOffice, Adobe Reader / Flash

Ron Frazier atllinuxenthinfo at c3energy.com
Fri Mar 11 10:01:07 EST 2011 

I've been doing my monthly patching of my Windows machines, and, what a 
pain.  Fortunately, I don't have to do it too often.  I have a checklist 
of things to do to the Linux machines too, so not all is automatic, 
although most of the application updates are automatic.

Some of you manage Windows machines, so I wanted to share some info.  
Also, Open Office, Adobe Reader, and Flash may be used on Linux, so this 
may be relevant from that point of view as well.  Now, before you start 
saying the best way to secure Adobe Reader and Flash is not to use them, 
I know, I'm looking for a way to fire Reader on Windows, and I don't use 
it on Linux.  I don't like Ubuntu 10.04's built in PDF reader either.  I 
may end up going to Foxit on both Linux and Windows.  I don't know of a 
viable replacement for doing what flash can do.

--------------------

Itunes

Itunes is not generally used in a corporate environment, and I don't use 
it, but my son has it.  It's refusing to update properly.  I've already 
removed and reinstalled it once last month, and it looks like I'll have 
to do the same this month.  ARRG!

-------------------

OpenOffice

OpenOffice is now up to version 3.3.  However, my version 3.2 was not 
updating properly.  When I'd say check for updates, it just failed.  
When I heard it was at a new rev level, I uninstalled it and installed 
version 3.3.  My Ubuntu version is still at 3.2.  I'm not sure why.  
Also, the install procedure installed version 22 of Java, when the 
current version is 24, so I had to uninstall the old version.

There are a couple of default settings that I change to improve 
security.  Running scripting in documents can be a big vector for 
viruses or malware.  Therefore, I turn that off.  I do this in Windows 
and Linux.

OpenOffice - options - openoffice.org section

    security
       macro security button
          set to VERY HIGH

    java
       use a java runtime environment
          set to OFF (uncheck)

If I were using Microsoft Office, I would maximize macro security and / 
or disable macros there too.

----------------------

Adobe Reader

This was a fiasco.  I know you can run Adobe Reader on Linux, but I 
don't, and I don't know for sure how much of this applies.  I had 
version 9.4.2 I think.  It was updating itself fine, but not upgrading.  
The current version for Windows is version 10.0.1.  I had to uninstall 
the old reader and install the new one.  This brings along lots of 
baggage I didn't want, which I then had to go back and uninstall.  On my 
Windows machines, I want ONLY flash and reader, nothing else.  So, after 
installing Reader X (as they call it), uninstall the following if you 
don't want it:

(from Firefox addons screen)
- Adobe DLM (download manager) from Firefox addons

(from Windows control panel)
- Adobe Flash Active X - not actually related to reader, but still adobe 
- I think this applies to IE only, and I only use Firefox.
- Adobe Air
- McAfee Security Scan Plus - came with the Reader install, don't know why
- Adobe DLM - yes it's here too - publisher name is Nos Microsystems

After this, there are a number of settings I check / change to improve 
security.  All I want my PDF reader to do is read PDF's and display 
them.  I don't want scripting, automation, multimedia, fill in forms, 
etc.  So, I turn all that off as follows.

Adobe reader options

javascript
    enable acrobat javascript
       set to OFF (unchecked)

multimedia trust (legacy)
    allow multimedia operations
       set to OFF (unchecked)

security (enhanced)
    enable enhanced security
       set to ON
    automatically trust sites from my windows os security zones
       set to OFF (unchecked)

trust manager
    allow opening of non PDF file attachments with external applications
       set to OFF (unchecked)

----------------------

Adobe Flash

Here's how to set the security settings in Flash.  You have to go to the 
Adobe website to do this.  Assuming Flash is already installed, you can 
do the following.  Go to the Adobe website at www.adobe.com .  Click 
products.  Scroll down and look in the E-O column.  Click Adobe Flash 
player.  This brings up a flash animation on the top part of the 
resulting page.  You could also go to YouTube, etc. to bring up a flash 
item.  Right click on the flash animation, this brings up a menu.  Click 
About Adobe Flash Player to check your version.  If this locks up, as it 
sometimes does on my Linux system, you can go to 
http://www.adobe.com/software/flash/about/ to do the same thing.

 From the popup menu, you can click Global settings to get to the 
settings screen.  If that doesn't work, you can go to

http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html 
to do the same thing.

Once you get to this page, there are several links with settings you can 
set.  These are the settings I recommend.  Modify these if some flash 
site needs access to your camera or microphone.

Global Privacy Settings Panel
    Click Always deny button, then confirm, do this again - sometimes it 
doesn't save, then repeat the whole procedure.

Global Storage Settings Panel
    Check all three boxes.

Global Security Settings Panel
    Always Deny

Website Privacy Settings Panel
    All sites should have an Always Deny symbol unless they need access 
to your camera and microphone.

Website Storage Settings Panel
    All sites should say used - nothing and limit - never unless they 
need to store local data.  An example of something that needs to store 
local data to work is Pandora.

Peer Assisted Networking Panel
    Disable P2P uplink for all - should be CHECKED
    All websites listed should say Always Deny unless this feature is 
needed.

---------------------

Well, that's it.  I just have to do all that on 5 PC's and two OS's.  I 
also periodically recheck all the security settings in Reader, Flash, 
Firefox, and Noscript, as they have been known to change either by 
mistake or when updates come in and defaults mysteriously reappear.  If 
you have to deal with Reader, Flash, or Open Office, maybe this will be 
useful.  If you don't, be glad.

Sincerely,

Ron

-- 

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new messages very quickly.)

Ron Frazier

770-205-9422 (O)   Leave a message.
linuxdude AT c3energy.com

More information about the Ale mailing list