Importance of client-side security

At the time of writing it’s reported that a vulnerability in Adobe Flash Player, Acrobat Reader and Acrobat, “authplay.dll”, is getting exploited in the wild. Last week at the Kaspersky Security Analyst Summit in Cyprus (http://www.kaspersky.com/press-tour-june-2010), Roel Schouwenberg also brought up the importance of client side security by talking about PDF insecurities. At ph-neutral in Germany another security researcher named Julia Wolf talked about generating and parsing PDF files. Client side security is a huge problem, and often hard to deal with since most automatic updating functions simply don’t support third party software.

My background as a security auditor performing penetration testing has taught me one important thing, which is that most organizations/companies focus on server-side security. Their major focus is to have an advanced firewall, and functions to secure their external assets and DMZ, while totally forgetting about all the workstations.

When companies do perform security audits of their assets, these are often limited to resources which are exposed to the general public such as web, mail and storage, and to internal resources such as databases. It seems that all the focus is put on having a secure website, and totally forgetting about all the clients. Administrators often rely on the built-in update function to make sure that the system is up to date with all security patches. The problem with the built-in update functions is that they often miss third party applications such as PDF readers, flash players, media players, browsers, email clients etc, and these clients are often exploited by malware. In this case not even the built-in update functions would work because there is no patch for this vulnerability. Kaspersky Lab has been working very hard on making the heuristics be able to identify threats like this, which also is the case for this vulnerability and as a result, our customers are protected from this threat. When this threat first was starting to spread in the wild, we did not have a fixed signature for it, but due to the advanced heuristic modules within the Kaspersky product suit we detected this new threat as HEUR:Exploit.Script.Generic and currently detect it as Exploit.JS.Pdfka.ckq.

Currently there is a vulnerability in some of the major Adobe programs, and Kaspersky Lab has identified malware exploiting this vulnerability in the form of drive-by downloads. Such malware can be used in both web-based attacks, and malicious attachments sent in, for example, emails. The payload of this latest vulnerability would in most cases result in malware being downloaded that could, for example, steal sensitive information such as usernames, passwords or banking information, or turn the attacked computer into a node in a botnet. Similar attacks have been successfully exploited against high-profile companies such as Google and ID Software.

According to SecurityFocus this vulnerability affects the following applications and versions:

• Adobe Flash Player 10.0.45.2, 9.0.262, and earlier
• Adobe Flash Player 10.0.x and 9.0.x versions for Windows, Macintosh, Linux, and Solaris
• Adobe Reader and Acrobat 9.3.2 and earlier
• Adobe Reader and Acrobat 9.x versions for Windows, Macintosh, and UNIX

How can I protect myself against these attacks?
Even that there’s no patch yet available for this specific vulnerability, using anti-virus software may prevent further malicious code from being downloaded. Most of the attacks exploiting this vulnerability are using some form of malicious code that can be easily detected by an antivirus solution due to its generic behaviour. Besides antivirus software, we also recommend that you use one of the most effective prevention mechanisms you have; your own instinct.

You may also perform the following best practices to preventing you of getting infected by malware exploiting this vulnerability:

• Disable Javascript mode in Adobe Reader (available in settings)
• Use alternative PDF reader such as Foxit reader with their latest nice feature “Safe reading mode”