Flaw Watch: Why Adobe Flash Attacks Matter

About Flaw Watch: Each day, piles of flaw advisories are released by the various vendors, researchers and vulnerability clearinghouses. Since CSOs don’t have time to review them all, we zero in on the most pressing issues and what can be done about them.

Vulnerability management experts are constantly telling IT shops to be on the lookout for new zero-day flaws and to take precautions against potential attacks until the vendor releases a patch.

That good advice applies to the Adobe Flash Player exploits that got so much attention this week – even though confusion abounds over whether this concerns a new flaw or something for which a patch was released weeks ago.

As the IDG News Service’s Robert McMillan reported, security vendor Symantec Corp. issued grim warnings earlier in the week about a previously unknown and unpatched flaw that was being exploited on tens of thousands of Web pages. The flaw allowed attackers to install unauthorized software on a victim’s machine and was being used to install botnet programs and password-logging software, Symantec said.

Thursday, however, Symantec backtracked after Adobe released a statement denying that the matter concerned a new flaw.

In a progress report posted to the official Adobe PSIRT blog, David Lenoe said the exploit “appears to be taking advantage of a known vulnerability, reported by Mark Dowd of the ISS X-Force and wushi of team509, that was resolved in Flash Player 9.0.124.0.”

In an update to that blog entry, he said Symantec had confirmed that all versions of Flash Player 9.0.124.0 are not vulnerable to the exploits. Symantec Senior Researcher Ben Greenbaum acknowledged the flaw was previously known and patched by Adobe April 8, though the Linux version of Adobe’s stand-alone Flash Player version 9.0.124 was indeed vulnerable to the attack.

In the bigger picture, it’s beside the point if this was a new flaw or something older. The reality is that Adobe Flash player was targeted and has been attacked several times before. Since a massive number of people use the application on their work machines, IT security pros need to be concerned.

For a couple of years now, attackers have largely set their sights on application flaws as organizations got better at securing their network perimeters. Multimedia applications like Flash Player, Windows Media Player, Apple QuickTime and RealPlayer have proven to be fertile ground for exploits.

Meanwhile, application attacks have grown more popular in a Web 2.0 universe where companies are increasingly dependent on e-commerce.

The most recent Top 20 Security Risks report from the SANS Institute warned that Web application vulnerabilities in open-source as well as custom-built applications account for almost half the total number of vulnerabilities discovered from late 2006 to late 2007. “These vulnerabilities are being exploited widely to convert trusted Web sites into malicious servers serving client-side exploits and phishing scams,” the SANS report noted. At the same time, the report noted, media-player applications are under increased risk. “Vulnerabilities have been released for most popular media players available today,” the report noted. “While the severity of the vulnerabilities varies, these vulnerabilities can often be used to install malware such as viruses, botnet applications, root kits, spyware, and adware.”

The Adobe issue is a perfect example of why IT departments need to deploy security layers around all its applications, whether they are the homegrown Web-based variety or client-side programs provided by third-party vendors and the open source community.

The best solution is to apply patches whenever they are made available. But since it’s inevitable that a lot of holes will go unpatched for weeks, months and even years at a time; and because most IT shops need a few days of patch testing before a deployment is made, other defenses are needed.

Plenty of vendors offer application security software and scanning tools, including HP, Application Security Inc., IBM (thanks to its acquisition of Watchfire last year), and Security Innovation Inc., to name a few. Other defensive layers include user awareness training and even policies forbidding the use of certain media players.

It also helps to keep track of security advisories coming from the likes of Symantec, even if initial zero-day alerts are later disproven.