Adobe and Cisco have released security advisories covering vulnerabilities that, in some cases, would allow an attacker to take control of an infected system.
Adobe's half-dozen security bulletins detail vulnerabilities in the Unix version of its widely used Adobe Reader 8.1.2, ColdFusion MX 7 and ColdFusion 8, Adobe Form Designer 5.0 and Adobe Form Client 5.0 Components, and LiveCycle Workflow 6.2.
Of the six, Adobe rated only an ActiveX control vulnerability impacting the Adobe Form Designer 5.0 and Adobe Form Client as "critical." Adobe said in its bulletin that it has identified multiple input validation errors in those products that could allow an attacker who successfully exploits the vulnerabilities to take control of the affected system.
Exploiting the vulnerabilities would require loading a malicious HTML file in the end-user's browser; the vulnerabilities are remotely exploitable, the company noted. Adobe has released a patch for this bug.
With the vulnerable Adobe Form ActiveX control, "visiting a malicious or compromised site may result in an attacker being able to do anything that an administrator can do on the victim's computer," Will Dormann, a vulnerability analyst at the Carnegie Mellon Software Engineering Institute, CERT/CC, and the researcher who uncovered the Form Designer vulnerabilities, told SCMagazineUS.com.
"Because of the pervasiveness of flawed ActiveX controls, we recommend users disable ActiveX by default in [Internet Explorer's] Internet Zone. Rather than blocking individual ActiveX controls as the flaws are publicly revealed, it is much more effective to have ActiveX disabled by default and then choose which sites should be allowed to use ActiveX," he said.
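As an added example (not from the article, CERT/CC or Adobe), the following PowerShell script audits and applies the per-user Internet Explorer configuration Dormann describes: ActiveX disabled by default in the Internet Zone, with individual sites opted back in through the Trusted Sites zone. The registry paths and URL-action values are the standard IE zone settings; the trusted site name is a placeholder.

```powershell
# Added example: audit and harden IE's Internet Zone ActiveX settings for the current user.
# Per-user settings live under HKCU; a domain-wide policy would use the matching HKLM
# keys or Group Policy instead (assumption: run in the affected user's session).
$ZonesKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$InternetZone = "$ZonesKey\3"   # zone 3 = Internet Zone
$ZoneMap      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# ActiveX-related URL actions, keyed by their hex value name in the zone key.
$ActiveXActions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
}
# Setting semantics for each action: 0 = Enable, 1 = Prompt, 3 = Disable

function Get-InternetZoneActiveXState {
    # One row per action: current value and whether it is already disabled.
    foreach ($action in ($ActiveXActions.Keys | Sort-Object)) {
        $value = (Get-ItemProperty -Path $InternetZone -Name $action -ErrorAction SilentlyContinue).$action
        [pscustomobject]@{
            Action   = $action
            Meaning  = $ActiveXActions[$action]
            Setting  = $value
            Disabled = ($value -eq 3)
        }
    }
}

function Disable-InternetZoneActiveX {
    # Hardened default: every ActiveX action in the Internet Zone set to 3 (Disable).
    foreach ($action in $ActiveXActions.Keys) {
        Set-ItemProperty -Path $InternetZone -Name $action -Value 3 -Type DWord
    }
}

function Add-TrustedSite {
    # Opt one site back in by mapping its host to zone 2 (Trusted Sites), whose own
    # ActiveX defaults then apply. IE also accepts the split form Domains\example.com\host.
    param([Parameter(Mandatory)][string]$Domain, [string]$Scheme = 'https')
    $key = Join-Path $ZoneMap $Domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Scheme -Value 2 -Type DWord
}

Get-InternetZoneActiveXState | Format-Table -AutoSize   # audit before
Disable-InternetZoneActiveX
Add-TrustedSite -Domain 'intranet.example.com'           # placeholder site that needs ActiveX
Get-InternetZoneActiveXState | Format-Table -AutoSize   # audit after
```

Only sites that genuinely require a control should be added to the Trusted Sites zone, since everything mapped there regains the zone's ActiveX permissions.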
Three of the Adobe flaws impacted ColdFusion, the company's web development tool. Two of them are "important," one is "moderate." The important vulnerabilities involve cross-site scripting attacks; the moderate one involves problems with ColdFusion recognizing failed login attempts. The cross-site scripting vulnerability is specific to ColdFusion running on Microsoft Windows IIS 6 installations, Adobe said. Adobe has released patches or workarounds for these problems.
Similarly, LiveCycle Workflow 6.2 is vulnerable to cross-site scripting, another "important" flaw. Adobe has issued a patch for this bug.
Adobe said a vulnerability in the launcher script for Adobe Reader 8.1.2 for Unix could allow malicious local users to escalate their privileges, with the opportunity to modify or delete files. This is a "moderate" bug, with a patch in the works. Until the patch is out, Adobe recommends allowing only "trusted users" to access vulnerable systems locally.
Cisco meanwhile released cisco-sa-20080312-ucp, which addresses multiple flaws in its Secure Access Control Server for Windows User-Changeable Password (UCP) program. According to Cisco, Felix "FX" Lindner, a security researcher at Recurity Labs GmbH, discovered two sets of vulnerabilities in UCP.
"The first set of vulnerabilities addresses several buffer overflow conditions that could result in remote execution of arbitrary code on the system where UCP is installed," Cisco said in its advisory. The second set covers cross-site scripting flaws in the UCP application pages.
Both sets of vulnerabilities could be remotely exploited, and neither requires valid user credentials. Cisco has released an update for UCP that addresses these vulnerabilities. There are no workarounds that mitigate these vulnerabilities, according to the company.
Without addressing any of the specific Adobe or Cisco patches, John Walsh, senior vice president of engineering for Ecora, told SCMagazineUS.com that he doesn't think there is any silver bullet to solve the problem of managing ongoing patches in a multi-vendor enterprise IT environment.
"It's obviously a tough problem, but you have to evaluate what impact each patch has on your organization, and you have to take remediation steps fairly quickly," he said.
The best way to manage this process is to have an accurate understanding of your environment, for two purposes, he said. "One is from a disaster-recovery perspective and [the other] is a service-impact analysis, so you can understand what vulnerabilities you have and the risk level on the devices in your network."
On a broader note, CERT has "noticed a trend in attackers focusing less on servers and more on client systems," Dormann said. This is a logical evolution "as servers have become more protected and the number of client systems connected to the internet has drastically increased."
CERT has also "seen a dramatic increase in the number of ActiveX vulnerabilities...used by attackers frequently," he said. "This can possibly be attributed to the public availability of ActiveX 'fuzz' testing tools and the ubiquity of Internet Explorer."