Yesterday I quoted a Microsoft security report based on information they gather from numerous sources:
“Detections of exploits targeting Adobe Flash, although uncommon in comparison to some other types of exploits, increased in 2Q11 to more than 40 times the volume seen in 1Q11 … Two vulnerabilities accounted for the bulk of zero-day exploit activity … Both vulnerabilities affect Adobe Flash Player”.
In other words, hackers have found a new sweet spot. Most (not all) companies have copped on when it comes to patching Microsoft products. But:
- Other companies make software
- Pretty much all software has vulnerabilities
- Hackers aren’t stupid. I’m reading a book called Kingpin and it illustrates how hackers will move from one attack vector to another to find a soft underbelly. Adobe is that new point of attack.
And there is a high-profile example of that. The Inquirer website reports the following (there is no evidence for it, because RSA have not publicly documented this):
“Criminals used a zero-day vulnerability in Adobe Flash player to penetrate RSA defences through an embedded Flash file in an Excel email attachment. A spear phishing attack, it targeted regular employees of RSA Security disguised as a recruitment form. It breached the RSA systems, even though it first went to Microsoft Outlook’s spam folder”.
OK, it was a zero-day attack. We know this was a very organised attack, possibly sponsored by a nation. They found a hole in Flash (allegedly) that wasn’t yet reported and crafted an email attachment to attack it, knowing that the recipient would get stung by it, thus allowing the hacker to 0wn the PC. Unlucky.
But even if it wasn’t a zero-day attack, would they have patched Adobe? (We learned that less than 1% of attacks are zero day.) I bet the answer is no. Most companies focus just on Microsoft software. Adobe products do automatically prompt for upgrades, but the prompts are frequent and seriously click heavy, so most people probably disable the auto-check for upgrades, and the PCs probably go years without updating. And that leaves those PCs vulnerable to:
- Drive-by attacks, where a user navigates to an innocent website that has either been hacked (malware uploaded) or has a compromised advert that is hosted elsewhere.
- Crafted attachments, where a user reads a document/email with an attachment built to attack an Adobe product vulnerability.
In other words, patch Adobe products too, and not just Microsoft ones. Unfortunately, that isn’t too easy (or supported) in WSUS. However, you can do it using System Center Essentials (that’s what we use in our office) or System Center Configuration Manager.