Adobe CSO offers Oracle security lesson: Go click-to-play
Pots and kettles in heated argument at Oz security confab
Oracle could have saved mountains of cash and bad press if Click-to-Play had been enabled before Java was hosed by an armada of zero-day vulnerabilities, Adobe security boss Brad Arkin says.
The simple fix, introduced into browsers over the last year, stopped the zero-day blitzkrieg of the time in its tracks by making users click a button before Java would run.
The chief security officer told the Australian Information Security Association conference the tool cost little and was very effective at driving up the cost of exploitation.
"Click to Play is very cheap and it may break usability, but given the pain they were experiencing and that what they were doing (patching) wasn't working," Arkin told delegates in Melbourne today.
"Since they introduced this change there hasn't been a single zero day against Java ... if they (Oracle) had done this a couple of years earlier it would have saved them a lot of pain and heartache.
"Finding and fixing bugs isn't the way to go, it's ... making it harder and more expensive for [attackers] to achieve an outcome."
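The setting Arkin is advocating is cheap to check for, too. The following audit script is an added example, not code from the original article, Adobe or Oracle: it reads a Firefox user.js or prefs.js profile and reports whether the Java plugin is in click-to-play mode. It relies on the plugin.state.java preference that Firefox used for NPAPI plugins in that era (0 = never activate, 1 = ask to activate, i.e. click-to-play, 2 = always activate); the three sample profiles are constructed for the example.

```python
import re

# Firefox plugin.state.* values for NPAPI plugins (Firefox 26 onwards):
# 0 = never activate, 1 = ask to activate (click-to-play), 2 = always activate.
CLICK_TO_PLAY = 1
STATE_NAMES = {
    0: "never activate",
    1: "ask to activate (click-to-play)",
    2: "always activate",
}

# Matches lines such as: user_pref("plugin.state.java", 1);
PREF_RE = re.compile(r'^\s*(?:user_pref|pref)\("([^"]+)",\s*([^)]+)\);')


def parse_prefs(text):
    """Parse user.js / prefs.js lines into a dict of pref name -> raw value string."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def java_state(prefs):
    """Return the integer plugin.state.java value, or None if the profile
    does not set it (the browser default then applies)."""
    raw = prefs.get("plugin.state.java")
    if raw is None:
        return None
    try:
        return int(raw)
    except ValueError:
        return None


def audit(text):
    """Return (ok, message). ok is True only when Java cannot run silently,
    i.e. the plugin is click-to-play (1) or disabled outright (0)."""
    state = java_state(parse_prefs(text))
    if state is None:
        return (False, "plugin.state.java not set: browser default applies, set it explicitly")
    name = STATE_NAMES.get(state, "unknown value %r" % state)
    return (state in (0, CLICK_TO_PLAY), "plugin.state.java=%d (%s)" % (state, name))


# Constructed sample profiles, not taken from any real machine.
WEAK = 'user_pref("plugin.state.java", 2);\nuser_pref("plugin.state.flash", 2);\n'
HARDENED = 'user_pref("plugin.state.java", 1);\n'
UNSET = 'user_pref("browser.startup.homepage", "about:blank");\n'

if __name__ == "__main__":
    for label, profile in (("weak", WEAK), ("hardened", HARDENED), ("unset", UNSET)):
        ok, msg = audit(profile)
        print("%-9s %s %s" % (label, "OK  " if ok else "FAIL", msg))
```

The "unset" case is deliberately reported as a failure: a profile that leaves the preference to the browser default is at the mercy of whatever that default happens to be in the installed version, so an enterprise rollout should pin the value rather than assume it.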
Arkin said organisations should follow suit and stop "patching every vulnerability" and instead focus on increasing the cost of exploitation, frustrating attackers.
"The bad guys aren't stupid, they are going to apply their resources in the most cost-efficient way possible, and so they seek to minimise the cost of developing an exploit."
That strategy has iced many of the zero-day attacks against Adobe Reader and Flash, and cut the time to patch from 10 weeks in 2009, when Arkin joined as a product security bod, to a recent record of 36 hours.
Arkin suspected every attack against Reader and Flash was created by a nation-state and later co-opted by the criminal underground rabble.
Many were single-use, lobbed at one target, such as a recent Reader attack aimed at a lone bank employee in the Middle East.
"Whenever we see an exploit against [Reader and Flash] it is the result of what we assume to be a nation-state adversary who makes that initial investment," Arkin said.
"Once that initial investment is made it is very cheap and easy to adapt."
He said Adobe suspected one recent attack was the work of a team of a dozen engineers, complete with a product manager, who developed the payload over several months. The attack was then deployed against a single staffer in an unnamed Middle Eastern bank.
Russian VXers and carders were particularly capable at re-appropriating nation-state-developed zero-days, he said. ®