Security Watch

Software Bugs That Cling

Old QuickTime flaw points to problems with 'barnacleware.' Plus: Adobe Acrobat BOV, and Blackberry-hating in the UK.

Apple has, once again, released a security patch for QuickTime. The latest version addresses the Real Time Streaming Protocol vulnerability announced in January just prior to the release of an earlier patch. RTSP must be enabled for a user to fall prey to an attack against the flaw, which would most likely happen after visiting a criminally crafted Web page. (Details here.)

There has been speculation that this vulnerability was being used in the wild. Rumors have not been confirmed, and we doubt the veracity of those claims.

To give you an idea why the QuickTime fix can pose a threat on a wide scale, allow me to introduce you to a relatively new term: barnacleware. Barnacleware is software, such as Adobe Acrobat, Flash, Roxio, DVD players and the like, that typically comes preloaded on a new home computer. A new system can have anywhere from five to 20 such applications installed on it, most of which never get updated.

The problem is that criminals are looking for -- and, in some cases, discovering -- vulnerabilities in barnacleware. Because those apps are rarely updated, once a vulnerability is found it becomes a long-lived attack mechanism.

Vendors are slowly realizing they need some method for automatically updating products. InstallShield, a commonly used tool for software installations, offers an update system that smaller vendors could use, but it seems it's rarely employed.

Performing updates on all this barnacleware is tough for administrators without a more elaborate patch management system like Systems Management Server. As such, even business systems can become laden with out-of-date barnacleware.

Unfortunately I don't have an answer to the problem that resolves all of the issues. Be careful about what you permit on your corporate builds when purchasing them; try to ensure the barnacleware has its own updating mechanism and that it is turned on by default. Consider any software that doesn't update itself a potential problem, and keep your eyes open for competing products that do update themselves. If the barnacleware can be invoked via the browser, consider using administrator approval to block it or change its behavior, so that the documents it handles have to be saved to disk before being opened -- that way, your anti-virus can have a look at them.

We've had this issue on our radar for some time now and see no reason for it to get much better any time soon.

Java Runtime Gives Up Too Easily
Sun has released details regarding two Sun Java Runtime Environment vulnerabilities that were previously patched. The vulnerabilities could allow an applet to elevate its privilege without notifying the user. The elevation could give the applet the permissions of the user. Updates were previously released.

Acrobat, Reader Make JavaScript Jump Through Hoops
Adobe Acrobat and Reader, if JavaScript is enabled, could be exploited to cause code of a criminal's choice to execute should a potential victim agree to open a criminally crafted .PDF document. Such code would execute in the security context of the victim user. Patches are available for version 8, but not yet for 7. Proof-of-concept code was published, and reports indicate that exploitation has been seen in the wild.
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=657
http://www.adobe.com/support/security/advisories/apsa08-01.html
http://www.kb.cert.org/vuls/id/666281

Adobe has released an updated version that addresses this vulnerability, as well as at least two other as-yet-undisclosed vulnerabilities. Adobe does not automatically update its clients; however, version 8 can be set to check for updates each time it is invoked. This does not ensure the software is updated, because users must accept any updates and be prepared to wait for them to complete before reading whatever document caused them to start Acrobat in the first place. For many users, this convoluted updating mechanism will leave their Acrobat very out of date.

UK Doesn't Like the Unencrypted BlackBerry
The UK government introduced a policy that bans the use of any mobile device capable of storing personal information unless the data on it is encrypted. As a result, any BlackBerry that is not using the Enterprise Server for its e-mail is banned from use. (Details here.)

Not all BlackBerrys are alike. It is impossible to tell at a glance whether a BlackBerry is or isn't connected to an Enterprise Server. So, users will simply purchase one themselves without having it connected to the corporate server. As such, data may be leaked unencrypted via the Desktop Redirector software. Scanning desktops for the running process should help identify rogue BlackBerry users.
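As an added illustration of the desktop scan the column suggests (example code, not from the author), the PowerShell below queries each desktop listed in an inventory file over WMI for a named process and reports the machine and the account running it. The process image name and the inventory file path are assumptions; substitute the actual Desktop Redirector executable name and your own host list.

```powershell
# Added example: find desktops running a given process and who is running it.
# Assumptions: the process image name below is a placeholder for the real
# Desktop Redirector executable, and desktops.txt holds one hostname per line.
$ProcessName = 'REDIRECTOR-PLACEHOLDER.exe'        # replace with the real image name
$Hosts       = Get-Content -Path '.\desktops.txt'   # assumed inventory file

$Findings = foreach ($Computer in $Hosts) {
    try {
        # Win32_Process lists every running process on the remote machine;
        # -ErrorAction Stop turns an unreachable host into a catchable error.
        $Procs = Get-WmiObject -Class Win32_Process -ComputerName $Computer -ErrorAction Stop |
                 Where-Object { $_.Name -ieq $ProcessName }

        foreach ($P in $Procs) {
            # GetOwner() returns the account the process runs under, which
            # points at the user rather than only the machine.
            $Owner = $P.GetOwner()
            New-Object PSObject -Property @{
                Computer = $Computer
                Process  = $P.Name
                PID      = $P.ProcessId
                User     = "$($Owner.Domain)\$($Owner.User)"
                Path     = $P.ExecutablePath
            }
        }
    } catch {
        # Hosts that are off or unreachable are reported, not silently skipped,
        # so the scan's coverage is visible in the output.
        Write-Warning "Could not query $Computer : $($_.Exception.Message)"
    }
}

# One row per matching process; an empty table means no host reported it.
$Findings | Sort-Object Computer | Format-Table Computer, User, PID, Path -AutoSize
$Findings | Export-Csv -Path '.\redirector-findings.csv' -NoTypeInformation
```

The CSV gives you a record per scan run so that a user who only starts the software occasionally still shows up across repeated scans.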

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
