Q

Are RealPlayer, Adobe Shockwave vulnerability risks too great for the enterprise?

Adobe Shockwave and RealNetworks RealPlayer are fun and convenient for enterprise users, but are their vulnerabilities worth the risk of having them?

The US-CERT has issued security warnings regarding Shockwave and RealPlayer media applications. Are these applications considered safe for an enterprise environment, or do they pose too much risk?

The National Vulnerability Database (NVD) is run by the Computer Security Division Information Technology Laboratory of NIST and is sponsored by the Department of Homeland Security's National Cyber Security Division. The NVD vulnerability summary CVE-2010-0116 covers an integer overflow in RealNetworks RealPlayer, and summary CVE-2010-2874 covers an unspecified vulnerability in Adobe's Shockwave Player. Both of these alerts were issued in September and the vulnerabilities are classified as "critical." At the time of writing, no fixes have been released.

Hackers are certainly giving Adobe's products a tough time at the moment, with dangerous vulnerabilities being discovered on a monthly basis. Back in January, the only way for Shockwave users to protect themselves from a variety of vulnerabilities was to manually uninstall Shockwave, reboot their systems, and then install the latest version. RealNetworks has also encountered problems, though not on the same scale as Adobe.

With any software used in an enterprise environment, it is important that a proper risk analysis is carried out prior to it being installed. What should prompt the risk analysis is a user request justifying why the software is needed. I am not sure what type of organization would need to roll out either RealPlayer or Shockwave across the enterprise; neither can be classified as productivity tools.

If there is one section of your organization that can justify their use, then evaluate the gains in productivity and any other benefits they deliver to your organization against the potential risks they introduce. Both these programs have been used by malicious hackers to attack networks in the past, so security pros must be confident that their organizations have both robust perimeter defenses that can handle traffic specific to these programs and a security policy that is strictly enforced.

Both the vulnerabilities mentioned above require the victim to interact with the attacker in some way, such as downloading a malicious file or clicking a malicious link. This is why it is vital to have a security policy mandating that all users be made familiar with these risks through security awareness training, and to back that up with controls to monitor user activity. These tactics are vital to prevent these attacks from succeeding.

Another defensive measure is to subscribe to security alerts for the software that you run on your systems. These can come either directly from the vendor or through an "unbiased" service such as Secunia's Vulnerability Intelligence Feed. This service can be tailored to trigger alerts relevant to your IT infrastructure, and Secunia often provides alternative remediation suggestions. Review Secunia's advisory statistics for a vendor or product as part of your risk analysis. Doing this will help provide an idea of how many vulnerabilities exist for a given application and the speed with which a vendor responds to vulnerabilities.

This was first published in September 2010
