Adobe and Microsoft: Why wait until the last minute?

Both companies are under the gun to release fixes for vulnerabilities they knew about months ago. Why is that? Security blogger Michael Kassner takes a closer look.

Let's start with Adobe. This is the second time in less than a year that Adobe is under the gun to fix major weaknesses in several of their products. The first problem started in February of 2009. In my post Adobe Alert: Updates available for latest zero-day exploit I described the problem:

"A critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that this issue is being exploited."

The software problem didn't really bother me; sadly, we are becoming accustomed to buggy software. What concerned me was Adobe needing a month to fix something that it had known about for almost seven months and that was already being exploited. Of course, they offered the usual temporary solution of disabling JavaScript. Adobe also suggested that Acrobat and Reader be upgraded to their latest respective versions.

Not a good solution

Adobe's suggestion meant that system administrators needed to visit every computer under their control and disable JavaScript in Adobe Acrobat and Reader. Then when the patches were released they would have to revisit each system, enable JavaScript and make sure the new fix was installed.

I had to do that with my clients, being unable to find a way to automate the process (does anyone know if that's possible?). It took about 15 minutes per machine. That's not what I would call a reasonable solution.
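One way to script the per-user toggle described above, as an added example that is not from the original post: it assumes the Reader/Acrobat JavaScript preference is the `bEnableJS` DWORD under the per-user `JSPrefs` registry key, and that the script runs as the affected user (or with that user's hive loaded), for instance from a logon script or GPO, so no desk-side visit is needed either to disable JavaScript or to re-enable it after the patch is confirmed installed.

```powershell
# Added example, not Adobe's own tooling. Assumption: the per-user setting is
#   HKCU\Software\Adobe\<Product>\<Version>\JSPrefs  DWORD bEnableJS  (1 = on, 0 = off)
# Run as the logged-on user; for other profiles load their ntuser.dat hive first.
param(
    [ValidateSet('Disable', 'Enable')] [string]$Action = 'Disable',
    [string[]]$Products = @('Acrobat Reader', 'Adobe Acrobat'),
    [string[]]$Versions = @('8.0', '9.0')
)

$value = if ($Action -eq 'Disable') { 0 } else { 1 }

foreach ($product in $Products) {
    foreach ($version in $Versions) {
        $base = "HKCU:\Software\Adobe\$product\$version"
        if (-not (Test-Path $base)) { continue }           # that product/version is not installed
        $key = "$base\JSPrefs"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name bEnableJS -Value $value -Type DWord
        # Read the value back so the logon-script log shows the effective state
        $now = (Get-ItemProperty -Path $key -Name bEnableJS).bEnableJS
        Write-Output ("{0} {1}: bEnableJS={2}" -f $product, $version, $now)
    }
}
```

Run it with `-Action Enable` once the fixed build is verified on the machine; it only rewrites the JavaScript preference and leaves the rest of the user's settings untouched.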

Déjà vu time for Adobe

Just last week (22 Jul 2009) Adobe's Product Security Incident Response Team reluctantly admitted that once again many of their products were vulnerable to a zero-day exploit. Thanks to an iDefense tweet, I knew there was a problem the day before.

The next day (23 Jul 2009) Adobe released a bulletin confirming the problem. It was a weakness in Flash, so Flash Player was added to the list of endangered applications along with Acrobat and Reader. That's when security experts started getting antsy. I caught on pretty quickly myself, trying to guesstimate how many millions of Web sites use Flash.

Adobe did their usual thing, suggesting that Flash applications be disabled until a fix can be rolled out (30 Jul 2009). I'm not going through the whole step-by-step process I did for the first Adobe vulnerability. I'm sure everyone understands that it's a time-consuming process.

Somewhat troubling

The tech media did a great job explaining the details and as I hinted at earlier, I'm focused on something else. In fact you may have already guessed what. But first let's recap:

  • This new vulnerability has been exploited into a zero-day threat.
  • There are millions of vulnerable computers that can be subverted by malicious Flash content embedded in PDF files and/or Web sites.

Oh, did I mention that Adobe knew about this issue nearly seven months ago? Greg Keizer noted that fact in his ComputerWorld post:

"One security researcher, however, said Adobe's own bug-tracking database shows that the company has known of the vulnerability for nearly seven months."

I understand that a certain amount of time is required to figure out what to do, but seven months? Maybe there's a reason for taking so long. If so, I'd hope Adobe will tell us. Otherwise I'm going to be suspicious, especially since waiting so long to fix this particular issue is putting millions of computers and loyal users at risk.

Adobe's update issues

With all their problems, one would hope that Adobe's update system was bullet-proof. Apparently that's not the case. In fact, Adobe's update process leaves much to be desired.

For example, Adobe's Reader 9.1 is the latest version that you can download. Yet the code is out-of-date. For some reason several of the latest fixes aren't included in the application download. That requires running the updater a second time. I suspect that's not something many people know about.

Not having the latest version as a download is only one of Adobe's problems. It seems that Adobe applications only check for updates once a week. Therefore, even if Adobe releases patches, it could be up to seven days before Reader or Acrobat checks for them. That's not a good thing with known zero-day exploits out and about.

Microsoft's turn

Microsoft is far from innocent when it comes to knowing vulnerabilities exist, yet failing to do anything about them. One that immediately comes to mind is MS08-067 and Conficker. We all know how that turned out.

We are witnessing another example of Microsoft waiting until the last minute right now. For almost a year Microsoft chose to disregard warnings by security researchers. So now developers at Microsoft are hurrying to release patches for issues in Visual Studio and Internet Explorer. To prove my point that Microsoft knew about at least one of the vulnerabilities, I submit CVE-2008-0015.

Microsoft isn't telling

Truth be told, it's not really clear what Microsoft is trying to fix. They are keeping very quiet about it. Some experts believe that one of the out-of-band patches may repair the repair that supposedly fixed the ActiveX problem.

Other experts are saying that Microsoft is also trying to keep ahead of the curve. This year's Black Hat conference starts this week and one of the seminars is titled: The Language of Trust: Exploiting Trust Relationships in Active Content. Coincidence or not, the subject is closely related to what Microsoft is trying to fix.

Final thoughts

I hope Adobe and Microsoft have good reasons for not fixing their problems in a timely fashion. System administrators and users all around the world now have to adjust already tight schedules and budgets to install their out-of-band patches.
