I opened a ticket with their support group and they were unable to duplicate the problem. I asked them if they were using the MSI installer or the EXE installer from Adobe when they are testing. They told me they only support the EXE installed version of Flash and Shockwave. So I wrote an SCCM delivered app that switched Flash and Shockwave to the EXE versions by removing the MSI installed and then installed the EXE as one last SCCM package delivered update. Now my clients are all on the version of Flash/Shockwave that can be patched by Secunia patches. The only downside is that the EXE doesn't contain the backwards compatibility for Shockwave 10, so there were some web pages that broke when we dumped the Shockwave backwards compatibility. Since I've switched to the EXE versions of Shockwave/Flash, those Secunia patches have been working fine unmodified.
For Adobe Reader, I had to get rid of the Secunia SPS executable baked into the patch and replace it with the URL to the Adobe web site. If you look at some of the older 10.1.5 or 10.1.4 patches (and all the Acrobat Pro patches) they point to the Adobe URL for downloading the patches. Sometime around Reader 10.1.6, Secunia switched to their own custom SPS.exe and I have never had luck with that working. There is a post on Secunia's web site from January that explains how to correct the Reader patches; why they are still broken 6 months and 4 patches later, I dunno.

From: [email protected] [mailto:[email protected]] On Behalf Of Michael Gouldthorp
Sent: Thursday, July 10, 2014 8:11 AM
To: [email protected]
Subject: RE: [mssms] Secunia

Apparently I'm not alone. I'm currently dealing with the exact same issue (Adobe Reader).

We installed Flash using the MSI provided from the Adobe redistribution license. Secunia was great at detecting that Flash was out of date and provided a patch to update Flash to the current version. Unfortunately, the patch from Secunia assumes you used the EXE version of the Flash installer from Adobe. The end result from using Secunia's provided patch is that the systems were left with two versions of Flash installed. One older from the MSI version and one current from the EXE/patched version. Same story for Shockwave.

How did you determine that Secunia assumes that you used the EXE installer?

Thanks,
Mike

From: [email protected] [mailto:[email protected]] On Behalf Of Miller, Todd
Sent: Wednesday, July 09, 2014 4:50 PM
To: [email protected]
Subject: RE: [mssms] Secunia

I find the scanning portion of the tool to work very well. You can scan using a client on the system, or it can be made to scan against software inventory data in SCCM. I choose to scan against SCCM software inventory data, but that does mean you have to turn on SCCM software inventory which plenty of people hate.
I find I need it for other things anyway - so two birds one stone. It helps to figure out what patches you are missing in your environment and also to prioritise which patches you should focus on based on number of hosts affected and severity of the vulnerability. Those are the PROS of the software.

Here are the CONS...

They only provide patches due to security issues, so if patches are provided by software for feature or bugfix reasons, they do not support the patch. For instance, they are behind on Shockwave patches currently because the current version is a bug fix to a previous version and is not a security risk. To me, I want to rely on this product to patch Shockwave - not just when the missing patch is a security risk.

The other major drawback of the product is the quality of the patches are really not up to snuff. It is uncommon for me to take a patch from Secunia and have it work reliably. I end up recoding all the patches and by the time I finish with that, I wonder if I am really gaining all that much over SCUP. On the one hand the detection part of the patch is all fixed up for me, but I have to write my own code to actually apply the patch and the Secunia framework just calls the executable I write to apply the patches.

Here are examples of what I mean.

We installed Flash using the MSI provided from the Adobe redistribution license. Secunia was great at detecting that Flash was out of date and provided a patch to update Flash to the current version. Unfortunately, the patch from Secunia assumes you used the EXE version of the Flash installer from Adobe. The end result from using Secunia's provided patch is that the systems were left with two versions of Flash installed. One older from the MSI version and one current from the EXE/patched version. Same story for Shockwave.

I have a custom build of Firefox, so I always have to build the new version of Firefox MSI and then replace the Secunia patch installer with my own custom MSI. It is not that much work.
Apple Quicktime, I modified to not check for updates and not put the Quicktime icon on the desktop. After applying the Secunia supplied Quicktime patch, all those settings (no check for update - no desktop icon) revert to the default. So I had to build my own self-extracting exe that updated Quicktime silently.

So, it is no panacea. If you think you can just check in a bunch of patches for third party programs and deploy them out to your clients seamlessly, forget about it. It is still a full time job one week a month to prepare/test/deploy patches. But, Secunia is great at figuring out what patches you should be working on, and is a big help at developing the targeting rules in the patch and publishing to SCCM.

From: [email protected] [mailto:[email protected]] On Behalf Of Sherry Kissinger
Sent: Wednesday, July 09, 2014 2:30 PM
To: [email protected]
Subject: Re: [mssms] Secunia

I've used it in a lab environment--and it's quite nice. We haven't bought it (yet--internal politics, who is going to pay for it, that kind of thing; but I have high hopes). I can't think of anything bad about their product at all. It's all good. Contact them for a demo is the easiest.

To be fair, don't forget about looking at Shavlik, PatchMyPC.net, and um...I think there's a couple more. Eminentware? Did I forget a few more? If you've already implemented SCUP / deployed a trusted certificate, any one of them will allow you to deploy 3rd party patches. You'd just have to determine which vendor best fits your needs.

Sherry Kissinger

On Wednesday, July 9, 2014 1:57 PM, "Mitchell, Steven R" <[email protected]> wrote:

Hey all,

Does anyone have any good/bad information on Secunia? There is a move here to look into this for addressing vulnerabilities. Just curious if you have had dealings with it as a solution.
Thanks,
Steven

CONFIDENTIALITY NOTICE: This e-mail and any files transmitted with it are intended solely for the use of the individual or entity to whom they are addressed and may contain confidential and privileged information protected by law. If you received this e-mail in error, any review, use, dissemination, distribution, or copying of the e-mail is strictly prohibited. Please notify the sender immediately by return e-mail and delete all copies from your system.

Notice: This UI Health Care e-mail (including attachments) is covered by the Electronic Communications Privacy Act, 18 U.S.C. 2510-2521, is confidential and may be legally privileged. If you are not the intended recipient, you are hereby notified that any retention, dissemination, distribution, or copying of this communication is strictly prohibited. Please reply to the sender that you have received the message in error, then delete it. Thank you.
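
A check for the side-by-side installs described in the thread, as an added example that is not from any of the posters or from Secunia: it groups uninstall registry entries by product name and reports products that have both an MSI-registered and a non-MSI entry. The function names, the name pattern and the sample rows are assumptions made for illustration.

```powershell
# Added example: flag products registered by both an MSI and a non-MSI installer.
# These are the standard per-machine uninstall keys (64-bit and 32-bit views).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-UninstallEntry {
    # Read live entries from the local machine (Windows only).
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{
                DisplayName    = $_.DisplayName
                DisplayVersion = $_.DisplayVersion
                # WindowsInstaller = 1 marks an entry written by an MSI package
                IsMsi          = ($_.WindowsInstaller -eq 1)
            }
        }
}

function Find-DualInstall {
    param(
        [Parameter(Mandatory)] [object[]] $Entry,
        # Assumed display-name pattern; adjust to the names in your inventory
        [string] $NamePattern = 'Flash Player|Shockwave Player'
    )
    $Entry |
        Where-Object { $_.DisplayName -match $NamePattern } |
        # Drop version digits so entries for different versions group together
        Group-Object { ($_.DisplayName -replace '[\d.]+', '' -replace '\s+', ' ').Trim() } |
        Where-Object { ($_.Group.IsMsi -contains $true) -and ($_.Group.IsMsi -contains $false) } |
        ForEach-Object {
            [pscustomobject]@{
                Product  = $_.Name
                Versions = ($_.Group | ForEach-Object {
                    '{0} ({1})' -f $_.DisplayVersion, $(if ($_.IsMsi) { 'MSI' } else { 'non-MSI' })
                }) -join ', '
            }
        }
}

# Constructed sample rows (not from the thread): an older MSI install left
# beside a newer non-MSI install, plus one product with a single entry.
$sample = @(
    [pscustomobject]@{ DisplayName = 'Adobe Flash Player 13 ActiveX'; DisplayVersion = '13.0.0.0'; IsMsi = $true }
    [pscustomobject]@{ DisplayName = 'Adobe Flash Player 14 ActiveX'; DisplayVersion = '14.0.0.0'; IsMsi = $false }
    [pscustomobject]@{ DisplayName = 'Adobe Shockwave Player 12'; DisplayVersion = '12.0.0.0'; IsMsi = $false }
)
Find-DualInstall -Entry $sample | Format-Table -AutoSize
```

On a live Windows host, pass `Get-UninstallEntry` output to `Find-DualInstall` instead of the sample rows; run before and after a third-party patch deployment, a newly reported product means the patch installed beside the existing copy rather than upgrading it.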

