What is making you vulnerable?
The VMware patch mentioned in the oneliner raises an interesting question. What is making you vulnerable? The notification in this case is very careful to explicitly state that the security vulnerabilities are in the thirdparty products used within the solution provided by the vendor. If you have a look at the issues being addressed you will notice that quite a number of the issues are 2008 CVE numbers and yes also some 2007 numbers. So doesn't that make the product itself vulnerable? Well I guess the true answer is "it depends", there may be measures in place to mitigate the risk, but you'll find that for many products the answer will be a resounding "YES".
Now this is just a convenient example. You will find that many products in your environment have open source or other thirdparty products lurking under the covers. Most products including SSL will be based on OpenSSL, SSH, web services, mail, etc are often based on their opensource equivalents. It is likely your firewall is based on Linux, uses OpenSSL or one of the other opensource products. Many mail gateways are based on sendmail or postfix. So it is not unreasonable to assume that if one of these products has a security issue, the integrity of the commercial solution provided to you has been compromised.
The best defence is to know and understand your environment. On Monday get junior to do an inventory of the "thirdparty" products in the security solutions and other products in your environment. you will find thta many of them are running old versions with known issues. Include routers, switches, printers and solutions such as VMware, Xen, your firewall, mailgateway, etc, etc. This will allow you to identify which products may be a risk if one or more of their components has security issues. Once you know the products that may have an issue you will be able to determine the risk to your organisation and you can develop some treatments to address the issue. Make sure If you do find old vulnerable versions of software to ask your vendor when they might be addressing it.
Mark H - Shearwater
Comments