Adobe’s name is mud

More is coming out about the loss of the “keys to the Kingdom” at RSA.

For a great discussion of this and other security topics follow the Security Now! Podcast and the archive at GRC.com

In short a user just opened a spreadsheet.

A small group of RSA employees received a targeted spearfishing email, which got intercepted and moved into their spam folders.

Steve Gibson continues:

But one of the employees in one of these small groups looked in her junk mail folder, and the email was titled “2011 Recruitment Plan.” And she opened the email, and there was an attachment, 2011 Recruitment Plan.XLS, making it a Microsoft Excel spreadsheet. That she opened, and that allowed a Flash movie, an Adobe Flash file that was embedded in the spreadsheet with an at-that-time unknown exploit, a zero-day flaw which Adobe has since patched, that allowed it to run. And that installed a well-known trojan which is freely available on the Internet called “Poison Ivy.” It’s a so-called RAT, an R-A-T, a Remote Administration/Access Tool/Toolkit trojan, which then phoned home, that is, it called outwards from her machine to a remote server that gave bad guys essentially the ability to do anything that she could do from her machine, they could do. And that’s all it took. That was their foothold in RSA. And the rest, as they say, is history…

The incident highlights two major security issues.

Firstly however much you warn people not to open attachments from sources they don’t know, the hackers will always come up with something so tempting – such as the promise of video of a tennis star -that someone, somewhere will just have to open it. And it only takes one. That’s social engineering!

The second is equally challenging to solve.

Adobe have rightly earned their place on every desktop, laptop, tablet and smartphone (except for Flash on Apple IOS!) by providing software for rich media.

A PDF document will always display a document as it would appear on the printed page – but it can extend beyond that to include video and links to the page. When filing my company return earlier in the year, I downloaded a PDF from the Companies House , filled it in. The PDF document validated my return and then transmitted the return off with the click of a button. Most useful when you have four hours left before the filing deadline.

No multimedia or social networking site would survive now without Adobe Flash videos. Celebrating the Royal Wedding I am stiing with the live YouTube courtesy of Flash and even the programme with animated page turns.

However to provide this rich media the Adobe software has system powers far beyond what you would expect for a “reader” or “player” software. And the Adobe software is cross platform – common across browsers (Internet Explorer, Firefox, Chrome, Safari, Opera) and Operating Systems (All versions of Windows, Mac OS, Unix) so the products provide a big target for exploits.

My Adobe Reader has 21 Plugins – from a vanilla installation – allowing internet access, sending mail, reading out loud, updating, and the Adobe EScript plug-in ‘that allows PDF documents to take advantage of JavaScript’.

Right click on any flash plug in and look at the settings. There flash can take over your hardware including the microphone and the webcam. It can put a file anywhere the user can – including the installation of malicious software.

Adobe are belatedly patching vulnerabilities – and seem to be giving up on their lethargic quarterly update frequency. Adobe Reader X (I’m no sure if that’s an “ex” or a “ten”) is starting to introduce a sandbox to isolate Adobe from the core operating system.

So what can be done to avoid these vulnerabilities?

  • You can remove add-ins and features you don’t need or intend to use (For adobe reader Edit Menu Preferences – but this is a long winded “expert-level” exercise.
  • You can handle this at a corporate level with the security settings downloaded from a specified location – This has a slight downside by slowing down distribution of updates patching vulnerabilities.
  • Braver IT Management might even try to eliminate Adobe Software. Other PDF readers are available – and Google’s Chrome browser now has a built in PDF reader. Many larger web video sites are moving away from Flash video toward the emerging HTML5 standard. This has the additional advantage of reducing the client resources needed.

However it would be a brave IT manager to try to take Adobe reader and Flash away from users, and it is a complex exercise to find substitutes. Few would have enough clout to impose the “iPhone approach” and simply say No.