Are IT Risks Lurking On Your Machines?
Here's an interesting problem that comes with a lesson.
A vulnerability in an Adobe application isn't a big risk, but the problem can expose some other, more dangerous risks lurking on your systems. Adobe Photoshop Album Starter Edition version 3.2 can be made to execute code with the privileges of the victim user if a criminally crafted BMP file is opened within the application.
Photoshop Album Starter is often installed on OEM systems or by default with some popular digital camera software, so it's probably on many systems. Bitmap .BMP files are one of the most basic file formats on a Windows system, given they're used for wallpaper. So, one might easily think, "Wow, this is a huge risk!"
But consider, if you will, the last time you found yourself thinking about .BMP images in the context of photos or, even less plausible, using them in a photo album. Sure, you might use .BMPs, but who does? In other words, risk took a huge step backward because it's highly unlikely you'd ever save a photo as a .BMP and use it in a photo album.
Now, another consideration: The issue here isn't a photo you've taken and wanted to include in a photo album, but one which you've obtained via the Web or via e-mail. Oh sure, you might get that file, but it'll likely be in those other, more popular formats, like .JPG or .GIF. Again, risk takes a step backwards.
Finally, consider that .JPG and .GIF files, the most ubiquitous formats for photos on the Web, have both had vulnerabilities which, if criminally crafted, could cause code to execute simply by viewing them. Yet despite this, these vulnerabilities have never been attacked. If criminals have not chosen to exploit these more vulnerable formats, then why might they make a convoluted attempt to deliver a criminally crafted .BMP in the hopes you'd open it in Adobe Photoshop Album Starter Edition?
Risk is now virtually non-existent. This is so typical of so many "discoveries." Vulnerability? Yes, there is one, and yes, it could be exploited ... but ... who's the victim? How likely is it that there'll be a victim?
At the very least, then, there are some lessons to be learned from such an announcement:
Have you provided your employees with systems that have default images on them supplied by an OEM? If you have, who knows how many applications that have no significant business use are sitting waiting for problems. We have long been predicting problems with what we term "barnacleware," or add-on applications that "help" get something done. We've heard about Flash vulnerabilities and vulnerabilities in Acrobat Reader. There are typically upwards of 30 or more of these types of applications in a standard OEM build. Allowing them all to stay on your corporate build is asking for problems.
The solution is to buy one, figure out what on the standard build you don't want and remove it. Test it to verify you haven't broken something significant, and then request that the OEM supply all further purchases with the new build you've designed. It isn't as hard as it sounds, and it's well worth the effort -- and, maybe, money -- to know your PCs won't change without your knowledge.
Do you allow employees to install whatever applications they want? Your employees are probably thinking, "Why e-mail your family photos from home when you can use the bandwidth offered from the office?" So your employee installs camera software on the work machine and uploads pictures, and then e-mails from there. Not only is all of this non-business related, but perhaps the camera software was only licensed for a single system, and now your business machine is in violation. Further, now your bandwidth is getting chewed up with, possibly, 20MB pictures being tossed around.
Make sure you have an "Appropriate Use" policy for your company machines. In these litigious days, not stating what your employees can and cannot do with their machines is another recipe for disaster. If you don't tell them explicitly, then they'll make all sorts of assumptions. Those assumptions may very well land you or your employees in court. If the only thing you need to say is, "Here is our 'Appropriate Use' policy," you'll have far less to worry about.
Considering that so many of you are into patch-o-mania, have you thought about just how you're going to keep 20 to 30 barnacleware applications up to date? Those apps may or may not have automatic updating features. Some update only when they're opened; others install yet another application that periodically checks for updates. Some let you specify how often apps get fixed. None, other than Windows Update, allow you to host the updates yourself to save bandwidth. Scared yet? Isn't it enough that you have to worry about the OS, browser, and your main applications and server services?
In some cases, the risk is nil. In the case of Flash, it is more pronounced. In other words, just because it's barnacleware doesn't mean it's a non-issue, nor does it mean it has to be a fire drill to get something patched. In any event, carefully considering what you will or won't allow on your corporate systems goes a long way to minimizing risk, and maybe more importantly, the effort you have to put into maintaining secure systems.
Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.