Educause Security Discussion mailing list archives
Handling the spate of bad browser plug-in vulnerabilities
From: David Escalante <david.escalante () BC EDU>
Date: Fri, 9 Nov 2007 12:13:07 -0500
Hi, we're concerned here at BC with the batch of really nasty vulnerabilities that have come out in the past several weeks involving very popular software including Adobe Acrobat, SUN Java, Apple Quicktime, and RealPlayer. All of these vulnerabilities have been ranked a 9 or 10 on the CVSS severity scale, which ranges from a low of 1 to a high of 10. (Details below the signature for those who are curious or who missed these announcements.) Our network equipment is already seeing attacks using some of these vulnerabilities. The attacks require luring the user to a web site or file download, so at least they're not like a worm, but one or more of these pieces of software is likely installed on everyone's computer on campus.

What we're wondering is what, if anything, other campuses are doing to address this issue. Simple notification is one option. Automated patching is not likely to be available for the student computers. More aggressive campaigns beyond simple notification also might have an effect, as would attempting various network defenses, which would have to rely on network technology that monitors outbound connections.

We have also found, for what it's worth, that it's difficult to document how to patch this software because there are so many versions of it out there, along with "professional" and "free" editions, that all have slightly different patching paths. Some patch automatically or notify the user that a patch is available; others do not.

Has anyone had any strategy, technique, or lucky idea they've used to address the smorgasbord of browser plug-in issues?

--
David Escalante
Boston College

-----------------------------------------------------------------
Acrobat: CVE-2007-5020, CVSS base score: 9.3
Java: CVE-2007-5689, CVSS base score: 10.0
Quicktime: CVE-2007-[4672-4677], CVSS base score: 9.3
RealPlayer: CVE-2007-[5601,2263-4,4599,5080-1], CVSS base score: 9.3