FTA: "The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609)."
How many times has Adobe been responsible for such backdoors? I mean, they can't even put out a decent PDF "reader", for Chrissake. This company shouldn't be allowed to operate till they get their act together (I'm just venting). I hope someone sues Adobe one of these days and drives them into bankruptcy.
Let us not forget that Adobe's PDF reader actually has a good track record against alternative implementations, such as the one used by Apple. Given Flash's ubiquity (which makes it a prime target for production exploits) it is actually doing quite well at the whole security game.
“Later this month at the CanSecWest security conference in Vancouver, Charlie Miller plans to unveil research that he says has turned up 30 previously unknown critical security vulnerabilities in common software, 20 of which are in Apple’s Preview application,” Andy Greenberg reports for Forbes. “In other words, he says he’s found 20 different ways that a cybercriminal could hijack the machine of any Mac user tricked into opening an infected PDF–or given that Safari uses the same code as Preview to render PDFs, simply visiting an infected Web page.”
...
“After running his fuzzer program on the applications for 3 weeks each, Miller found nearly a thousand unique ways to make the programs crash, and combed through those data to find which of those bugs allowed him to take control of the program,” Greenberg reports. “The results don’t look good for Apple: 20 exploitable bugs in Preview compared with either 3 or 4 each in Reader, PowerPoint, and OpenOffice… Even so, Miller doesn’t confine his criticism to Apple. ‘Microsoft, Apple, and Adobe all have huge security teams, and I’m one guy working out of my house,’ he says. ‘I shouldn’t be able to find bugs like these, ever.’”
Reader has probably 100 other features that are very important to companies who produce documents consumed by it, that you're probably not even aware of.
If you're using it as a PDF reader, you're doing it wrong. Try FoxIt (or since they're going the bloat/install-ware route), the lighter Sumatra. If you're not on Windows, I have no idea why you'd go installing Adobe Reader anyway, less you need those previously alluded to features.
>If you're using it as a PDF reader, you're doing it wrong.
Entirely agree. As well as the extra features, which I essentially never see anyone use, though I of course don't see internal documentation. And I've seen one embedded 3D model and a couple sound files.
However. "You're doing it wrong" ignores the real world, where almost everyone uses Adobe's reader to view PDFs. OSX users are a bit of an abnormality, as they have Preview installed by default, but many many many things still tell you you need "Adobe Reader" installed, and provide a link, and people install it, and it takes over. Or company / school / government-supplied computers have it pre-installed.
I feel I can be confident saying that millions of people use Adobe's reader as nothing more than a reader. That's millions of slow, intrusive, background-running, auto-starting readers just hanging around, waiting to be exploited. And they're likely sitting on computers for people who don't even know any other option exists, are less techy, and are therefore even more likely to be easy-entry targets.
Millions of people run Windows, ignore automatic updates and don't understand why their peers tell them to use Firefox.
I don't disagree with your point, but maybe they're just different variants of "doing it wrong". The fact that they're ignorant of alternatives doesn't make it less of a bad practice.
The majority of this post is RSA tooting its own horn for catching the attackers so quickly (along with other PR shenanigans). It'd be a nice if we could see a more detailed, straight-up technical version without all the pandering.
That said, the "new defense doctrine" against phishing and other impersonation scams should be, dun dun DUN, public key cryptography. It's not that complicated, and it would save so many people so much trouble if they actually used it. HBGary comes to mind, and now RSA; if RSA had even just signed its emails, not encrypted, this attack would not have happened. Kind of funny that a big firm whose whole business is based on this kind of cryptography wouldn't use it extensively itself.
It'd also be nice if they answered the important question "was the private key securing all the deployed tokens stolen?". Knowing _how_ it happened satisfies some intellectual curiosity, but fundamentally hasn't shown us anything we don't know.
A number of employees within RSA do sign their emails. But there is this weird issue where you can only setup email signatures if you're a full time employee of RSA, not a contractor. But most do sign their emails.
What surprises me is Poison Ivy, we were on the EMC network which was quite highly restricted, with all ports blocked apart from 80 and 443, even ssh was blocked over 443. So this method of using Poison Ivy would've had to have been on a popular site which was whitelisted which included most if not all of the social networking websites and online email. Not sure how data was "ftped" since that is also blocked.
Is there any authority under which DHS or the Department of Commerce can condemn as unsafe-for-human-habitation the entire Adobe product line? Just red-tag the whole vulnerability-infested infrastructure?
How many times has Adobe been responsible for such backdoors? I mean, they can't even put out a decent PDF "reader", for Chrissake. This company shouldn't be allowed to operate till they get their act together (I'm just venting). I hope someone sues Adobe one of these days and drives them into bankruptcy.