Qualys Blog

On Adobe, Qualys, CVE and Math

Over the weekend Jericho published on the OSVDB blog an analysis of annual vulnerability numbers that Elinor Mills from CNET had written about on Thursday in her InSecurity Complex blog. Some of the numbers originated from Qualys, and we were not specific enough about their exact scope. As Jericho speculated, our numbers were indeed for a narrower set of products – not for all Adobe and Microsoft software, but specifically for Adobe Reader and Microsoft Office. Elinor has since updated the article.

The overall point that we are trying to make remains the same – patching such applications is neglected by most IT admins, and attackers have increasingly shifted their attention to exploiting vulnerabilities in them. On Friday Brad Arkin from Adobe stated that Adobe Reader, as a cross-operating-system application, has a bigger installed base than Microsoft Windows, which makes it a very attractive target to attack.

What is your opinion on why the number of vulnerabilities found in Adobe Reader has gone up in 2009? Did attackers first notice that there was potential and start writing exploits, with security researchers following up, or was it the other way around?

I am looking forward to your comments…

Update: Adobe Reader 0-day Vulnerability

Yesterday Adobe’s PSIRT acknowledged a flaw in Adobe Reader’s handling of PDF documents that is being exploited in the wild. The flaw affects Adobe Reader under Windows, Mac OS X and Linux/Unix. Symantec identifies the attack as Trojan-Pidief.H.

The ISC’s handler on duty Pedro Bueno posted additional information.

Stay tuned for more information about potential workarounds – some have suggested turning off JavaScript in Adobe Reader, which we think is a best practice anyway, but we do not yet know whether this helps against this particular attack.

Update: according to the advisory, turning off JavaScript is the recommended workaround, and enabling DEP on newer versions of Windows provides further protection.
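As an added example (not part of the original post), here is a PowerShell audit of the two workarounds named above on a Windows host. It assumes Reader keeps its per-user JavaScript switch in the HKCU `JSPrefs\bEnableJS` registry value and reads the DEP mode from the `Win32_OperatingSystem` WMI class; both names are assumptions, not taken from the advisory.

```powershell
# Added example: audit (and optionally remediate) the Adobe Reader 0-day workarounds.
# Assumption: Reader stores its per-user JavaScript switch at
#   HKCU:\Software\Adobe\Acrobat Reader\<version>\JSPrefs\bEnableJS (DWORD, 0 = off).
# Assumption: Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy reports the DEP mode.

function Get-ReaderJavaScriptState {
    # One object per Reader version found under HKCU; a missing value means Reader's
    # default, which is JavaScript enabled.
    $base = 'HKCU:\Software\Adobe\Acrobat Reader'
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem $base | ForEach-Object {
        $jsKey = Join-Path $_.PSPath 'JSPrefs'
        $value = $null
        if (Test-Path $jsKey) {
            $value = (Get-ItemProperty -Path $jsKey -Name bEnableJS -ErrorAction SilentlyContinue).bEnableJS
        }
        [PSCustomObject]@{
            Version    = $_.PSChildName
            JavaScript = if ($value -eq 0) { 'Disabled' } else { 'Enabled' }
        }
    }
}

function Get-DepPolicy {
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (only Windows components unless an
    # application opts in), 3 = OptOut (everything except listed exceptions).
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $policy = (Get-WmiObject Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
    $names[[int]$policy]
}

function Disable-ReaderJavaScript {
    # Remediation for the current user: set bEnableJS to 0 for every Reader version found.
    $base = 'HKCU:\Software\Adobe\Acrobat Reader'
    Get-ChildItem $base -ErrorAction SilentlyContinue | ForEach-Object {
        $jsKey = Join-Path $_.PSPath 'JSPrefs'
        if (-not (Test-Path $jsKey)) { New-Item -Path $jsKey -Force | Out-Null }
        Set-ItemProperty -Path $jsKey -Name bEnableJS -Value 0 -Type DWord
    }
}

# Report only; call Disable-ReaderJavaScript explicitly to apply the workaround.
Get-ReaderJavaScriptState | Format-Table -AutoSize
"DEP policy: $(Get-DepPolicy)"
```

Note that with DEP in OptIn mode only Windows components are covered, so a Reader build that does not opt in gains nothing from it; AlwaysOn or OptOut is what gives the extra protection the advisory refers to.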

Patch Tuesday Bottomline – December 2009

Microsoft closes 2009 with its last regular patch release, adding 6 bulletins and bringing the year’s total to 74. December’s release is, by our current standards, a rather normal workload of 12 individual vulnerabilities. As expected, Bulletin MS09-072 fixes the critical 0-day Internet Explorer vulnerability that was publicly disclosed just 3 weeks ago. Microsoft credits iDefense for the vulnerability, so it appears that they had already been working on the issue. Still, kudos to the team at Microsoft for the quick release. This patch is rated for immediate deployment, as attackers are actively working on turning the PoC into a reliable exploit. The bulletin further covers an additional 4 vulnerabilities, with 3 affecting Internet Explorer 8, including on Windows 7. BTW, this is the only bulletin this month that affects Windows 7 and Windows 2008 R2.

Bulletin MS09-070 deals with remote code execution in Active Directory on Windows 2003 and 2008. It is rated Important because it requires the attacker to be authenticated. If the attacker has credentials, an exploit can be used to execute code on the Active Directory server and impact the core infrastructure of corporate environments – we recommend fixing it as quickly as possible after internal testing.

MS09-073 and MS09-074 address vulnerabilities in the file formats handled by the Word/WordPad converters and by MS Project. Both allow remote code execution when users open specially crafted files, which can be received through e-mail or downloaded from a website. Install the patches as quickly as possible and review whether extended testing is necessary in your environment.

The 2 remaining bulletins, MS09-069 and MS09-071, address the Windows operating system itself: one the well-known LSASS component and the other the Internet Authentication Service (IAS). The LSASS flaw is a resource-consumption denial-of-service (DoS) vulnerability only, and the IAS flaw only affects Windows 2008 with MS-CHAP v2 enabled. The exploitability index for both is 2, and we think these patches should be installed as necessary.

The highly critical vulnerability in IE6/7, with an exposure window to exploits of over 3 weeks without an available patch, should put the task of getting users off IE6/7 at the top of IT admins’ New Year’s resolutions for 2010. They have to be migrated to a more modern browser, with the most viable options being IE8, with its well-known patching mechanism, or Firefox 3, with its more aggressive patching schedule.

Outside of the direct Microsoft realm, Adobe will release an update for a critical Flash vulnerability that we recommend installing right away.