Both companies are under the gun to release fixes for vulnerabilities they knew about months ago. Why is that? Security blogger Michael Kassner takes a closer look.
Let's start with Adobe. This is the second time in less than a year that Adobe is under the gun to fix major weaknesses in several of their products. The first problem started in February of 2009. In my post Adobe Alert: Updates available for latest zero-day exploit I described the problem:
"A critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that this issue is being exploited."
I had to do that with my clients; being unable to find a way to automate the process (Does anyone know if that's possible?). It took about 15 minutes per machine. That's not what I would call a reasonable solution.Déjà vu time for Adobe
Just last week (22 Jul 2009) Adobe's Product Security Incident Response Team reluctantly admitted that once again many of their products were vulnerable to a zero-day exploit. Thanks to iDefense Tweet I knew there was a problem the day before.
The next day (23 Jul 2009) Adobe released a bulletin confirming the problem. It was a weakness in Flash, so Flash Player was added to the list of endangered applications along with Acrobat and Reader. That's when security experts started getting antsy. I caught on pretty quickly myself, trying to guesstimate how many millions of Web sites use Flash.
Adobe did their usual thing, suggesting that Flash applications be disabled until a fix can be rolled out (30 Jul 2009). I'm not going through the whole step-by process I did for the first Adobe vulnerability. I'm sure everyone understands that it's a time-consuming process.Somewhat troubling
The tech media did a great job explaining the details and as I hinted at earlier, I'm focused on something else. In fact you may have already guessed what. But first let's recap:
- This new vulnerability has been exploited into a zero-day threat.
- There are millions of vulnerable computers that can be subverted by malicious Flash content that has been embedded in PDF files and or Web sites.
Oh, did I mention that Adobe knew about this issue nearly seven months ago? Greg Keizer noted that fact in his ComputerWorld post:
"One security researcher, however, said Adobe's own bug-tracking database shows that the company has known of the vulnerability for nearly seven months."
I understand that a certain amount of time is required to figure out what to do, but seven months? Maybe there's a reason for taking so long. If so, I'd hope Adobe will tell us. Other-wise I'm going to be suspicious, especially since waiting so long to fix this particular issue is putting millions of computers and loyal users at risk.Adobe's update issues
With all their problems, one would hope that Adobe's update system was bullet-proof. Apparently that's not the case. In fact, Adobe's update process has much to be desired.
For example, Adobe's Reader 9.1 is the latest version that you can download. Yet the code is out-of-date. For some reason several of the latest fixes aren't included in the application download. That requires running the updater a second time. I suspect that's not something many people know about.
Not having the latest version as a download is only one of Adobe's problems. It seems that Adobe applications only check for updates once a week. Therefore, even if Adobe releases patches it could be up to seven days before Reader or Acrobat check for them. That's not a good thing with known zero-day exploits out and about.Microsoft's turn
Microsoft is far from innocent when it comes to knowing vulnerabilities exist, yet fail to do anything about it. One that immediately comes to mind is MS08-067 and Conficker. We all know how that turned out.
We are witnessing another example of Microsoft waiting until the last minute right now. For almost a year Microsoft chose to disregard warnings by security researchers. So now developers at Microsoft are hurrying to release patches for issues in Visual Studio and Internet Explorer. To prove my point that Microsoft knew about at least one of vulnerabilities, I submit CVE-2008-0015 as proof.Microsoft isn't telling
Truth be told, it's not real clear as to what Microsoft is trying to fix. They are keeping very quiet about it. Some experts believe that one of the out-of band patches may repair the repair that supposedly fixed the ActiveX problem.
Other experts are saying that Microsoft is also trying to keep ahead of the curve. This year's Black Hat conference starts this week and one of the seminars is titled: The Language of Trust: Exploiting Trust Relationships in Active Content. Coincidence or not, the subject is closely related to what Microsoft is trying to fix.Final thoughts
I hope Adobe and Microsoft have good reasons for not fixing their problems in a timely fashion. System administrators and users all around the world now have to adjust already tight schedules and budgets to install their out-of-band patches.