This is a classic case of putting functionality before security. If a bank building had been badly damaged by a...
truck running into it, you'd temporarily close it until it was fixed. Nobody would dream of advising customers to keep using that particular branch until the building had been checked and made safe. So why tell customers to continue using an application that's not secure while it's being fixed? For some reason we treat IT systems and software differently, happily allowing customers to carry on using them even when they're known to be insecure. I imagine that Fiserv's software uses some Adobe-related components -- for example, a component to display a PDF document -- and the application hasn't been upgraded to work with newer versions of Adobe Reader.
My big problem with this advisory is that Fiserv has no knowledge or control over how its customers use Adobe Reader for other tasks. This wasn't an advisory solely for internal staff whose surfing and use of Adobe could be more tightly controlled. Given the spate of recent zero-day vulnerabilities in Adobe products (see sidebar), their advice could easily have left customers exposed to flaws that are actively being exploited. It also undoes all the work that has gone into making people understand the importance of keeping their software up to date. Any application providers or companies who urge users to continue using outdated and insecure software because upgrading may break functionality in custom software are doing the industry a disservice.
The best way to avoid Adobe's security issues is to keep your system and software up to date with the latest patches and don't open any attachments from unknown sources. Also make sure your antivirus software provides some form of URL filtering to alert you should you inadvertently head to a known malicious site, as this is a common method used to install malware.
For more information: According to a report issued last month by ScanSafe, 80% of the Web-based attacks from malicious and hacked websites targeted Adobe Reader vulnerabilities in the last three months of 2009. Security firm F-Secure also noted that Adobe Reader vulnerabilities are by far the most popular for use in targeted email attacks.
Dig Deeper on Productivity apps and messaging security
Related Q&A from Michael Cobb
A technique known as the GhostHook attack can get around PatchGuard, but Microsoft hasn't patched the flaw. Expert Michael Cobb explains why, as well...continue reading
Software developed by the hacking group Platinum takes advantage of Intel AMT to bypass the built-in Windows firewall. Expert Michael Cobb explains ...continue reading
Tensions between the U.S. and Russia have led to source code reviews on security products, but the process isn't new. Expert Michael Cobb explains ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.