A recent analysis by SPI Dynamics revealed that approximately a quarter of patches released by Microsoft during the past two years were related to file format issues. There have also already been several cases of high-profile file format exploits in the wild, including the high-profile WMF exploit of 2005-06.
While Windows users are familiar with Patch Tuesday and the steady stream of updates from Microsoft, all computer users should become familiar with the updating processes used by their operating systems and application, since file format vulnerabilities tend to affect all operating systems. Evildoers who previously targeted Windows systems because of their predominance may now be less discriminatory in their attacks. Let's turn our attention to two recent cases that illustrate this point.
First, on Jan. 4, the United States Computer Emergency Readiness Team (US-CERT) announced that Apple's popular QuickTime player was vulnerable and would allow malicious users to read contents of the local file system by simply including a maliciously crafted QuickTime file on a Web page viewed by the affected system. This vulnerability applies to QuickTime plug-in users for both Microsoft's Internet Explorer (IE) and Apple's Safari Web browser. Hackers developed an exploit for this vulnerability and spread it through MySpace before Apple released a patch.
Then, on Jan. 9, Adobe Systems released a security bulletin acknowledging file format vulnerabilities in all versions of Acrobat Reader prior to 7.0.9. Again, this vulnerability was platform independent, therefore all Acrobat-supported platforms --Windows, Mac and Unix -- were affected. Exploitation only required that the user open a malicious PDF file and could allow the attacker to take control of the operating system. Given the widespread use of Acrobat Reader and the trust users have in the reliability of Adobe software, this vulnerability has the potential to cause widespread infections.
So, what can be done to protect the enterprise against file format vulnerabilities? The fixes aren't surprising; in fact they're all best practices that information security professionals have espoused for years:
- Patch applications regularly. While this sounds like a no-brainer, application patch management is trickier than it seems. Application patches are delivered through various mechanisms that all need to be coordinated. Microsoft applications use the standard Microsoft Update process, while other applications like Firefox and Acrobat have their own automatic update procedures. Each of those applications likely has a box buried somewhere in a preference tab that must be checked to enable automatic updates. For example, in Firefox, you must access the Tools->Options window, then select the Advanced tab, then select the Update subtab and finally choose "Automatically download and install the update" to enable automatic updates. Still more applications have no facility for automatic updates and require manual patching.
- Monitor security bulletins. Many vulnerabilities are identified and publicized days or weeks before a patch becomes available. Unfortunately, hackers also read security bulletins, meaning there's often an exploit before there's a patch (as was the case with the MySpace QuickTime exploit).
- Practice configuration management. In addition to assisting with operating system issues, configuration management practices such as standardized images and change control can help regulate environments and tame the "Wild West" atmosphere where users install software and tinker with settings, potentially undermining application security.
- Minimize the software footprint of your organization. The fewer software packages used, the fewer to track for new security vulnerabilities. If possible, consolidate or eliminate applications from the portfolio; doing so will reduce risk.
As operating system vendors continue to harden their products against yesterday's exploits, expect to see malware developers focus on application flaws. There's a relatively untapped wilderness of vulnerabilities out there and plenty of people with too much time on their hands preparing new exploits.
About the Author:
Mike Chapple, CISA, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.
This was first published in February 2009