Adobe FlashPlayer Emergency Group Policy

After posting a message to the patchmanagement.org distribution list about my strategy, as a reaction to the following article, in which I said:

My strategy has always been a risk based approach.
If there’s a vulnerability, something needs to be done about the risk. The risk needs first to be identified and assessed.
The risk can then be:
– accepted (just inventory and evaluate your specific context, wait for a patch when it’s a 0-day)
– reduced, mitigated (apply the workaround instead of patching first, that gives you more time and you can patch later)
– shared, transferred (get more budget and buy a more expensive insurance)
– avoided (patch immediately or remove the offending software/component)

I was contacted by Mitch Tulloch, who is a widely recognized expert on Windows Server and cloud technologies, who has written more than a thousand articles and has authored or been series editor for over 50 books for Microsoft Press. He is a twelve-time recipient of the Microsoft Most Valuable Professional (MVP) award in the technical category of Cloud and Datacenter Management.

I provided some recent examples to illustrate the above strategy, and he wrote a nice article on http://techgenix.com/patch-management/

I mentioned in the above article that:

Whenever there’s a zero-day in Flash, you can apply the workaround and set a kill-bit in the registry

The kill-bit is a registry value (the 0x400 bit of the Compatibility Flags value under the control's CLSID) that tells Internet Explorer not to load the vulnerable ActiveX control; Office has an equivalent COM kill-bit.
It is always documented as a mitigation in the workaround section of every Adobe FlashPlayer security bulletin posted by Microsoft:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180014
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180030
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180031

The Office part is also well documented on these support pages: https://support.microsoft.com/en-hk/help/4058123/security-settings-for-com-objects-in-office
https://support.office.com/en-us/article/flash-silverlight-and-shockwave-controls-blocked-in-microsoft-office-55738f12-a01d-420e-a533-7cef1ff6aeb1
Let's see how to easily achieve this using PowerShell 🙂

#Requires -RunAsAdministrator
#Requires -Modules ActiveDirectory,GroupPolicy
# Make sure we can reach the PDC (-Service 1 = PrimaryDC)
$PDC = (Get-ADDomainController -Service 1 -Discover -ErrorAction SilentlyContinue).Hostname
if ($PDC) {
    # Get the domain name
    $DomainName = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
    # Create the GPO if it doesn't already exist
    if (-not ($GPO = Get-GPO -Name 'Adobe FlashPlayer Emergency' -Domain "$($DomainName)" -ErrorAction SilentlyContinue)) {
        try {
            $GPO = New-GPO -Name 'Adobe FlashPlayer Emergency' -Domain "$($DomainName)" -ErrorAction Stop
        } catch {
            Write-Warning -Message "Failed to create the Adobe FlashPlayer GPO because $($_.Exception.Message)"
        }
    }
    if ($GPO) {
        # Don't need user settings
        $GPO.GpoStatus = [Microsoft.GroupPolicy.GpoStatus]::UserSettingsDisabled
        # Main hashtable, splatted into every Set-GPRegistryValue call
        $HT = @{ GUID = ($GPO).Id ; ErrorAction = 'Stop' }
        # Array that stores each setting as a hashtable
        $ar = New-Object -TypeName System.Collections.ArrayList
        # ArrayList.Add returns the new index; discard it so it doesn't leak into the output
        $null = $ar.Add(
            # As of Internet Explorer 10.0 on Windows 8
            @{
                Key = 'HKLM\Software\Policies\Microsoft\Internet Explorer';
                ValueName = 'DisableFlashInIE' ; Type = 'DWORD' ; Value = 0x1
            }
        )
        #'{233C1507-6A77-46A4-9443-F871F945D258}', # Adobe Shockwave Player
        '{D27CDB6E-AE6D-11CF-96B8-444553540000}', # Shockwave Flash Object
        '{D27CDB70-AE6D-11CF-96B8-444553540000}' | # Macromedia Flash Factory Object
        ForEach-Object {
            $g = $_
            @(
                # Internet Explorer
                @{
                    Key = "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$($g)";
                    ValueName = 'Compatibility Flags' ; Type = 'DWORD' ; Value = 0x400
                },
                @{
                    Key = "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$($g)";
                    ValueName = 'Compatibility Flags' ; Type = 'DWORD' ; Value = 0x400
                },
                # Office 2007 to 2013
                @{
                    Key = "HKLM\SOFTWARE\Microsoft\Office\Common\COM\Compatibility\$($g)";
                    ValueName = 'Compatibility Flags' ; Type = 'DWORD' ; Value = 0x400
                },
                # Office 2016 / 365
                # The Office COM kill bit to block this object from being activated within Office
                # For 64 bit Office on 64 bit Windows (or 32 bit Office on 32 bit Windows).
                @{
                    Key = "HKLM\Software\Microsoft\Office\16.0\Common\COM Compatibility\$($g)";
                    ValueName = 'Compatibility Flags' ; Type = 'DWORD' ; Value = 0x400
                },
                # For 32 bit Office on 64 bit Windows.
                @{
                    Key = "HKLM\Software\Wow6432Node\Microsoft\Office\16.0\Common\COM Compatibility\$($g)";
                    ValueName = 'Compatibility Flags' ; Type = 'DWORD' ; Value = 0x400
                },
                # Make sure it also blocks COM objects that are embedded or linked from within Office documents
                @{
                    Key = "HKLM\Software\Microsoft\Office\16.0\Common\COM Compatibility\$($g)";
                    ValueName = 'ActivationFilterOverride' ; Type = 'DWORD' ; Value = 0x0
                },
                @{
                    Key = "HKLM\Software\Wow6432Node\Microsoft\Office\16.0\Common\COM Compatibility\$($g)";
                    ValueName = 'ActivationFilterOverride' ; Type = 'DWORD' ; Value = 0x0
                }
            ) |
            ForEach-Object {
                $null = $ar.Add($_)
            }
        }
        # Write every collected setting into the GPO
        $ar |
        ForEach-Object {
            $reg = $_
            try {
                Set-GPRegistryValue @HT @reg
            } catch {
                Write-Warning -Message "Failed to set GPO setting $($reg.Key)\$($reg.ValueName) because $($_.Exception.Message)"
            }
        }
    }
}

You end up with the following GPO settings:

What’s next? Just link the GPO in Active Directory where it makes sense to apply it to computers beneath.
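Once the GPO is linked, the thing you actually want to know is whether the kill-bits landed on the endpoints. The following audit script is an added example, not code from the original post: it runs on a domain-joined workstation (after a gpupdate /force) and reads back the same registry keys the GPO writes, testing whether the 0x400 bit (COMPAT_EVIL_DONT_LOAD) is set in Compatibility Flags for each Flash CLSID and whether the DisableFlashInIE policy is 1. It is read-only. The key paths and CLSIDs are taken from the post; the Test-FlashKillBit function name, the output layout and the exit-code convention are my own assumptions.

```powershell
# Added example (not from the original post): report whether the Flash kill-bits
# delivered by the 'Adobe FlashPlayer Emergency' GPO are present on this host.
# Read-only: nothing is written. Run elevated so the HKLM policy keys are readable.

$KillBit = 0x400   # COMPAT_EVIL_DONT_LOAD: "never load this ActiveX/COM control"

# CLSIDs covered by the GPO (Shockwave Player is commented out there, so it is not audited here)
$Controls = @{
    '{D27CDB6E-AE6D-11CF-96B8-444553540000}' = 'Shockwave Flash Object'
    '{D27CDB70-AE6D-11CF-96B8-444553540000}' = 'Macromedia Flash Factory Object'
}

# Registry roots the GPO targets; the CLSID is appended as a subkey
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    'HKLM:\SOFTWARE\Microsoft\Office\Common\COM\Compatibility'
    'HKLM:\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\COM Compatibility'
)

function Test-FlashKillBit {
    # Hypothetical helper: returns one record per (root, CLSID) saying whether the kill-bit is set
    param([string]$Root, [string]$Clsid, [string]$Name)
    $key   = Join-Path -Path $Root -ChildPath $Clsid
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) {
        # Key absent: the control is NOT blocked there (GPO not applied, or Office not installed)
        return [pscustomobject]@{ Control = $Name; Blocked = $false; Flags = $null; Key = $key }
    }
    $flags   = [int]$props.'Compatibility Flags'   # missing value casts to 0
    $blocked = (($flags -band $KillBit) -eq $KillBit)
    [pscustomobject]@{
        Control = $Name
        Blocked = $blocked
        Flags   = ('0x{0:X}' -f $flags)
        Key     = $key
    }
}

$results = @(
    foreach ($root in $Roots) {
        foreach ($clsid in $Controls.Keys) {
            Test-FlashKillBit -Root $root -Clsid $clsid -Name $Controls[$clsid]
        }
    }
)

# The IE policy value from the GPO: 1 means Flash is disabled in Internet Explorer
$iePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer'
$iePolicy    = Get-ItemProperty -Path $iePolicyKey -Name 'DisableFlashInIE' -ErrorAction SilentlyContinue
$ieDisabled  = [bool]($iePolicy -and $iePolicy.DisableFlashInIE -eq 1)
$results += [pscustomobject]@{
    Control = 'DisableFlashInIE policy'
    Blocked = $ieDisabled
    Flags   = if ($iePolicy) { $iePolicy.DisableFlashInIE } else { $null }
    Key     = "$iePolicyKey\DisableFlashInIE"
}

$results | Format-Table Control, Blocked, Flags, Key -AutoSize

# Non-zero exit code when any expected block is missing, so this can be used as a
# scheduled-task or compliance-item check rather than read by eye
$missing = @($results | Where-Object { -not $_.Blocked })
if ($missing.Count -gt 0) {
    Write-Warning -Message "$($missing.Count) expected Flash kill-bit(s) are not set on $env:COMPUTERNAME"
    exit 1
}
exit 0
```

On a machine without Office 2016 the 16.0 keys will legitimately be missing; if that is the case in your estate, trim $Roots accordingly rather than treating those rows as failures.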
