Hello!
I have uploaded to GitHub a VBS script that has been keeping the installed versions of Java & Flash up to date on users' computers in a Windows domain (Active Directory) for more than a year, with minimal administrative effort and minimal inconvenience to users.
Why I had to reinvent the wheel, and how to use this script, is described below.
Intro
It's no secret that exploiting Flash and Java vulnerabilities during ordinary visits to malicious or hacked sites is one of the most popular attacks on computers today (for example, mysql.com in September 2011).
And although Adobe and Oracle have already implemented auto-update mechanisms in their products, their essential drawback is that they are difficult to set up and operate. To use the automatic update mechanism from Adobe, you have to read through the 50-page Administration Guide and perform many steps, and to install an update from Sun, the user needs local administrator rights, which are common among home users and which a good administrator never grants on a domain network.
The question on serverfault.com, “How do you manage Java in your Windows / Active Directory environment?”, did not receive a clear answer, just general words about using scripts and Group Policy, manually rebuilding MSI packages, or using third-party services (ninite.com). However, all of this requires constant manual work, and for a good admin everything should happen automatically.
Thus, keeping the installed browser plug-ins current falls on the administrator's shoulders and becomes a serious task: it is necessary to track the appearance of updates on the manufacturers' websites (this is easy to do with planned updates, but urgent ones are sometimes unplanned), download them and upload them to a local repository, create installation files (for example, MSI), and monitor the progress of the update deployment ...
Large companies use large products like SCCM for these purposes, medium ones use WSUS + Local Update Publisher (there is a tutorial on Habré about it from yosemity, and foxyovovich suggested a wiki where everything about Java, Flash and Reader is described), and small ones simply let the process drift. Interestingly, for the query “automatic update of java”, half of the links on the first page of Google focus on the problem of how to disable automatic updating of Java.
FJUpdater.vbs
For those who already have AD but do not yet have WSUS (or have WSUS, but no time / opportunity / desire to do manual work), I suggest FJUpdater.vbs. This is a VBS script written 1.5 years ago to simplify your life and automate this task. The script checks whether the Java & Flash versions installed on the computer are current (comparing them with information from the Sun & Adobe sites or from a local repository) and, if necessary, automatically downloads (via the Internet (HTTP) or the local area network (SMB), respectively) and installs updates. The script is meant to be run on users' computers through group policies (GPO), using the “Startup” option in the “Computer Configuration” section. In this case, the updates are installed with local administrator rights when the computer boots, silently and invisibly to the user.
It can send an e-mail report about errors and the results of its work.
The script works successfully in 6 unrelated companies within my area of responsibility, with between 10 and 300 users each.
General scheme of installation and operation
1) Create a network folder that is writeable for the user account under which the Internet update check will run, and readable for the Domain Computers group.
2) Download the script, place it, for example, in the NETLOGON folder on the domain controller, and edit the mail-sending section and the path for saving installers in the csInstallerPath constant.
3) Select any computer (for example, a virtual machine) with the same OS as the users. This computer will be the control “reference indicator”: the plug-in versions available on the Internet will be compared against it. Therefore all the plug-ins should be installed on it and regular checks of them set up.
To do this, first run the script with the /WEBModeSaveInstallForce key. The current versions of the installers are downloaded and placed in the local folder (csInstallerPath), and flag files with the plug-in version numbers are generated. After the download succeeds, install all the plug-ins one by one: run java_installer.exe for Java, flashP_installer.exe for Flash Player Plugin (Firefox, Mozilla, Netscape, Opera) and flashA_installer.exe for Flash Player ActiveX (IE).
The native auto-update mechanisms should be disabled. How to do this for Java is described on the official website. In the case of Flash, select "Never check for updates."
Instead, to keep the reference computer and the network repository up to date, set up a regular launch of the script with the /WEBModeSaveInstall:1 key through the task scheduler or nncron.
4) In the group policies of the client computers, in the section Computer Configuration \ Windows Settings \ Scripts (Startup/Shutdown) \ Startup, add the launch of the script with the /WEBMode:0 key.
When a client computer is restarted, the installed plug-ins (Java, Flash Player Plugin, Flash Player ActiveX) will be updated.

Other command line options (available with the standard /? or /help switches)
/mail:1 = send an e-mail in case of errors or updates
/debug:0 = do not output anything
/debug:1 = write only action messages (default)
/debug:2 = write detailed messages
/debug:3 = write detailed messages about called functions and their parameters
/MailTest = check that mail sending is configured correctly (sends a test message)
/ShowVersion[:comp] = display the versions of the Java & Flash plug-ins installed on a computer. Without a parameter, the local computer is checked; if a parameter is given, it is interpreted as the name \ address of the computer
When run without parameters, the script simply updates the installed plug-ins via the Internet.
Lives here:
github.com/osterik/FJUpdater
The writing of this script was inspired by an idea gleaned from the ccccp workshop of a colleague, the author of the NetOp Manager utility. But its mechanism required a separate Perl script for each plug-in, could not automatically scrape the download link for Java updates from the Sun website, and its client part was written in KiXtart, which created certain difficulties in setting up the whole farm.
How it works
The structure is quite simple: information about the program (also displayed when help is requested), configuration settings, general logic (Main), specific code for working with the Adobe & Sun sites, and service procedures and functions (access to files, the registry, HTTP, sending mail, etc.).
Subtle points
In the case of Java, the current version number can simply be found in the www.java.com/applet/JreCurrentVersion2.txt file, but in order to download the full (offline) installer, you need to look up the link on the java.com/en/download/windows_manual.jsp page. For version 1.7.25, it is javadl.sun.com/webapps/download/AutoDL?BundleId=79063, but the numbers are different for each version. This task is solved in the sJavaGetLinkToDownload function.
In the case of Flash, the opposite is true: it is the current version number that has to be parsed (from www.adobe.com/software/flash/about). The sFlashVersionWEBGet function searches for table cells containing a sequence of 4 numbers separated by dots and, depending on the sFlashType parameter (the type of Flash player: A = ActiveX, P = Plugin), returns the first or third line of the table. The full installation packages are downloaded from the links download.macromedia.com/pub/flashplayer/current/support/install_flash_player.exe and download.macromedia.com/pub/flashplayer/current/support/install_flash_player_ax.exe.
Naturally, the links change from time to time, so in order not to miss that moment, it is recommended that the computer from step 3 (which regularly runs the script with the /WEBModeSaveInstall:1 key) also send its logs by mail, using the /mail:1 key. When it detects version discrepancies or errors in the functions that access the manufacturers' websites, the script will make itself known.
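The Flash check described above (find the table cells that hold four dot-separated numbers, take the first or third, compare with the installed version), as an added example that is not FJUpdater's own code. The function names, the sample HTML and the version numbers are constructed, and the mapping of A to the first row and P to the third is an assumption.

```vbscript
Option Explicit

' Return every table cell that holds exactly four dot-separated numbers.
Function FindVersionCells(sHtml)
    Dim oRe, oMatches, aOut(), i
    Set oRe = New RegExp
    oRe.Global = True : oRe.IgnoreCase = True
    oRe.Pattern = "<td[^>]*>\s*(\d+\.\d+\.\d+\.\d+)\s*</td>"
    Set oMatches = oRe.Execute(sHtml)
    ReDim aOut(oMatches.Count - 1)
    For i = 0 To oMatches.Count - 1
        aOut(i) = oMatches(i).SubMatches(0)
    Next
    FindVersionCells = aOut
End Function

' Assumption: "A" (ActiveX) is the first version row, "P" (Plugin) the third.
' Returns "" when the page has fewer rows than expected (layout changed).
Function FlashVersionFromPage(sHtml, sFlashType)
    Dim aCells, iRow
    aCells = FindVersionCells(sHtml)
    If UCase(sFlashType) = "A" Then iRow = 0 Else iRow = 2
    FlashVersionFromPage = ""
    If UBound(aCells) >= iRow Then FlashVersionFromPage = aCells(iRow)
End Function

' Compare part by part as numbers: -1, 0 or 1. A plain string comparison
' would rank "11.10.0.1" below "11.9.900.117" and skip the update.
Function CompareVersions(sA, sB)
    Dim aA, aB, i, nA, nB
    aA = Split(sA, ".") : aB = Split(sB, ".")
    CompareVersions = 0
    For i = 0 To 3
        nA = 0 : nB = 0   ' a missing part (or no plug-in at all) counts as 0
        If i <= UBound(aA) Then nA = CLng(aA(i))
        If i <= UBound(aB) Then nB = CLng(aB(i))
        If nA < nB Then CompareVersions = -1 : Exit Function
        If nA > nB Then CompareVersions = 1 : Exit Function
    Next
End Function

' Constructed sample input, not real Adobe page content or real versions.
Dim sHtml, sWeb, sInstalled
sHtml = "<table><tr><td>11.8.800.94</td></tr><tr><td>11.8.800.97</td></tr><tr><td>11.10.0.1</td></tr></table>"
sInstalled = "11.9.900.117"
sWeb = FlashVersionFromPage(sHtml, "P")
If sWeb = "" Then
    WScript.Echo "Version table not recognised, the parser needs attention"
ElseIf CompareVersions(sInstalled, sWeb) < 0 Then
    WScript.Echo "Update needed: " & sInstalled & " -> " & sWeb
Else
    WScript.Echo "Up to date: " & sInstalled
End If
```

Run it with cscript.exe; an empty result from FlashVersionFromPage is the case worth mailing a report about, since it means the vendor page no longer matches the parser.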
I hope FJUpdater will be a great gift for system administrators, whose holiday we recently celebrated!