Troubled times with Adobe Acrobat

Russ Cooper
February 25th, 2010

Every week the RISK Team gets together to discuss the week’s events, and, among other things, we look into the future to try to predict what we think might become a significant problem. Late in 2007 our predictions looked like this:

  • Increased incidents of reputation attacks (Human Factors)
  • Increased JavaScript Exploits
  • Increased IPv6 vulnerability chatter
  • Vulnerability disclosure and exploits in MS Office documents
  • Increased exploitation of web sites/web apps that offer up 3rd party content that can be scripted or include code that executes on the visitor’s system
  • Fourth age worm attack
  • (New) Exploitation of Barnacleware: bundled and helper software and utilities. Software that is installed by the OEM or is picked up through routine usage but is not supported. Examples: quick launch buttons, acceleration utilities, QuickTime, Adobe Reader, RealPlayer, WebEx, zip tools, etc.

Our concern was based not only on vulnerabilities in these products appearing more frequently, but more in the following beliefs:

  • These applications are everywhere, on virtually all systems
  • These applications are often installed for the user, so the user may not even know they’re there or that they need to be maintained/patched/updated
  • Most, if not all, have no automatic (no user interaction) update mechanism

We felt this was forming a perfect storm: largely unknown applications sitting on people’s machines, vulnerable for extended periods of time. As it turned out, we weren’t wrong. Throughout 2008 and 2009 we saw a distinct shift from attacks against the operating system to attacks against applications, particularly barnacleware.

As the vulnerabilities in Adobe Acrobat Reader were announced, or were exploited in the wild before being announced, we noticed a recurring trend that we found disturbing. The trend was, and still is, that Adobe isn’t the one discovering the majority of the vulnerabilities in Acrobat Reader. From what we can see, third-party security researchers, or criminals, have been the source of all but a couple of the security vulnerabilities Adobe has patched in Acrobat Reader. Couple this with ScanSafe’s announcement that, by their analysis, criminally-crafted PDF exploits accounted for 80% of all web-delivered exploits in the fourth quarter of 2009.

What we didn’t expect in 2007, when we first made our prediction, was that any one piece of barnacleware would be so heavily abused without the product’s vendor taking distinct action to resolve the problems. You may remember that Microsoft suspended development of Windows Vista in order to take a serious stab at addressing the vulnerabilities in Windows XP, resulting in Windows XP SP2, which did make a big difference in the security of the operating system. In Adobe’s case, however, we have seen continual bloating of Acrobat Reader with new features and a significant increase in its code base.

What we haven’t seen is a new updating mechanism, one which ensures Acrobat Reader stays up to date without significant user interaction. Advice from Adobe on how to turn off JavaScript completely was also lacking until late 2009, and when it did arrive it was via third-party supporters who offered registry hacks that achieved the goal. Even today, Adobe’s own link for “Managing JavaScript Execution in the Acrobat Family of Products” is broken.

In May 2009 Adobe introduced new functionality to restrict JavaScript, allowing specific JavaScript APIs to be blacklisted. While extremely granular, it remains to be seen whether it is effective, since a vulnerable API is not blacklisted until Adobe finds out it is vulnerable, unless the user is in an enterprise environment where administrators can establish their own blacklist. This certainly seems consistent with Adobe not discovering vulnerabilities themselves: it gives users the ability to disable functionality without relying on an update from Adobe.
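For readers who want to apply the two registry-level controls mentioned above (the per-user JavaScript off switch and the administrator-set API blacklist), here is an added PowerShell example. It is not code from the original post or from Adobe; the key paths follow Adobe’s documented Reader 9 preference and FeatureLockDown locations, the version string “9.0” is an assumption you should replace with the release deployed in your environment, and the two API names in the sample blacklist are illustrative entries only, to be replaced with the APIs named in Adobe’s own advisories.

```powershell
# Added example (not from the original post, not Adobe's code).
# Disables Acrobat JavaScript for the current user and sets a machine-wide,
# administrator-locked JavaScript API blacklist for Adobe Reader 9.x.
# Assumptions: Reader 9.x ("9.0" below), and illustrative API names in $Apis.

$ReaderVersion = '9.0'   # assumption: change to the installed Reader release

# Per-user preference read by Reader at launch. bEnableJS = 0 is the same
# as clearing Edit > Preferences > JavaScript > "Enable Acrobat JavaScript".
$JsPrefsKey = "HKCU:\Software\Adobe\Acrobat Reader\$ReaderVersion\JSPrefs"

# Administrator policy branch. Values under FeatureLockDown override and lock
# the matching user preference; cJavaScriptPerms\tBlackList is a '|'-separated
# list of JavaScript APIs that Reader refuses to execute.
$LockDownKey  = "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\$ReaderVersion\FeatureLockDown"
$BlackListKey = Join-Path $LockDownKey 'cJavaScriptPerms'

function Disable-ReaderJavaScript {
    # The "registry hack" the post refers to: turn JavaScript off for this user.
    if (-not (Test-Path $JsPrefsKey)) {
        New-Item -Path $JsPrefsKey -Force | Out-Null
    }
    Set-ItemProperty -Path $JsPrefsKey -Name 'bEnableJS' -Value 0 -Type DWord
}

function Set-ReaderJavaScriptBlackList {
    param(
        # Illustrative entries (assumption); populate from Adobe's advisories.
        [string[]] $Apis = @('Collab.getIcon', 'DocMedia.newPlayer')
    )
    # Requires an elevated session: this is an HKLM policy key.
    if (-not (Test-Path $BlackListKey)) {
        New-Item -Path $BlackListKey -Force | Out-Null
    }
    Set-ItemProperty -Path $BlackListKey -Name 'tBlackList' `
        -Value ($Apis -join '|') -Type String
}

function Get-ReaderJavaScriptState {
    # Audit helper: report what a malicious PDF would find on this host.
    $enabled = (Get-ItemProperty -Path $JsPrefsKey -Name 'bEnableJS' `
        -ErrorAction SilentlyContinue).bEnableJS
    $list = (Get-ItemProperty -Path $BlackListKey -Name 'tBlackList' `
        -ErrorAction SilentlyContinue).tBlackList

    # No bEnableJS value at all means Reader's default, which is JavaScript on.
    if ($null -eq $enabled) { $jsState = 'default (enabled)' }
    else                    { $jsState = [bool]$enabled }

    if ($list) { $blackList = $list -split '\|' } else { $blackList = @() }

    [pscustomobject]@{
        ReaderVersion     = $ReaderVersion
        JavaScriptEnabled = $jsState
        AdminBlackList    = $blackList
    }
}

# Usage (run from an elevated PowerShell session for the HKLM policy key):
Disable-ReaderJavaScript
Set-ReaderJavaScriptBlackList
Get-ReaderJavaScriptState
```

Two caveats for anyone deploying this. The HKCU value only protects the user who runs it, so in an enterprise it belongs in a Group Policy preference or logon script rather than a one-off; the FeatureLockDown value is the one that users cannot re-enable from the preferences dialog. And Reader 9 is a 32-bit application, so on 64-bit Windows confirm with Process Monitor which registry view the running Reader actually reads before trusting the audit output.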

There are numerous alternatives for reading PDF documents, and we believe you should consider whether you can deploy one in your environment. The vast majority of people who read PDFs do not need all of the functionality that Acrobat Reader offers, and would be just as productive with an alternative. If you can find a way to get some or all of your users onto an alternative, it will significantly reduce the attack surface of your enterprise. Replacing Acrobat Reader is no small task, but we recommend you weigh the risk reduction it makes possible.

Finally, here is our current list of predictions:

  • Increased incidents of health record compromise resulting from implementation of HITECH Act in the ARRA
  • Increased targeting of EHR due to activism opposed to the health care reform debate
  • A new and improved security infrastructure purposed for defending the enterprise from social networking risks
  • Adoption of Business Intelligence platforms for security intelligence extraction
  • High-profile financial services firm attacked through their web site
  • The tipping point is imminent or has been reached for risk to mobile devices, and enterprise policy will be compelled to mitigate it with controls and products, for example anti-virus, secure “wallets,” device and application controls, etc.
