New Adobe Vulnerabilities: Time to Revisit Security Policies

Glenn Moore

The latest Adobe Flash Player vulnerability reinforces just how challenging it is to safeguard your company against targeted attacks.  On March 14, Adobe issued security advisory CVE-2011-0609 which warned of an attack that could cause a crash and potentially allow an attacker to take control of the affected system.  This occurs when a malicious Flash (.swf) file is embedded in a Microsoft Excel (.xls) file and delivered as an email attachment.  That’s an insidious method of attack!  Check out the blog post by Jeong Wook Oh & Marian Radu for a thorough technical analysis of this vulnerability.  Needless to say, it's easy to envision how such an attack could succeed.  The evil doer just needs to obtain some insider knowledge about a company which then aids the open rates of the infected emails. In a matter of hours, a company can become inundated with infected machines.

Before I review some ideas for addressing this type of vulnerability, I’d like to comment on Adobe’s response.  I’m impressed with speed and completeness of their actions.   Adobe plans to release an update for Flash Player 10.x and earlier versions for Windows, Mac, Linux, and Solaris during the week of March 21, 2011.  Android and Chrome users can update Flash Player versions already.  So while it’s unfortunate that Adobe code was again victimized, they have stepped up to the plate quickly.

So what can the security practitioner learn from this latest vulnerability?  Plenty! 

First, it’s never been more important for companies to deploy methods to ensure comprehensive endpoint security posture.  Policies are no longer good enough if they only monitor OS systems, OS patch levels, and whether anti-malware programs are in place and active.  Effective security postures must go deeper to inspect software elements such as Adobe Flash and Acrobat versions, browser revision levels, and other software programs.   Many of the nastier blended attacks target these programs.  Companies need to evaluate their security policies and work with technology partners to deploy deep end user posture checking capabilities.

Second, don’t underestimate the importance for common sense in your security policy.  Consistent end user education can and will reduce risk.  Employees should be constantly reminded not to open attachments from unknown senders.  Make sure cyber security awareness is part of new hire training and ongoing education efforts.  IT management should engage HR management to ensure that cyber-crime awareness is part of employee development curriculums.  There are some great web-based training materials available.  My company is a leader in this area.  Check us out or get something else in place to help mitigate risk from spam and phishing based exploits.

Those are my first thoughts on the topic.  In the coming weeks, our blog team will be offering more commentaries on how to mitigate risks from Adobe vulnerabilities.  Be sure to check back with us later.

Relevant Links:

A Technical Analysis on the CVE-2011-0609 Adobe Flash Player Vulnerability

Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat

ANX employee security awareness training