Tuesday, February 24, 2009

The Best Defense is Information

Via Metasploit Blog -

Over the last two months, rumors of an unpatched vulnerability in the Adobe Acrobat products have been circulating. Last Thursday (the 19th), the Shadowserver folks confirmed that there is an exploit in the wild and that they had obtained a sample. A few hours later, Adobe confirmed the issue in their official advisory. McAfee, Symantec, and others have all chimed in saying that they have samples dating back as far as January and even December of last year. Symantec published a response almost a week before the Adobe advisory.

The exploit was detected in the wild, is being actively exploited, and it wasn't until the Shadowserver folks wrote a summary of the issue that Adobe bothered to issue an advisory. With the February 12th coverage date from Symantec, we can only assume that they contacted Adobe as well and provided any sample they had access to. Adobe's official response is that a patch for Adobe Acrobat 9 will be made available on March 11th, but no timeline has been issued for older versions. Compare this to Microsoft's response to MS08-078, MS08-067, or even MS06-001 and you can see a clear difference in how these companies respond to real-world attacks against their user base.


The strongest case for information disclosure is when the benefit of releasing the information outweighs the possible risks. In this case, like many others, the bad guys already won. Exploits are already being used in the wild and the fact that the rest of the world is just now taking notice doesn't mean that these are new vulnerabilities. At this point, the best strategy is to raise awareness, distribute the relevant information, and apply pressure on the vendor to release a patch.

Adobe has scheduled the patch for March 11th. If you believe that Symantec notified them on February 12th, this is almost a full month from news of a live exploit to a vendor response. If the vendor involved was Microsoft, the press would be tearing them apart right now. What part of "your customers are being exploited" do they not understand?


Well said...

Adobe, are you listening? Hello?
