Just when you thought it was safe to do something online, an example emerges that shows there can be dangerous vulnerabilities in virtually any application. I'm discussing this Photoshop file threat not because I think it will become some massive security threat to a lot of users but simply as an example that ANYTHING connected with computers can turn around and bite you where it hurts.
I bet very few of you have ever given a thought to how Photoshop could be used to compromise your system. However, FrSIRT recently published information about a remotely exploitable PNG file handling code execution threat in Adobe Photoshop and Photoshop Elements. According to the report, a buffer overflow error that occurs when opening a malformed PNG image can lead to a DoS event or a complete system compromise.
I use Photoshop but never open anyone else's image files. What this report does for me is remind me that there can be threats anyplace — and that I shouldn't become complacent just because I have solid antivirus software and a good firewall.
Are there applications or protocols that you never give a second thought to when it comes to security?
Some major apps, mostly Microsoft Office components and their files, are probably on everyone's security radar. We all know that there are a lot of hidden vulnerabilities in the files generated by these applications (mostly the macros Microsoft so thoughtfully included that make Office files so dangerous). And all of us who hope to keep our security jobs watch for new browser threats, even in the more secure browsers such as Firefox.
Another type of file threat that shows up pretty often in vulnerability lists is tied to Adobe Acrobat, so I bet you keep an eye on new developments there as well. But do you pay attention to threats to operating systems, office apps, browsers, and perhaps Acrobat — other than the big ones?
Just as UNIX and Macintosh operating systems will face a growing number of threats as Windows becomes more secure and other operating systems become more popular (and thus more attractive targets to hackers), so to will the more thoughtful attackers turn to applications that seldom get mentioned in security alerts.
Think about it for a minute: If you really wanted to compromise some corporate system, would you pick a malware attack vector when most big targets regularly update antivirus software? Or would you turn to some application that very few IT departments pay any attention to — like Photoshop?
What about your security plan? Does it include a mechanism for monitoring such unusual attack vectors — particularly newly discovered vulnerabilities that you'll need to warn users about and patch when one becomes available? Or do you simply watch for new browser and operating system threats and let it go at that?
Do you even know which applications and versions your users may have installed so you CAN set up a comprehensive threat monitoring system? I want to hear from you — share your opinions.
Am I getting TOO paranoid? Or are you not being paranoid enough? After all, being paranoid enough is what we're being paid for, isn't it?