[ISN] Corporate crimeware threat 'moving to Adobe'

From: InfoSec News (alerts@private)
Date: Thu Feb 08 2007 - 22:09:08 PST


http://news.zdnet.co.uk/security/0,1000000189,39285850,00.htm

By Graeme Wearden in San Francisco  
ZDNet UK
08 Feb 2007

Security improvements made to Office 2007 mean cyberattackers will focus 
on flaws in other desktop applications, experts warn

The launch of Microsoft Office 2007 is likely to force malicious hackers 
to focus more attention on looking for vulnerabilities in other desktop 
applications, such as Abobe's Acrobat Reader, experts told delegates at 
the RSA Conference 2007 in San Francisco on Wednesday.

Today, most spyware and other "crimeware" applications target flaws in 
client-side applications, explained Jeff Moss, who founded the Black Hat 
and Def Con hacker conventions. These attacks involve sending an 
employee or home user a modified file, or a hyperlink to a web download, 
which will compromise their system if executed.

"Office 2007 is much better architected, and the fine-grained 
capabilities are much better [than Office 2003], so you're going to see 
a lot less application attacks against Office, and because of that 
you're going to see less attacks against Vista that are successful," 
predicted Moss.

"So, where do the attackers go? Every other app that you are running. 
That's going to be Acrobat, and we've already started seeing that in the 
last couple of months. They just go for the lowest hanging fruit", Moss 
said.

Moss added that Adobe has recently begun patching more quickly, because 
it has become more of a target for these attacks. In January, Adobe 
admitted that its PDF Reader application contained a major security 
hole, which exposes a user's hard drive to attack.

The RSA Conference heard that crimeware is a rapidly growing threat 
facing both companies and individuals. Criminals are using Trojans, 
rootkits, keyloggers and other pieces of malware in a concerted attempt 
to steal personal data, log-in codes or banking details.

Doug Camplejohn, chief executive of Mi5 Networks which sells 
anti-spyware products cited analyst firm Gartner's prediction that 75 
percent of enterprises will fall victim to a piece of financially 
motivated spyware in 2007. However, he wasn't sure that the recent 
launch of Office 2007 will have a significant effect on the problem.

"Not everyone is going to move to Vista overnight. So there's going to 
be a broad period of time when there's a broad user base that is going 
to have the existing vulnerabilities to deal with," said Camplejohn.

According to Moss, a team of malicious hackers might spend a month 
working on a client-side exploit before releasing it, but may devote as 
much as nine months perfecting a server-side attack, trying to get it 
exactly right before launching it. If the attack relies on a 
previously-unknown flaw, they may only have one shot before security 
vendors wake up to the problem and issue protection.

Because crimeware often relies on an individual running an application 
or clicking on a link, education should be a key part of a company's 
defence strategy, the conference heard. Locking down non-essential 
applications to limit the company's exposure to danger is also 
recommended.

"If I've got a user who isn't supposed to go onto the internet, why am I 
allowing them internet access?" asked Andre Gold, director of 
information security at Continental Airlines.

Camplejohn agreed that a more prescriptive, proactive approach may be 
better. "User education is nice, but I think that for the most part it 
falls on deaf ears," he said. "What we find most effective is to 
basically slap someone's hand right when they're doing something. A 
screen pop-up that tells them 'You can't do this' because that's 
confidential data that's going out that door."

"In some cases, people don't know that's something that they shouldn't 
be doing. And also, they know someone's watching."


______________________________________
Subscribe to the InfoSec News RSS Feed
http://www.infosecnews.org/isn.rss



This archive was generated by hypermail 2.1.3 : Thu Feb 08 2007 - 22:34:26 PST