Lost productivity, rather than attacks, is the real risk from ATL issues
Posted by: admin on July 30th, 2009
by Peter Tippett and David Kennedy
The acetaminophen and antacid consumption in enterprise IT staffs is likely on the increase due to the recent release of two Security Bulletins by Microsoft, one for Internet Explorer and one for Visual Studio. This security problem has the potential to be both far-reaching and subtle in nature. We would like to offer a dose of reason in hopes that your stress-induced ailments will at least be caused by wrestling with the real problem. The biggest risk is not from attacks; lost productivity dealing with the scope and confusion around the ATL issue is the greatest risk from these announcements.
To be clear, we do expect attacks but do not believe they will be novel or pervasive. We have seen hundreds of browser vulnerabilities over the years and the pattern of successful exploits is well understood: such attacks mainly result in home-user machines being absorbed into large-scale botnets. Our series of Data Breach Investigations Reports, covering nearly 600 breaches studied over five years, consistently finds that browser vulnerabilities rarely contribute (even incidentally) to significant enterprise data breaches.
What the ATL issue will do is create a certain degree of confusion and hype. You will likely see press coverage of this problem in the coming days and weeks, especially since none of our typical controls will initially be able to provide much help. AV updates, firewall and IDS rule-set work, proxy blocking: none of them will readily and convincingly address the scope of this issue. Therefore there will be discussion, claims, counter-claims and so on about whether or not a particular ActiveX control is safe, whether a countermeasure that only provides partial protection is worth deploying (if it is inexpensive and minimally disruptive, then yes, it is worth deploying), and where to go from here.
As we mentioned above, the real impact of this ATL issue will be the productivity hit against both our IT departments and our software development shops. We will discover that we have hundreds or thousands of ActiveX controls already installed on our PCs. We will not know which are good and which are vulnerable, nor will we know which are actually needed to keep our businesses humming. Constructing and deploying Group Policy Objects (GPOs) as though they were patch deployments will tax our systems and our people.
We will discover that the average enterprise has not only a broad mix of new potential targets, but also that most of us have created and are “publishing” ActiveX controls for our users, partners, or customers. How many? Where are they? Do they have ATL-related vulnerabilities? Which have we written, and which come from partners, or vendors, or others? Who “owns” them, and can drive getting them tested, then updated, tested again, and then deployed? This range of issues will challenge our software development shops and cost real money.
How much money, and how can we minimize the impact? The child’s riddle, “How do you eat an elephant? One bite at a time,” may be useful here. The bites might look something like the following:
• Ok, there’s a security bulletin on Internet Explorer (IE). We’ve seen them before; is there any reason to treat this one differently?
• What are the threats related to this right now? Do we need to do something new, right now, to protect our network from them?
• What’s the smart way to inventory our systems?
• What is our IDS vendor doing that can help us?
• What is our anti-virus vendor doing that can help us?
Not all of these questions need to be answered at once. Focus on what we do know. Focus on the risks now. A few ActiveX controls are being exploited; mitigate them first. For these, time is our enemy.
After this initial activity has momentum of its own, engage project management skills to begin planning for the more complex issues. In this regard, time is our friend. In a few days, details will emerge that help us discern the scope of the issue. Skilled people will weigh in and, perhaps, some elegant solutions will emerge. In the meantime, we think it wise not to let a cognitive bias such as zero-risk bias misdirect energies. Awareness that productivity is at risk is a critical first step.
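The first practical bite is the inventory question raised above: which ActiveX controls are actually registered on a machine, and which of them has IE already been told to refuse to load? The following PowerShell script is an added example, not code from the original post or from Verizon Business. It walks the standard Windows COM registration keys under HKLM\SOFTWARE\Classes\CLSID (a control is recognised by its Control subkey or by the CATID_Control implemented category), looks up each control’s server DLL and file version, and checks the standard IE “kill bit” (bit 0x400 of the Compatibility Flags value under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility). On 64-bit Windows it also covers the Wow6432Node hives that 32-bit IE uses. The output CSV path is an assumption. Note that the script cannot tell you which controls were built against a vulnerable ATL; that still requires build information from whoever owns each control, which is exactly the ownership question the post raises.

```powershell
# Added example (not from the original post): inventory registered ActiveX
# controls and report whether IE's kill bit is set for each one.
# Registry locations below are the standard Windows/IE ones, not page-specific.

$CatidControl = '{40FC6ED4-2438-11CF-A3DB-080036F12502}'   # CATID_Control
$KillBitFlag  = 0x400                                      # kill bit in "Compatibility Flags"
$OutputCsv    = Join-Path $env:TEMP 'activex-inventory.csv' # assumed output path

# Native and 32-bit (Wow6432Node) registration roots, each paired with its
# ActiveX Compatibility root where the kill bit lives.
$Roots = @(
    @{ Clsid  = 'HKLM:\SOFTWARE\Classes\CLSID'
       Compat = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
    @{ Clsid  = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
       Compat = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
)

function Get-ActiveXInventory {
    foreach ($root in $Roots) {
        if (-not (Test-Path $root.Clsid)) { continue }

        Get-ChildItem $root.Clsid -ErrorAction SilentlyContinue | ForEach-Object {
            $clsid = $_.PSChildName

            # A CLSID is treated as an ActiveX control if it carries the legacy
            # "Control" subkey or declares the CATID_Control implemented category.
            $isControl = (Test-Path (Join-Path $_.PSPath 'Control')) -or
                         (Test-Path (Join-Path $_.PSPath "Implemented Categories\$CatidControl"))
            if (-not $isControl) { return }

            $name   = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            $server = (Get-ItemProperty (Join-Path $_.PSPath 'InprocServer32') `
                          -ErrorAction SilentlyContinue).'(default)'

            # File version helps match the DLL against vendor advisories later.
            $version = $null
            if ($server -and (Test-Path $server)) {
                $version = (Get-Item $server).VersionInfo.FileVersion
            }

            # Kill bit: IE refuses to instantiate the control when bit 0x400 is set.
            $flags = (Get-ItemProperty (Join-Path $root.Compat $clsid) `
                         -ErrorAction SilentlyContinue).'Compatibility Flags'
            $killBitSet = ($null -ne $flags) -and (($flags -band $KillBitFlag) -ne 0)

            [pscustomobject]@{
                Hive       = $root.Clsid
                CLSID      = $clsid
                Name       = $name
                Server     = $server
                Version    = $version
                KillBitSet = $killBitSet
            }
        }
    }
}

$inventory = @(Get-ActiveXInventory)
$inventory | Sort-Object KillBitSet, Name | Export-Csv -Path $OutputCsv -NoTypeInformation

$killed = @($inventory | Where-Object { $_.KillBitSet }).Count
"{0} ActiveX controls registered, {1} already kill-bitted; inventory written to {2}" -f `
    $inventory.Count, $killed, $OutputCsv
```

Run it from an elevated prompt so the HKLM keys are readable, and collect the CSV from a representative sample of workstations before deciding which controls are business-critical. Rows with an empty Server or Version column are worth a second look: they are usually stale registrations whose DLL is gone, which simplifies the scoping exercise rather than complicating it.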
Tags: ActiveX, ActiveX Control, ATL, Microsoft, Vulnerability
Hello, I’ve just discovered the Verizon Business security blog. Coincidentally, today we featured news about Verizon’s next-generation managed security services (MSS) platform on our Business Technology Roundtable (BTR).
I’ll gladly return periodically to read your latest security-related insights. We also welcome your comments on our BTR blog.
Posted by: David Deans on August 5th, 2009 at 9:44 pm