
Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


Patching Cycles and the Adobe Vulnerability

Just how quickly a vendor should move to release patches for security vulnerabilities has been a point of contention for as long as there have been patches for software. Over time different vendors have settled into their own routines and patching cycles, providing end users and administrators with either a time-based releasing cycle or an opportunistic release cycle.

Time-based cycles, such as Microsoft's monthly patch release or Oracle's quarterly patch releases, give users and administrators defined times at which patches will be made available, but they also mean that vulnerabilities may be exposed for significant periods before patching (and there is no guarantee that a patch for any given vulnerability will be made available in the period following its discovery or disclosure). Microsoft moved to releasing patches on the second Tuesday of every month, with a pre-release notification the previous Thursday, following pressure from administrators and end users who found that a seemingly random release cycle was making their jobs more difficult than they needed to be, and that a regular release cycle would allow them to plan patch testing and rollout reliably.

For Microsoft, the monthly release cycle seems to have hit a sweet spot for patch releases, helping to reduce the number of out-of-cycle patches that need releasing, while for a database vendor like Oracle, the quarterly release cycle seems to work well, although there are critics of this lengthy approach.

Ad-hoc patch release cycles, such as those followed by Apple, most Linux distributions, and a number of other software vendors, mean that patches can be released on an as-needed basis, but they also leave administrators and users in the dark about how long it will be before the next patch release. Even though the ad-hoc approach seems like it would provide the most rapid response to any publicised vulnerability, which is the case for many Linux distributions, it can still have inherent delays between vulnerability disclosure and patching - something seen recently with the highly public disclosure of an Adobe Acrobat and Reader exploit.

Public claims were made in mid-February by Shadowserver of a previously undiscovered PDF-related vulnerability that was circulating in the wild and being used for targeted attacks. This was soon followed by the public release of exploit sample code which demonstrated a JBIG issue. Initially it was believed that JavaScript was required to exploit the issue, and early mitigation advice was that disabling JavaScript support would be sufficient to protect against exploitation. Once exploit sample code was freely available, it was found that the issue could be exploited without the use of JavaScript.
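The point above, that a mitigation aimed only at JavaScript leaves a file using the vulnerable image codec untouched, is easy to see in a triage check. The following is an added example, not code from the original post or from Adobe or Shadowserver: a small scanner that looks at a PDF's raw object syntax for both scripting markers and the image filter. It assumes that the "JBIG issue" corresponds to the PDF `/JBIG2Decode` stream filter (an assumption made here, not stated on the page), and the sample documents are constructed fragments, not real exploit files.

```python
import re

# Categories of PDF name objects worth flagging during triage.
# Mapping the "JBIG issue" to the /JBIG2Decode filter is an assumption.
MARKERS = {
    "javascript": [rb"/JavaScript", rb"/JS\b"],
    "auto_action": [rb"/OpenAction", rb"/AA\b"],
    "jbig2_stream": [rb"/JBIG2Decode"],
}


def scan_pdf_bytes(data: bytes) -> dict:
    """Report which marker categories appear in a PDF's raw bytes.

    This inspects only uncompressed object syntax; names hidden inside
    FlateDecode'd object streams would need inflating first, which a
    production tool must do before relying on this check.
    """
    return {
        category: any(re.search(pattern, data) for pattern in patterns)
        for category, patterns in MARKERS.items()
    }


def triage(data: bytes) -> str:
    """Classify a document for a review queue.

    A JBIG2 stream is reported first and separately, because disabling
    JavaScript in the reader does nothing to mitigate it.
    """
    found = scan_pdf_bytes(data)
    if found["jbig2_stream"]:
        return "review: JBIG2 stream (not mitigated by disabling JavaScript)"
    if found["javascript"] or found["auto_action"]:
        return "review: scripted or auto-action content"
    return "no flagged content"


# Constructed sample fragments (hypothetical, minimal PDF object syntax).
SAMPLE_BENIGN = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
)
SAMPLE_JS = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R "
    b"/OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj\n"
)
SAMPLE_JBIG2_ONLY = (
    b"%PDF-1.4\n"
    b"4 0 obj << /Type /XObject /Subtype /Image /Filter /JBIG2Decode "
    b"/Width 8 /Height 8 /Length 0 >> stream\nendstream endobj\n"
)


if __name__ == "__main__":
    for label, sample in [("benign", SAMPLE_BENIGN),
                          ("javascript", SAMPLE_JS),
                          ("jbig2-only", SAMPLE_JBIG2_ONLY)]:
        print(f"{label:11s} -> {triage(sample)}")
```

The third sample contains no JavaScript at all and would pass a check (or a reader setting) that only considers scripting, which is exactly why the early "disable JavaScript" advice was insufficient once the JBIG path was shown to be exploitable on its own.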

Shadowserver are considered the first to have publicly alerted to the presence of the vulnerability under exploitation, but there are counterclaims that some security companies were aware of it as early as December 2008. With the differing times of discovery being claimed, and the Adobe advisory not appearing until after Shadowserver issued their information, it raises the question of whether Adobe were aware of the vulnerability at an earlier date than their advisory indicates, or whether they were pressured into releasing the information following the Shadowserver release.

With no patch scheduled until March 11, community-released patches are available, but they only provide limited protection for Windows XP users, leaving the other affected platforms unprotected.

At the same time that information about the new vulnerability was being made public, there were cases of exploits against Internet users by way of poisoned ads hosted at Ziff-Davis that used an attack against older versions of Adobe Acrobat Reader (8.12 and earlier) to deliver their payload.

1 March 2009

