Device Management Accelerated Release of Flash Update

The Information Security Office working with the Device Management Core Team 
will be accelerating the patching of University-owned systems running vulnerable
versions of Flash; however, students especially are encouraged to check their computer as soon as 
possible using browsercheck.pepperdine.edu and update Flash (or disable Flash if not
needed).

Our normal patch operation in Device Management is designed to test automated
patches and apply them within two weeks of their release. The current program
for this release of Flash we expect to shorten to one week, because this vulnerability
is being so widely and actively exploited. Again, Device Mangement only updates University owned machines,
so personal and student systems should be updated with browsercheck.

BACKGROUND

There is a vulnerability in Adobe Flash that is being exploited in large
scale attacks. The vulnerability is being tracked as CVE-2014-0569 [1]
on the Common Vulnerabilities and Exposures (CVE) database. The exploit
includes memory corruption vulnerabilities and an integer overflow
vulnerability that could lead to code execution. Adobe released security
updates for all versions of Flash on October 14, 2014.

IMPACT

These vulnerabilities could allow an attacker to take control of an
affected system. This vulnerability may be exploited during a drive-by
download attack. This can happen by visiting a malicious website or
viewing and email message or clicking on a deceptive pop-up window.
Check your version of Flash here.

PLATFORMS AFFECTED

  * Adobe Flash Player 15.0.0.167 and earlier versions
  * Adobe Flash Player 13.0.0.244 and earlier 13.x versions
  * Adobe Flash Player 11.2.202.406 and earlier versions for Linux
  * Adobe AIR desktop runtime 15.0.0.249 and earlier versions
  * Adobe AIR SDK 15.0.0.249 and earlier versions
  * Adobe AIR SDK & Compiler 15.0.0.249 and earlier versions
  * Adobe AIR 15.0.0.252 and earlier versions for Android

RECOMMENDATIONS

Users should update to the latest version of Adobe Flash.

 * Adobe recommends users of the Adobe Flash Player desktop runtime for
Windows and Macintosh update to Adobe Flash Player 15.0.0.189 by
visiting the Adobe Flash Player Download Center, or via the update
mechanism within the product when prompted.

 * Adobe recommends users of the Adobe Flash Player Extended Support
Release should update to version 13.0.0.250.

 * Adobe recommends users of Adobe Flash Player for Linux update to
Adobe Flash Player 11.2.202.411 by visiting the Adobe Flash Player
Download Center.

 * Adobe Flash Player installed with Google Chrome will be automatically
updated to the latest Google Chrome version, which will include Adobe
Flash Player 15.0.0.189.

 * Adobe Flash Player installed with Internet Explorer for Windows 8.x
will be automatically updated to the latest version, which will include
Adobe Flash Player 15.0.0.189.

 * Adobe recommends users of the Adobe AIR desktop runtime should update
to version 15.0.0.293 by visiting the Adobe AIR Download Center.

 * Adobe recommends users of the Adobe AIR SDK should update to version
15.0.0.302 by visiting the Adobe AIR Download Center.

 * Adobe recommends users of the Adobe AIR SDK & Compiler should update
to version 15.0.0.302 by visiting the Adobe AIR Download Center.

 * Adobe recommends users of the Adobe AIR for Android should update to
Adobe AIR 15.0.0.293 by downloading the new version from the Google Play
store.

REFERENCES

>   [1] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0558

FURTHER READING

>   http://helpx.adobe.com/security/products/flash-player/apsb14-22.html
>   http://www.pcworld.com/article/2836732/one-week-after-patch-flash-vulnerability-already-exploited-in-largescale-attacks.html

Endpoint Protection Coming to Macs!

Pepperdine's Endpoint Protection solution will soon be coming to Macs. The installation job runs silently, and will install the Sophos shield in the Mac notification area (the top right of the Mac desktop, near the Day/Date).

Figure: Sophos Shield in the Mac Notification Area.

Endpoint Protection Installation Process Continues

Dear Pepperdine Faculty and Staff,

Pepperdine’s Information Technology division is continuing the installation of Endpoint Protection.

Many people who have Pepperdine-owned computers running the Windows operating system already have received the Sophos antivirus client. Others may expect the installation in the coming weeks. Please note the following:

What will happen:	In order to prevent conflicts with other antivirus programs, the Sophos installation process may remove existing antivirus solutions installed on your computer.
What you might see:	You may see messages indicating that various antivirus programs were removed and/or encouraging you to obtain antivirus protection. Please ignore or minimize these messages should they appear. (They will disappear on their own.) A blank black window: Find an antivirus message: Trend Notification:
Successful installation:	Upon installation, Sophos, your new antivirus program, will appear as a shield in your system tray.

We appreciate your cooperation during the installation process. We know the Endpoint Protection Service will help keep the University data and community safe.

Frozen but Not Vulnerable

Prior to implementing Device Management to secure our network, many of our campus computer labs and public computers relied on a product known as Deep Freeze to help mitigate malware infections. Deep Freeze works by taking a snapshot of the computer after it's setup and no matter what changes happen to it after that, automatically reverts to that snapshot when the computer is rebooted. So no matter what kind of nasty virus may have found its way onto the computer or whatever infected file inadvertently gets transferred to the computer, a simple reboot would get rid of it and the computer would be clean and happy again.

An unfortunate side-effect however, was that any security updates or system patches that were applied without going through a special process to update the snapshot would also get wiped clean on reboot. Previously these updates had to be manually applied by the lab manager or other IT staff to each computer protected with Deep Freeze, but we are now happy to report that we have successfully developed an automatic process that takes care of it utilizing Device Management. This will save countless hours of employee time and allows greater efficiency in network management and increased security.

We ran a pilot test of the process in late June on selected computers in Cafe Fresca and have recently expanded it to include some of the computers in Payson Library. Full implementation across all Pepperdine computers protected with Deep Freeze will be rolled out by the end of the year.

July 16, 2014

No new patches this week.

Endpoint Protection Installation

Information Technology soon will deploy the new Endpoint Protection Service for all Pepperdine-owned computers. This new service will monitor malware activity and take corrective measures to minimize malware action and data loss.

On July 14, 2014, the Device Management Service will begin installing the Sophos antivirus client on Pepperdine-owned Windows computers and removing the old antivirus, Trend Officescan.  Installation on Macintosh computers will follow thereafter.

You may be prompted to reboot your computer to complete the installation process.

Server and Flash Upgrades

The Device Management Server was recently upgraded to add new administrative features and enhancements that will make the job of keeping our computers updated and secure more efficient. The most noticeable change on the client side is that the Windows and Mac alert messages are now standardized (see image below) so there is a uniform experience on both platforms. This makes it much easier for users to recognize when a security patch has been applied to their computer and helps reassure them it is a legitimate Device Management alert.

Before: Windows and Mac users received different alert windows leading to confusion

After, both Windows and Mac users receive an alert window displaying the official Device Management logo

Adobe also released a new version of Adobe Flash (version 14) for Windows and Macintosh which addresses vulnerabilities that could potentially allow an attacker to take control of an affected system. Adobe recommended all users update to the latest version as soon as possible. Following our standard period of compatibility testing on campus for use with our systems such as WaveNet and Kronos, we are now actively upgrading computers with older versions to the more secure current version.

Mac 10.5 and 10.6 Sunset

Similar to the Windows XP Sunset that recently concluded, we will be retiring Mac operating systems 10.5 (Leopard) and 10.6 (Snow Leopard). Device Management will soon require a minimum of 10.7 (Lion) for patching.

If you provide user support, please be proactive in assisting work colleagues with upgrading their Macs. IT will also be reaching out to staff running 10.5 and 10.6, reminding them of the sunset schedule as well as assisting with upgrade options.

Clean-up of Old Adobe Reader/Acrobat Programs

With the successful deployment of Adobe Acrobat XI Pro, older versions of Adobe PDF products are not necessary and may even pose a security risk. Therefore, any computer that has Acrobat XI Pro will have any other version of Adobe Acrobat or Reader uninstalled starting today. What do you need to do? If you do not yet have Acrobat XI Pro, please restart your computer and refer to the previous blog posts for instructions. If you do have Acrobat XI Pro installed then no further action is needed; any necessary uninstall actions will occur silently. Thank you for helping keep all Pepperdine computers up-to-date with the latest software!

Deployment of Adobe Acrobat Pro XI Almost Complete

The deployment of Adobe Acrobat Pro XI to university-owned computers has gone smoothly. Currently, there are now 1,612 computers with Acrobat Pro XI, 1,378 of which are Windows and 234 are Macs. According to the device management team, a handful of computers still need to have the software installed. Those members of the community will encounter the following pop-up windows. Please pay heed to the notices to ensure you will enjoy the benefits of Acrobat Pro XI.

Pop-up notice for Windows

Pop-up notice for Mac

Pepperdine Faculty and Staff to Receive Adobe Acrobat Pro XI

On Thursday, April 17, 2014, IT’s Device Management service will begin deploying Adobe Acrobat XI Pro to all university-owned machines.

Pepperdine faculty and staff will be able to enjoy the Pro version features, which include creating and editing PDF files and forms as well as merging and combining files into a PDF.

What do I need to do?
Nothing! All of the work will be done by the DM service with no disruption to your work. During the month of April and into May, DM will silently install Acrobat and remove older versions of Acrobat and/or Reader from your computer.

Will I notice anything?
No. In most cases the installation will be all done in the background. However, some of you (i.e. Macintosh users) might see a pop-up window like the ones pictured below.

Should you encounter these, please select “Ok” and close any instances of Acrobat or Reader. Select “Snooze” to delay the installation if it’s during an inconvenient time. You will see an alert when the process has been completed on your computer.

Pop-up notice for Windows

Pop-up notice for Mac

IT staff know the features of Adobe Acrobat Pro XI will provide many benefits to Pepperdine’s business processes.

Windows XP Sunset: March Update

Windows XP will no longer be supported by Microsoft after April 8, 2014. Consequently, all university-owned computers running Windows XP need to be upgraded to Windows 7 or else retired from duty as they will not be allowed on Pepperdine’s network after April 8, 2014. 

Thanks to all our Pepperdine colleagues who have been upgrading or surplusing their Windows XP computers.  There are only 43 computers at Pepperdine still running XP.  Of those, 25 need to be upgraded to Windows 7 while 18 need to be retired as they do not have the resources required to be upgraded.  These computers are receiving daily pop-ups informing their users of the Windows XP sunset program.  In addition, the Device Management team has contacted all students informing them of the deadlines, and it is collaborating with colleagues across Pepperdine to educate guests, vendors, and newly admitted students about the end of Windows XP. 

Windows XP Sunset: February Update

Windows XP will no longer be supported by Microsoft after April 8, 2014. Consequently, all university-owned computers running Windows XP need to be upgraded to Windows 7 or else retired from duty as they will not be allowed on Pepperdine’s network after April 8, 2014.


Thanks to all our Pepperdine colleagues who have been upgrading or surplusing their Windows XP computers.  There are only 115 computers at Pepperdine still running XP.  Of those, 69 need to be upgraded to Windows 7 while 46 computers need to be retired as they do not have the resources required to be upgraded.  E-mails were sent on 2/26/14 to the owners of these computers (if they are able to be determined) informing them of the Windows XP sunset program.  If no definitive owner can be determined for a given computer, then technology support personnel will visit the computer and work with attendant staff in sunsetting XP.

Windows XP Sunset: January Update

Windows XP will no longer be supported by Microsoft after April 8, 2014. Consequently, all university-owned computers running Windows XP need to be upgraded to Windows 7 or else retired from duty as they will not be allowed on Pepperdine’s network after April 8, 2014. 

Thanks to all our Pepperdine colleagues who have been upgrading or surplusing their Windows XP computers.  There are only 211 computers at Pepperdine still running XP.  Of those, 125 need to be upgraded to Windows 7 while 86 computers need to be retired as they do not have the resources required to be upgraded.  E-mails were sent on 1/15/14 to the owners of these computers (if they are able to be determined) informing them of the Windows XP sunset program.  If no definitive owner can be determined for a given computer, then technology support personnel will visit the computer and work with attendant staff in sunsetting XP.

Now patching Win 8.1 and OSX 10.9

Patching has been enabled for Windows 8.1 and Macintosh OSX 10.9 systems. Patch support became available in December for these systems along with our recent upgrade to the Device Management system just before the Winter Break. While use of these operating systems are few and far between, we do currently have approximately 9 - Windows 8.1 and 58 - OSX 10.9 in the Device Management system.