File format vulnerabilities: Protecting your applications


Mike Chapple
02.13.2007


File format vulnerabilities are quickly taking center stage as one of the primary information security threats facing modern enterprises. An attacker exploiting one creates a carefully crafted file that triggers a flaw (such as a buffer overflow) in the application that parses it, so the file itself, not a network packet, is the delivery vehicle. These vulnerabilities are especially worrisome because the flaw usually lives in parsing code that the vendor ships unchanged on every platform, so a single exploit often crosses platforms. For example, a file format vulnerability in Adobe Acrobat might allow an attacker to create a single malicious PDF file that compromises Windows, Macintosh and Linux systems.
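To make the mechanism concrete, here is an added example in C; it is not code from the original article or from any of the vendors it discusses. It parses a made-up chunked file format ("TOY1" magic, then type/length/payload chunks), first written the way the vulnerable applications above are written, trusting the length field inside the file, and then hardened so every length is checked against the bytes actually present and against the destination buffer. The format, the function names and the three sample files are all constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical "TOY1" format: 4-byte magic, then chunks of
   [1-byte type][2-byte little-endian length][payload]; 'E' ends the file. */
#define NAME_CAP 32

enum { TOY_OK = 0, TOY_EBADMAGIC = -1, TOY_ETRUNC = -2, TOY_ETOOLONG = -3, TOY_ENONAME = -4 };

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* VULNERABLE: the copy length comes straight from the file, so a crafted
   'N' chunk reads past the end of data and overflows buf on the stack. */
int toy_name_unsafe(const uint8_t *data, size_t size, char *name)
{
    char buf[NAME_CAP];
    const uint8_t *p = data + 4;              /* magic is not even checked */
    while (p < data + size) {
        uint8_t type = p[0];
        uint16_t len = rd16le(p + 1);
        p += 3;
        if (type == 'N') {
            memcpy(buf, p, len);              /* attacker-controlled length */
            buf[len] = '\0';
            strcpy(name, buf);
            return (int)len;
        }
        p += len;
    }
    return TOY_ENONAME;
}

/* HARDENED: validate the header, then check every declared length against
   the bytes remaining in the file and against the caller's buffer. */
int toy_name_safe(const uint8_t *data, size_t size, char *name, size_t name_cap)
{
    if (size < 4 || memcmp(data, "TOY1", 4) != 0) return TOY_EBADMAGIC;
    size_t off = 4;
    while (off < size) {
        if (size - off < 3) return TOY_ETRUNC;        /* chunk header must fit */
        uint8_t type = data[off];
        uint16_t len = rd16le(data + off + 1);
        off += 3;
        if (len > size - off) return TOY_ETRUNC;      /* declared > available */
        if (type == 'E') break;
        if (type == 'N') {
            if (len >= name_cap) return TOY_ETOOLONG; /* leave room for the terminator */
            memcpy(name, data + off, len);
            name[len] = '\0';
            return TOY_OK;
        }
        off += len;
    }
    return TOY_ENONAME;
}

/* Wrappers that own the output buffer, used by main() and by tests. */
int toy_check(const uint8_t *data, size_t size)
{
    char name[NAME_CAP];
    return toy_name_safe(data, size, name, sizeof name);
}
int toy_name_is(const uint8_t *data, size_t size, const char *expected)
{
    char name[NAME_CAP];
    return toy_name_safe(data, size, name, sizeof name) == TOY_OK && strcmp(name, expected) == 0;
}
int toy_unsafe_len(const uint8_t *data, size_t size)
{
    char name[NAME_CAP];
    return toy_name_unsafe(data, size, name);
}

/* Constructed sample files for this example (not real-world samples). */
static const uint8_t BENIGN[] = { 'T','O','Y','1', 'N',5,0,'h','e','l','l','o', 'E',0,0 };
/* Declares a 65535-byte name but carries 4 bytes: out-of-bounds read plus stack smash in the unsafe parser. */
static const uint8_t CRAFTED_TRUNC[] = { 'T','O','Y','1', 'N',0xFF,0xFF,'A','A','A','A' };
/* Internally consistent, yet the 40-byte name still overruns the 32-byte buffer. */
static const uint8_t CRAFTED_LONG[] = { 'T','O','Y','1', 'N',40,0,
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    'E',0,0 };

int main(void)
{
    /* The unsafe parser is only ever fed the benign file here: feeding it either
       crafted file is undefined behaviour (a crash at best, code execution at worst). */
    printf("unsafe, benign:  len=%d\n", toy_unsafe_len(BENIGN, sizeof BENIGN));
    printf("safe, benign:    %d name_ok=%d\n", toy_check(BENIGN, sizeof BENIGN),
           toy_name_is(BENIGN, sizeof BENIGN, "hello"));
    printf("safe, truncated: %d\n", toy_check(CRAFTED_TRUNC, sizeof CRAFTED_TRUNC));
    printf("safe, too long:  %d\n", toy_check(CRAFTED_LONG, sizeof CRAFTED_LONG));
    return 0;
}
```

Build with `cc -Wall toy.c && ./a.out`. The two crafted files show the two checks a parser needs: one for lengths that exceed the file (the out-of-bounds read) and one for lengths that exceed the destination (the overflow), and a file can fail the second while passing the first. Compiling the unsafe variant with `-fsanitize=address` and feeding it the crafted inputs is the quickest way to see why vendors ship these fixes as patches to the parser rather than as configuration changes.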

A recent analysis by SPI Dynamics found that roughly a quarter of the patches Microsoft released during the past two years addressed file format issues. Several file format exploits have already appeared in the wild, most notably the Windows Metafile (WMF) exploit of late 2005 and early 2006.

While Windows users are familiar with Patch Tuesday and the steady stream of updates from Microsoft, all computer users should become familiar with the update processes of their operating systems and applications, since a file format vulnerability affects every platform on which the vulnerable application runs. Attackers who previously targeted Windows because of its predominance may now be less discriminating. Two recent cases illustrate this point.

First, on Jan. 4, the United States Computer Emergency Readiness Team (US-CERT) announced that Apple's popular QuickTime player was vulnerable: a maliciously crafted QuickTime file embedded in a Web page could let an attacker read the contents of the viewing system's local file system. The vulnerability affected the QuickTime plug-in in both Microsoft's Internet Explorer (IE) and Apple's Safari. An exploit was developed and spread through MySpace before Apple released a patch.

Then, on Jan. 9, Adobe Systems released a security bulletin acknowledging file format vulnerabilities in all versions of Acrobat Reader prior to 7.0.9. Again the vulnerability was platform-independent: every Acrobat-supported platform -- Windows, Mac and Unix -- was affected. Exploitation required only that the user open a malicious PDF file, and could give the attacker control of the system. Given the widespread use of Acrobat Reader and the trust users place in Adobe software, this vulnerability had the potential to cause widespread infections.

So, what can be done to protect the enterprise against file format vulnerabilities? The fixes aren't surprising; in fact they're all best practices that information security professionals have espoused for years:

  • Patch applications regularly. While this sounds like a no-brainer, application patch management is trickier than it seems. Application patches are delivered through various mechanisms that all need to be coordinated. Microsoft applications use the standard Microsoft Update process, while other applications like Firefox and Acrobat have their own automatic update procedures. Each of those applications likely has a box buried somewhere in a preference tab that must be checked to enable automatic updates. For example, in Firefox, you must open the Tools->Options window, select the Advanced tab, then the Update subtab, and finally choose "Automatically download and install the update." Still other applications have no facility for automatic updates and require manual patching. The practical check is an inventory: know which version of each file-parsing application is installed on each machine, because a patch you cannot confirm was applied is no patch at all.

  • Monitor security bulletins. Many vulnerabilities are identified and publicized days or weeks before a patch becomes available. Unfortunately, attackers also read security bulletins, so there is often an exploit before there is a patch (as was the case with the MySpace QuickTime exploit). During that window, interim mitigations such as disabling the affected plug-in or blocking the file type at the mail gateway and Web proxy are the only protection you have.

  • Practice configuration management. In addition to assisting with operating system issues, configuration management practices such as standardized images and change control can help regulate environments and tame the "Wild West" atmosphere where users install software and tinker with settings, potentially undermining application security.

  • Minimize the software footprint of your organization. The fewer software packages used, the fewer to track for new security vulnerabilities. If possible, consolidate or eliminate applications from the portfolio; doing so will reduce risk.

As operating system vendors continue to harden their products against yesterday's exploits, expect to see malware developers focus on application flaws. There's a relatively untapped wilderness of vulnerabilities out there and plenty of people with too much time on their hands preparing new exploits.

About the Author:
Mike Chapple, CISA, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.



All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy