Transcript
Page 1: Adobe Hacked Again: What Does It Mean for You?

Adobe Hacked Again: What Does It Mean for You?

Sponsored by

© 2013 Monterey Technology Group Inc.

Page 2: Adobe Hacked Again: What Does It Mean for You?

Thanks to


www.Lumension.com

Paul Zimski

Page 3: Adobe Hacked Again: What Does It Mean for You?

Preview of key points

What we know

The risks

What we can do about it

Page 4: Adobe Hacked Again: What Does It Mean for You?

What we know

Privacy: Credit card data, Passwords

Adobe sites and cloud services: Adobe ID, Revel, Creative Cloud

38 million customers/users affected

Gobs and gobs of source code: ColdFusion, Adobe Reader, Acrobat, PhotoShop

Page 5: Adobe Hacked Again: What Does It Mean for You?

Risks

Obvious identity and privacy issues

Password practices

But the source code breaches are what worry me

Source code integrity

Possible to insert arbitrary bad guy code into Adobe products that are then signed by Adobe and released to the public

Can you say Trojan horse?

More 0-day exploits

Instead of laboriously reverse engineering compiled Adobe code for buffer overflows, etc.

Analyze the actual source code

Page 6: Adobe Hacked Again: What Does It Mean for You?

What can you do about it?

You can’t fix Adobe’s problems, Oracle’s or anyone else’s

But you can reduce your exposure to them

Page 7: Adobe Hacked Again: What Does It Mean for You?

1. Replace common, vulnerable tools where possible

Great examples: Adobe Acrobat, Adobe Reader

There are awesome free and for-pay replacements for both products

Faster

Cheaper

Less irritating to use

Better security: Obscurity, Attack surface, Better coding?

Not really replacements available for: Flash, Java, Adobe Air, Other Adobe content creation products

Page 8: Adobe Hacked Again: What Does It Mean for You?

2. Isolate necessary vulnerable apps in a sandbox

Different ways to do sandboxes

Java websites

Deploy 2 browsers: One with Java, one without

Optional: configure Java browser to use proxy server which limits which sites you can access

NoScript?

Java applications

Deliver via VDI

Flash is really problematic

Especially in Windows 8

No alternative

Built into Chrome and IE now

HTML5 helping, hasn’t displaced Flash yet

Click to play?

Flash sandbox?

Better in some browsers than others

Disable via group policy

http://www.howtogeek.com/115833/

Page 9: Adobe Hacked Again: What Does It Mean for You?

3. Using advanced memory protection technologies

Each version of Windows gets stronger memory protection

Vista, Windows 7, Windows 8, Windows 8.1

Running 64 bit IE

3rd party memory protection: DLL injection, Reflective programming

Page 10: Adobe Hacked Again: What Does It Mean for You?

Bottom line

Patch

Replace

Isolate

Control

Protect

Page 11: Adobe Hacked Again: What Does It Mean for You?

Source Code Release Implications?

[Chart: Known Adobe Software Vulnerabilities. Series: All Adobe, Acrobat, Reader, Flash, Shockwave. X axis: Year (2010 to 2013). Y axis: # of NVD CVEs.]

Source data: nvd.nist.gov, 2010 through October 2013

A single CVE may apply to more than one product (especially if from common source code)

Acrobat and Acrobat Reader are extremely well correlated (.92-.98)

Acrobat/Release tracking at least at 2010 levels; will a dramatic increase be seen?

NVD = National Vulnerability Database, CVE = Common Vulnerabilities and Exposures

Page 12: Adobe Hacked Again: What Does It Mean for You?

Source Code Release Implications?

Breach included Acrobat, ColdFusion, ColdFusion Builder & Photoshop

Weak correlation between Acrobat and Flash (.00-.07), with none in later years

No other cross-product correlations noted, e.g. ColdFusion & Shockwave CVEs were unrelated

[Chart: Known Adobe Software Vulnerabilities. Series: ColdFusion, Photoshop, Illustrator. X axis: Year (2010 to 2013). Y axis: # of NVD CVEs.]

Source data: nvd.nist.gov, 2010 through October 2013

Page 13: Adobe Hacked Again: What Does It Mean for You?

Source Code Release Implications?

The source code is a “key to castle” to find flaws in existing memory management / bounds checking

0-day exploit creation

Techniques to detect and block such exploits and subsequent payloads are vital

Layered defense to monitor and report good as well as suspicious activity

Security Future: Correlation of disparate “big data” to “know the unknown”

[Chart: Percentage of Adobe Vulnerabilities Allowing “Arbitrary Code Execution”. Series: Allows Arbitrary Code Execution. X axis: Year (2010 to 2013). Y axis: Percentage of CVEs. Data labels, in order: 65%, 80%, 87%, 87%.]

Source data: nvd.nist.gov, 2010 through October 2013

Page 14: Adobe Hacked Again: What Does It Mean for You?


Defense-in-Depth with Lumension


[Diagram labels: Physical Access; Port / Device Control and Encryption; Full Disk Encryption; Firewall Management; Patch and Configuration Management; Anti-Malware; Network Access]


Page 15: Adobe Hacked Again: What Does It Mean for You?

Sponsored by

• Free Security Scanner Tools

» Vulnerability Scanner – discover all OS and application vulnerabilities on your network

» Application Scanner – discover all the apps being used in your network

» Device Scanner – discover all the devices being used in your network

http://www.lumension.com/Resources/Security-Tools.aspx

• Lumension® Endpoint Management and Security Suite

» Online Demo Video: http://www.lumension.com/Resources/Demo-Center/Vulnerability-Management.aspx

» Free Trial (virtual or download): http://www.lumension.com/endpoint-management-security-suite/free-trial.aspx

• Get a Quote (and more): http://www.lumension.com/endpoint-management-security-suite/buy-now.aspx#2
