8 Elements of Complete Vulnerability Management
Eight essential elements to help reduce your vulnerability to hackers.
Earlier this week, Adobe announced a new critical vulnerability in its Adobe Reader. According to the released alert, this flaw affects Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh. This isn't just a warning that systems are under a potential threat; as CNET pointed out, hackers are actively exploiting the vulnerability.
Right now, the target appears to be Windows PCs running Adobe Reader version 9.4.6. Apparently, the flaw was first reported by Lockheed Martin and the Defense Security Information Exchange, so you have to wonder if those hackers are purposely honing in on the defense industry. But attacks on other versions, other systems and other industries can't be discounted. This hack could easily happen to anyone.
As CNET explained it:
Described only as a "U3D memory corruption" vulnerability, if the attacker takes advantage of it by releasing a compromised PDF document that when opened causes the target system to crash, it allows the attacker to take control of the system. Adobe does not go into any additional details on the nature of the attack such as whether the Reader browser plug-in is affected.
Does anybody else remember when PDFs and using Adobe Reader were considered the safest way to read and send documents? I miss those days. Now, I admit that I flinch a little bit any time I go to open Adobe Reader. It seems like vulnerabilities and zero-day attacks have become way too common.
There is no imminent threat to the other flavors of Adobe Reader or Acrobat, so Adobe plans to issue patches for those as a part of the next scheduled quarterly update-which will occur January 10, 2012. There are no reports of any malicious PDFs targeting Mac OS X or Unix flavors of Adobe Reader or Acrobat, and Adobe Reader X and Acrobat X for Windows operate in a sandboxed protective mode that would prevent any exploit from executing.
As we wait for patches and updates, it is a good time to make sure that your current system is well-protected against zero-day attacks and other vulnerabilities. If you contract with a third-party company to handle your security software needs, do you know if your system is protected against new vulnerabilities?
Often, there is an attitude that if you are paying a vendor for a service, you are naturally covered and protected. And maybe you are. But I don't think it is a bad idea to have a quick chat to ask if your network is protected against the Adobe zero-day vulnerability or any new malware or software flaw out there. Security shouldn't happen in a vacuum. You should know how your security vendor is protecting your network and your security vendor should let you know what steps you should take to keep your system safe.