Secunia CSI7
Advisories
Research
Forums
Create Profile
Our Commitment
PSI
PSI API
CSI
OSI
xSI
Vulnerabilities
Programs
Open Discussions
My Threads
Create Thread
Statistics
About

Forum Thread: Adobe Flash Player 11.x SPS architecture

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
CSI

This thread has been marked as locked.
dstancu Adobe Flash Player 11.x SPS architecture
Member 12th Sep, 2013 11:16
Ranking: 0
Posts: 6
User Since: 1st Jan, 1970
System Score: N/A
Location: N/A
I want to patch Adobe Flash player 11.x(ActiveX) with latest release 11.8.800.168(ActiveX). In Secunia CSI under SPS I see 3 different versions of this patch:

- Windows 32-bit
- Windows
- Windows 64-bit architecture

I am pretty confused which SPS packages should I deploy to my organization. My clients are Windows 7 x64 computers and I see that CSI detected instances for all 3 architectures. Which package should I deploy? I assume that Windows 64-bit should be set up to apply to \"64-bit Systems Only\"(other options are greyed). But what about other two packages? Which System Applicability rules should I configure?

r.danailov RE: Adobe Flash Player 11.x SPS architecture
Secunia Official 16th Sep, 2013 14:41
Score: 25
Posts: 173
User Since: 3rd Jan 2012
System Score: N/A
Location: Copenhagen, DK
Hi,

Thank you for addressing your question through the community forum. I will allow myself to provide a comprehensive answer so that my information could help other users as well.

Ever since the mid-2012, Adobe made the installer for Adobe Flash universal. This means that disregarding of which edition of the Adobe Flash you distribute to your systems, it would always install in both 32- and 64-bit instances, thus making each of the installers sufficient to patch the other version (32-bit installer patches also the 64-bit version and the vice versa).

This literally means that you actually need to create and deploy one package that is applicable to install for both 32- and 64-bit machines. However, please note that the default applicability rules of a SPS package are indeed the paths where Insecure software is detected. As you have 3 instances of Adobe Flash listed in the SPS view, you need to pick the one that covers the most paths, thus is the most appliable package.

The Insecure column under Secunia Package System view shows the number of machines which uploaded applicability data (their detection paths) to the corresponding package. This means that the package entry with the biggest number shown under Insecure column would possibly be deployed to the biggest amount of systems - this is the package you need to create.

Please note however that even though one package may not always cover all installations (because the unique detection paths were spread between 2 or more package entries), this is not an issue for you. Once you deployed the first package, and re-scanned your systems, the SPS shall then create a new product entry which will cover the rest - basically you take the patching process in two parts thus avoiding extra work and loosing of your precious time.

I hope you'll find my information helpful. Else, let us know if you have any further questions.

Kind regards / Stay Secure
Rosen Danailov / Security+
Secunia Customer Support

r.danailov

RE: Adobe Flash Player 11.x SPS architecture
[+]
This reply has been deleted

r.danailov

RE: Adobe Flash Player 11.x SPS architecture
[+]
This reply has been deleted
r.danailov RE: Adobe Flash Player 11.x SPS architecture
Secunia Official 16th Sep, 2013 14:52
Score: 25
Posts: 173
User Since: 3rd Jan 2012
System Score: N/A
Location: Copenhagen, DK
Hi,

In addition to my previous comment and with the intent to clarify how the Secunia Package System qualifies packages, please consider that when a package is marked as '64-bit' architecture, you shall ensure that indeed a 64-bit version is being distributed within this package.

If you navigate to step 2 of the Secunia Package Wizard, you could verify this as the default dynamic download link would usually display whether the version added by default is 64-bit. If it is not for some reason, you could either modify the link to point to the 64-bit download, or you could use Add Local File to attach the actual installer directly to the SPS package wizard.

You are also recommended (in all cases except Adobe Flash) to apply this package for only 64-bit systems to avoid 32-bit systems acquiring the package by mistake from WSUS and thus failing to install your package because of compatibility issues (error code 1642 in SecuniaPackage.log).

Kind regards / Stay Secure
Rosen Danailov / Security+
Secunia Customer Support
r.danailov RE: Adobe Flash Player 11.x SPS architecture
Secunia Official 16th Sep, 2013 15:01
Score: 25
Posts: 173
User Since: 3rd Jan 2012
System Score: N/A
Location: Copenhagen, DK
Last edited on 16th Sep, 2013 15:03
Hi,

Here is a description of the labels used in Secunia Package System:

a) 32-bit - this indicates that the detected version was 32-bit on 32-bit system. Package for this entry should include 32-bit installer and could be set to be applicable to both 32- and 64-bit machines (for all cases except Oracle Java Update Packages!).

b) Windows - this indicates that CSI detected 32-bit installation of 64-bit system. Package for this entry should include 32-bit installer and could be set to be applicable to both 32- and 64-bit machines (for all cases except Oracle Java Update Packages!).

c) 64-bit - this indicates that the detected version was 64-bit on 64-bit system. Package for this entry should include 64-bit installer and should be applicable to only 64-bit machines.

Finally, you can find more information about Secunia Package System within the Secunia CSI Best-Practices Guide available for download through the below direct URL. Appendix A of the BP Guide includes 6 pages of recommendations on how to manage Oracle Java in your domain.

http://secunia.com/?action=fetch&filename=Secunia_...

Kind regards / Stay Secure
Rosen Danailov / Security+
Secunia Customer Support

dstancu Adobe Flash Player 11.x SPS architecture
Member 17th Sep, 2013 07:45
Last edited on 17th Sep, 2013 07:45 Hi r.danailov,

thank you for the clarification, now I understand architecture part of Secunia CSI.

When you mentioned Oracle Java patching process, on 53rd page of Secunia CSI Best Practice Guide document, it states:

Package #2 - 32-bit package to install on 32-bit system

Shouldnt be Package #2 - 32-bit package to install on 64-bit system? Obviously path
C:\Program Files (x86)\Java\jre7\bin\... doesnt exist on 32-bit system. Also point c)Select 32-bit systems only under System Applicability... from my understanding should be c)Select 64-bit systems only under System Applicability..., even in screenshoot below I see that Apply Package To is set to 64-bit Systems Only

Am I right or not?

Best Regards,

Daniel



Was this reply relevant?
+0
-0
r.danailov RE: Adobe Flash Player 11.x SPS architecture
Secunia Official 17th Sep, 2013 11:28
Score: 25
Posts: 173
User Since: 3rd Jan 2012
System Score: N/A
Location: Copenhagen, DK
Hi,

Yes, your understanding is correct. Package #2 shall consist of a 32-bit installer, C:\Program Files (x86)\ paths and it shall be restricted for delivery to only 64-bit machines.

Unfortunately, I can see that the document attached to Secunia's website is not the updated copy of the document where this spelling mistake was fixed. Please excuse us for the inconvenience and the confusion, we will fix this right away.

Thank you for pointing out this small documentation issue.
Kindly, let us know if you need any further assistance.

Kind Regards | Stay Secure
Rosen Danailov | Security+
Secunia Customer Support

This thread has been marked as locked.


 Products Solutions Customers Partner Resources Company
 
 Corporate
Vulnerability Intelligence Manager (VIM)
Corporate Software Inspector (CSI)
Consumer
Personal Software Inspector (PSI)
Online Software Inspector (OSI)
 Industry
Compliance
Technology
Integration
 Customers
Testimonials
 VARS
MSSP
Technology Partners
References
 Reports
Webinars
Events
 About us
Careers
Memberships
Newsroom


 
© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144
Terms & Conditions and Copyright - Privacy - Report Vulnerability