
Are RealPlayer, Adobe Shockwave vulnerability risks too great for the enterprise?

Adobe Shockwave and RealNetworks RealPlayer are fun and convenient for enterprise users, but are their vulnerabilities worth the risk of having them?

The US-CERT has issued security warnings regarding Shockwave and RealPlayer media applications. Are these applications considered safe for an enterprise environment, or do they pose too much risk?

The National Vulnerability Database (NVD) is run by the Computer Security Division of NIST's Information Technology Laboratory and is sponsored by the Department of Homeland Security's National Cyber Security Division. The NVD vulnerability summary CVE-2010-0116 covers an integer overflow in RealNetworks RealPlayer, and summary CVE-2010-2874 covers an unspecified vulnerability in Adobe's Shockwave Player. Both of these alerts were issued in September and the vulnerabilities are classified as "critical." At the time of writing, no fixes have been released.

Hackers are certainly giving Adobe's products a tough time at the moment, with dangerous vulnerabilities being discovered on a monthly basis. Back in January, the only way for Shockwave users to protect themselves from a variety of vulnerabilities was to manually uninstall Shockwave, reboot their systems, and then install the latest version. RealNetworks has also encountered problems, though not on the same scale as Adobe.

With any software used in an enterprise environment, it is important that a proper risk analysis is carried out before it is installed. What should prompt the risk analysis is a user request justifying why the software is needed. I am not sure what type of organization would need to roll out either RealPlayer or Shockwave across the enterprise; neither can be classified as a productivity tool.

If one section of your organization can justify their use, then evaluate the gains in productivity and any other benefits they deliver to your organization against the potential risks they introduce. Both of these programs have been used by malicious hackers to attack networks in the past, so security pros must be confident that their organizations have both robust perimeter defenses that can handle traffic specific to these programs and a security policy that is strictly enforced.

Both of the vulnerabilities mentioned above require the victim to interact with the attacker in some way, such as downloading a malicious file or clicking a malicious link. This is why it is vital to have a security policy mandating that all users be made familiar with these risks through security awareness training, and to back that up with controls to monitor user activity. These tactics are vital to prevent such attacks from succeeding.

Another defensive measure is to subscribe to security alerts for the software that you run on your systems. These can come either directly from the vendor or through an "unbiased" service such as Secunia's Vulnerability Intelligence Feed. This service can be tailored to trigger alerts relevant to your IT infrastructure, and Secunia often provides alternative remediation suggestions. Review Secunia's advisory statistics for a vendor or product as part of your risk analysis. Doing this will give you an idea of how many vulnerabilities exist for a given application and the speed with which a vendor responds to them.
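The risk analysis described above and the advisory statistics mentioned here can be reduced to a small, repeatable calculation. The following Python is an added example, not code from the original article or from Secunia or NVD: it takes a list of advisory records and computes, per product, how many advisories exist, how many critical ones are still unpatched, the median days the vendor took to ship a fix, and the age of the oldest open advisory, then applies thresholds to produce a recommendation. The two CVE ids are the ones the article cites; every date, the extra `CVE-EXAMPLE-*` records, the `AS_OF` date and the decision thresholds are constructed assumptions for illustration.

```python
"""Per-product advisory statistics for a pre-installation risk analysis.

Added example, not part of the original article. Feeds the kind of
figures the article says to review (advisory count, vendor fix speed,
outstanding critical issues) into a simple accept/review/block decision.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    cve: str
    vendor: str
    product: str
    severity: str          # "critical", "high", "moderate" or "low"
    published: date        # date the advisory was issued
    fixed: Optional[date]  # date a vendor fix shipped; None if still open


# Constructed sample data. The first two CVE ids are the ones the article
# names; all dates and the CVE-EXAMPLE-* records are assumptions.
SAMPLE = [
    Advisory("CVE-2010-0116", "RealNetworks", "RealPlayer", "critical", date(2010, 9, 1), None),
    Advisory("CVE-2010-2874", "Adobe", "Shockwave Player", "critical", date(2010, 9, 1), None),
    Advisory("CVE-EXAMPLE-0001", "Adobe", "Shockwave Player", "critical", date(2010, 1, 10), date(2010, 1, 20)),
    Advisory("CVE-EXAMPLE-0002", "Adobe", "Shockwave Player", "high", date(2010, 5, 3), date(2010, 6, 15)),
    Advisory("CVE-EXAMPLE-0003", "RealNetworks", "RealPlayer", "moderate", date(2010, 3, 2), date(2010, 3, 30)),
]

# Assumed "today" for the analysis, so the example is reproducible offline.
AS_OF = date(2010, 9, 15)


def product_stats(advisories, product, as_of):
    """Summarise exposure for one product as of a given date.

    Returns the number of advisories, the number of unpatched critical
    advisories, the median days from advisory to fix for patched ones
    (None if nothing has been fixed yet) and the age in days of the
    oldest advisory that is still open (0 if none is open).
    """
    mine = [a for a in advisories if a.product == product]
    days_to_fix = [(a.fixed - a.published).days for a in mine if a.fixed is not None]
    still_open = [a for a in mine if a.fixed is None]
    return {
        "advisories": len(mine),
        "open_critical": sum(1 for a in still_open if a.severity == "critical"),
        "median_days_to_fix": median(days_to_fix) if days_to_fix else None,
        "oldest_open_days": max((as_of - a.published).days for a in still_open) if still_open else 0,
    }


def risk_decision(stats, max_open_critical=0, max_median_days_to_fix=30):
    """Turn the statistics into a recommendation.

    The thresholds are assumed defaults for this example; an organisation
    would set them from its own risk appetite.
    """
    if stats["open_critical"] > max_open_critical:
        return "block: unpatched critical advisory outstanding"
    if stats["median_days_to_fix"] is not None and stats["median_days_to_fix"] > max_median_days_to_fix:
        return "review: vendor is slow to ship fixes"
    return "acceptable: proceed with standard controls"


if __name__ == "__main__":
    for product in ("RealPlayer", "Shockwave Player"):
        stats = product_stats(SAMPLE, product, AS_OF)
        print(product, stats, "->", risk_decision(stats))
```

Run as a script it prints one line per product; in practice the `SAMPLE` list would be replaced by records pulled from the alert feed you subscribe to, and the same two functions run unchanged.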

This was last published in September 2010
