Hackers are certainly giving Adobe's products a tough time at the moment, with dangerous vulnerabilities being discovered on a monthly basis. Back in January, the only way for Shockwave users to protect themselves from a variety of vulnerabilities was to manually uninstall Shockwave, reboot their systems, and then install the latest version. RealNetworks has also encountered problems, though not on the same scale as Adobe.
With any software used in an enterprise environment, it is important that a proper risk analysis is carried out prior to it being installed. What should prompt the risk analysis is a user request justifying why the software is needed. I am not sure what type of organization would need to roll out either RealPlayer or Shockwave across the enterprise; neither can be classified as productivity tools.
If there is one section of your organization that can justify their use, then evaluate the gains in productivity and any other benefits they deliver to your organization against the potential risks they introduce. Both these programs have been used by malicious hackers to attack networks in the past, so security pros must be confident that their organizations have both robust perimeter defenses that can handle traffic specific to these programs and a security policy that is strictly enforced.
Both the vulnerabilities mentioned above require the victim to interact with the attacker in some way, such as downloading a malicious file or clicking a malicious link. This is why it is vital to have a security policy mandating all users are made familiar with these risks through security awareness training, and back that up with controls to monitor user activity. These tactics are vital to prevent these attacks from succeeding.
Another defensive measure is to subscribe to security alerts for the software that you run on your systems. These can either be directly from the vendor or through an "unbiased" service such as Secunia's Vulnerability Intelligence Feed. This service can be tailored to trigger alerts relevant to your IT infrastructure, and Secunia often provides alternative remediation suggestions. Review Secunia's advisory statics for a vendor or product as part of your risk analysis. Doing this will help provide an idea of how many vulnerabilities exist for a given application and the speed with which a vendor responds to vulnerabilities.
This was first published in September 2010