Security fails of 2009 – Adobe Takes the Exploit Crown from Microsoft

This is the fourth in the series of Security Fails of 2009.  As 2009 draws to a close I think no one would argue that this has been an extremely eventful year for IT security.  While others will soon be trotting out their “best of 2009” lists, I thought I would instead visit some of the prominent fails of 2009. 

For years, Microsoft sat comfortably atop its throne as the world’s number one source for exploits.  Malware writers around the globe fattened themselves at the Microsoft trough, turning these exploits into a vast array of attacks, including the media darling of 2009, Conficker.  For years, Microsoft sat uncontested on this Mount Olympus, issuing Patch Tuesday thunderbolts to the masses and continuing to churn out code with new exploits to replace those gaps just closed with the newest patch.

In 2009 a new contender eagerly stepped into the ring, and countered with products that were equally ubiquitous and, most importantly, full of exploits.  As we entered 2009, the list of attacks that leverage exploits in Adobe products continued to steadily rise.  Eventually stories began to break claiming that Adobe had passed Microsoft as the new top dog in regards to providing exploits to the malware community.

The problem eventually prompted Adobe to announce in May that they were initiating their own Patch Tuesday process.  Even after this announcement, Adobe continued to get heat about their questionable patching policies, which allowed users to download insecure versions of the product on the assumption that they would then apply patches in a timely manner. 

I can’t imagine that this newfound notoriety was viewed with enthusiasm by the folks at Adobe.  On the positive side, you could only knock Microsoft off its perch if you were very widely deployed.  But I somewhat doubt the Adobe exec team were having “We’re Number 1” balloons distributed. 

Microsoft, on the other hand, was likely very ready to give up their crown.  Seizing the opportunity, Microsoft began to note that many of the browser-based exploits were not an IE problem but could instead be attributed to third-party utilities and other tools.  Of course, Microsoft was still able to create the exploit used by Conficker, so they did not retire from the game. 

So the ascension of Adobe to the leading supplier of exploits is one of my security fails for 2009.  And Lord knows the world needs more regular patches to deploy because we all know how well the patching process performs.  It is also instructive to see that the bad guys are always looking for the road of least resistance and will happily use someone other than Microsoft as their supplier of exploits.

A Practical Primer on Triumfant – the ActiveX IE Exploit

In his blog The Last Watchdog, Byron Acohido discusses the recent zero-day attacks that exploit a flaw in the video ActiveX component of the Internet Explorer browser. Acohido goes on to discuss why Microsoft may not have a patch ready in time for the next Patch Tuesday on July 14.   The exploits and associated problems described by Acohido are a perfect context for a very practical primer on what Triumfant can do for an organization.

First, we would detect the zero-days that exploit the flaw, including the two attacks described that use a Trojan downloader and a rootkit. No signature required.

Second, and of course we do not stop at detection, Triumfant Resolution Manager will build a remediation and remove the detected attacks. This includes ejecting the rootkit attack and cleaning up the various hooks it established, and repairing all of the collateral damage done by the Trojan downloader to configure the machine for subsequent incursions, as described in the post. No humans needed to write the script, no re-imaging required.

Third, it would be a simple task to build a policy in Resolution Manager that would address the registry changes Microsoft has recommended as a stopgap for the problem until a patch is issued. The policy would be enforced on all machines, and the organization would get an up-to-date report on which machines had been updated and which machines were still vulnerable until a patch is created. Given the length of time Acohido describes for Microsoft to build a patch, and the well-known time gaps in organizations’ distributing the patch, the action by Triumfant would protect machines for the weeks and even months until the patch was in place.
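For readers who want to see what such a stopgap check looks like in practice, here is an added example (not Triumfant’s or Microsoft’s code) that audits, and optionally enforces, the ActiveX kill bit for a list of control CLSIDs and reports which machines are still unmitigated. The CLSID value in the list is a placeholder; the real ones come from Microsoft’s advisory for the affected control.

```powershell
# Added example, not part of the original post. Kill-bit mechanism: under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID},
# a DWORD "Compatibility Flags" with bit 0x400 set stops IE from loading
# the control. On 64-bit Windows, 32-bit IE reads the Wow6432Node path,
# so both roots are checked. Writing HKLM requires an elevated session.
$KillBitFlag = 0x400
$KillBitRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitStatus {
    # Returns one row per CLSID per registry root, with Mitigated = $true
    # only when the 0x400 bit is present in Compatibility Flags.
    param([string[]]$ClsidList, [switch]$Enforce)
    foreach ($root in $KillBitRoots) {
        if (-not (Test-Path $root)) { continue }   # e.g. no Wow6432Node on x86
        foreach ($clsid in $ClsidList) {
            $keyPath = Join-Path $root $clsid
            $flags = 0
            if (Test-Path $keyPath) {
                $item = Get-ItemProperty -Path $keyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
                if ($null -ne $item) { $flags = [int]$item.'Compatibility Flags' }
            }
            $mitigated = (($flags -band $KillBitFlag) -ne 0)
            if ($Enforce -and -not $mitigated) {
                # Enforcement path: create the key if missing and OR in the kill bit
                # so any other flags Microsoft set on the control are preserved.
                if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
                $flags = $flags -bor $KillBitFlag
                Set-ItemProperty -Path $keyPath -Name 'Compatibility Flags' -Value $flags -Type DWord
                $mitigated = $true
            }
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Root      = $root
                Clsid     = $clsid
                Flags     = ('0x{0:X}' -f $flags)
                Mitigated = $mitigated
            }
        }
    }
}

# PLACEHOLDER CLSID: substitute the list from the vendor advisory.
$Clsids = @('{00000000-0000-0000-0000-000000000001}')
Get-KillBitStatus -ClsidList $Clsids | Format-Table -AutoSize
```

Run without -Enforce from a scheduled task or remoting session to collect the per-machine report the post describes; add -Enforce to apply the stopgap where Mitigated is false.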

This is not meant to be a sales pitch – this is a perfect and very practical example of how the unique functionality and capability of Triumfant would step into a gap not currently filled by any other product that I (or any industry expert, analyst or writer) am aware of. As a new technology, it is sometimes hard for people to get their heads around what Resolution Manager can do and the benefit it delivers. And exploits like this ActiveX IE exploit show up on an all-too-frequent basis.