Opinion
Flaw Watch: Why Adobe Flash Attacks Matter
Reported Adobe Flash Player attacks got plenty of attention this week. But it's unclear if this was really about a new flaw.
By Bill Brenner, Senior Editor
The most recent Top 20 Security Risks report from the SANS Institute warned that Web application vulnerabilities in open-source as well as custom-built applications account for almost half the total number of vulnerabilities discovered from late 2006 to late 2007. "These vulnerabilities are being exploited widely to convert trusted Web sites into malicious servers serving client-side exploits and phishing scams," the SANS report noted. At the same time, the report noted, media-player applications are under increased risk. "Vulnerabilities have been released for most popular media players available today," the report noted. "While the severity of the vulnerabilities varies, these vulnerabilities can often be used to install malware such as viruses, botnet applications, root kits, spyware, and adware."
The Adobe issue is a perfect example of why IT departments need to deploy security layers around all their applications, whether they are the homegrown Web-based variety or client-side programs provided by third-party vendors and the open source community.
The best solution is to apply patches whenever they are made available. But because it's inevitable that many holes will go unpatched for weeks, months and even years at a time, and because most IT shops need a few days of patch testing before a deployment is made, other defenses are needed.
Plenty of vendors offer application security software and scanning tools, including HP, Application Security Inc., IBM (thanks to its acquisition of Watchfire last year), and Security Innovation Inc., to name a few. Other defensive layers include user awareness training and even policies forbidding the use of certain media players.
It also helps to keep track of security advisories coming from the likes of Symantec, even if initial zero-day alerts are later disproven.