WinZip Vulnerabilities Highlight User Threat

Published: 2004-09-03
Last Updated: 2004-09-04 02:16:19 UTC
by Michael Haisley (Version: 1)
Following yesterday's report on new WinZip vulnerabilities, I thought it would be a good time to highlight the user factor in security.


Users quite frequently open files of types that have traditionally been treated as 'safe'. Many new vulnerabilities highlight the fact that files from an untrusted source should never be opened. Several exploits are currently in the wild for Adobe Acrobat (PDF), WinZip (ZIP), Microsoft Compressed Folders (ZIP), and many other products.

User education should include basic malware recognition. Although corporate firewalls, email scanners, and end-user virus scanners are great, they cannot completely eliminate the threat.

In most cases, files do not open automatically; the user is required to take action to open them. Many users are conditioned to believe that files are safe if they are a ZIP, a PDF, or a JPG, but they should understand that no file is ever safe, and that files from untrusted sources should not be opened, not even to see what's inside.

Currently no worms are propagating using the above exploits, but it would be reasonable to assume that they will be used for this purpose in the future. The time to act is now, before the worm exists, not afterward.

I urge all of you to consider implementing a user education program to complement your current network security programs. Whatever the exploit is, quite often the end user, not the network administrator, will be the first to encounter it, and their reaction can determine how much damage is done. Recognizing a threat and eliminating it, or at least reducing the risk, can do wonders. Train your users; they can understand the basic concepts of network security.
Also, our heartfelt condolences go out to Matt Scarborough, one of the other SANS Incident Handlers, for the loss of his father.
--

Michael Haisley

Handler On Duty

SANS Incident Storm Center