File format vulnerabilities: Protecting your applications


Mike Chapple
02.05.2009


File format vulnerabilities are quickly taking center stage as one of the primary information security threats facing modern enterprises. Attackers exploiting these vulnerabilities create carefully crafted malicious files that trigger flaws (such as buffer overflows) in applications. These vulnerabilities are especially worrisome because they often cross platforms. For example, a file format vulnerability in Adobe Acrobat might allow an attacker to create a single malicious PDF file that compromises Windows, Macintosh and Linux systems.
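The defensive counterpart of that mechanism is a parser that never trusts a size field it read from the file. The following is an added example, not code from the article, using a toy container format invented here: every record carries a declared length, and the parser checks that length against a policy cap and against the bytes actually remaining before it touches the payload, so a crafted header cannot drive it past the end of its data. The format, the cap and the sample files are all constructed for illustration.

```python
"""Bounds-checked parser for a constructed toy container format.

Format (invented for this example, not a real file type):
    magic   : 4 bytes, b"TOYF"
    records : repeated until end of data
        kind    : 1 byte
        length  : 4-byte little-endian unsigned integer
        payload : `length` bytes
"""
import struct

MAGIC = b"TOYF"
HEADER = struct.Struct("<BI")   # kind, length (5 bytes, no padding)
MAX_RECORD = 1 << 20            # hard cap on one payload; an assumed policy value


class MalformedFile(ValueError):
    """Raised when any structural check fails; the whole file is rejected."""


def parse_toy_file(data: bytes) -> list:
    """Return [(kind, payload), ...] or raise MalformedFile.

    Every declared length is validated *before* it is used to slice the data,
    which is the check a vulnerable parser typically omits.
    """
    if data[:4] != MAGIC:
        raise MalformedFile("bad magic")
    offset = 4
    records = []
    while offset < len(data):
        if len(data) - offset < HEADER.size:
            raise MalformedFile(f"truncated record header at offset {offset}")
        kind, length = HEADER.unpack_from(data, offset)
        offset += HEADER.size
        remaining = len(data) - offset
        # Policy cap first: a 4 GiB claim is rejected without allocating anything.
        if length > MAX_RECORD:
            raise MalformedFile(f"record at {offset} declares {length} bytes, cap is {MAX_RECORD}")
        # Then the physical check: the payload must actually be present.
        if length > remaining:
            raise MalformedFile(f"record at {offset} declares {length} bytes, only {remaining} remain")
        records.append((kind, data[offset:offset + length]))
        offset += length
    return records


def build_record(kind: int, payload: bytes) -> bytes:
    """Helper to assemble a well-formed record for the constructed samples."""
    return HEADER.pack(kind, len(payload)) + payload


# Constructed samples: one valid file and two with lying length fields.
GOOD_FILE = MAGIC + build_record(1, b"hello") + build_record(2, b"\x00" * 16)
OVERSIZED_FILE = MAGIC + HEADER.pack(1, 0xFFFFFFFF) + b"hello"   # claims 4 GiB, carries 5 bytes
TRUNCATED_FILE = MAGIC + HEADER.pack(1, 50) + b"hello"           # claims 50 bytes, carries 5


def check(data: bytes) -> str:
    """Human-readable verdict used by the demo below."""
    try:
        records = parse_toy_file(data)
    except MalformedFile as exc:
        return f"rejected: {exc}"
    return f"accepted: {len(records)} record(s)"


if __name__ == "__main__":
    for name, sample in [("good", GOOD_FILE), ("oversized", OVERSIZED_FILE), ("truncated", TRUNCATED_FILE)]:
        print(f"{name:>9} -> {check(sample)}")
```

The ordering of the two checks matters in a native parser: testing the declared length against a fixed cap before anything is allocated or copied is what keeps an attacker-chosen 32-bit value from becoming the size of a memcpy or malloc.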

A recent analysis by SPI Dynamics revealed that approximately a quarter of the patches released by Microsoft during the past two years were related to file format issues. There have also already been several high-profile file format exploits in the wild, including the WMF exploit of 2005-06.

While Windows users are familiar with Patch Tuesday and the steady stream of updates from Microsoft, all computer users should become familiar with the updating processes used by their operating systems and applications, since file format vulnerabilities tend to affect all operating systems. Evildoers who previously targeted Windows systems because of their predominance may now be less discriminatory in their attacks. Let's turn our attention to two recent cases that illustrate this point.

First, on Jan. 4, the United States Computer Emergency Readiness Team (US-CERT) announced that Apple's popular QuickTime player was vulnerable and would allow malicious users to read contents of the local file system by simply including a maliciously crafted QuickTime file on a Web page viewed by the affected system. This vulnerability applies to QuickTime plug-in users for both Microsoft's Internet Explorer (IE) and Apple's Safari Web browser. Hackers developed an exploit for this vulnerability and spread it through MySpace before Apple released a patch.

Then, on Jan. 9, Adobe Systems released a security bulletin acknowledging file format vulnerabilities in all versions of Acrobat Reader prior to 7.0.9. Again, this vulnerability was platform-independent, so all Acrobat-supported platforms -- Windows, Mac and Unix -- were affected. Exploitation only required that the user open a malicious PDF file, and could allow the attacker to take control of the operating system. Given the widespread use of Acrobat Reader and the trust users have in the reliability of Adobe software, this vulnerability has the potential to cause widespread infections.

So, what can be done to protect the enterprise against file format vulnerabilities? The fixes aren't surprising; in fact they're all best practices that information security professionals have espoused for years:

  • Patch applications regularly. While this sounds like a no-brainer, application patch management is trickier than it seems. Application patches are delivered through various mechanisms that all need to be coordinated. Microsoft applications use the standard Microsoft Update process, while other applications like Firefox and Acrobat have their own automatic update procedures. Each of those applications likely has a box buried somewhere in a preference tab that must be checked to enable automatic updates. For example, in Firefox, you must access the Tools->Options window, then select the Advanced tab, then select the Update subtab and finally choose "Automatically download and install the update" to enable automatic updates. Still more applications have no facility for automatic updates and require manual patching.

  • Monitor security bulletins. Many vulnerabilities are identified and publicized days or weeks before a patch becomes available. Unfortunately, hackers also read security bulletins, meaning there's often an exploit before there's a patch (as was the case with the MySpace QuickTime exploit).

  • Practice configuration management. In addition to assisting with operating system issues, configuration management practices such as standardized images and change control can help regulate environments and tame the "Wild West" atmosphere where users install software and tinker with settings, potentially undermining application security.

  • Minimize the software footprint of your organization. The fewer software packages used, the fewer to track for new security vulnerabilities. If possible, consolidate or eliminate applications from the portfolio; doing so will reduce risk.
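To make the first two items actionable, here is an added example (not code from the article) that compares an application inventory export against the minimum versions named in security bulletins and reports every host still running something older. The Adobe Reader threshold of 7.0.9 comes from the bulletin discussed above; the other application names, hosts and version numbers are constructed placeholders, and the inventory tuple layout is an assumption about whatever export your asset system produces.

```python
"""Flag inventory entries that fall below the minimum patched version from a bulletin."""
import re
from typing import Dict, List, Tuple

# Minimum versions that close a published file format flaw. The Adobe Reader
# entry is from the Jan. 9 bulletin discussed in the article (fixed in 7.0.9);
# the other two are constructed placeholders, not real bulletins.
MINIMUM_FIXED_VERSION: Dict[str, str] = {
    "adobe reader": "7.0.9",
    "example media player": "3.2.1",    # placeholder
    "example office suite": "12.0.4",   # placeholder
}

# Constructed inventory export: (hostname, application, installed version).
INVENTORY: List[Tuple[str, str, str]] = [
    ("ws-101", "Adobe Reader", "7.0.8"),
    ("ws-102", "Adobe Reader", "7.0.9"),
    ("ws-103", "Adobe Reader", "8.1"),
    ("ws-104", "Example Media Player", "3.10.0"),
    ("ws-105", "Example Media Player", "3.2"),
    ("ws-106", "Unlisted Tool", "1.0"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.0.9' into (7, 0, 9); a trailing non-numeric suffix is ignored ('8.1b' -> (8, 1))."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_at_least(installed: str, required: str) -> bool:
    """Numeric, component-wise comparison; '7.0' and '7.0.0' compare equal."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def find_unpatched(inventory: List[Tuple[str, str, str]],
                   minimums: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (host, app, installed, required) for every entry below its bulletin minimum."""
    findings = []
    for host, app, installed in inventory:
        required = minimums.get(app.lower())
        if required is None:
            continue    # no bulletin in the table covers this application
        if not is_at_least(installed, required):
            findings.append((host, app, installed, required))
    return findings


if __name__ == "__main__":
    for host, app, installed, required in find_unpatched(INVENTORY, MINIMUM_FIXED_VERSION):
        print(f"{host}: {app} {installed} is below the bulletin minimum {required}")
```

The component-wise comparison is the point of `parse_version`: a naive string comparison would sort "3.10.0" before "3.2.1" and report a fully patched host as vulnerable, while an unlisted application is deliberately skipped rather than guessed at, so the bulletin table stays the single place where thresholds are maintained.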

As operating system vendors continue to harden their products against yesterday's exploits, expect to see malware developers focus on application flaws. There's a relatively untapped wilderness of vulnerabilities out there and plenty of people with too much time on their hands preparing new exploits.

About the Author:
Mike Chapple, CISA, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.
