Last time it was Adobe’s code signing servers. This time it’s 2.9 million (let’s just call it 3) customers’ data and lots and lots of source code – including that of Acrobat. Adobe products already require constant patching but offer no enterprise-level solution for patching. In this presentation by Ultimate Windows Security, we’ll present why this will likely lead to more and we’ll look at what we know about this latest Adobe breach.
But more importantly, I’ll show what you can do in advance to protect yourself against zero-day exploits in Adobe products and programs. After all, this won’t be the last time a software vendor is hacked. In this day and age we have to protect ourselves from the failures of our software providers.
I’ll present 3 ways you can go on the offensive to protect yourself from the constant vulnerabilities discovered in Adobe Reader, Acrobat, Flash and Oracle Java. Here’s what we’ll discuss:
* Alternatives to Adobe and Java
* Different ways to contain vulnerable apps in a sandbox
* Using advanced memory protection technologies to detect and stop buffer overflows and other memory-based attacks
Patching and AV only help you close the window of hacker opportunity. To keep the window from opening in the first place, you have to prevent untrusted code from ever running. That requires application whitelisting and memory protection against code injection – a growing menace that bypasses controls based on file system and EXE scanning.
That’s why Lumension is sponsoring this event. I think you’ll be interested in seeing 2 of their end-point security technologies that will help protect you from the new exploits on their way as a result of this hack as well as the constant stream of exploits discovered every day.
This is going to be a really cool presentation with practical tips that you can apply. Learn how to protect your systems from other software vendor vulnerabilities.
4. What we know
* Privacy
  * Credit card data
  * Passwords
* Adobe sites and cloud services
  * Adobe ID
  * Revel
  * Creative Cloud
* 38 million customers/users affected
* Gobs and gobs of source code
  * ColdFusion
  * Adobe Reader
  * Acrobat
  * Photoshop
5. Risks
* Obvious identity and privacy issues
  * Password practices
* But the source code breaches are what worry me
  * Source code integrity
    * Possible to insert arbitrary bad guy code into Adobe products that are then signed by Adobe and released to the public
    * Can you say Trojan horse?
  * More 0-day exploits
    * Instead of laboriously reverse engineering compiled Adobe code for buffer overflows, etc.
    * Analyze the actual source code
6. What can you do about it?
* You can’t fix Adobe’s problems, Oracle’s or anyone else’s
* But you can reduce your exposure to them
7. 1. Replace common, vulnerable tools where possible
* Great examples
  * Adobe Acrobat
  * Adobe Reader
* There are awesome free and for-pay replacements for both products
  * Faster
  * Cheaper
  * Less irritating to use
  * Better security
    * Obscurity
    * Attack surface
    * Better coding?
* Not really replacements available for
  * Flash
  * Java
  * Adobe Air
  * Other Adobe content creation products
8. 2. Isolate necessary vulnerable apps in a sandbox
* Different ways to do sandboxes
* Java websites
  * Deploy 2 browsers
    * One with Java, one without
    * Optional: configure Java browser to use proxy server which limits which sites you can access
  * NoScript?
* Java applications
  * Deliver via VDI
* Flash is really problematic
  * Especially in Windows 8
  * No alternative
  * Built into Chrome and IE now
  * HTML5 helping, hasn’t displaced Flash yet
  * Click to play?
  * Flash sandbox?
    * Better in some browsers than others
  * Disable via group policy
    * http://www.howtogeek.com/115833/
9. 3. Using advanced memory protection technologies
* Each version of Windows gets stronger memory protection
  * Vista
  * Windows 7
  * Windows 8
  * Windows 8.1
* Running 64 bit IE
* 3rd Party Memory protection
  * DLL injection
  * Reflective programming
11. Known Adobe Software Vulnerabilities
[Chart: # of NVD CVEs per year, 2010 to 2013; series: All Adobe, Acrobat, Reader, Flash, Shockwave; annotation: “Source Code Release Implications?”]
* Source data: nvd.nist.gov, 2010 through October
* A single CVE may apply to more than one product (especially if from common source code)
* Acrobat and Acrobat Reader are extremely well correlated (.92-.98)
* Acrobat/Release tracking at least at 2010 levels; will a dramatic increase be seen?
* NVD = National Vulnerability Database, CVE = Common Vulnerabilities and Exposures
12. Known Adobe Software Vulnerabilities
[Chart: # of NVD CVEs per year, 2010 to 2013; series: ColdFusion, Photoshop, Illustrator; annotation: “Source Code Release Implications?”]
* Source data: nvd.nist.gov, 2010 through October 2013
* Breach included Acrobat, ColdFusion, ColdFusion Builder & Photoshop
* Weak correlation between Acrobat and Flash (.00-.07), with none in later years
* No other cross-product correlations noted, e.g. ColdFusion & Shockwave CVEs were unrelated
13. Percentage of Adobe Vulnerabilities Allowing “Arbitrary Code Execution”
[Chart: percentage of CVEs that allow arbitrary code execution, per year, 2010 to 2013; data labels shown: 87%, 87%, 80%, 65%; annotation: “Source Code Release Implications?”]
* Source data: nvd.nist.gov, 2010 through October 2013
* The source code is a “key to castle” to find flaws in existing memory management / bounds checking 0-day exploit creation
* Techniques to detect and block such exploits and subsequent payloads are vital
* Layered defense to monitor and report good as well as suspicious activity
* Security Future: Correlation of disparate “big data” to “know the unknown”
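The kind of tally behind slides 11 to 13, as an added example that is not the presenters' own analysis: per-product CVE counts per year, how far two products' CVE sets overlap, and the share of CVEs allowing arbitrary code execution. The records are constructed placeholders rather than NVD entries, and Jaccard overlap is an assumed stand-in for the correlation figures on the slides, whose method the deck does not state.

```python
from collections import defaultdict

# Constructed sample records (not real NVD entries):
# (placeholder id, year, affected products, allows arbitrary code execution)
RECORDS = [
    ("SAMPLE-0001", 2012, {"Acrobat", "Reader"}, True),
    ("SAMPLE-0002", 2012, {"Acrobat", "Reader"}, True),
    ("SAMPLE-0003", 2012, {"Reader"}, False),
    ("SAMPLE-0004", 2012, {"Flash"}, True),
    ("SAMPLE-0005", 2013, {"Acrobat", "Reader"}, True),
    ("SAMPLE-0006", 2013, {"Flash"}, False),
    ("SAMPLE-0007", 2013, {"ColdFusion"}, False),
    ("SAMPLE-0008", 2013, {"Flash", "Shockwave"}, True),
]

def counts_by_product(records):
    """Per-year CVE count per product; a shared CVE counts once for each product."""
    counts = defaultdict(lambda: defaultdict(int))
    for _id, year, products, _ace in records:
        for product in products:
            counts[year][product] += 1
    return {year: dict(per_product) for year, per_product in counts.items()}

def overlap(records, a, b):
    """Per-year Jaccard overlap (0.0 to 1.0) of the CVE sets of products a and b."""
    ids = defaultdict(lambda: {a: set(), b: set()})
    for cve_id, year, products, _ace in records:
        for product in (a, b):
            if product in products:
                ids[year][product].add(cve_id)
    return {
        year: len(sets[a] & sets[b]) / len(sets[a] | sets[b])
        for year, sets in ids.items()
    }

def code_exec_share(records):
    """Per-year fraction of distinct CVEs that allow arbitrary code execution."""
    total, ace = defaultdict(int), defaultdict(int)
    for _id, year, _products, allows_ace in records:
        total[year] += 1
        ace[year] += allows_ace
    return {year: ace[year] / total[year] for year in total}
```

Counting shared CVEs once per product is why per-product series can sum to more than an “All Adobe” total, which is the caveat slide 11 states.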
14. Sponsored by
Defense-in-Depth with Lumension
* Full Disk Encryption
* Physical Access
* Port / Device Control and Encryption
* Anti-Malware
* Patch and Configuration Management
* Network Access
* Firewall Management
15. • Free Security Scanner Tools
» Vulnerability Scanner – discover all OS and application vulnerabilities on your network
» Application Scanner – discover all the apps being used in your network
» Device Scanner – discover all the devices being used in your network
http://www.lumension.com/Resources/Security-Tools.aspx
• Lumension® Endpoint Management and Security Suite
» Online Demo Video:
http://www.lumension.com/Resources/DemoCenter/Vulnerability-Management.aspx
» Free Trial (virtual or download):
http://www.lumension.com/endpointmanagement-security-suite/free-trial.aspx
• Get a Quote (and more)
http://www.lumension.com/endpoint-management-securitysuite/buy-now.aspx#2
Editor's Notes
Closing on this slide allows the audience to see the true defense in depth strategy Lumension provides. It is suggested to start from the left side and move to the right, highlighting each module/capability along the way.