Be attentive to Non-Microsoft Vulnerabilities

July 27, 2009

Most TrustCC clients have active and effective patch management programs. We have certainly encouraged, both through our audits and our blog posts, that everyone patch on as aggressive a schedule as they can manage. Today's news, however, points to a flaw we commonly find in our clients' patch management programs: many are singularly focused on Microsoft patches and fail to stay on top of other third-party products.

Third-party products are equally critical. Case in point: a security research firm (F-Secure) studying cyberattacks in the first six months of 2009 recently reported that 43% of the 1,500 attacks it identified were attributed to Adobe Reader.

Today’s (7/26/2009) news headline at USA Today reads:

Hackers may slip through hole found in Adobe tools
Cybercriminals may have a clear path to spread mayhem on computers this week by taking advantage of a newly discovered vulnerability in Adobe’s ubiquitous Flash video player and Acrobat Reader, the widely used tool for opening PDF documents.  Since early July, troublemakers have been e-mailing PDF files with corrupted Flash video clips and hacking into websites to implant them. These clips, when activated, enable attackers to quickly install malicious programs on the user’s computer.

TrustCC highly recommends that banks and credit unions (in fact, all organizations) closely monitor the security postings of every third-party product vendor. For Adobe products in particular, you should regularly monitor the posts at http://blogs.adobe.com/psirt/.

To complicate matters, Adobe does not yet have a fix for this latest vulnerability. To combat it, the US Department of Homeland Security has recommended that all organizations immediately disable Flash Player until the issue is resolved. Of course, disabling Adobe Flash Player in your web browsers will render many websites unusable. Adobe instead recommends deleting a part of the Flash Player program (a Windows DLL), which allows Flash to keep running on many sites but could cause crashes under certain circumstances. Welcome to the world of "zero-day exploits". Neither solution is attractive, but we don't yet have a well-engineered one.

TrustCC recommends that 1) clients follow either the DHS or the Adobe advice in resolving this matter until a new release of Flash Player is published later this week, and 2) someone in your organization review the security blog/page of every third-party vendor at least once each week to identify any critical security issues needing attention.
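The weekly review of vendor security pages in recommendation 2) is easy to let slip when it depends on someone remembering to open a browser. The script below is an added example, not TrustCC's own tooling, of how that review can be automated: it parses a vendor's RSS advisory feed (most PSIRT blogs publish one), remembers which entries have already been seen in a small state file, and flags new entries whose titles contain priority terms so that a "critical vulnerability" post is not buried among routine notices. The feed content, the vendor name and the URL are constructed for the example; the priority term list and the state file path are assumptions you would tune for your own vendor list.

```python
"""Watch a vendor security advisory feed and report entries not seen before.

Added example for automating the weekly third-party advisory review.
The sample feed below is constructed for this example; it is not real
vendor content.
"""
import json
import urllib.request
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed RSS feed standing in for a vendor PSIRT blog feed.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Example Vendor PSIRT</title>
    <item>
      <title>Security Advisory: critical vulnerability in Example Reader</title>
      <link>https://vendor.example/psirt/advisory-001</link>
      <guid>advisory-001</guid>
      <pubDate>Mon, 27 Jul 2009 10:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Scheduled maintenance notice for the download site</title>
      <link>https://vendor.example/psirt/notice-002</link>
      <guid>notice-002</guid>
      <pubDate>Sun, 26 Jul 2009 10:00:00 GMT</pubDate>
    </item>
  </channel>
</rss>
"""

# Assumed keyword list: titles containing any of these get flagged as priority.
PRIORITY_TERMS = ("critical", "vulnerability", "zero-day", "exploit", "security update")


def parse_rss(xml_text):
    """Return a list of {id, title, link, published} dicts from RSS 2.0 text."""
    root = ET.fromstring(xml_text)
    entries = []
    for item in root.iter("item"):
        # Fall back to the link when a feed omits <guid>.
        entry_id = item.findtext("guid") or item.findtext("link") or ""
        entries.append({
            "id": entry_id.strip(),
            "title": (item.findtext("title") or "").strip(),
            "link": (item.findtext("link") or "").strip(),
            "published": (item.findtext("pubDate") or "").strip(),
        })
    return entries


def is_priority(entry):
    """True if the entry title mentions one of the priority terms."""
    title = entry["title"].lower()
    return any(term in title for term in PRIORITY_TERMS)


def check_feed(xml_text, seen_ids):
    """Split feed entries into (all new entries, new priority entries)."""
    new = [e for e in parse_rss(xml_text) if e["id"] not in seen_ids]
    priority = [e for e in new if is_priority(e)]
    return new, priority


def load_seen(state_path):
    """Load the set of entry ids already reviewed; empty set on first run."""
    path = Path(state_path)
    if not path.exists():
        return set()
    return set(json.loads(path.read_text()))


def save_seen(state_path, seen_ids):
    """Persist reviewed entry ids so the next run only reports new ones."""
    Path(state_path).write_text(json.dumps(sorted(seen_ids)))


def fetch_feed(url, timeout=20):
    """Download feed text over HTTP; used for a real vendor feed URL."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Assumed state file name; in production use a per-vendor path.
    state_file = "psirt_seen.json"
    seen = load_seen(state_file)
    # Replace SAMPLE_FEED with fetch_feed("<vendor PSIRT RSS URL>") for live use.
    new_entries, priority_entries = check_feed(SAMPLE_FEED, seen)
    for e in priority_entries:
        print(f"PRIORITY {e['published']} {e['title']} {e['link']}")
    for e in new_entries:
        if e not in priority_entries:
            print(f"new      {e['published']} {e['title']} {e['link']}")
    save_seen(state_file, seen | {e["id"] for e in new_entries})
```

Run it from a weekly scheduled task once per vendor feed; the first run reports every entry, and later runs only report what has been published since the last review, with priority items listed first.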

– TrustCC
